Windows Powershell for purple teams

🏷 security, windows

Generic Powershell Stuff

  • Where does a Command come from?

    PS C:\> Get-Command Get-Command
    
  • Silence errors

    $nh_oea = $ErrorActionPreference ; $ErrorActionPreference = "SilentlyContinue"
    
  • Restore errors

    $ErrorActionPreference = $nh_oea
    
  • Import AD-Modules

    Import-Module .\Microsoft.ActiveDirectory.Management.dll
    Import-Module .\ActiveDirectory\ActiveDirectory.psd1
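
    The silence/restore pair above as one unit, added here as an example that is not part of the original notes. If anything between the two one-liners throws a terminating error (or you hit Ctrl+C), the restore line never runs and the session stays silenced; wrapping the noisy part in try/finally guarantees the preference is put back. The enumeration inside the block is only a placeholder for whatever you would normally run.

```powershell
# Added example, not from the original notes: the silence/restore pair as try/finally.
$nh_oea = $ErrorActionPreference
try {
    $ErrorActionPreference = 'SilentlyContinue'

    # Noisy enumeration goes here; unreachable domains simply produce no output
    # instead of a wall of red text. Placeholder body:
    $nh_doms = (Get-ADForest).Domains
    foreach ($nh_dom in $nh_doms) {
        "[*] $nh_dom"
        (Get-ADDomainController -DomainName $nh_dom -Discover).HostName
    }
}
finally {
    # Runs on normal completion, on a terminating error and on Ctrl+C.
    $ErrorActionPreference = $nh_oea
}
```

    Note that errors are only hidden, not gone: `$Error[0]` still holds the most recent one if a command unexpectedly returns nothing.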
    

Recon / Enumeration

  • Get all admin groups of all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; (Get-ADGroup -Filter { Name -like "*admin*" } -Server $nh_dom).name | foreach { "[-] " + $_ } } ; "`n"
    
  • Enumerate Users (AD Modules)

    (Get-ADUser -Filter { Enabled -eq $true }).name
    
  • Enumerate Computers (AD Modules)

    (Get-ADComputer -Filter *).name
    
  • Get Domain Admins for all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Domain Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
    
  • Get Enterprise Admins for all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Enterprise Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
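
    The two forest-wide membership listings above become far more useful on the defensive side when you keep a baseline and diff against it on a schedule. The following is an added example, not part of the original notes: the group list, baseline path and sample records are assumptions for illustration. `Get-PrivilegedGroupSnapshot` needs the AD module and a domain; `Compare-PrivilegedGroupSnapshot` is a pure comparison and runs offline on the constructed sample data at the bottom.

```powershell
# Added example, not from the original notes: privileged group membership drift.

function Get-PrivilegedGroupSnapshot {
    # One record per (domain, group, member), recursively, for every domain in the forest.
    param(
        [string[]] $GroupNames = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumed list
    )
    foreach ($dom in (Get-ADForest).Domains) {
        foreach ($grp in $GroupNames) {
            Get-ADGroupMember -Identity $grp -Server $dom -Recursive -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Domain      = $dom
                        Group       = $grp
                        Member      = $_.SamAccountName
                        ObjectClass = $_.ObjectClass
                    }
                }
        }
    }
}

function Compare-PrivilegedGroupSnapshot {
    # Pure comparison of two snapshot lists; emits Added/Removed records.
    param(
        [object[]] $Baseline = @(),
        [object[]] $Current  = @()
    )
    $keyOf = { param($r) '{0}|{1}|{2}' -f $r.Domain, $r.Group, $r.Member }

    $baseKeys = @{}
    foreach ($r in $Baseline) { $baseKeys[(& $keyOf $r)] = $true }
    $curKeys = @{}
    foreach ($r in $Current)  { $curKeys[(& $keyOf $r)] = $true }

    foreach ($r in $Current) {
        if (-not $baseKeys.ContainsKey((& $keyOf $r))) {
            [pscustomobject]@{ Change = 'Added';   Domain = $r.Domain; Group = $r.Group; Member = $r.Member }
        }
    }
    foreach ($r in $Baseline) {
        if (-not $curKeys.ContainsKey((& $keyOf $r))) {
            [pscustomobject]@{ Change = 'Removed'; Domain = $r.Domain; Group = $r.Group; Member = $r.Member }
        }
    }
}

# Constructed sample data so the comparison can be exercised without a domain.
$baseline = @(
    [pscustomobject]@{ Domain = 'contoso.local'; Group = 'Domain Admins'; Member = 'da-alice'; ObjectClass = 'user' }
    [pscustomobject]@{ Domain = 'contoso.local'; Group = 'Domain Admins'; Member = 'da-bob';   ObjectClass = 'user' }
)
$current = @(
    [pscustomobject]@{ Domain = 'contoso.local'; Group = 'Domain Admins'; Member = 'da-alice';   ObjectClass = 'user' }
    [pscustomobject]@{ Domain = 'contoso.local'; Group = 'Domain Admins'; Member = 'svc-backup'; ObjectClass = 'user' }
)
Compare-PrivilegedGroupSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
# Reports svc-backup as Added and da-bob as Removed.

# Live use (assumed file path): save a baseline once, then diff on a schedule.
#   Get-PrivilegedGroupSnapshot | Export-Clixml .\priv-baseline.xml
#   Compare-PrivilegedGroupSnapshot -Baseline (Import-Clixml .\priv-baseline.xml) -Current (Get-PrivilegedGroupSnapshot)
```

    Every "Added" row is something the change process should already know about; the ones it doesn't are the finding. Keep the baseline somewhere the accounts being watched cannot edit.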
    
  • Find sensitive shares (PowerView)

    Invoke-ShareFinder -ExcludePrint -ExcludeStandard -ExcludeIPC
    
  • Get all OU in Domain (AD modules)

    Get-ADOrganizationalUnit -Filter * | select Name, DistinguishedName
    
  • List all Computers in OU foobar (AD modules)

    # -Filter does not work for OU
    (Get-ADComputer -Filter * | where { $_.DistinguishedName -match "OU=foobar,DC=contoso,DC=local$" }).Name
    
  • List all GPOs (PowerView)

    Get-NetGPO | select displayName, Name
    
  • Get GPO for OU foobar (PowerView)

    (Get-NetOU foobar -FullData).gplink
    [LDAP://cn={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},cn=policies,cn=system,DC=contoso,DC=local;0]
    Get-NetGPO -ADSpath 'cn={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},cn=policies,cn=system,DC=contoso,DC=local'
    
  • Get ACL for Administrator (PowerView)

    See description of ActiveDirectoryRights

    # Who, Where, What
    Get-ObjectACL -ADSPrefix 'CN=Administrator,CN=Users' | select IdentityReference, ObjectDN, ActiveDirectoryRights
    # literally the same
    Get-ObjectACL -SamAccountName Administrator | select IdentityReference, ObjectDN, ActiveDirectoryRights
    
  • Who can modify User foobar? (PowerView)

    Get-ObjectACL -SamAccountName 'foobar' -ResolveGUIDs |
        where ActiveDirectoryRights -CNotIn "GenericExecute",
                                            "GenericRead",
                                            "ListChildren",
                                            "ListObject",
                                            "ReadControl",
                                            "ReadProperty",
                                            "Synchronize" |
        select IdentityReference, ObjectDN, ActiveDirectoryRights
    
  • What can User foobar modify? (PowerView)

    Invoke-ACLScanner -ResolveGUIDS | ?{$_.IdentityReference -eq "foobar"}
    

    If the result is empty, look for group memberships (PowerView, AD modules)

    foreach ($nh_idref in (Get-ADPrincipalGroupMembership -Identity foobar).SamAccountName) {
      Invoke-ACLScanner -ResolveGUIDs |
          ?{$_.IdentityReference -match "$nh_idref"} |
          select IdentityReference, ObjectDN, ActiveDirectoryRights
    }
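
    Both ACL questions above ("who can modify foobar?" and "what can foobar modify?") hinge on the same test: does an ACE carry a right that can change the object? The `-CNotIn` filter only drops ACEs whose rights are exactly one read-only value, so `ReadProperty, WriteProperty` passes (correct) but so does `GenericRead, ListChildren` (noise). The helper below, an added example that is not part of the original notes, decomposes the `ActiveDirectoryRights` flags instead and keeps only Allow ACEs with a modifying right. It relies on each ACE exposing `AccessControlType`, which `ActiveDirectoryAccessRule` objects do; the sample ACEs, the DN and the identity names are constructed.

```powershell
# Added example, not from the original notes: flag-aware "can this ACE modify the object?" test.
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

# Rights that let the holder change the object, its attributes, its children or its ACL.
$ModifyingRights = $ADRights::WriteProperty -bor $ADRights::WriteDacl    -bor $ADRights::WriteOwner  -bor
                   $ADRights::GenericWrite  -bor $ADRights::GenericAll   -bor $ADRights::ExtendedRight -bor
                   $ADRights::Self          -bor $ADRights::Delete       -bor $ADRights::DeleteChild -bor
                   $ADRights::CreateChild

function Test-ModifyingAce {
    param([Parameter(Mandatory)] $Ace)
    # ActiveDirectoryRights may arrive as the enum or as its string form
    # ("ReadProperty, WriteProperty"); the cast accepts both.
    $rights = [System.DirectoryServices.ActiveDirectoryRights] $Ace.ActiveDirectoryRights
    return ($Ace.AccessControlType -eq 'Allow') -and (([int]($rights -band $ModifyingRights)) -ne 0)
}

# Constructed sample ACEs shaped like Get-ObjectACL output.
$dn = 'CN=foobar,CN=Users,DC=contoso,DC=local'
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Users'; ObjectDN = $dn; ActiveDirectoryRights = 'GenericRead, ListChildren';    AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\helpdesk';     ObjectDN = $dn; ActiveDirectoryRights = 'ReadProperty, WriteProperty'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\svc-legacy';   ObjectDN = $dn; ActiveDirectoryRights = 'GenericAll';                  AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\contractors';  ObjectDN = $dn; ActiveDirectoryRights = 'WriteDacl';                   AccessControlType = 'Deny'  }
)

$sampleAces | Where-Object { Test-ModifyingAce $_ } |
    Select-Object IdentityReference, ObjectDN, ActiveDirectoryRights
# Lists helpdesk and svc-legacy only.

# Live use, same filter, for the two questions above:
#   Get-ObjectACL -SamAccountName foobar -ResolveGUIDs | Where-Object { Test-ModifyingAce $_ }
#   Invoke-ACLScanner -ResolveGUIDs | Where-Object { (Test-ModifyingAce $_) -and ($_.IdentityReference -match 'foobar') }
```

    This is an ACE-level filter, not an effective-access calculation: Deny ACEs are skipped rather than subtracted, inheritance flags are ignored, and an `ExtendedRight` entry still needs the resolved GUID to tell a harmless control right from a dangerous one. It is enough to produce a review list; decide each line by hand.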
    
  • What is my current domain (AD Modules)

    Get-ADDomain
    
  • Get Domain Policy (PowerView)

    Get-DomainPolicy
    (Get-DomainPolicy)."System Access"
    (Get-DomainPolicy)."Kerberos Policy"  # Important for Golden Tickets / mimikatz
    
  • Get Domain Controllers (AD Modules)

    Get-ADDomainController
    Get-ADDomainController -DomainName foo -Discover # works for parent / child domains
    
  • Enumerate Users. Beware of users whose password hasn't changed for a long time and who have no bad password count or a low logon count

    Get-ADUser -Filter { Enabled -eq $true } -Properties pwdLastSet, badPwdCount, logonCount |
      select name,
      @{name='pwdlastset' ; expression={[datetime]::fromFileTime($_.pwdlastset)}},
      badpwdcount,
      logoncount
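
    The query above lists every enabled user; turning it into a review list means applying the three signals (old password, low logon count, no bad attempts) with explicit thresholds. The function below is an added example, not part of the original notes; the thresholds and the sample accounts are constructed assumptions, and it accepts the same `pwdLastSet`/`logonCount`/`badPwdCount` attributes the query returns so real `Get-ADUser` output can be piped straight in.

```powershell
# Added example, not from the original notes: dormant / untouched account report.
function Get-DormantAccountReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxPasswordAgeDays = 180,   # assumed threshold
        [int] $MinLogonCount      = 5      # assumed threshold
    )
    process {
        # pwdLastSet is a FILETIME; 0 means "must change at next logon" or never set.
        $pwdSet = $null
        if ($User.pwdLastSet -gt 0) { $pwdSet = [datetime]::FromFileTime($User.pwdLastSet) }

        $reasons = @()
        if ($null -eq $pwdSet) {
            $reasons += 'password never set'
        } elseif (((Get-Date) - $pwdSet).TotalDays -gt $MaxPasswordAgeDays) {
            $reasons += 'password {0} days old' -f [int]((Get-Date) - $pwdSet).TotalDays
        }
        if ([int]$User.logonCount -lt $MinLogonCount) {
            $reasons += "logonCount $([int]$User.logonCount)"
        }
        # Zero failed attempts on an otherwise dormant account is worth noting:
        # nobody, including its owner, is even trying it.
        if ($reasons.Count -gt 0 -and [int]$User.badPwdCount -eq 0) {
            $reasons += 'no bad password attempts'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name        = $User.Name
                PwdLastSet  = $pwdSet
                LogonCount  = [int]$User.logonCount
                BadPwdCount = [int]$User.badPwdCount
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Constructed sample accounts so the report can be exercised without a domain.
$now = Get-Date
$sampleUsers = @(
    [pscustomobject]@{ Name = 'alice';    pwdLastSet = $now.AddDays(-20).ToFileTime();  logonCount = 340; badPwdCount = 0 }
    [pscustomobject]@{ Name = 'svc-old';  pwdLastSet = $now.AddDays(-900).ToFileTime(); logonCount = 2;   badPwdCount = 0 }
    [pscustomobject]@{ Name = 'new-hire'; pwdLastSet = 0;                               logonCount = 0;   badPwdCount = 0 }
)
$sampleUsers | Get-DormantAccountReport | Format-Table -AutoSize
# svc-old and new-hire are listed; alice is not.

# Live use:
#   Get-ADUser -Filter { Enabled -eq $true } -Properties pwdLastSet, logonCount, badPwdCount |
#       Get-DormantAccountReport -MaxPasswordAgeDays 90
```

    Two caveats a practitioner will hit: `logonCount` and `badPwdCount` are not replicated between domain controllers, so run the query against each DC (or against the PDC emulator for `badPwdCount`) before trusting a low value, and an account that appears on this list is either something to disable or, on a purple-team engagement, a candidate canary whose use should alert.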
    
  • Search for User with built in Description

    Get-ADUser -Filter { Description -like '*built*' } -Properties Description | Select Name, Description
    
  • Search machines where the current user (foo) is a member of the local Administrators group (PowerView)

    Find-LocalAdminAccess
    

Local Privilege Escalation

  • PowerUp

    Invoke-AllChecks