PowerView has long been the de-facto tool for domain enumeration. One of its biggest strengths is that the queries return proper PowerShell objects, which can be piped to other cmdlets. This allows you to chain multiple commands together to form complex and powerful queries.
Returns a domain object for the current domain or the domain specified with -Domain. Useful information includes the domain name, the forest name and the domain controllers.
Returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller. Useful for finding information such as the domain password policy.
Return all (or specific) user(s). To only return specific properties, use -Properties. By default, all user objects for the current domain are returned, use -Identity to return a specific user.
beacon> powershell Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl
displayname : John King
memberof : {CN=Internet Users,CN=Users,DC=dev,DC=cyberbotic,DC=io, CN=Support
Engineers,CN=Users,DC=dev,DC=cyberbotic,DC=io}
This shows that jking is a member of the Support Engineers group. Most privileges in a domain are delegated to domain groups, rather than individual users. So if we can find where this domain group has privileged access, we know that members will also have those privileges.
If you run this command without the -Identity parameter, prepare to wait a while for all the data to return.
Get-DomainComputer
Return all computers or specific computer objects.
Return all Group Policy Objects (GPOs) or specific GPO objects. To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.
beacon> powershell Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
displayname
-----------
Computer Certificates
Default Domain Controllers Policy
Default Domain Policy
LAPS
Proxy Settings
Server Admins
Vulnerable GPO
Windows Defender
Windows Firewall
Workstation Admins
Get-DomainGPOLocalGroup
Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences. You can then manually find which OUs, and by extension which computers, these GPOs apply to.
This shows that the Support Engineers group is being assigned some sort of local access to the machines to which these GPOs apply. Although the GPO naming convention suggests this is local admin access, it may also be a different localgroup such as Remote Desktop Users.
Get-DomainGPOUserLocalGroupMapping
Enumerates the machines where a specific domain user/group is a member of a specific local group. This is useful for finding where domain groups have local admin access, which is a more automated way to perform the manual cross-referencing described above.
This output confirms that the Support Engineers domain group is a member of the local Administrators group on machines: web, sql-2, fs, wkstn-1 and wkstn-2.
Get-DomainTrust
Return all domain trusts for the current or specified domain.