PowerView: Active Directory Enumeration
This lab walks through a few common PowerView cmdlets that allow for Active Directory/domain enumeration.

Get-NetDomain
Get current user's domain:

Get-NetForest
Get information about the forest the current user's domain is in:

Get-NetForestDomain
Get all domains of the forest the current user is in:

Get-NetDomainController
Get info about the DC of the domain the current user belongs to:

Get-NetGroupMember
Get a list of domain members that belong to a given group:

Get-NetLoggedon
Get users that are logged on to a given computer:

Get-NetDomainTrust
Enumerate domain trust relationships of the current user's domain:

Get-NetForestTrust
Enumerate forest trusts from the current domain's perspective:

Get-NetProcess
Get running processes for a given remote machine:
Get-NetProcess -ComputerName dc01 -RemoteUserName offense\administrator -RemotePassword 123456 | ft

Invoke-MapDomainTrust
Enumerate and map all domain trusts:

Invoke-ShareFinder
Enumerate shares on a given PC; this can easily be combined with other scripts to enumerate all machines in the domain:

Invoke-UserHunter
Find machines on the domain, or users on a given machine, that are logged on:
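From the defensive side, every cmdlet listed above leaves a trace once PowerShell script block logging is enabled (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), and parameters such as the plaintext -RemotePassword in the Get-NetProcess example are logged along with it. The following PowerShell is an added example, not code from the original page or from PowerView/PowerSploit: it matches the cmdlet names on this page against script block log messages. The function name Find-PowerViewActivity and the sample events are constructed for the example; the live-log query at the bottom uses the standard Get-WinEvent cmdlet.

```powershell
# Added example: flag PowerView enumeration cmdlets in PowerShell script block logs
# (Event ID 4104, Microsoft-Windows-PowerShell/Operational). The cmdlet list is taken
# from this page; the sample log entries further down are constructed, not real logs.

$PowerViewCmdlets = @(
    'Get-NetDomain', 'Get-NetForest', 'Get-NetForestDomain', 'Get-NetDomainController',
    'Get-NetGroupMember', 'Get-NetLoggedon', 'Get-NetDomainTrust', 'Get-NetForestTrust',
    'Get-NetProcess', 'Invoke-MapDomainTrust', 'Invoke-ShareFinder', 'Invoke-UserHunter'
)

function Find-PowerViewActivity {
    param(
        # Objects with TimeCreated, User and Message properties (shape assumed for this example)
        [Parameter(Mandatory)] [object[]] $ScriptBlockEvents,
        [string[]] $Cmdlets = $PowerViewCmdlets
    )
    # One case-insensitive regex with word boundaries, longest names first, so that
    # "Get-NetDomainTrust" is reported as itself and not also as "Get-NetDomain".
    $alternatives = $Cmdlets | Sort-Object Length -Descending | ForEach-Object { [regex]::Escape($_) }
    $pattern = '(?i)\b(' + ($alternatives -join '|') + ')\b'

    foreach ($evt in $ScriptBlockEvents) {
        $hits = [regex]::Matches($evt.Message, $pattern) | ForEach-Object { $_.Value } | Sort-Object -Unique
        if ($hits) {
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                User        = $evt.User
                Cmdlets     = ($hits -join ', ')
                # A credential passed on the command line is captured in the script block too.
                PlaintextCredential = [bool]($evt.Message -match '(?i)-RemotePassword\s+\S+')
            }
        }
    }
}

# Constructed sample events standing in for Get-WinEvent output.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:00'; User = 'OFFENSE\alice'; Message = 'Get-NetDomainTrust | ft' },
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:05'; User = 'OFFENSE\alice'; Message = 'Get-NetProcess -ComputerName dc01 -RemoteUserName offense\administrator -RemotePassword 123456 | ft' },
    [pscustomobject]@{ TimeCreated = '2024-01-01 09:10'; User = 'OFFENSE\bob';   Message = 'Get-ChildItem C:\Users' }
)
Find-PowerViewActivity -ScriptBlockEvents $sampleEvents | Format-Table -AutoSize

# Against live logs on a host with script block logging enabled:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5000 |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; User = $_.UserId; Message = $_.Message } }
# Find-PowerViewActivity -ScriptBlockEvents $live
```

Run as written, only the two events from OFFENSE\alice are reported, the second with PlaintextCredential set to True. Matching on cmdlet names is a starting point rather than a complete detection: a renamed copy of the script evades it, so it is best paired with the underlying behaviours the cmdlets generate (LDAP queries for trust and group objects, NetSessionEnum/NetWkstaUserEnum calls against member servers, share enumeration across many hosts in a short window).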
