EnumerationChecklist

Commands are PowerView unless noted otherwise.

Users

Get-Domain -Domain <name>
Get-DomainUser -Identity [username] -Properties DisplayName, MemberOf | Format-List
Get-DomainUser -Properties samaccountname,logonCount
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
Get-DomainSID
Get-DomainController -Domain <name>
  • See DNS Hostname of all computers in a domain -> Get-DomainComputer | select -ExpandProperty dnshostname
  • Get details of Domain Admins group -> Get-DomainGroup -Identity "Domain Admins"
  • Get enterprise group membership -> Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local
  • Get domain policy ->
    Get-DomainPolicy

    # Policy configuration of the domain: account/lockout settings (SystemAccess) and Kerberos ticket lifetimes (KerberosPolicy)
    Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
    Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy
  • Session information for a user ->
    #Enumerate user logged on a machine
    Get-NetLoggedon -ComputerName <ComputerName>

    #Enumerate Session Information for a machine
    Get-NetSession -ComputerName <ComputerName>

    #Enumerate domain machines of the current/specified domain where specific users are logged into
    Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName
  • Ping all machines to determine active ones ->
    Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
  • Search all users' descriptions for the string "built" (descriptions often hold passwords or role hints) -> Get-DomainUser -LDAPFilter "Description=*built*" | select name,Description

S-1-5-18 is the well-known SID of the LocalSystem account (NT AUTHORITY\SYSTEM); virtual service accounts (NT SERVICE\<name>) use SIDs under S-1-5-80-, and domain accounts share the domain SID prefix S-1-5-21-... returned by Get-DomainSID. Comparing the prefix is a quick way to tell these apart.

Groups

  • List details of all groups containing the string "admin" ->
Get-DomainGroup *admin* | select name # EA is not visible as it is in the forest root
Get-DomainGroup *admin* -domain <forest_root_domain> | select name # EA must be present here
  • Save all groups to text file -> Get-DomainGroup | Out-File -FilePath .\DomainGroup.txt
  • Return members of a specific group (e.g. Domain Admins, Enterprise Admins) ->
Get-DomainGroup -Identity '<GroupName>' | Select-Object -ExpandProperty Member
Get-DomainGroupMember -Identity '<GroupName>' | Select-Object MemberDistinguishedName
  • Enumerate the local groups on the local (or remote) machine. Requires local admin rights on the remote machine -> Get-NetLocalGroup | Select-Object GroupName
  • Enumerates members of a specific local group on the local (or remote) machine. Also requires local admin rights on the remote machine -> Get-NetLocalGroupMember -GroupName Administrators | Select-Object MemberName, IsGroup, IsDomain

Shares

  • Enumerate Domain Shares -> Find-DomainShare
  • Enumerate Domain Shares the current user has access -> Find-DomainShare -CheckShareAccess
  • Enumerate "Interesting" Files on accessible shares -> Find-InterestingDomainShareFile -Include *passwords*

OU and GPO

  • Get domain OUs -> Get-DomainOU (all OUs) or Get-DomainOU -Identity <name>
  • Get computers in StudentMachines OU -> (Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
  • List GPOs in the domain -> Get-DomainGPO, or just the names: Get-DomainGPO -Properties DisplayName | Sort-Object -Property DisplayName
  • Enumerate all GPOs applied to a specific computer -> Get-DomainGPO -ComputerIdentity <ComputerName> -Properties DisplayName | Sort-Object -Property DisplayName
  • To get the GPOs applied on an OU, read the OU's gplink attribute: (Get-DomainOU -Identity StudentMachines).gplink. Each link in it has the form [LDAP://cn={<GPO GUID>},cn=policies,cn=system,DC=...;<flags>]. Pass the GUID (in curly braces) to Get-DomainGPO -Identity '{<GPO GUID>}' to get the GPO object. This only tells you which GPO is linked, not the settings it applies; for those, read the GPO folder on SYSVOL (its gpcfilesyspath attribute) or use Get-GPOReport from the GroupPolicy module.
  • Get users which are in a local group of a machine using GPO -> Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity <name>
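The gplink lookup above, carried through as a script: it decodes every link in the attribute (GUID, enforced/disabled flags, link order) and fetches each GPO with Get-DomainGPO. This is an added example for this checklist, not code from PowerView or the original page; the function names ConvertFrom-GPLink and Get-OUGpoLink and the sample gPLink value are ours, and PowerView is assumed to be loaded.

```powershell
# Added example (not PowerView code): decode an OU's gPLink attribute and resolve the linked GPOs.
# Assumes PowerView is loaded (Get-DomainOU / Get-DomainGPO). ConvertFrom-GPLink and Get-OUGpoLink are our names.

function ConvertFrom-GPLink {
    param([AllowEmptyString()][AllowNull()][string]$GPLink)

    # gPLink is "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;<flags>]" repeated once per link.
    # <flags> is a bitmask: 1 = link disabled, 2 = enforced (no override).
    # Links are stored lowest precedence first, so the last entry is GPMC link order 1.
    $pattern = '\[LDAP://cn=(\{[0-9a-f-]{36}\}),[^;\]]*;(\d)\]'
    $links = [regex]::Matches([string]$GPLink, $pattern, 'IgnoreCase')
    $order = $links.Count
    foreach ($link in $links) {
        $flags = [int]$link.Groups[2].Value
        [pscustomobject]@{
            LinkOrder = $order                    # 1 = applied last = highest precedence
            GpoGuid   = $link.Groups[1].Value
            Enforced  = [bool]($flags -band 2)
            Disabled  = [bool]($flags -band 1)
        }
        $order--
    }
}

function Get-OUGpoLink {
    param([Parameter(Mandatory)][string]$OUIdentity, [string]$Domain)
    $common = @{}
    if ($Domain) { $common['Domain'] = $Domain }

    $ou = Get-DomainOU -Identity $OUIdentity -Properties distinguishedname,gplink,gpoptions @common
    if (-not $ou) { throw "OU '$OUIdentity' not found" }

    # gpoptions = 1 is "Block Inheritance": domain/site GPOs that are not enforced do not reach this OU.
    if ($ou.gpoptions -eq 1) { Write-Warning "$($ou.distinguishedname) blocks policy inheritance" }

    ConvertFrom-GPLink -GPLink $ou.gplink | ForEach-Object {
        $gpo = Get-DomainGPO -Identity $_.GpoGuid -Properties displayname,gpcfilesyspath @common
        [pscustomobject]@{
            OU          = $ou.distinguishedname
            LinkOrder   = $_.LinkOrder
            Enforced    = $_.Enforced
            Disabled    = $_.Disabled
            GpoGuid     = $_.GpoGuid
            DisplayName = $gpo.displayname
            SysvolPath  = $gpo.gpcfilesyspath   # where the real settings live (GptTmpl.inf, Registry.pol, ...)
        }
    }
}

# Offline check of the parser on a constructed gPLink value. The two GUIDs are the well-known
# Default Domain Policy and Default Domain Controllers Policy GUIDs; the DN suffix is made up.
$sample = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]' +
          '[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;2]'
ConvertFrom-GPLink -GPLink $sample | Format-Table
# The 6AC1786C... link comes out as LinkOrder 1 and Enforced; the 31B2F340... link as LinkOrder 2.

# Against the domain:
# Get-OUGpoLink -OUIdentity StudentMachines | Sort-Object LinkOrder | Format-Table -AutoSize
```

Get-DomainGPO accepts the GUID with or without the braces, so the value captured from gplink can be passed straight through. The SysvolPath column is the shortcut to the actual settings: GptTmpl.inf under MACHINE\Microsoft\Windows NT\SecEdit is where restricted groups and user rights assignments are defined, which is what Get-DomainGPOComputerLocalGroupMapping reads.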

ACLs

  • Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
  • Find-InterestingDomainAcl -ResolveGUIDs | ? {$_.IdentityReferenceName -match "<user>"}
  • If the user is a member of an RDP Users group, check what that group itself has rights over -> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
  • Enumerate the domains of a trusted forest and their trusts (needs a trust we can query across, e.g. a bidirectional forest trust) -> Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}

If this errors for some domains, the current trust does not reach them: a forest trust is transitive and covers every domain of the trusted forest, while an external trust is non-transitive and covers only the single domain it was created with, so child domains behind an external trust cannot be enumerated this way.

  • Check the ACLs associated with a specified path (e.g smb share) -> Get-PathAcl -Path "\\Path\Of\A\Share"
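The Find-InterestingDomainAcl filters above match on the trustee name written in the ACE, so they miss rights a user holds only through a group (nested ones included). The script below, an added example for this checklist and not PowerView's own code, resolves the user's SID plus every group SID from tokenGroups and keeps only the ACEs granted to one of them. Find-MyDomainAcl is our name; PowerView is assumed to be loaded.

```powershell
# Added example (not PowerView code): interesting ACEs that apply to a user via any of the SIDs in its token.
# Assumes PowerView is loaded (Get-DomainUser, Get-DomainGroup, Find-InterestingDomainAcl). Find-MyDomainAcl is our name.

function Find-MyDomainAcl {
    param(
        [string]$Identity = $env:USERNAME,   # default: the current domain user
        [string]$Domain
    )
    $common = @{}
    if ($Domain) { $common['Domain'] = $Domain }

    $user = Get-DomainUser -Identity $Identity -Properties objectsid,samaccountname @common
    if (-not $user) { throw "User '$Identity' not found" }

    # SIDs the user's token carries: the account itself plus all groups, nested membership resolved
    # (Get-DomainGroup -MemberIdentity reads tokenGroups rather than walking memberOf).
    $sids = New-Object 'System.Collections.Generic.HashSet[string]'
    [void]$sids.Add([string]$user.objectsid)
    Get-DomainGroup -MemberIdentity $Identity @common |
        ForEach-Object { [void]$sids.Add([string]$_.objectsid) }
    Write-Verbose "$($user.samaccountname) carries $($sids.Count) SIDs"

    # Caveat: Find-InterestingDomainAcl only reports trustees with RID >= 1000, so rights granted to
    # built-in groups such as Domain Users (RID 513) never show up here; check those with Get-DomainObjectAcl.
    Find-InterestingDomainAcl -ResolveGUIDs @common |
        Where-Object { $sids.Contains([string]$_.SecurityIdentifier) } |
        Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, AceQualifier,
                      IdentityReferenceName, IdentityReferenceClass
}

# Usage:
# Find-MyDomainAcl -Verbose | Format-Table -AutoSize
# Find-MyDomainAcl -Identity studentuser -Domain dollarcorp.moneycorp.local | Where-Object ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner'
```

IdentityReferenceName in the output still names the group the right was granted to, which is what you want: it tells you which membership to abuse, and whether a GenericAll or WriteDacl on a target came from the user directly or from something like RDPUsers.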

Forests and Trusts

  • Get-ForestDomain -Verbose, Get-DomainTrust, Get-ForestTrust
  • List only external trusts -> Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ? {$_.TrustAttributes -eq "FILTER_SIDS"} (FILTER_SIDS is the SID-filtering/quarantine flag set on external trusts by default; intra-forest trusts show WITHIN_FOREST and forest trusts show FOREST_TRANSITIVE instead)
  • Get trust mapping -> Get-ForestTrustMapping
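Walking trusts by hand with Get-DomainTrust -Domain for each domain you discover gets tedious in a multi-forest lab. The script below, an added example for this checklist and not PowerView's own code, walks trusts breadth first from the current domain, labels each trust as intra-forest, forest or external from its TrustAttributes, and reports domains the current credentials cannot query as warnings instead of stopping (that is the symptom of a non-transitive or one-way trust described above). Get-TrustMap is our name; PowerView is assumed to be loaded.

```powershell
# Added example (not PowerView code): breadth-first trust map with external/forest/intra-forest labelling.
# Assumes PowerView is loaded (Get-DomainTrust). Get-TrustMap is our name.

function Get-TrustMap {
    param([string]$StartDomain = $env:USERDNSDOMAIN)

    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($StartDomain.ToLower())
    $seen[$StartDomain.ToLower()] = $true

    while ($queue.Count -gt 0) {
        $domain = $queue.Dequeue()
        try {
            $trusts = @(Get-DomainTrust -Domain $domain -ErrorAction Stop)
        } catch {
            # Expected when the trust is non-transitive or one-way: we cannot bind to that domain's DCs.
            Write-Warning "Could not enumerate trusts of ${domain}: $_"
            continue
        }
        foreach ($t in $trusts) {
            $attrs = [string]$t.TrustAttributes
            $kind  = if     ($attrs -match 'WITHIN_FOREST')                  { 'IntraForest' }
                     elseif ($attrs -match 'FOREST_TRANSITIVE')              { 'Forest' }
                     elseif ($attrs -match 'FILTER_SIDS|NON_TRANSITIVE')     { 'External' }
                     else                                                    { 'Other' }
            [pscustomobject]@{
                Source       = $t.SourceName
                Target       = $t.TargetName
                Direction    = [string]$t.TrustDirection
                Kind         = $kind
                Transitive   = ($attrs -notmatch 'NON_TRANSITIVE')
                SidFiltering = ($attrs -match 'FILTER_SIDS')   # explicit quarantine flag (external trusts by default)
                Attributes   = $attrs
            }
            $target = ([string]$t.TargetName).ToLower()
            if (-not $seen[$target]) {
                $seen[$target] = $true
                $queue.Enqueue($target)
            }
        }
    }
}

# Usage:
# Get-TrustMap | Sort-Object Source, Target | Format-Table -AutoSize
# Get-TrustMap | Where-Object Kind -eq 'External'   # same set as the FILTER_SIDS filter in the checklist
```

Kind and SidFiltering together tell you what an abuse path looks like: within the forest (no SID filtering) a child-to-parent escalation via SID history is possible, across a SID-filtered external trust it is not, so those targets need a foothold on their own side.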

Kerberoasting Enumeration

Check Bloodhound

User Hunting

  • Find all machines in the current domain where the current user has local admin access -> Find-LocalAdminAccess -Verbose
  • Same check over PowerShell Remoting or WMI instead of SMB, useful when the user has admin through a group such as RDP Users or when Find-LocalAdminAccess is blocked (these two are separate scripts, not PowerView cmdlets) -> Find-PSRemotingLocalAdminAccess -Verbose and Find-WMIRemotingLocalAdminAccess -Verbose
  • Find local admins on all machines of the domain -> Find-DomainLocalGroupMember -Verbose
  • Find computers where a Domain Admin or a specified user has a session -> Find-DomainUserLocation | Select-Object UserName, SessionFromName
  • Confirm admin access on a single machine -> Test-AdminAccess -ComputerName <ComputerName>

Privilege Escalation (Local)

If a tool is blocked by AV, run it through AMSITrigger and DefenderCheck to find the exact strings being signatured, then obfuscate or rename those before retrying.

Exam Pointer -> Use a combination of PowerUp and winPEAS: the two overlap, so each covers the gaps and false negatives of the other.

  • PowerUp -> Invoke-AllChecks

Follow the abuse function PowerUp suggests for each finding (the AbuseFunction field in its output).