Find existing local admin access for the current user:


Hunt for sessions of interesting users on machines where you have access:

Find-DomainUserLocation -CheckAccess | ?{$_.LocalAdmin -Eq $True }

Search for kerberoastable users:

Get-DomainUser -SPN | select name,serviceprincipalname

Search for AS-REP roastable users:

Get-DomainUser -PreauthNotRequired | select name

Look for interesting ACLs within the domain, filtering on a specific user or group you have compromised:

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "UserOrGroupToQuery"}

Search for computers with unconstrained delegation:

Get-DomainComputer -Unconstrained

Search for users and computers with constrained delegation:

Get-DomainUser -TrustedToAuth | select userprincipalname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto
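
The SPN, pre-authentication and delegation queries above all key on account attributes that an administrator can audit directly. The following is an added example, not part of the original cheat sheet or of PowerView: a defender-side check that decodes the documented userAccountControl bits and reports accounts those queries would return. The function name, the input property names and the sample accounts are assumptions made for illustration.

```powershell
# Added example: audit the attributes the enumeration queries above filter on.
# Values are the documented userAccountControl flag bits.
$UacFlags = [ordered]@{
    DONT_REQ_PREAUTH               = 0x400000   # Kerberos pre-auth disabled (AS-REP roastable)
    TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # delegation with protocol transition
}

# Hypothetical helper: takes objects with Name, ObjectClass, UserAccountControl,
# ServicePrincipalName and AllowedToDelegateTo properties (names assumed here).
function Get-RiskyAccountSetting {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        $findings = @()
        foreach ($flag in $UacFlags.GetEnumerator()) {
            if ($Account.UserAccountControl -band $flag.Value) { $findings += $flag.Key }
        }
        # A user account with an SPN is what an SPN search on users returns.
        if ($Account.ObjectClass -eq 'user' -and $Account.ServicePrincipalName) {
            $findings += 'USER_WITH_SPN'
        }
        # A populated msDS-AllowedToDelegateTo means constrained delegation is configured.
        if ($Account.AllowedToDelegateTo) { $findings += 'CONSTRAINED_DELEGATION_TARGETS' }
        if ($findings) {
            [pscustomobject]@{ Name = $Account.Name; Findings = $findings -join ', ' }
        }
    }
}

# Constructed sample accounts (not real data).
$sample = @(
    [pscustomobject]@{ Name = 'svc-sql';  ObjectClass = 'user';     UserAccountControl = 0x10200
                       ServicePrincipalName = 'MSSQLSvc/db01.example.local:1433'; AllowedToDelegateTo = $null }
    [pscustomobject]@{ Name = 'j.legacy'; ObjectClass = 'user';     UserAccountControl = 0x410200
                       ServicePrincipalName = $null; AllowedToDelegateTo = $null }
    [pscustomobject]@{ Name = 'APP01$';   ObjectClass = 'computer'; UserAccountControl = 0x81000
                       ServicePrincipalName = 'HOST/app01.example.local'; AllowedToDelegateTo = $null }
    [pscustomobject]@{ Name = 'svc-web';  ObjectClass = 'user';     UserAccountControl = 0x1000200
                       ServicePrincipalName = 'HTTP/web01.example.local'
                       AllowedToDelegateTo  = 'HTTP/intranet.example.local' }
    [pscustomobject]@{ Name = 'a.clean';  ObjectClass = 'user';     UserAccountControl = 0x200
                       ServicePrincipalName = $null; AllowedToDelegateTo = $null }
)

$sample | Get-RiskyAccountSetting | Format-Table -AutoSize
```

Domain controllers carry TRUSTED_FOR_DELEGATION by design, so exclude them when triaging the unconstrained delegation findings.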