PowerShell
Windows PowerShell is a powerful tool that allows you to gather various types of information about users in a Windows domain. With PowerShell, you can retrieve information about specific users, find information about multiple users, and even search for inactive, expired, or disabled user accounts. Additionally, it is also possible to gather information about computers in the domain. The tool uses different cmdlets, parameters and filters to extract information. This makes it a versatile tool that can be tailored to the specific needs of any organization. It is an efficient way to manage and automate tasks and processes related to Active directory users, computers and groups. With proper permissions, an administrator can use PowerShell to perform a wide range of actions, from retrieving information to making changes to the active directory.
Launch powershell from CMD
poweshell -ep bypass
Get User information (Account Info)
Get-ADUser -Identity First_name.Last_name -Server Domain_Name -Properties *
- -Identity - The account name that we are enumerating
- -Properties - Which properties associated with the account will be shown, * will show all properties
- -Server - Since we are not domain-joined, we have to use this parameter to point it to our domain controller
Get User information (Using Filter Name)
Get-ADUser -Filter 'Name -like "*stevens"' -Server Domain_Name | Format-Table Name,SamAccountName -A
Get Groups information
Get-ADGroup -Identity GROUPS_NAME -Server Domain_Name -Properties *
Get Users in Groups
Get-ADGroupMember -Identity GROUPS_NAME -Server Domain_Name
AD Objects
Get-ADObject -Filter 'badPwdCount -gt 0' -Server Domain_Name
- If we wanted to, for example, perform a password spraying attack without locking out accounts, we can use this to enumerate accounts that have a badPwdCount that is greater than 0, to avoid these accounts in our attack
- This will only show results if one of the users in the network mistyped their password a couple of times.
Domains (Retrieve additional information about the specific domain)
Get-ADDomain -Server Domain_Name
Altering AD Objects (Changing the password of AD user using Set-ADAccountPassword
The great thing about the AD-RSAT cmdlets is that some even allow you to create new or alter existing AD objects. However, our focus for this network is on enumeration. Creating new objects or altering existing ones would be considered AD exploitation
Set-ADAccountPassword -Identity First_name.Last_name -Server Domain_Name -OldPassword (ConvertTo-SecureString -AsPlaintext "old" -force) -NewPassword (ConvertTo-SecureString -AsPlainText "new" -Force)
More Powershell command for the Active Directory ---> https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps (opens in a new tab)
Benefits
-
The PowerShell cmdlets can enumerate significantly more information than the net commands from Command Prompt.
-
We can specify the server and domain to execute these commands using runas from a non-domain-joined machine.
-
We can create our own cmdlets to enumerate specific information.
-
We can use the AD-RSAT cmdlets to directly change AD objects, such as resetting passwords or adding a user to a specific group.
Drawbacks
- PowerShell is often monitored more by the blue teams than Command Prompt.
- We have to install the AD-RSAT tooling or use other, potentially detectable, scripts for PowerShell enumeration.