Users

Get List of Users in Current Domain

# AD Module
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *
Get-ADUser -Filter * -Properties * | Select Name

# PowerView
Get-NetUser
Get-NetUser -Username student1
Get-NetUser | Select cn

Get List of All Properties for Users in Current Domain

# AD Module
Get-ADUser -Filter * -Properties * | Select -First 1 | Get-Member -MemberType *Property | Select Name
Get-ADUser -Filter * -Properties * | Select-Object Name,@{Name='PwdLastSet';Expression={[datetime]::FromFileTime($_.pwdlastset)}}

Find All Users with an SPN

# PowerView
Get-DomainUser -SPN

Find All Service Accounts in "Domain Admins"

Check for Users Who Don't Have Kerberos Preauthentication Set

Find Users with sidHistory Set

Find Any Users with Constrained Delegation Set

Find All Privileged Users that Aren't Marked "Account is sensitive and cannot be delegated"

Get List of All Properties for Users in Current Domain

Search for a Particular String in a User's Attributes

Get Actively Logged on Users on a Computer (needs Local Admin Rights on the target)

Get Actively Logged on Users on a Computer

Get the Last Logged User on a Computer

Get All Users with Passwords Changed > 1 Year ago

Get All Enabled Users

Get All Disabled Users

Get All Users that Require Smart Card Authentication

Get All Users that don't Require Smart Card Authentication

Use Multiple Identity Types for Any -Domain Function

Enumerate All Foreign Users in the Global Catalog, and Query the Specified Domain's Local Groups for Their Memberships

If Running in -sta Mode, Impersonate Another Credential a la "runas /netonly"

Set the Specified Property for the given User Identity

Set the Owner of 'dfm' in the Current Domain to 'bufu'

Retrieve Most Users Who Can Perform DC Replication for dev.testlab.local (i.e. DCSync)

Check if Any User Passwords Are Set

User Hunting with PowerView

Find All Machines on the Current Domain where the Current User Has Local Admin Access

This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Invoke-CheckLocalAdminAccess against each machine.

Can also be done using WMI and PowerShell Remoting, see Find-WMILocalAdminAccess.ps1 and Find-PSRemotingLocalAdminAccess.ps1.

Find Local Admins on All Machines

Needs administrator privileges on non-DC machines.

This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Get-NetLocalGroup against each machine.

Find Computers where a Domain Admin (or Specified User/group) Has Sessions

This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer), and lists sessions and logged-on users (Get-NetSession / Get-NetLoggedon) from each one.

Confirm Admin Access

Find Computers where a Domain Admin is Logged-in

This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of only high-traffic servers (DCs, file servers and distributed file servers) so that less network traffic is generated, and lists sessions and logged-on users (Get-NetSession / Get-NetLoggedon) from each machine.

Enumerate Servers that Allow Unconstrained Delegation and Show All Logged in Users

Find-DomainUserLocation == old Invoke-UserHunter

Hunt for Admin Users that Allow Delegation, Logged into Servers that Allow Unconstrained Delegation

Defending against User Hunting

NetCease

  • Script that changes the permissions on the NetSessionEnum method by removing access for the Authenticated Users group

  • Breaks much of an attacker's session enumeration, and hence user-hunting capability
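An added audit check (not code from this page or from the NetCease script) that reports whether that permission change is in place on a host: it assumes the NetSessionEnum security descriptor lives in the SrvsvcSessionInfo value under the LanmanServer DefaultSecurity registry key, which is the value NetCease rewrites, and that the script runs elevated on the host being audited.

```powershell
# Added example, not part of the original page or the NetCease project.
# Decodes the Server service's NetSessionEnum security descriptor and
# reports whether Authenticated Users (S-1-5-11) can still enumerate sessions.
function Test-NetSessionEnumHardening {
    [CmdletBinding()]
    param(
        # Assumed location of the descriptor NetCease modifies.
        [string]$RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity',
        [string]$ValueName    = 'SrvsvcSessionInfo'
    )

    # The value is a self-relative security descriptor stored as REG_BINARY.
    [byte[]]$binarySd = (Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction Stop).$ValueName
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($binarySd, 0)

    # Walk the DACL and resolve each SID to a readable principal where possible.
    $aces = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $principal = $sid.Value }
        [pscustomobject]@{
            Principal  = $principal
            Sid        = $sid.Value
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }

    # Hardened means no AccessAllowed ACE for Authenticated Users remains in the DACL.
    $authUsersAllowed = @($aces | Where-Object {
        $_.Sid -eq 'S-1-5-11' -and $_.AceType -eq 'AccessAllowed'
    }).Count -gt 0

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Hardened     = -not $authUsersAllowed
        Sddl         = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        Aces         = $aces
    }
}

# Usage: run in an elevated PowerShell session on the host being audited.
$result = Test-NetSessionEnumHardening
$result | Select-Object ComputerName, Hardened, Sddl | Format-List
$result.Aces | Format-Table -AutoSize
```

A host that has never had NetCease applied will list an AccessAllowed entry for Authenticated Users and report Hardened = False; a correctly hardened host shows only the narrower principals the script substitutes.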

SAMRi10

  • From same author as NetCease

  • Hardens Windows 10 and Server 2016 against enumeration which uses the SAMR protocol (like net.exe)

  • https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
