# Cheatsheet - Fast Commands (ENUMERATION)

## Invisible Shells + Addons

<table><thead><tr><th width="134">Tool</th><th width="159">Purpose</th><th width="410">Example commands</th></tr></thead><tbody><tr><td><strong>Invisi-Shell</strong></td><td>PowerShell stealth (AMSI + logging bypass)</td><td><p><code>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat</code></p><blockquote><p>or</p></blockquote><p><code>C:\AD\Tools\InviShell\RunWithPathAsAdmin.bat</code></p></td></tr><tr><td><strong>PowerView</strong></td><td>Offensive Active Directory enumeration</td><td><p><code>. C:\AD\Tools\PowerView.ps1</code></p><blockquote><p>Example Commands:</p><p><code>Get-DomainUser</code></p><p><code>Get-DomainGroup</code></p><p><code>Find-InterestingDomainAcl</code></p><p><code>Get-DomainObjectAcl -Identity administrador -ResolveGUIDs</code></p></blockquote></td></tr><tr><td><strong>ADModule</strong></td><td>Microsoft's official module for administering AD</td><td><p><code>Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll</code></p><blockquote><p>and</p></blockquote><p><code>Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1</code></p><blockquote><p>Example Commands:</p><p><code>Get-ADUser -Filter *</code></p><p><code>Get-ADGroup -Filter *</code></p></blockquote></td></tr></tbody></table>

### Using Invisi-Shell

> • With admin privileges:\
> `RunWithPathAsAdmin.bat`\
> • With non-admin privileges:\
> `RunWithRegistryNonAdmin.bat`\
> • Type exit from the new PowerShell session to complete the clean-up.

```
cd \AD\Tools
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
```

```
. C:\AD\Tools\PowerView.ps1
```

***

## All Enumeration - PowerView

* Domain Info
* Users
  * Member Computers
* Computers
* Domain Administrators
  * Members of the Domain Admins group
* Enterprise Administrators
  * Members of the Enterprise Administrators

{% embed url="<https://eldeim.gitbook.io/brain_fuck/checklists/certifications/crtp-certified-red-team-professional/learning-objectives/learning-objetive-1#all-enumerations>" %}

<table><thead><tr><th width="228">Commands</th><th width="136">Function</th><th>Example</th></tr></thead><tbody><tr><td><code>Get-Domain</code></td><td>General Info by Domain</td><td><pre><code><strong>Forest : moneycorp.local
</strong>DomainControllers : {dcorp-dc.dollarcorp.moneycorp.local}
Children : {us.dollarcorp.moneycorp.local}
</code></pre></td></tr><tr><td><code>Get-DomainUser | select -ExpandProperty samaccountname</code></td><td>List All Current Domain Users</td><td><pre><code><strong>Administrator
</strong><strong>Guest
</strong>[snip]
</code></pre></td></tr><tr><td><code>Get-DomainComputer | select -ExpandProperty dnshostname</code></td><td>List Names of Machines: DCs, Servers, PCs, WorkStations, etc...</td><td><pre><code>dcorp-dc.dollarcorp.moneycorp.local
dcorp-adminsrv.dollarcorp.moneycorp.local
dcorp-appsrv.dollarcorp.moneycorp.local
dcorp-ci.dollarcorp.moneycorp.local
dcorp-mgmt.dollarcorp.moneycorp.local
dcorp-mssql.dollarcorp.moneycorp.local
dcorp-sql1.dollarcorp.moneycorp.local
dcorp-stdadmin.dollarcorp.moneycorp.local
dcorp-std111.dollarcorp.moneycorp.local
[snip]
</code></pre></td></tr><tr><td><code>Get-DomainGroup -Identity "Domain Admins"</code></td><td>List Domain Admins: members, SID, descriptions, DN, etc..</td><td><pre><code>samaccountname : Domain Admins
member : {CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local, CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local}
</code></pre></td></tr><tr><td><code>Get-DomainGroupMember -Identity "Domain Admins"</code></td><td>List members of the Domain Admins group</td><td><pre><code>MemberName : Administrator
MemberName : svcadmin
</code></pre></td></tr><tr><td><code>Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local</code></td><td>List members of the Enterprise Admins group (forest root domain)</td><td><pre><code>GroupDomain : moneycorp.local
GroupName : Enterprise Admin
MemberName : Administrator
</code></pre></td></tr></tbody></table>

***

## All Enumeration - ADModule

* Domain Users
  * List Properties
* All Computers
* Enumerate Domain Administrators
* Enumerate the Enterprise Administrators

{% embed url="<https://eldeim.gitbook.io/brain_fuck/checklists/certifications/crtp-certified-red-team-professional/learning-objectives/learning-objetive-1#using-the-active-directory-module-admodule>" %}

<table><thead><tr><th width="228">Commands</th><th width="136">Function</th><th>Example</th></tr></thead><tbody><tr><td><code>Get-ADUser -Filter *</code></td><td>List all users in the current domain</td><td><pre><code>SamAccountName : Administrator
SID : S-1-5-21-719815819-3726368948-3917688648-500
SamAccountName : Guest
SID : S-1-5-21-719815819-3726368948-3917688648-501
</code></pre></td></tr><tr><td><code>Get-ADUser -Filter * -Properties *| select Samaccountname,Description</code></td><td>List specific properties: Samaccountname,Description</td><td><pre><code>Samaccountname Description
-------------- -----------
Administrator  Built-in account for administering the computer/domain
Guest          Built-in account for guest access to the computer/domain
krbtgt         Key Distribution Center Service Account
[snip]
</code></pre></td></tr><tr><td><code>Get-ADComputer -Filter *</code></td><td>List All Computers</td><td><pre><code>DistinguishedName : CN=DCORP-ADMINSRV,OU=Applocked,DC=dollarcorp,DC=moneycorp,DC=local
DNSHostName       : dcorp-adminsrv.dollarcorp.moneycorp.local
Enabled           : True
Name              : DCORP-ADMINSRV
ObjectClass       : computer
ObjectGUID        : 2e036483-7f45-4416-8a62-893618556370
SamAccountName    : DCORP-ADMINSRV$
SID               : S-1-5-21-719815819-3726368948-3917688648-1105
[snip]
</code></pre></td></tr><tr><td><p><code>Get-ADGroupMember</code></p><p><code>-Identity 'Domain Admins'</code></p></td><td>List Domain Admins: members, SID, descriptions, DN, etc..</td><td><pre><code>samaccountname : Domain Admins
member : {CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local, CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local}
</code></pre></td></tr><tr><td><code>Get-ADGroupMember -Identity 'Enterprise Admins' -Server moneycorp.local</code></td><td>List members of the Enterprise Admins group (queried against the forest root)</td><td><pre><code>distinguishedName : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
name              : Administrator
objectClass       : user
objectGUID        : d954e824-f549-47c2-9809-646c218cef36
SamAccountName    : Administrator
SID               : S-1-5-21-719815819-3726368948-3917688648-500
distinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
name              : svc admin
objectClass       : user
objectGUID        : 244f9c84-7e33-4ed6-aca1-3328d0802db0
SamAccountName    : svcadmin
SID               : S-1-5-21-719815819-3726368948-3917688648-1118
</code></pre></td></tr></tbody></table>
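The two tables above list the privileged-group members one group at a time. The following script is an added example (not part of this cheatsheet, not PowerView or ADModule code) that turns those commands into a single report with the Microsoft AD module: it resolves Enterprise Admins and Schema Admins against the forest root, flattens nested groups with `-Recursive`, and pulls the attributes an auditor wants for each member (enabled state, last logon, password age, presence of an SPN). It assumes the AD module has already been imported as shown above; the group list is a reasonable default and can be changed.

```powershell
# Added example: recursive membership report of the top-tier AD groups.
# Assumes the ActiveDirectory module is loaded (Import-Module lines above).
if (-not (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue)) {
    Import-Module ActiveDirectory -ErrorAction Stop
}

function Get-DomainFromDN([string]$dn) {
    # "CN=x,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -> "dollarcorp.moneycorp.local"
    # Needed because Enterprise Admins may contain users from child domains.
    ($dn -split ',' | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-PrivilegedGroupReport {
    param(
        # Resolved in the current domain (assumed default list).
        [string[]]$DomainGroups = @('Domain Admins', 'Administrators', 'Account Operators'),
        # Only exist in the forest root, so they are queried with -Server <root>.
        [string[]]$ForestGroups = @('Enterprise Admins', 'Schema Admins')
    )
    $forestRoot    = (Get-ADForest).RootDomain     # e.g. moneycorp.local
    $currentDomain = (Get-ADDomain).DNSRoot        # e.g. dollarcorp.moneycorp.local

    $targets = @()
    foreach ($g in $DomainGroups) { $targets += [pscustomobject]@{ Group = $g; Server = $currentDomain } }
    foreach ($g in $ForestGroups) { $targets += [pscustomobject]@{ Group = $g; Server = $forestRoot } }

    foreach ($t in $targets) {
        try {
            # -Recursive flattens nested groups, so a member hidden behind group
            # nesting (the usual way an audit misses a path to DA) still shows up.
            $members = Get-ADGroupMember -Identity $t.Group -Server $t.Server -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not enumerate '$($t.Group)' on $($t.Server): $_"
            continue
        }
        foreach ($m in $members) {
            $detail = $null
            if ($m.objectClass -eq 'user') {
                # Query the member's own domain, derived from its DN.
                $detail = Get-ADUser -Identity $m.distinguishedName `
                                     -Server (Get-DomainFromDN $m.distinguishedName) `
                                     -Properties Enabled, LastLogonDate, PasswordLastSet, ServicePrincipalName
            }
            [pscustomobject]@{
                Group           = $t.Group
                QueriedOn       = $t.Server
                Member          = $m.SamAccountName
                Class           = $m.objectClass
                Enabled         = $detail.Enabled
                LastLogonDate   = $detail.LastLogonDate
                PasswordLastSet = $detail.PasswordLastSet
                # A highly privileged account with an SPN is a Kerberoast exposure worth fixing.
                HasSPN          = ($detail.ServicePrincipalName.Count -gt 0)
            }
        }
    }
}

# Usage: stale, disabled or SPN-bearing accounts in these groups are the findings to act on.
Get-PrivilegedGroupReport | Sort-Object Group, Member | Format-Table -AutoSize
```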

***

## Bloodhound

{% embed url="<https://eldeim.gitbook.io/brain_fuck/checklists/certifications/crtp-certified-red-team-professional/learning-objectives/learning-objetive-1#bloodhound>" %}

We need to install the neo4j service. Unzip the archive C:\AD\Tools\neo4j-community-4.1.1-windows.zip

### Installation

> Install and start the neo4j service as follows, from its bin folder:
>
> ```
> cd C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin
> ```

> For this we need an elevated (admin) session to continue with the installation

```
neo4j.bat install-service
neo4j.bat start
```

Once the service is started, browse to [http://localhost:7474](http://localhost:7474/)

Enter the username: neo4j and password: neo4j. You need to enter a new password. Let's use BloodHound as the new password.

Now, open BloodHound from `C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64` and provide the following details:

> bolt://localhost:7687
>
> Username: neo4j Password: BloodHound

### Ingestors

Run the BloodHound ingestor (SharpHound) to gather data about the current domain. Run the following command to start the collector:

```
C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.exe --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets --excludedcs
```

```
C:\AD\Tools\>C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.exe --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets --excludedcs
[+] Successfully unhooked ETW!
[+++] NTDLL.DLL IS UNHOOKED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+] URL/PATH : C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors\SharpHound.exe Arguments : --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets ?excludedcs
[snip]
2024-12-19T02:51:45.7390124-08:00|INFORMATION|SharpHound Enumeration Completed at 2:51 AM on 12/19/2024! Happy Graphing!
```

Once all the data is uploaded to BloodHound, search for shortest path to Domain Admins in dollarcorp domain. (press Ctrl to toggle labels).

***

## PowerHuntShares

Run the following commands from a PowerShell session started using [Invisi-Shell](https://eldeim.gitbook.io/brain_fuck/checklists/certifications/crtp-certified-red-team-professional/learning-objectives/learning-objetive-1#using-the-active-directory-module-admodule):

> After this, we need to save all domain computers into a txt file in C:\AD\Tools; extract them using:
>
> ```
> Get-DomainComputer | select -ExpandProperty dnshostname
> ```

```
PS C:\AD\Tools> notepad servers.txt
## Paste the servers
cat C:\AD\Tools\servers.txt
```

```
Import-Module C:\AD\Tools\PowerHuntShares.psm1
Invoke-HuntSMBShares -NoPing -OutputDirectory C:\AD\Tools\ -HostList C:\AD\Tools\servers.txt
```

> It generates an .html report in the same folder
>
> You need to copy the summary report to your host machine because the report needs internet access, which is not available on the student VM.

Go to ShareGraph -> search dcorp-ci -> Right click on the dcorp-ci node -> Click expand. It turns out that 'Everyone' has privileges on the 'AI' folder.

***

## ACLs Enumeration - Domain Admins Group

{% embed url="<https://eldeim.gitbook.io/brain_fuck/checklists/certifications/crtp-certified-red-team-professional/learning-objectives/learning-objetive-2#enumerate-acls-for-the-domain-admins-group>" %}

> Remember to continue using the PowerShell session started using Invisi-Shell

<table><thead><tr><th width="228">Commands</th><th width="136">Function</th><th>Example</th></tr></thead><tbody><tr><td><code>Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs</code></td><td>List the ACEs (with resolved GUIDs) on the Domain Admins group object</td><td><pre><code>AceQualifier           : AccessAllowed
ObjectDN               : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
ActiveDirectoryRights  : ReadProperty
ObjectAceType          : User-Account-Restrictions
ObjectSID              : S-1-5-21-719815819-3726368948-3917688648-512
InheritanceFlags       : None
</code></pre></td></tr></tbody></table>

### Excessive Permissions - On our account

Finally, to check for modify rights/permissions held by our studentx account, we can use Find-InterestingDomainACL from PowerView:

```
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student113"}
```

### Member of the RDPUsers group

> Note that the output in your lab for the below command will be different and will depend on your lab instance:

<table><thead><tr><th width="228">Commands</th><th width="136">Function</th><th>Example</th></tr></thead><tbody><tr><td><code>Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}</code></td><td>List interesting ACEs whose identity is the RDPUsers group</td><td><pre><code>ObjectDN                : CN=ControlxUser,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : GenericAll
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-719815819-3726368948-3917688648-1123
IdentityReferenceName   : RDPUsers
IdentityReferenceDomain : dollarcorp.moneycorp.local
IdentityReferenceDN     : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
IdentityReferenceClass  : group
[snip]
</code></pre></td></tr></tbody></table>
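The ACL tables above (the DACL of Domain Admins, and the rights held by our own account and by RDPUsers) rely on PowerView's `Get-DomainObjectAcl` and `Find-InterestingDomainAcl`. The script below is an added example (not PowerView code and not part of the cheatsheet) that performs the same check with only the Microsoft AD module, via the `AD:` PSDrive and `Get-Acl`: it keeps the Allow ACEs that grant control-type rights (GenericAll, WriteDacl, WriteOwner, WriteProperty, ExtendedRight, Self), names the attribute or control right the ACE is scoped to, and flags principals outside an expected admin set. The target DN is the Domain Admins group from the page; the `ExpectedPrincipals` default and the NetBIOS name `DOLLARCORP` are assumptions for illustration.

```powershell
# Added example: audit control rights on one AD object using the AD module's AD: drive.
# Assumes the ActiveDirectory module (and its AD: provider) is loaded.
if (-not (Get-Command Get-ADObject -ErrorAction SilentlyContinue)) {
    Import-Module ActiveDirectory -ErrorAction Stop
}

# Rights that let the holder take over the object or its security-relevant attributes.
$ControlRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight', 'Self'

# ACE ObjectType GUIDs worth naming; the all-zero GUID means "the whole object".
$GuidNames = @{
    '00000000-0000-0000-0000-000000000000' = 'All'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'Member (group membership attribute)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-ObjectControlAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Principals expected to hold control rights here (assumed list); anything else is reported.
        [string[]]$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                          'DOLLARCORP\Domain Admins', 'DOLLARCORP\Enterprise Admins')
    )
    # Get-Acl on the AD: drive returns the object's security descriptor (DACL in .Access).
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum; ToString() gives "CreateChild, WriteDacl, ..."
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = @($rights | Where-Object { $ControlRights -contains $_ })
        if ($hit.Count -eq 0) { continue }
        $who     = $ace.IdentityReference.Value          # "DOMAIN\name", or a SID string if unresolved
        $objType = $ace.ObjectType.ToString()
        [pscustomobject]@{
            ObjectDN   = $DistinguishedName
            Principal  = $who
            Rights     = ($hit -join ',')
            AppliesTo  = if ($GuidNames.ContainsKey($objType)) { $GuidNames[$objType] } else { $objType }
            Inherited  = $ace.IsInherited
            Unexpected = -not ($ExpectedPrincipals -contains $who)
        }
    }
}

# Usage: the "Unexpected" rows are the ones to remediate (or to explain in a finding).
$daDN = 'CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
Get-ObjectControlAce -DistinguishedName $daDN | Where-Object Unexpected | Format-Table -AutoSize

# The same function works for any object, e.g. a user that a group such as RDPUsers controls:
# Get-ObjectControlAce -DistinguishedName 'CN=ControlxUser,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
```

`WriteProperty` scoped to a single harmless attribute will also match, so read the `AppliesTo` column before treating a row as a finding; `WriteProperty` on `Member`, or any right on `All`, is the combination that matters for a group object.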

***

## Analyze the permissions - BloodHound UI (local machine)

> DO IT with ADMIN LOCAL PRIVILEGES!

### Install Bloodhound - Neo4j

```
# Unzip C:\AD\Tools\neo4j-community-4.4.5-windows.zip, then from its \bin folder:
cd C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin
neo4j.bat install-service
neo4j.bat start
```

<figure><img src="/files/JCuzHoqjN7OGN5m9vrie" alt=""><figcaption></figcaption></figure>

Once the service is started, browse to [http://localhost:7474](http://localhost:7474/)

> Username: neo4j Password: neo4j
>
> After logging in, we need to change the password; set BloodHound (or neo4j)!

#### Install/Start BloodHound

Now, open BloodHound from C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64 and provide the following details:

```
C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64\BloodHound.exe
```

> Set the same username and password as before

<figure><img src="/files/yCNA1gGVmiP3IEQHK37v" alt=""><figcaption></figcaption></figure>

### BloodHound Ingestor

Once all of this is done, execute the ingestor and upload its output:

> It is saved into `C:\AD\Tools\BloodHound-4.0.3_old\BloodHound-master\Collectors`

```
.\SharpHound.exe
```

<mark style="background-color:yellow;">IMPORTANT:</mark> Upload the whole zip file, do not extract it.

<figure><img src="/files/gyJsbEGUXVPAB4ch78Ja" alt="" width="375"><figcaption></figcaption></figure>

<figure><img src="/files/fY1MEjKN8pKWS3YKEH46" alt=""><figcaption></figcaption></figure>

***

## Enumerate OUs

<table><thead><tr><th width="228">Commands</th><th width="136">Function</th><th>Example</th></tr></thead><tbody><tr><td><code>Get-DomainOU</code></td><td>Enumerate the OUs of the domain with their complete attributes</td><td><pre><code>description            : Default container for domain controllers
systemflags            : -1946157056
iscriticalsystemobject : True
gplink                 : [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local;0]
whenchanged            : 11/12/2022 5:59:00 AM
objectclass            : {top, organizationalUnit}
showinadvancedviewonly : False
usnchanged             : 7921
dscorepropagationdata  : {11/15/2022 3:49:24 AM, 11/12/2022 5:59:41 AM, 1/1/1601 12:04:16 AM}
name                   : Domain Controllers
distinguishedname      : OU=Domain Controllers,DC=dollarcorp,DC=moneycorp,DC=local
ou                     : Domain Controllers
</code></pre></td></tr><tr><td><code>Get-DomainOU | select -ExpandProperty name</code></td><td>List only the OU names</td><td><pre><code><strong>Domain Controllers
</strong>StudentMachines
Applocked
Servers
DevOps
</code></pre></td></tr><tr><td><code>(Get-DomainOU -Identity DevOps).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name</code></td><td>List all the computers in the DevOps OU</td><td><pre><code>name
----
DCORP-CI
[snip]
</code></pre></td></tr></tbody></table>

***

## Enumerate GPOs

<table><thead><tr><th width="228">Commands</th><th width="136">Function</th><th>Example</th></tr></thead><tbody><tr><td><code>Get-DomainGPO</code></td><td>List all GPOs in the domain with their attributes</td><td><pre><code>flags                    : 0
displayname              : DevOps Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged              : 12/19/2024 12:00:15 PM
versionnumber            : 3
name                     : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
cn                       : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
usnchanged               : 314489
dscorepropagationdata    : {12/18/2024 7:31:56 AM, 1/1/1601 12:00:00 AM}
objectguid               : fc0df125-5e26-4794-93c7-e60c6eecb75f
gpcfilesyspath           : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{0BF8D01C-1F62-4BDC-958C-57140B67D147}
distinguishedname        : CN={0BF8D01C-1F62-4BDC-958C-57140B67D147},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated              : 12/18/2024 7:31:22 AM
showinadvancedviewonly   : True
usncreated               : 293100
gpcfunctionalityversion  : 2
instancetype             : 4
objectclass              : {top, container, groupPolicyContainer}
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
[snip]
</code></pre></td></tr><tr><td><p><code>(Get-DomainOU</code></p><p><code>-Identity DevOps).gplink</code></p></td><td>Get the GUID of the GPO linked to a specific OU</td><td><pre><code>[LDAP://cn={0BF8D01C-1F62-4BDC-958C-57140B67D147},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
</code></pre></td></tr><tr><td><p><code>Get-DomainGPO</code></p><p><code>-Identity '{GUID}'</code></p></td><td>List all details of a specific GPO</td><td><pre><code>flags                    : 0
displayname              : DevOps Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged              : 12/19/2024 12:00:15 PM
versionnumber            : 3
name                     : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
cn                       : {0BF8D01C-1F62-4BDC-958C-57140B67D147}
usnchanged               : 314489
dscorepropagationdata    : {12/18/2024 7:31:56 AM, 1/1/1601 12:00:00 AM}
objectguid               : fc0df125-5e26-4794-93c7-e60c6eecb75f
gpcfilesyspath           : \\dollarcorp.moneycorp.local\SysVol\dollarcorp.moneycorp.local\Policies\{0BF8D01C-1F62-4BDC-958C-57140B67D147}
distinguishedname        : CN={0BF8D01C-1F62-4BDC-958C-57140B67D147},CN=Policies,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
whencreated              : 12/18/2024 7:31:22 AM
showinadvancedviewonly   : True
usncreated               : 293100
gpcfunctionalityversion  : 2
instancetype             : 4
objectclass              : {top, container, groupPolicyContainer}
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=moneycorp,DC=local
</code></pre></td></tr></tbody></table>
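The `gplink` value shown above is a raw string of `[LDAP://<GPO DN>;<options>]` entries, and the table reads the GUID out of it by eye before feeding it to `Get-DomainGPO`. The following is an added example (not part of the cheatsheet, not PowerView code) that parses a gPLink string into one object per linked GPO, decoding the options field (bit 1 = link disabled, bit 2 = enforced), and then resolves each linked GPO's display name and SYSVOL path with the AD module. The sample gPLink string is the one from the page; the `Resolve-GPLink` call assumes a domain-joined session with the AD module loaded.

```powershell
# Added example: parse gPLink and resolve the linked GPOs.

function ConvertFrom-GPLink {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$GPLink)
    # Each link looks like [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]
    $position = 0
    foreach ($m in [regex]::Matches($GPLink, '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]')) {
        $position++
        $opt  = [int]$m.Groups['opt'].Value
        $dn   = $m.Groups['dn'].Value
        $guid = if ($dn -match '\{([0-9A-Fa-f-]{36})\}') { $matches[1].ToUpper() } else { $null }
        [pscustomobject]@{
            Position = $position                  # position within the gPLink string
            GpoGuid  = $guid
            GpoDN    = $dn
            Disabled = [bool]($opt -band 1)       # link present but not applied
            Enforced = [bool]($opt -band 2)       # "No Override": wins over lower-level GPOs
        }
    }
}

function Resolve-GPLink {
    # Reads gPLink from an OU (or domain/site) and resolves each GPO container.
    param([Parameter(Mandatory)][string]$OUDistinguishedName)
    if (-not (Get-Command Get-ADObject -ErrorAction SilentlyContinue)) {
        Import-Module ActiveDirectory -ErrorAction Stop
    }
    $ou = Get-ADObject -Identity $OUDistinguishedName -Properties gPLink, gPOptions
    foreach ($link in ConvertFrom-GPLink -GPLink ([string]$ou.gPLink)) {
        # Same attributes Get-DomainGPO shows: displayName and gPCFileSysPath.
        $gpo = Get-ADObject -Identity $link.GpoDN -Properties displayName, gPCFileSysPath, versionNumber `
                            -ErrorAction SilentlyContinue
        $link | Add-Member -NotePropertyName DisplayName -NotePropertyValue $gpo.displayName
        $link | Add-Member -NotePropertyName SysVolPath  -NotePropertyValue $gpo.gPCFileSysPath -PassThru
    }
}

# Offline check with the gPLink value from the DevOps OU shown above:
$sample = '[LDAP://cn={0BF8D01C-1F62-4BDC-958C-57140B67D147},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]'
ConvertFrom-GPLink -GPLink $sample | Format-List

# Against the lab (AD module + domain-joined session):
# Resolve-GPLink -OUDistinguishedName 'OU=DevOps,DC=dollarcorp,DC=moneycorp,DC=local' | Format-Table -AutoSize
```

The `SysVolPath` column is what you need next when reviewing what a policy actually pushes (scripts, scheduled tasks, local group changes), and `Enforced`/`Disabled` tell you whether a suspicious link is even in effect.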

***

### Enumerate ACLs of GPOs

To enumerate the ACLs for the Applocked and DevOps GPO, let's use the BloodHound CE UI.

Search for Applocker in the UI -> Click on the node -> Click on Inbound Object Control

<figure><img src="/files/T6naFoOqNPzHRnNIAOW6" alt=""><figcaption></figcaption></figure>

It turns out that the RDPUsers group has GenericAll over the policy.

Similarly, search for DevOps and look at its 'Inbound Object Control':

<figure><img src="/files/072AnJT1zDQUQ1fAWzpB" alt=""><figcaption></figcaption></figure>

A user named 'devopsadmin' has 'WriteDACL' on DevOps Policy.

***

## Enumerate all domains in the current Forest

> Note: Remember to use a stealth PowerShell session (Invisi-Shell)

```
Get-ForestDomain -Verbose
```

<figure><img src="/files/eGVlcQhBtGY76nEB0pIL" alt=""><figcaption></figcaption></figure>

***

### Enumerate all Trust of "dollarcorp" Domain

> Note: Remember to use a stealth PowerShell session (Invisi-Shell)

```
Get-DomainTrust
```

<figure><img src="/files/Ft6r9RuD5CwKHxFQV1Fc" alt=""><figcaption></figcaption></figure>

### List external trusts & Extract Information

{% embed url="<https://eldeim.gitbook.io/brain_fuck/checklists/certifications/crtp-certified-red-team-professional/learning-objectives/learning-objetive-4#list-only-the-external-trusts-in-the-moneycorp.local-forest>" %}

<table><thead><tr><th width="274">Commands</th><th width="136">Function</th><th>Example</th></tr></thead><tbody><tr><td><p><code>Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}</code></p></td><td>List only the external trusts in the "moneycorp.local" forest</td><td><pre><code><strong>SourceName      : dollarcorp.moneycorp.local
</strong>TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 1/25/2026 4:16:41 AM
</code></pre></td></tr><tr><td><code>Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}</code></td><td>Enumerate external trusts of the "dollarcorp" domain</td><td><pre><code>SourceName      : dollarcorp.moneycorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 1/25/2026 4:16:41 AM
</code></pre><blockquote><p>Since the above is a bi-directional trust, we can extract information from the eurocorp.local forest.</p><blockquote><p>We either need a bi-directional trust or a one-way trust from eurocorp.local to dollarcorp to be able to use the command below</p></blockquote></blockquote></td></tr><tr><td><code>Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}</code></td><td>Extract information from the eurocorp.local forest</td><td><pre><code><strong>SourceName      : dollarcorp.moneycorp.local
</strong><strong>TargetName      : eurocorp.local
</strong><strong>TrustType       : WINDOWS_ACTIVE_DIRECTORY
</strong><strong>TrustAttributes : FILTER_SIDS
</strong><strong>TrustDirection  : Bidirectional
</strong><strong>WhenCreated     : 11/12/2022 8:15:23 AM
</strong><strong>WhenChanged     : 1/25/2026 4:16:41 AM
</strong></code></pre><blockquote><p>Notice the error above. It occurred because PowerView attempted to list trusts even for eu.eurocorp.local. Because external trust is non-transitive it was not possible!</p></blockquote></td></tr></tbody></table>

***

### Using AD Module in a PowerShell - Invisi-Shell <a href="#a-d-module-in-a-powershell-invisi-shell" id="a-d-module-in-a-powershell-invisi-shell"></a>

> Import the AD Module in a PowerShell session started using Invisi-Shell:

```
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
```

<table><thead><tr><th width="274">Commands</th><th width="136">Function</th><th>Example</th></tr></thead><tbody><tr><td><code>(Get-ADForest).Domains</code></td><td>Enumerate all the domains</td><td><pre><code>dollarcorp.moneycorp.local
moneycorp.local
us.dollarcorp.moneycorp.local
</code></pre></td></tr><tr><td><code>Get-ADTrust -Filter *</code></td><td>Enumerate all the Trusts in the current domain</td><td><pre><code>Direction : BiDirectional
DisallowTransivity : False
DistinguishedName :
CN=moneycorp.local,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : moneycorp.local
ObjectClass : trustedDomain
ObjectGUID : 01c3b68d-520b-44d8-8e7f-4c10927c2b98
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=dollarcorp,DC=moneycorp,DC=local
Target : moneycorp.local
TGTDelegation : False
TrustAttributes : 32
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
[snip]
</code></pre></td></tr><tr><td><p><code>Get-ADForest | %{Get-ADTrust</code></p><p><code>-Filter *}</code></p></td><td>Enumerate all the trusts in the moneycorp.local forest</td><td><pre><code>Direction : BiDirectional
DisallowTransivity : False
DistinguishedName :
CN=moneycorp.local,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : moneycorp.local
ObjectClass : trustedDomain
ObjectGUID : 01c3b68d-520b-44d8-8e7f-4c10927c2b98
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=dollarcorp,DC=moneycorp,DC=local
Target : moneycorp.local
TGTDelegation : False
TrustAttributes : 32
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
[snip]
</code></pre></td></tr><tr><td><code>(Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}</code></td><td>Enumerate external trusts in moneycorp.local domain</td><td><pre><code>Direction : BiDirectional
DisallowTransivity : False
DistinguishedName :
CN=eurocorp.local,CN=System,DC=dollarcorp,DC=moneycorp,DC=local
ForestTransitive : False
IntraForest : False
IsTreeParent : False
IsTreeRoot : False
Name : eurocorp.local
ObjectClass : trustedDomain
ObjectGUID : d4d64a77-63be-4d77-93c2-6524e73d306d
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : True
Source : DC=dollarcorp,DC=moneycorp,DC=local
Target : eurocorp.local
TGTDelegation : False
TrustAttributes : 4
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
</code></pre></td></tr></tbody></table>
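The AD module prints `TrustAttributes` as a raw number (32 for the moneycorp.local trust, 4 for eurocorp.local above), while PowerView prints flag names such as `FILTER_SIDS`; the external-trust filter in the last row works because an external trust has neither the within-forest nor the forest-transitive bit set. The script below is an added example (not part of the cheatsheet, not AD module or PowerView code) that decodes the bitmask into the MS-ADTS flag names, classifies each trust the same way the table's filter does, and walks every domain in the forest with `Get-ADTrust` to produce one summary row per trust. The two offline calls at the end use the values from the page; `Get-TrustSummary` assumes the AD module is loaded.

```powershell
# Added example: decode trustAttributes and summarise every trust in the forest.

# Flag values from MS-ADTS (trustAttributes); names follow PowerView's output.
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE                           = 0x1
    UPLEVEL_ONLY                             = 0x2
    FILTER_SIDS                              = 0x4     # QUARANTINED_DOMAIN: SID filtering on, typical of external trusts
    FOREST_TRANSITIVE                        = 0x8
    CROSS_ORGANIZATION                       = 0x10
    WITHIN_FOREST                            = 0x20    # parent/child or tree-root trust inside the forest
    TREAT_AS_EXTERNAL                        = 0x40
    USES_RC4_ENCRYPTION                      = 0x80
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x200
    PIM_TRUST                                = 0x400
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800
}

function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)][int]$Value)
    $names = @(foreach ($k in $TrustAttributeFlags.Keys) {
        if ($Value -band $TrustAttributeFlags[$k]) { $k }
    })
    if ($names.Count -eq 0) { $names = @('NONE') }
    # Same classification as the table's filter:
    #   WITHIN_FOREST set      -> intra-forest
    #   FOREST_TRANSITIVE set  -> forest trust
    #   neither                -> external trust
    $kind = if ($Value -band 0x20) { 'IntraForest' }
            elseif ($Value -band 0x8) { 'ForestTrust' }
            else { 'External' }
    [pscustomobject]@{ Value = $Value; Flags = ($names -join ','); Kind = $kind }
}

function Get-TrustSummary {
    # Walks every domain in the forest, like the last command in the table above.
    param([string]$Forest = (Get-ADForest).Name)
    if (-not (Get-Command Get-ADTrust -ErrorAction SilentlyContinue)) {
        Import-Module ActiveDirectory -ErrorAction Stop
    }
    (Get-ADForest -Identity $Forest).Domains | ForEach-Object {
        $d = $_
        Get-ADTrust -Filter * -Server $d | ForEach-Object {
            $dec = ConvertFrom-TrustAttributes -Value $_.TrustAttributes
            [pscustomobject]@{
                Source      = $d
                Target      = $_.Target
                Direction   = $_.Direction
                Kind        = $dec.Kind
                Flags       = $dec.Flags
                # An external trust without SID filtering is the finding a defender should raise.
                SidFiltered = $_.SIDFilteringQuarantined
                RC4Only     = -not $_.UsesAESKeys
            }
        }
    }
}

# Offline check with the two values shown in the table above:
ConvertFrom-TrustAttributes -Value 32   # WITHIN_FOREST -> IntraForest (moneycorp.local)
ConvertFrom-TrustAttributes -Value 4    # FILTER_SIDS   -> External    (eurocorp.local)

# Against the lab:
# Get-TrustSummary | Format-Table -AutoSize
```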

***

## Enumerate File shares with Write permissions

> **Invisi-Shell & PowerHuntShares exec**
>
> > Remember to use `C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat`
>
> > After this, we need to save all domain computers into a txt file in C:\AD\Tools; extract them using:
> >
> > ```
> > Get-DomainComputer | select -ExpandProperty dnshostname
> > ```
>
> ```
> PS C:\AD\Tools> notepad servers.txt
> ## Paste the servers
> cat C:\AD\Tools\servers.txt
> ```

```
Import-Module C:\AD\Tools\PowerHuntShares.psm1
Invoke-HuntSMBShares -NoPing -OutputDirectory C:\AD\Tools\ -HostList C:\AD\Tools\servers.txt
```

<figure><img src="/files/lt6Gdk1xp2wN03082e7v" alt=""><figcaption></figcaption></figure>

> You need to copy the summary report to your host machine because the report needs internet access, which is not available on the student VM.
>
> Connect via RDP to download it, for example

