Powerview

Forest Enumeration

Get-DomainTrust -API

Get-NetForest

Get-DomainTrust

Get-DomainTrustMapping

Get-DomainUser -Domain corp1.com

Find-ForeignGroup -Verbose

Get-DomainForeignGroupMember -Domain "test.lab"

ACLs Enumeration


Find-InterestingDomainAcl -ResolveGUIDs

Invoke-ACLScanner -ResolveGUIDs

Get-DomainObjectAcl -Identity "Managers" -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convertfrom-Sid $_.SecurityIdentifier);$_}

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "LAPS Password Readers"}

Get-DomainObjectAcl -Identity machineadmins -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convertfrom-Sid $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match 'Will'}

Constrained delegation

Get-NetUser -trustedToAuth -Domain eu.local

Get-DomainUser -TrustedToAuth -Domain test.corp 2>$null

Get-DomainComputer -TrustedToAuth -Domain test.corp 2>$null

Unconstraint delegation

Get-DomainComputer -Unconstrained

RBCD

Get-NetComputer us-jump3 | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity

PreviousBloodhound cypher query NextPrivilege Escalation

Last updated 2 months ago

Was this helpful?