In his talk "I Have the Power(View): Offensive Active Directory with PowerShell", Will Schroeder, a researcher and red teamer in Veris Group's Adaptive Threat Division, presented offensive Active Directory information-gathering techniques using his tool PowerView.
PowerView deliberately does not use the built-in AD cmdlets, so that it is independent of the Remote Server Administration Tools (RSAT) AD PowerShell module, which requires PowerShell 3.0+ and is installed by default only on servers that hold Active Directory roles. PowerView, by contrast, is compatible with PowerShell 2.0, has no external dependencies and requires no installation.
Will Schroeder structured his talk around the steps of a typical information-gathering procedure in an Active Directory network.
As a first step, you want to identify rewarding targets: the accounts you would need to compromise for privilege escalation. To that end, PowerView lets you, for example, enumerate users and groups by name using wildcards. Once you have found an interesting group, you can also enumerate its effective members. To identify privileged groups, it helps to search for groups that have the adminCount attribute set, which means they have been added, directly or transitively, to at least one administrative group. Sometimes computer accounts end up as members of privileged groups, which makes them an appealing target as well. For information gathering it is also interesting to know which accounts (privileged and non-privileged) belong to the same person. To group accounts that likely belong to the same person, you first need to find out which attribute in the environment you are observing links a person's different accounts, for example the email address or the DisplayName.
As a second step, you want to locate where your potential targets are logged in. The PowerView function "Invoke-UserHunter" helps here: it enumerates sessions and logged-in users and matches the result against a list of targeted users, without requiring administrative privileges. The PowerView function "Get-NetLocalGroup" lets you enumerate all members of a local group on a given machine. By combining both functions you can figure out all accounts with administrative privileges on the machine where your target is logged on, then where those accounts are logged on at the moment, and so on. With this information you can build a map of the chain of workstations and accounts you have to compromise to reach your target.
As a further step, PowerView provides the function "Get-GPPPassword" to retrieve all passwords that were set via Group Policy Preference files. These passwords are encrypted, but the key was published by Microsoft. There is also a function to locate all machines on which a password found this way can be used. Enumerating GPO objects additionally helps to find out where a user has local administrative rights.
Group Policy Objects have access control lists (ACLs), and any user who has modification rights on a GPO can get code execution on the machines that GPO is applied to. PowerView makes it easier to find out which GPOs an account has modification rights on.
Another especially interesting Active Directory object is AdminSDHolder, a permission template whose changes are pushed out to every protected user, so it is worth having a look at the ACLs set on it.
Another information-gathering function PowerView provides is "Invoke-MapDomainTrust", which recursively maps all reachable domain and forest trusts, some of which may be exploitable to reach the end goal.
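Since AdminSDHolder's ACL is what matters here, a defender can periodically review it for write-capable entries held by unexpected principals. The following is an added example written for this page, not code from the talk or from PowerView; it uses plain ADSI (no RSAT module needed), and the list of expected principals is an assumed baseline that has to be adjusted to the domain.

```powershell
# Added example (not from the talk or PowerView): list write-capable ACEs on AdminSDHolder
# that are held by principals outside an expected set, using plain ADSI (no RSAT needed).
function Get-AdminSDHolderWriteAces {
    param(
        # Principals expected to hold write rights on the template; assumed baseline, adjust per domain.
        [string[]]$Expected = @("Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM")
    )
    $rootDse = [ADSI]"LDAP://RootDSE"
    $dnc = $rootDse.defaultNamingContext.Value
    $holder = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$dnc"

    # Rights that allow changing the template, and therefore every protected object it is pushed to.
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    foreach ($ace in $holder.ObjectSecurity.Access) {
        if ($ace.AccessControlType -ne "Allow") { continue }
        if (($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }
        # IdentityReference reads "DOMAIN\Name" for resolvable SIDs; compare on the name part.
        $name = ($ace.IdentityReference.Value -split "\\")[-1]
        if ($Expected -contains $name) { continue }
        # Property-scoped WriteProperty entries for default service groups may show up here;
        # each remaining entry is something to review, not automatically a finding.
        New-Object PSObject -Property @{
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights.ToString()
            ObjectType = $ace.ObjectType   # GUID of the property or extended right; all zeros = whole object
            Inherited  = $ace.IsInherited
        }
    }
}

Get-AdminSDHolderWriteAces | Format-Table -AutoSize
```

Because AdminSDHolder is re-applied to protected accounts on a schedule, any unexpected entry found here is worth correlating with directory change auditing on that object.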