
PowerShell ActiveDirectory Module

The ActiveDirectory PowerShell module is a group of PowerShell cmdlets for administering an Active Directory environment from the command line. It consists of 147 different cmdlets at the time of writing.

Discover Modules

Get-Module

Get-Module on its own lists only the modules already imported into the current session. To check whether the ActiveDirectory module is installed but not yet loaded, add the -ListAvailable switch.

Load ActiveDirectory Module

Import-Module ActiveDirectory

The module is part of the Remote Server Administration Tools (RSAT). It is present on domain controllers and on any host where the RSAT Active Directory tools have been installed; on a plain workstation the import fails until that feature is added.

Get Domain Info

Get-ADDomain

This returns the basic properties of the current domain, such as the DNS root and NetBIOS name, the domain SID, the domain functional level, the parent and child domains, the forest name and the FSMO role holders such as the PDC emulator.

Get-ADUser

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | select Name
This runs the Get-ADUser cmdlet with a filter for accounts whose ServicePrincipalName property is populated (the quoted "$null" is the ActiveDirectory module's filter syntax for a null value). Get-ADUser only returns a small default set of attributes, so ServicePrincipalName has to be requested explicitly with -Properties. The result is a listing of accounts that may be susceptible to a Kerberoasting attack, which we will cover in-depth after the next section.
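The following is an added example (not code from the original page) that takes the SPN query above one step further: it expresses the same condition as an LDAP filter that also excludes disabled accounts, then reports the details that decide whether a Kerberoastable account is worth the cracking time. The function name Get-KerberoastCandidate and the one-year password-age threshold are assumptions; the accounts it lists are whatever the queried domain returns.

```powershell
# Added example (not from the original page): list Kerberoastable accounts with the
# ActiveDirectory module. Assumes the module is available and the current user can
# read the domain; nothing about the environment is hard-coded.
Import-Module ActiveDirectory

function Get-KerberoastCandidate {
    [CmdletBinding()]
    param(
        # Assumed threshold: passwords older than this are likelier to be weak
        [datetime]$OlderThan = (Get-Date).AddYears(-1)
    )

    # Same condition as: Get-ADUser -Filter {ServicePrincipalName -ne "$null"}
    # written as an LDAP filter that also drops disabled accounts (userAccountControl
    # bit 0x2, tested with the LDAP_MATCHING_RULE_BIT_AND OID 1.2.840.113556.1.4.803).
    $ldap = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
            '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    Get-ADUser -LDAPFilter $ldap -Properties ServicePrincipalName, PasswordLastSet, MemberOf,
        AdminCount, 'msDS-SupportedEncryptionTypes' |
        # krbtgt carries an SPN but its password is long and random; not a realistic target
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            # $null casts to 0, which means "domain default" (RC4 is still allowed in most domains)
            $enc = [int]$_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                SPNs            = ($_.ServicePrincipalName -join '; ')
                PasswordLastSet = $_.PasswordLastSet
                OldPassword     = ($_.PasswordLastSet -lt $OlderThan)
                # adminCount=1 marks a current or former member of a protected group
                AdminCount      = $_.AdminCount
                # 0x4 = RC4-HMAC; an RC4 service ticket (etype 23) cracks far faster than AES
                Rc4Allowed      = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)
                # Group names only, pulled from the CN= component of each memberOf DN
                Groups          = (($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ')
            }
        } |
        Sort-Object AdminCount, OldPassword -Descending
}

Get-KerberoastCandidate | Format-Table -AutoSize
```

Accounts that come out on top (adminCount set, old password, RC4 still allowed) are the ones to request tickets for first; an AES-only service account with a recently rotated password is rarely worth the cracking time.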

Checking For Trust Relationships

Get-ADTrust -Filter *
This cmdlet prints every trust relationship the domain has. From the output we can determine whether a trust is within our forest (IntraForest) or with a domain in another forest, the trust type (TrustType), its direction (Direction: inbound, outbound or bidirectional), and the name of the domain the relationship is with (Target). This will be useful later on when looking to take advantage of child-to-parent trust relationships and attacking across forest trusts.
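As an added example (not code from the original page), the function below wraps Get-ADTrust and decodes the raw TrustAttributes bit field alongside the friendlier properties, so that each trust can be classified as intra-forest, forest or external at a glance. The function name Get-TrustSummary is an assumption; the bit meanings are the ones documented in MS-ADTS for the trustAttributes attribute.

```powershell
# Added example (not from the original page): enumerate trusts with Get-ADTrust and
# decode TrustAttributes. Assumes the module is available and the session can read the
# domain's trustedDomain objects.
Import-Module ActiveDirectory

# Bit meanings of trustAttributes (MS-ADTS section 6.1.6.7.9). A plain hashtable is used
# on purpose: indexing an [ordered] dictionary with an integer selects by position, not key.
$TrustAttributeFlags = @{
    0x001 = 'NON_TRANSITIVE'
    0x002 = 'UPLEVEL_ONLY'
    0x004 = 'QUARANTINED_DOMAIN'                      # SID filtering enforced on an external trust
    0x008 = 'FOREST_TRANSITIVE'
    0x010 = 'CROSS_ORGANIZATION'                      # selective authentication
    0x020 = 'WITHIN_FOREST'                           # parent/child or tree-root trust
    0x040 = 'TREAT_AS_EXTERNAL'                       # forest trust filtered like an external one
    0x080 = 'USES_RC4_ENCRYPTION'
    0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x400 = 'PIM_TRUST'
    0x800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
}

function Get-TrustSummary {
    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_
        $set = foreach ($bit in ($TrustAttributeFlags.Keys | Sort-Object)) {
            if (($t.TrustAttributes -band $bit) -ne 0) { $TrustAttributeFlags[$bit] }
        }
        # Inside a forest SID filtering is not enforced, which is what the child-to-parent
        # (ExtraSids) technique relies on; across forests it is enforced unless the trust
        # flags and the SIDFiltering* properties below say otherwise.
        $scope = if ($t.IntraForest) { 'Intra-forest' }
                 elseif ($t.ForestTransitive) { 'Forest trust' }
                 else { 'External trust' }
        [pscustomobject]@{
            Source          = $t.Source
            Target          = $t.Target
            Direction       = $t.Direction           # Inbound, Outbound or BiDirectional
            TrustType       = $t.TrustType
            Scope           = $scope
            SelectiveAuth   = $t.SelectiveAuthentication
            SIDQuarantined  = $t.SIDFilteringQuarantined
            SIDForestAware  = $t.SIDFilteringForestAware
            Attributes      = ($set -join ', ')
        }
    }
}

Get-TrustSummary | Format-List
```

Direction is read from the perspective of the current domain: an outbound trust means our domain trusts the target, so principals from the target can authenticate here, and an inbound trust means the opposite. A bidirectional WITHIN_FOREST trust to a parent domain is the case the later child-to-parent material builds on.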

Group Enumeration

Get-ADGroup -Filter * | select name

Detailed Group Info

Get-ADGroup -Identity "Backup Operators"

Group Membership

Get-ADGroupMember -Identity "Backup Operators"
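Get-ADGroupMember without -Recursive only returns the direct members, so a user who sits in Backup Operators through a nested group is missed. The following added example (not code from the original page) enumerates the effective membership of a set of high-value groups, including nested members, and notes which user accounts are enabled. The function name Get-PrivilegedMembership and the default group list are assumptions; any group name missing from the target domain is skipped.

```powershell
# Added example (not from the original page): effective membership of high-value groups.
# Assumes the module is available and the session can read group and user objects.
Import-Module ActiveDirectory

function Get-PrivilegedMembership {
    param(
        # Assumed default list: the usual built-in privileged groups
        [string[]]$Groups = @(
            'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
            'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators', 'DnsAdmins'
        )
    )

    foreach ($name in $Groups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -Properties Member
        if (-not $group) { continue }   # e.g. DnsAdmins only exists with AD-integrated DNS

        try {
            # -Recursive expands nested groups down to the leaf principals
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
            $nested  = $true
        } catch {
            # Get-ADGroupMember fails on very large groups and on foreign security principals
            # from trusted domains; fall back to the raw member attribute (direct members only,
            # nesting is not expanded on this path)
            $members = $group.Member | ForEach-Object { Get-ADObject -Identity $_ -Properties SamAccountName }
            $nested  = $false
        }

        foreach ($m in ($members | Sort-Object DistinguishedName -Unique)) {
            $enabled = $null
            if ($m.ObjectClass -eq 'user') {
                # Enabled is part of Get-ADUser's default property set, so no -Properties needed
                $enabled = (Get-ADUser -Identity $m.DistinguishedName).Enabled
            }
            [pscustomobject]@{
                Group    = $name
                Member   = $m.SamAccountName
                Class    = $m.ObjectClass
                Enabled  = $enabled
                Expanded = $nested          # $false means nesting was not resolved for this group
                DN       = $m.DistinguishedName
            }
        }
    }
}

Get-PrivilegedMembership | Format-Table Group, Member, Class, Enabled -AutoSize
```

Disabled accounts in a privileged group are still worth noting: they can be re-enabled by anyone with write access to the object, and their membership survives until someone removes it.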