🏁Cheatsheet - Fast Commands (ENUMERATION)

Invisible Shells + Addons

Herramienta	Para qué sirve	Ejemplos de comandos
Invisi-Shell	PowerShell stealth (AMSI + logging bypass)	C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat or C:\AD\Tools\InviShell\RunWithPathAsAdmin.bat
PowerView	Enumeración ofensiva de Active Directory	. C:\AD\Tools\PowerView.ps1 Example Commands: powershell Get-DomainUser powershell Get-DomainGroup powershell Find-InterestingDomainAcl powershell Get-DomainObjectAcl -Identity administrador -ResolveGUIDs
ADModule	Módulo oficial de Microsoft para administrar AD	Import-Module C:\AD\Tools\ADModulemaster\Microsoft.ActiveDirectory.Management.dll and Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1 Example Commands: powershell Get-ADUser -Filter * powershell Get-ADGroup -Filter *

Using Invisi-Shell

• With admin privileges: RunWithPathAsAdmin.bat • With non-admin privileges: RunWithRegistryNonAdmin.bat • Type exit from the new PowerShell session to complete the clean-up.

cd \AD\Tools
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\PowerView.ps1

---

All Enumeration - PowerView

• Domain Info

• Users

  • Member Computers

• Computers

• Domain Administrators

  • Members of the Domain Admins group

• Enterprise Administrators

  • Members of the Enterprise Administrators

Learning Objetive 1 | Checklists | brain_fuckeldeim.gitbook.io

Commands	Function	Example
Get-Domain	General Info by Domain	Forest : moneycorp.local DomainControllers : {dcorp-dc.dollarcorp.moneycorp.local} Children : {us.dollarcorp.moneycorp.local}
Get-DomainUser | select -ExpandProperty samaccountname	List All Current Domain Users	Administrator Guest [snip]
Get-DomainComputer | select -ExpandProperty dnshostname	List Names of Machines: DCs, Servers, PCs, WorkStations, etc...	dcorp-dc.dollarcorp.moneycorp.local dcorp-adminsrv.dollarcorp.moneycorp.local dcorp-appsrv.dollarcorp.moneycorp.local dcorp-ci.dollarcorp.moneycorp.local dcorp-mgmt.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local dcorp-sql1.dollarcorp.moneycorp.local dcorp-stdadmin.dollarcorp.moneycorp.local dcorp-std111.dollarcorp.moneycorp.local [snip]
Get-DomainGroup -Identity "Domain Admins"	List Domain Admins: members, SID, descriptions, DN, etc..	samaccountname : Domain Admins member : {CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local, CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local}
Get-DomainGroupMember -Identity "Domain Admins"	List Doamin Admins into the forest	MemberName : Administrator MemberName : svcadmin
Get-DomainGroupMember	List members of the Enterprise Administrators	GroupDomain : moneycorp.local GroupName : Enterprise Admin MemberName : Administrator

---

All Enumeration - ADModule

• Domain Users

  • List Properties

• All Computers

• Enumerate Domain Administrators

• Enumerate the Enterprise Administrators

Learning Objetive 1 | Checklists | brain_fuckeldeim.gitbook.io

Commands	Function	Example
Get-ADUser -Filter *	List all users in the current domain	SamAccountName : Administrator SID : S-1-5-21-719815819-3726368948-3917688648-500 SamAccountName : Guest SID : S-1-5-21-719815819-3726368948-3917688648-501
Get-ADUser -Filter * -Properties *| select Samaccountname,Description	List specific properties: Samaccountname,Description	Samaccountname Description -------------- ----------- Administrator Built-in account for administering the computer/domain Guest Built-in account for guest access to the computer/domain krbtgt Key Distribution Center Service Account [snip]
Get-ADComputer -Filter *	List All Computers	DistinguishedName : CN=DCORP-ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local DNSHostName : dcorp-adminsrv.dollarcorp.moneycorp.local Enabled : True Name : DCORP-ADMINSRV ObjectClass : computer ObjectGUID : 2e036483-7f45-4416-8a62-893618556370 SamAccountName : DCORP-ADMINSRV$ SID : S-1-5-21-719815819-3726368948-3917688648-1105 [snip]
Get-ADGroupMember -Identity 'Domain Admins'	List Domain Admins: members, SID, descriptions, DN, etc..	samaccountname : Domain Admins member : {CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local, CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local}
Get-ADGroupMember -Identity 'Enterprise Admins' -Server moneycorp.local	List Doamin Admins into the forest	distinguishedName : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local name : Administrator objectClass : user objectGUID : d954e824-f549-47c2-9809-646c218cef36 SamAccountName : Administrator SID : S-1-5-21-719815819-3726368948-3917688648-500 distinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local name : svc admin objectClass : user objectGUID : 244f9c84-7e33-4ed6-aca1-3328d0802db0 SamAccountName : svcadmin SID : S-1-5-21-719815819-3726368948-3917688648-1118

