Living off the Land .Net payloads for when powershell modules aren't available
The goal of this repo is to eventually aggregate all of this information into a queryable site like that of LOLBAS. For now, I'm placing everything in this readme.
Get information about the current forest (Get-ADForest)
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()Attributes:
- Name
- Sites
- Domains
- GlobalCatalogs
- ApplicationPartitions
- ForestMode
- RootDomain
- Schema
- SchemaRoleOwner
- NamingRoleOwner
Get information about the current domain (Get-ADDomain)
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllersAttributes:
- Forest
- DomainControllers
- Children
- DomainMode
- Parent
- PdcRoleOwner
- RidRoleOwner
- InfrastructureRoleOwner
Get information about domain trusts (Get-ADTrust)
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()Find all discoverable domain controllers
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).FindAllDiscoverableDomainControllers()Get information about the current site
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()Attributes:
- Name
- Domains
- Subnets
- Servers
- AdjacentSites
- SiteLinks
- InterSiteTopologyGenerator
- Options
- Location
- BridgeheadServers
- PreferredSmtpBridgeheadServers
- PreferredRpcBridgeheadServers
- IntraSiteReplicationSchedule
- Get Attributes of a File
[System.IO.File]::GetAttributes("C:\Users\Administrator\Desktop\root.txt")- Check if currently in a 64-bit process
[System.Environment]::Is64BitProcess- Get the current identity of the user
[System.Security.Principal.WindowsIdentity]::GetCurrent()- Name
- AuthenticationType
- Groups
- User
- Token
- ImpersonationLevel
- Owner
- IsSystem
- IsGuest
- IsAnonymous
- IsAuthenticated
- AccessToken
- UserClaims
- DeviceClaims
- Claims
- This is largely based on the series PowerShell: Using Active Directory .Net methods in PowerShell by Sean Metcalf