@alexdhital
Last active September 20, 2024 10:40
Cobalt Strike PowerView Cheatsheet

Domain Enumeration

Import PowerView

beacon> powershell-import C:\Users\Alex\Desktop\PowerSploit\Recon\PowerView.ps1

Domain, Forest Recon

Get info about the current domain: its domain controller, its forest, its child domains, etc.

beacon> powershell Get-Domain

Get information about another domain or forest: its child domains, its domain controller, its forest, etc.

beacon> powershell Get-Domain -Domain <forest/another-domain>

Get details about the current forest

beacon> powershell Get-Forest

Get details about another forest

beacon> powershell Get-Forest <forest>

Get all domains in the current forest

beacon> powershell Get-ForestDomain

Get all domains in another forest

beacon> powershell Get-ForestDomain -Forest <forest>

Get all global catalogs for the current forest

beacon> powershell Get-ForestGlobalCatalog

Get all global catalogs for another forest

beacon> powershell Get-ForestGlobalCatalog -Forest <forest>

Domain Policy Recon

Get the policy of the current domain: Kerberos policy, system access policy, version, registry values, Unicode, etc.

beacon> powershell Get-DomainPolicy

Gets min/max password age, min password length, clear-text password storage, complexity, etc. for the current domain

beacon> powershell (Get-DomainPolicy)."System Access"

Gets info like max ticket age, max service ticket age, max renew age, etc. for the current domain

beacon> powershell (Get-DomainPolicy)."Kerberos Policy"

Gets the policy of another domain/forest: Kerberos policy, system access policy, version, registry values, Unicode, etc.

beacon> powershell Get-DomainPolicy -domain <forest>

Gets min/max password age, min password length, clear-text password storage, complexity, etc. for another domain/forest

beacon> powershell (Get-DomainPolicy -domain <forest>)."System Access"

Gets info like max ticket age, max service ticket age, max renew age, etc. for another domain/forest.

beacon> powershell (Get-DomainPolicy -domain <forest>)."Kerberos Policy"

Domain Controller Enumeration

Gets the name and IP address of the domain controller of the current domain

beacon> powershell Get-DomainController

Gets the name and IP address of the domain controller of another domain/forest

beacon> powershell Get-DomainController -Domain <domain/forest>

SID

Gets the SID of the current domain

beacon> powershell Get-DomainSID

Gets the SID of another domain/forest

beacon> powershell Get-DomainSID -Domain <forest/domain>

Computer Enumeration

Get all computers in the current domain with all properties (output may be tedious)

beacon> powershell Get-DomainComputer # All computer objects with all properties

Get the names of all computers in the current domain

beacon> powershell Get-DomainComputer | select Name

Get the names of all computers in another domain/forest

beacon> powershell Get-DomainComputer -Domain <forest> | select Name

Get all computers in the current domain whose OS is Server 2022

beacon> powershell Get-DomainComputer -OperatingSystem "*server 2022*"

Get all domain computers and check whether each one can be reached.

beacon> powershell Get-DomainComputer -Ping

User Enumeration

Get all domain users with default properties.

beacon> powershell Get-DomainUser

Get information about a domain user with default properties

beacon> powershell Get-DomainUser -Identity <username>

Get the logon count of all users

beacon> powershell Get-DomainUser | select samaccountname, logoncount

Get information about a domain user with all properties.

beacon> powershell Get-DomainUser -Identity <username> -Properties *

Search for a particular string in a user attribute (here, "pass" in the description)

beacon> powershell Get-DomainUser -LDAPFilter "Description=*pass*" | select name,description

Domain Admin Enumeration

beacon> powershell Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Group Enumeration

Get all groups in the current domain

beacon> powershell Get-DomainGroup | select Name

Get all groups in the current domain with all properties (output may be tedious)

beacon> powershell Get-DomainGroup

Get all groups in another domain/forest

beacon> powershell Get-DomainGroup -Domain <forest>

Get the members of a specific group (recursively)

beacon> powershell Get-DomainGroupMember -Identity "<Group Name>" -Recurse

Get the members of a specific group in another domain/forest

beacon> powershell Get-DomainGroupMember -Domain <forest> -Identity "<Group-Name>" -Recurse

Get the group membership of a user

beacon> powershell Get-DomainGroup -Username "<username>"

OU enumeration

Gets the organizational units in the domain, sorted by name

beacon> powershell Get-DomainOU -Properties Name | sort -Property Name

List all computers that are part of a certain OU

beacon> powershell (Get-DomainOU -Identity <OU-Name>).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

GPO Enumeration

List all configured GPOs in a domain

beacon> powershell Get-DomainGPO -Properties DisplayName | sort -Property DisplayName

List all GPOs that apply to a particular machine

beacon> powershell Get-DomainGPO -ComputerIdentity <computer-name>

Interested to find out which GPOs apply to a certain OU? (Not important)

  • List all OUs: Get-DomainOU | select name
  • Get the OU's gplink attribute with Get-DomainOU -Identity <OU-name>; the cn inside it, {...-...-...-...}, is the GPO's name (its GUID)
  • Look up that GPO: Get-DomainGPO -Identity '{0D1C3BF-1F556-AF64-D999877JU}'
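The gplink step above is easy to get wrong by hand because one OU can link several GPOs and each link carries option bits (1 = link disabled, 2 = enforced). The parser below is an added example, not code from the gist; the gPLink value it parses is constructed (the first two GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy, the third is made up), and it returns the GUIDs you would feed to Get-DomainGPO -Identity while skipping disabled links.

```python
import re
from dataclasses import dataclass

# Constructed sample gPLink value for an OU (not taken from the original gist).
# Format: one "[LDAP://cn={GUID},<policies container DN>;<options>]" entry per link.
SAMPLE_GPLINK = (
    "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=dev,DC=alex,DC=io;0]"
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=dev,DC=alex,DC=io;2]"
    "[LDAP://cn={D3A2B1C0-1111-2222-3333-444455556666},cn=policies,cn=system,DC=dev,DC=alex,DC=io;1]"
)

# Captures the GPO GUID, the rest of the DN and the numeric link options.
LINK_RE = re.compile(r"\[LDAP://cn=(\{[0-9A-F-]{36}\}),([^;\]]*);(\d+)\]", re.IGNORECASE)

OPT_DISABLED = 1  # link is present but not applied
OPT_ENFORCED = 2  # link cannot be blocked by child containers


@dataclass
class GpoLink:
    guid: str       # GPO name as used by Get-DomainGPO -Identity, e.g. "{31B2F340-...}"
    dn: str         # distinguished name of the GPO object under cn=policies
    disabled: bool
    enforced: bool


def parse_gplink(value):
    """Parse a gPLink attribute value into GpoLink records, in attribute order."""
    links = []
    for m in LINK_RE.finditer(value or ""):
        guid, rest, opts = m.group(1), m.group(2), int(m.group(3))
        links.append(GpoLink(guid.upper(), f"cn={guid},{rest}",
                             bool(opts & OPT_DISABLED), bool(opts & OPT_ENFORCED)))
    return links


def active_gpo_guids(value):
    """GUIDs of links that are actually applied (disabled links are skipped)."""
    return [link.guid for link in parse_gplink(value) if not link.disabled]


if __name__ == "__main__":
    for link in parse_gplink(SAMPLE_GPLINK):
        flags = ("disabled" if link.disabled else "active") + (", enforced" if link.enforced else "")
        print(f"{link.guid}  {flags}")
```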

Get-DomainGPOLocalGroup

Restricted Groups is a GPO feature used to manage local group membership on workstations, member servers and domain controllers: it lets administrators control local group memberships through GPO settings. Here, Get-DomainGPOLocalGroup shows the restricted group (IT Engineers) that has some form of local access or local admin access on the workstations where these GPOs (Database Admins, Web Admins) are applied. This means that if we compromise any user in the IT Engineers group, we have access to the machines where the displayed GPOs are applied.

beacon> powershell Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

GPODisplayName     GroupName            
--------------     ---------            
Database Admins DEV\IT Engineers
Web Admins      DEV\IT Engineers

A more automated way of querying the above information is shown below; the output says that if we compromise any user in the IT Engineers group, that user has local administrator on the web, web-2, web-3, SQL-1, SQL-2 and SQL-3 computers.

beacon> powershell Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

ObjectName     : IT Engineers
GPODisplayName : Web Admins
ContainerName  : {OU=Web,DC=dev,DC=alex,DC=io}
ComputerName   : {web.dev.alex.io, web-2.dev.alex.io, web-3.dev.alex.io}

ObjectName     : IT Engineers
GPODisplayName : Database Admins
ContainerName  : {OU=Databases,DC=dev,DC=alex,DC=io}
ComputerName   : {SQL-1.dev.alex.io, SQL-2.dev.alex.io}
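Reading the scope of a GPO-granted local group out of Format-List output by eye does not scale once there are dozens of GPOs, and the same question matters when auditing who has local admin where. The helper below is an added example, not code from the gist: it parses the `| fl` record format shown above (the sample text is constructed to match those records, with PowerShell's ", "-separated `{...}` lists) and aggregates, per principal, the hosts on which a GPO places it in the local group, plus the inverse view per host.

```python
import re
from collections import defaultdict

# Constructed sample of Get-DomainGPOUserLocalGroupMapping ... | fl output,
# matching the records shown in the gist above (not captured from a live domain).
SAMPLE_FL = """
ObjectName     : IT Engineers
GPODisplayName : Web Admins
ContainerName  : {OU=Web,DC=dev,DC=alex,DC=io}
ComputerName   : {web.dev.alex.io, web-2.dev.alex.io, web-3.dev.alex.io}

ObjectName     : IT Engineers
GPODisplayName : Database Admins
ContainerName  : {OU=Databases,DC=dev,DC=alex,DC=io}
ComputerName   : {SQL-1.dev.alex.io, SQL-2.dev.alex.io}
"""

FIELD_RE = re.compile(r"^(\w+)\s*:\s?(.*)$")


def parse_fl(text):
    """Split Format-List text into dict records; '{a, b}' values become lists.
    Elements are split on ', ' (PowerShell's array separator) so DNs containing
    bare commas, such as OU=Web,DC=dev,..., stay intact."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                  # tolerate stray lines (prompt echo, warnings)
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("{") and value.endswith("}"):
            value = [v.strip() for v in value[1:-1].split(", ") if v.strip()]
        current[key] = value
    if current:
        records.append(current)
    return records


def admin_scope(text):
    """Map each principal (ObjectName) to the sorted hosts it gets the local group on."""
    scope = defaultdict(set)
    for rec in parse_fl(text):
        scope[rec["ObjectName"]].update(rec.get("ComputerName", []))
    return {principal: sorted(hosts, key=str.lower) for principal, hosts in scope.items()}


def hosts_to_principals(text):
    """Inverse view: lower-cased host -> set of principals granted the local group there."""
    inverse = defaultdict(set)
    for principal, hosts in admin_scope(text).items():
        for host in hosts:
            inverse[host.lower()].add(principal)
    return dict(inverse)
```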

Trusts

Get a list of all domain trusts of the current domain

beacon> powershell Get-DomainTrust

Get a list of all domain trusts of another domain/forest

beacon> powershell Get-DomainTrust -Domain <forest>

Logon Enumeration

Requires administrative rights on the target computer.

beacon> powershell Get-NetLoggedOn -ComputerName <targetComputer> # all logged on users
beacon> powershell Get-LoggedonLocal -ComputerName <targetComputer> # locally logged on users
beacon> powershell Get-LastLoggedOn -ComputerName <targetComputer> # last logged on user