---

Bloodhound

Learning Objetive 1 | Checklists | brain_fuckeldeim.gitbook.io

We need to install the neo4j service. Unzip the archive C:\AD\Tools\neo4j-community-4.1.1-windows.zip

Instalation

Install and start the neo4j service as follows, into:

cd C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin

For it, we need a admin user to continue with the installation

neo4j.bat install-service
neo4j.bat start

Once the service is started, browse to http://localhost:7474

Enter the username: neo4j and password: neo4j. You need to enter a new password. Let's use BloodHound as the new password.

Now, open BloodHound from C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64 and provide the following details:

bolt://localhost:7687

Username: neo4j Password: BloodHound

Ingestores

Run BloodHound ingestores to gather data and information about the current domain. Run the following commands to run Collector:

C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.exe --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets --excludedcs

C:\AD\Tools\>C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.exe --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets --excludedcs
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.exe Arguments : --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets ?excludedcs
[snip]
2024-12-19T02:51:45.7390124-08:00|INFORMATION|SharpHound Enumeration Completed at 2:51 AM on 12/19/2024! Happy Graphing!

Once all the data is uploaded to BloodHound, search for shortest path to Domain Admins in dollarcorp domain. (press Ctrl to toggle labels).

---

PowerHuntShares

Run the following commands from a PowerShell session started using Invisi-Shell:

After this, we need save into a file txt in C:\AD\Tools, all Domain Computer, extract its using:

Get-DomainComputer | select -ExpandProperty dnshostname

PS C:\AD\Tools> notepad servers.txt
## Paste the servers
cat C:\AD\Tools\servers.txt

Import-Module C:\AD\Tools\PowerHuntShares.psm1
Invoke-HuntSMBShares -NoPing -OutputDirectory C:\AD\Tools\ -HostList C:\AD\Tools\servers.txt

It generate us a .htlm in the same folder

You need to copy the summary report to your host machine because the report needs interent access, which is not available on the student VM.

Go to ShareGraph -> search dcorp-ci -> Right click on dcorp-ci node -> Click expand. Tt turns out that 'Everyone' has privileges on the 'AI' folder.

---

ACLs Enumeration - Domain Admins Group

Learning Objetive 2 | Checklists | brain_fuckeldeim.gitbook.io

Remember to continúe using the PowerShell session started using Invisi-Shell

Commands	Function	Example
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs	List all users in the current domain	AceQualifier : AccessAllowed ObjectDN : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local ActiveDirectoryRights : ReadProperty ObjectAceType : User-Account-Restrictions ObjectSID : S-1-5-21-719815819-3726368948-3917688648-512 InheritanceFlags : None

Excesive Permissions - On us account

Finally, to check for modify rights/permissions for the studentx, we can use Find-InterestingDomainACL from PowerView:

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student113"}

Member of the RDPUsers group

Note that the output in your lab for the below command will be different and will depend on your lab instance:

Commands	Function	Example
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}	List all users in the current domain with RDP permissions	ObjectDN : CN=ControlxUser,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local AceQualifier : AccessAllowed ActiveDirectoryRights : GenericAll ObjectAceType : None AceFlags : None AceType : AccessAllowed InheritanceFlags : None SecurityIdentifier : S-1-5-21-719815819-3726368948-3917688648-1123 IdentityReferenceName : RDPUsers IdentityReferenceDomain : dollarcorp.moneycorp.local IdentityReferenceDN : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local IdentityReferenceClass : group [snip]

---

Analyze the permissions - BloodHound UI (local machine)

DO IT with ADMIN LOCAL PRIVILEGES!

Install Bloodhound - Neo4j

## Unzip it
C:\AD\Tools\neo4j-community-4.4.5-windows.zip
## Exec \bin
neo4j.bat install-service
## Start
neo4j.bat start

Once the service is started, browse to http://localhost:7474

Username: neo4j Password: neo4j

After do login, we need change the passwd, set BloodHound or neo4j!

