Domains

Get Current Domain

# AD Module
Get-ADDomain

# PowerView
Get-NetDomain

Get Object of Another Domain

# AD Module
Get-ADDomain -Identity lab.local

# PowerView
Get-NetDomain -Domain lab.local

Get Domain SID for Current Domain

# AD Module
(Get-ADDomain).DomainSID

# PowerView
Get-DomainSID

Get Domain Policy for Current Domain

# PowerView
Get-DomainPolicy
(Get-DomainPolicy)."System Access"

Get Password Policy for Another Domain

# PowerView
(Get-DomainPolicy -Domain lab.local)."System Access"

Get Kerberos Policy for e.g. Mimikatz Golden Tickets

# PowerView
(Get-DomainPolicy -Domain lab.local)."Kerberos Policy"

Get Domain Controllers for Current Domain

# AD Module
Get-ADDomainController

# PowerView
Get-NetDomainController

Get Domain Controllers for Another Domain

# AD Module
Get-ADDomainController -DomainName lab.local -Discover

# PowerView
Get-NetDomainController -Domain lab.local

Enumerate All Gobal Catalogs in the Forest

# PowerView
Get-ForestGlobalCatalog

Turn a List of Computer Short Names to FQDNs, Using a Global Catalog

# PowerView
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname}

Enumerate the Current Domain Controller Policy

# PowerView
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights # user privilege rights on the dc...

Enumerate the Current Domain Policy

# PowerView
$DomainPolicy = Get-DomainPolicy -Domain bufu-sec.local
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.

PreviousACLs NextTrusts

Last updated 2 years ago