Red Team Codex
A general cheatsheet provided and maintained by Cyndicate Labs. We hope it helps.
Contents
Active Directory
Get Domain Name
C:\> echo %USERDNSDOMAIN%
C:\> systeminfo | findstr /B /C:"Domain"
C:\> wmic computersystem get domain
PS C:\> [System.Net.Dns]::GetHostByName(($env:computerName))
PS C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Get Forest Trusts
C:\> nltest /trusted_domains
C:\> nltest /server:cdc001.corp.contoso.local /sc_query:contoso.local
PS C:\> ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
PS C:\> ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest())
PS C:\> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll()
PS C:\> ([ADSISearcher]"(objectClass=trustedDomain)").FindAll() | %{$a=$_.Properties["trustattributes"]; $d=$_.Properties["trustdirection"]; $t=$_.Properties["trusttype"] ; write-Host $_.Properties["distinguishedname"] $a $d $t}
Domain Password Policy
C:\> net accounts
C:\> net accounts /domain
PS C:\> Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
Get Domain Computers
C:\> net group "Domain Computers" /domain
# Find all computers
PS C:\> ([ADSISearcher]"ObjectClass=computer").FindAll()
# Here we search for any computers with a name like DES*
PS C:\> ([ADSISearcher]"(&(objectClass=computer)(name=DES*))").FindAll()
Get Domain Controllers
C:\> nltest /dclist:corp.contoso.local
C:\> nslookup -type=all _ldap._tcp.dc._msdcs.corp.contoso.local
C:\> net group "domain controllers" /domain
# Which DC authenticated us?
C:\> echo %LOGONSERVER%
C:\> nltest /dsgetdc:corp.contoso.local
PS C:\> ([ADSISearcher]"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))").FindAll()
Enumerate Users
C:\> net user maurice.moss /domain
C:\> net user /domain
PS C:\> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368)(samaccountname=maurice.moss))").FindAll().Properties
# Enumerate all users
PS C:\> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368))").FindAll()|ft
# Enumerate all users returning specific properties
PS C:\> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368))").FindAll() | %{ $_.Properties["samaccountname"] }
# Enumerate all users with a Service Principal Name (SPN)
PS C:\> ([ADSISearcher]"(&(objectClass=user)(servicePrincipalName=*)(samAccountType=805306368))").FindAll()
Enumerate Groups
C:\> net group /domain
# Enumerate domain group members
C:\> net group "Domain Admins" /domain
# Enumerate all domain groups
PS C:\> ([ADSISearcher]"ObjectClass=group").FindAll()
PS C:\> ([ADSISearcher]"ObjectClass=group").FindAll() | %{ $_.Properties["samaccountname"] }
# Enumerate all groups with the string "ACCESS" in the name property
PS C:\> ([ADSISearcher]"(&(objectClass=group)(name=*ACCESS*))").FindAll()
# Enumerate specific domain group
PS C:\> ([ADSISearcher]"(&(ObjectClass=group)(samaccountname=Domain Admins))").FindOne()
# Enumerate domain group members
PS C:\> ([ADSISearcher]"(distinguishedname=CN=TS ACCESS,CN=Users,DC=corp,DC=contoso,DC=local)").FindOne().Properties.member
AppLocker
C:\> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\
PS C:\> (Get-AppLockerPolicy -Local).RuleCollections
PS C:\> Get-AppLockerPolicy -Effective -Xml
PS C:\> Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
PS C:\> Get-AppLockerPolicy -Domain -LDAP "LDAP://DC1.contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com"