Enumeration & Discovery — From Windows

Quick Reference

Technique                               Tool                            Privilege Needed
Domain / forest info                    Native AD cmdlets, PowerView    Domain user
User / group / computer enumeration     Get-ADUser, Get-DomainUser      Domain user
SPN discovery (Kerberoast candidates)   Get-ADUser, PowerView           Domain user
AdminSDHolder / privileged objects      Get-ADObject                    Domain user
ACL enumeration                         PowerView                       Domain user
Local admin discovery                   Find-LocalAdminAccess           Domain user
Share discovery                         Find-DomainShare, Snaffler      Domain user
Full graph collection                   SharpHound                      Domain user
Host recon                              Seatbelt                        Local user (some checks need admin)
Session enumeration                     SharpHound, NetSessionEnum      Local admin (remote hosts)
GPO enumeration                         PowerView                       Domain user
Trust mapping                           Get-DomainTrust, nltest         Domain user

Native AD Cmdlets

No extra tooling required. Requires the ActiveDirectory PowerShell module, which is present on domain-joined systems with RSAT installed, or can be imported from a DC. ...

11 min · MrAzoth

GPO Abuse — From Windows

Quick Reference

Technique                   Tool                        Requirement                         Effect
Immediate Scheduled Task    SharpGPOAbuse               Write on GPO                        Code exec as SYSTEM on all linked machines
Restricted Groups           SharpGPOAbuse               Write on GPO                        Add attacker to local Admins
User Rights Assignment      SharpGPOAbuse               Write on GPO                        Grant SeDebugPrivilege / SeImpersonatePrivilege
Manual XML task             PowerShell / SYSVOL write   Write on GPO or SYSVOL              Arbitrary command as SYSTEM
New GPO + Link              PowerView / RSAT            CreateGPO right + link permission   Full control over target OU
GPO Delegation read         PowerView / BloodHound      Any domain user                     Map attack surface

GPO Fundamentals

Group Policy Objects (GPOs) are containers of policy settings applied to users and computers. They are linked to Organizational Units (OUs), Sites, or the Domain. When a machine or user logs in, the domain controller delivers applicable GPOs via SYSVOL (a shared folder replicated to all DCs). The machine then applies them every 90 minutes by default (± 30-minute random offset), or immediately on gpupdate /force. ...

8 min · MrAzoth