Install/Start BloodHound

Now, open BloodHound from C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64 and provide the following details:

C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64\BloodHound.exe

Set the same user and password that before

BloofHound Ingestor

Once we have do all of this, execute the ingestor and upload it -->

It save into C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin

C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.exe --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets --excludedcs

IMPORT!: Upload all zip file, not stract it

---

Enumerate OUs

Commands	Function	Example
Get-DomainOU	Enumerate folders and his complete info of AD	description : Default container for domain controllers systemflags : -1946157056 iscriticalsystemobject : True gplink : [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local;0] whenchanged : 11/12/2022 5:59:00 AM objectclass : {top, organizationalUnit} showinadvancedviewonly : False usnchanged : 7921 dscorepropagationdata : {11/15/2022 3:49:24 AM, 11/12/2022 5:59:41 AM, 1/1/1601 12:04:16 AM} name : Domain Controllers distinguishedname : OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local ou : Domain Controllers
Get-DomainOU | select -ExpandProperty name	Enumerate only the names of the folder of AD	Domain Controllers StudentMachines Applocked Servers DevOps
(Get-DomainOU -Identity DevOps).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name	List all the computers in the DevOps OU	name ---- DCORP-CI [snip]

---

Enumerate GPOs

Commands	Function	Example
Get-DomainGPO	List info GPOs of AD	flags : 0 displayname : DevOps Policy gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}] whenchanged : 12/19/2024 12:00:15 PM versionnumber : 3 name : {0BF8D01C-1F62-4BDC-958C-57140B67D147} cn : {0BF8D01C-1F62-4BDC-958C-57140B67D147} usnchanged : 314489 dscorepropagationdata : {12/18/2024 7:31:56 AM, 1/1/1601 12:00:00 AM} objectguid : fc0df125-5e26-4794-93c7-e60c6eecb75f gpcfilesyspath : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{0BF8D01C-1F62-4BDC-958C-57140B67D147} distinguishedname : CN={0BF8D01C-1F62-4BDC-958C-57140B67D147},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local whencreated : 12/18/2024 7:31:22 AM showinadvancedviewonly : True usncreated : 293100 gpcfunctionalityversion : 2 instancetype : 4 objectclass : {top, container, groupPolicyContainer} objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local [snip]
(Get-DomainOU -Identity DevOps).gplink	Get GUID of specific police	[LDAP://cn={0BF8D01C-1F62-4BDC-958C-57140B67D147},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
Get-DomainGPO -Identity '{GUID}'	List all datails of specific GPO	flags : 0 displayname : DevOps Policy gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}] whenchanged : 12/19/2024 12:00:15 PM versionnumber : 3 name : {0BF8D01C-1F62-4BDC-958C-57140B67D147} cn : {0BF8D01C-1F62-4BDC-958C-57140B67D147} usnchanged : 314489 dscorepropagationdata : {12/18/2024 7:31:56 AM, 1/1/1601 12:00:00 AM} objectguid : fc0df125-5e26-4794-93c7-e60c6eecb75f gpcfilesyspath : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{0BF8D01C-1F62-4BDC-958C-57140B67D147} distinguishedname : CN={0BF8D01C-1F62-4BDC-958C-57140B67D147},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local whencreated : 12/18/2024 7:31:22 AM showinadvancedviewonly : True usncreated : 293100 gpcfunctionalityversion : 2 instancetype : 4 objectclass : {top, container, groupPolicyContainer} objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local

---

Enumerate ACLs of GPOs

To enumerate the ACLs for the Applocked and DevOps GPO, let's use the BloodHound CE UI.

Search for Applocker in the UI -> Click on the node -> Click on Inboud Object Control

It turns out that the RDPUsers group has GenericAll over the policy.

Similary, search for DevOps and look at its 'Inbound Object Control':

A user named 'devopsadmin' has 'WriteDACL' on DevOps Policy.

