RTFnotes

Red Team Fundamentals

AD Searches

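# Notes on AD enumeration with the ActiveDirectory module (RSAT). Every query below is
# a read-only LDAP search; nothing is written to the directory. In the original notes
# each command had been collapsed onto its comment line, the -like filter lacked its
# wildcards, and some dashes/quotes were typographic (en dash, curly quote), so the
# commands did not run as pasted. All of that is repaired here.

# All protected AD objects (accounts/groups covered by AdminSDHolder / SDProp).
# Caveat: adminCount=1 is not cleared when an account leaves a protected group, so
# this list can include stale, formerly-privileged accounts.
Get-ADObject -Filter "admincount -eq 1"

# Members of the Domain Admins group
Get-ADGroup "Domain Admins" | Get-ADGroupMember

# Members of the Enterprise Admins group (forest-root domain; -Server names its DC)
Get-ADGroup "Enterprise Admins" -Server caesar-dc.caesar.pvt | Get-ADGroupMember

# All members of the built-in Administrators group
Get-ADGroup administrators | Get-ADGroupMember

# All members of the built-in Administrators group, including nested groups.
# -Recursive flattens nested groups; members that are not user objects (computers,
# foreign security principals) will make Get-ADUser report an error for that item.
Get-ADGroup administrators | Get-ADGroupMember -Recursive | Get-ADUser

# Find other security groups whose name contains "admin" (may grant privileged access).
# -like needs the * wildcards: a bare "admin" only matches a group named exactly "admin".
Get-ADGroup -Filter 'GroupCategory -eq "Security" -and Name -like "*admin*"'

# Find the members of all those groups
Get-ADGroup -Filter 'GroupCategory -eq "Security" -and Name -like "*admin*"' | Get-ADGroupMember

# Find all enabled user accounts and write their logon names to AllUsers.csv
Get-ADUser -Filter 'enabled -eq $true' | Select-Object samaccountname | Export-Csv -NoTypeInformation AllUsers.csv

# Find all active computer accounts: "active" here means the machine account password
# was changed within the last 31 days (the default rotation interval is 30 days).
$OldPwdDate = (Get-Date).AddDays(-31)
Get-ADComputer -Filter {PasswordLastSet -gt $OldPwdDate} -Properties OperatingSystem

# Kerberos-enabled applications: every registered SPN, minus the HOST/TERMSRV/WSMAN
# entries that domain-joined Windows hosts typically register by default.
# -notmatch is case-insensitive, so "host/..." entries are filtered as well.
Get-ADObject -LDAPFilter '(ServicePrincipalName=*)' -Properties ServicePrincipalName |
    Select-Object -ExpandProperty ServicePrincipalName |
    Where-Object {$_ -notmatch "HOST|TERMSRV|WSMAN"} |
    Sort-Object

# AD site information
Get-ADReplicationSite -Filter * | Select-Object name, Description

# Registered networks (subnets) by site
Get-ADReplicationSubnet -Filter * | Select-Object name, site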
