![](https://cdn-0.reconshell.com/wp-content/uploads/2022/05/01-1024x576.png)
This repository is aimed at sharing the cliff notes for performing Red Teaming of Active Directory System combined with Detection Engineering part of AD Attacks
Assumed Breach Methodology
![ef](https://cdn-0.reconshell.com/wp-content/uploads/2022/05/ef.png)
Insider Attack Simlation Model
![c65](https://cdn-0.reconshell.com/wp-content/uploads/2022/05/c65-1024x357.png)
AD Red Teaming Ops
Domain Enumeration Commands
C:\Users\Windows-Machine> whoamii /priv C:\Users\Windows-Machine> $ADClass = [System.DirectorServices.ActiveDirectory.Domain] C:\Users\Windows-Machine> $ADClass::GetCurrentDomain()
C:\Users\Windows-Machine> cd C:\AD\PowerView C:\AD\PowerView> ..\Powerview.ps1 C:\AD\PowerView> Get-NetDomain
C:\Users\Windows-Machine> cd C:\AD\Pentesting\ADModule-master C:\AD\Pentesting\ADModule-master> .\Microsoft.ActiveDirectory.Management.dll C:\AD\Pentesting\ADModule-master> .\ActiveDirectory\ActiveDirectory.psd1 C:\AD\Pentesting\ADModule-master> Get-ADDomain C:\AD\Pentesting\ADModule-master> Get-NetDomain -Domain moneycorp.local C:\AD\Pentesting\ADModule-master> Get-ADDomain -Identity corp.local
Get Domain SID for current domain C:\AD\Pentesting\ADModule-master> Get-DomainSID C:\AD\Pentesting\ADModule-master> (Get-ADDomain).DomainSID
Get Domain Policy for the current domain C:\AD\PowerView> Get-DomainPolicy
Get domain policy for another domain *Domain Password Policy
C:\AD\PowerView> (Get-DomainPolicy)."system access"
Domain Kerberos Policy C:\AD\PowerView> (Get-DomainPolicy)."Kerberos Policy"
C:\AD\Pentesting\ADModule-master> Get-NetDomainController C:\AD\Pentesting\ADModule-master> Get-ADDomainController C:\AD\Pentesting\ADModule-master> Get-ADDomainController -Domain corp2.local
Get List of Users in Current Domain
C:\AD\Pentesting\ADModule-master> Get-NetUser C:\AD\Pentesting\ADModule-master> Get-NetUser -Username student1 C:\AD\Pentesting\ADModule-master> Get-ADUser -Filter * -Properties * C:\AD\Pentesting\ADModule-master> Get-ADUser -Identity student1 -Properties* C:\AD\Pentesting\ADModule-master> Get-NetUser | select cn C:\AD\Pentesting\ADModule-master> Get-NetUser | select Name
Get list of all properties for users in the current domain
C:\AD\Pentesting\ADModule-master> Get-UserProperty C:\AD\Pentesting\ADModule-master> Get-UserProperty -Properties pwdlastset C:\AD\Pentesting\ADModule-master> Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member - MemberType *Property | select Name C:\AD\Pentesting\ADModule-master> Get-ADUser -Filter * -Properties * | select name,@{expression={[dateime]::fromFileTime($_.pwdlastset)]}
Additional Resources:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 https://docs.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps
The Purple-Teaming is a github repository by MirHassanRiaz
Leave a Reply