---

Enumerate all domains in the current Forest

Note: Remenber use a silent powershell

Get-ForestDomain -Verbose

---

Enumerate all Trust of "dollarcorp" Domain

Note: Remenber use a silent powershell

Get-DomainTrust

List external trusts & Extact Infromation

Learning Objetive 4 | Checklists | brain_fuckeldeim.gitbook.io

Commands	Function	Example
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}	List only the external trusts in the "moneycorp.local" forest	SourceName : dollarcorp.moneycorp.local TargetName : eurocorp.local TrustType : WINDOWS_ACTIVE_DIRECTORY TrustAttributes : FILTER_SIDS TrustDirection : Bidirectional WhenCreated : 11/12/2022 8:15:23 AM WhenChanged : 1/25/2026 4:16:41 AM
Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}	Enumerate external trusts of the "dollarcorp" domain	SourceName : dollarcorp.moneycorp.local TargetName : eurocorp.local TrustType : WINDOWS_ACTIVE_DIRECTORY TrustAttributes : FILTER_SIDS TrustDirection : Bidirectional WhenCreated : 11/12/2022 8:15:23 AM WhenChanged : 1/25/2026 4:16:41 AM Since the above is a Bi-Directional trust, we can extract information from the eurocorp.local forest. We either need bi-directional trust or one-way trust from eurocorp.local to dollarcorp to be able to use the below command
Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}	Extract information from the eurocorp.local forest	SourceName : dollarcorp.moneycorp.local TargetName : eurocorp.local TrustType : WINDOWS_ACTIVE_DIRECTORY TrustAttributes : FILTER_SIDS TrustDirection : Bidirectional WhenCreated : 11/12/2022 8:15:23 AM WhenChanged : 1/25/2026 4:16:41 AM Notice the error above. It occurred because PowerView attempted to list trusts even for eu.eurocorp.local. Because external trust is non-transitive it was not possible!

---

Using AD Module in a PowerShell - Invisi-Shell

Import the AD Module in a PowerShell session started using Invisi-Shell:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

Commands	Function	Example
(Get-ADForest).Domains	Enumerate all the domains	dollarcorp.moneycorp.local moneycorp.local us.dollarcorp.moneycorp.local
Get-ADTrust -Filter *	Enumerate all the Trusts in the current domain	Direction : BiDirectional DisallowTransivity : False DistinguishedName : CN=moneycorp.local,CN=System,DC=dollarcorp,DC=moneycorp,DC=local ForestTransitive : False IntraForest : True IsTreeParent : False IsTreeRoot : False Name : moneycorp.local ObjectClass : trustedDomain ObjectGUID : 01c3b68d-520b-44d8-8e7f-4c10927c2b98 SelectiveAuthentication : False SIDFilteringForestAware : False SIDFilteringQuarantined : False Source : DC=dollarcorp,DC=moneycorp,DC=local Target : moneycorp.local TGTDelegation : False TrustAttributes : 32 TrustedPolicy : TrustingPolicy : TrustType : Uplevel UplevelOnly : False UsesAESKeys : False UsesRC4Encryption : False [snip]
Get-ADForest | %{Get-ADTrust -Filter *}	Enumerate all the trusts in the moneycorp.local forest	Direction : BiDirectional DisallowTransivity : False DistinguishedName : CN=moneycorp.local,CN=System,DC=dollarcorp,DC=moneycorp,DC=local ForestTransitive : False IntraForest : True IsTreeParent : False IsTreeRoot : False Name : moneycorp.local ObjectClass : trustedDomain ObjectGUID : 01c3b68d-520b-44d8-8e7f-4c10927c2b98 SelectiveAuthentication : False SIDFilteringForestAware : False SIDFilteringQuarantined : False Source : DC=dollarcorp,DC=moneycorp,DC=local Target : moneycorp.local TGTDelegation : False TrustAttributes : 32 TrustedPolicy : TrustingPolicy : TrustType : Uplevel UplevelOnly : False UsesAESKeys : False UsesRC4Encryption : False [snip]
(Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}	Enumerate external trusts in moneycorp.local domain	Direction : BiDirectional DisallowTransivity : False DistinguishedName : CN=eurocorp.local,CN=System,DC=dollarcorp,DC=moneycorp,DC=local ForestTransitive : False IntraForest : False IsTreeParent : False IsTreeRoot : False Name : eurocorp.local ObjectClass : trustedDomain ObjectGUID : d4d64a77-63be-4d77-93c2-6524e73d306d SelectiveAuthentication : False SIDFilteringForestAware : False SIDFilteringQuarantined : True Source : DC=dollarcorp,DC=moneycorp,DC=local Target : eurocorp.local TGTDelegation : False TrustAttributes : 4 TrustedPolicy : TrustingPolicy : TrustType : Uplevel UplevelOnly : False UsesAESKeys : False UsesRC4Encryption : False

---

Enumeate File shares with Write permissions

Invisi-Shell & PowerHuntShares exec

Remenber use C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

After this, we need save into a file txt in C:\AD\Tools, all Domain Computer, extract its using:

Get-DomainComputer | select -ExpandProperty dnshostname

PS C:\AD\Tools> notepad servers.txt
## Paste the servers
cat C:\AD\Tools\servers.txt

Import-Module C:\AD\Tools\PowerHuntShares.psm1
Invoke-HuntSMBShares -NoPing -OutputDirectory C:\AD\Tools\ -HostList C:\AD\Tools\servers.txt

You need to copy the summary report to your host machine because the report needs interent access, which is not available on the student VM.

Connect via RDP to download it, for example