> For the complete documentation index, see [llms.txt](https://notes.shashwatshah.me/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.shashwatshah.me/windows/active-directory/basic-recon.md).

# Basic Recon

## Powerview <a href="#domain" id="domain"></a>

### Domain/Computers Recon

`Get-Domain` => Get Domain Information.\
`Get-DomainPolicy` => Get Domain Policy.\
`(Get-DomainPolicy)."SystemAccess"` => Password Policy.\
`Get-DomainController` => Get Domain Controller Information.

`Get-NetComputer| select name` => Get a list of computers in the current domain.\
`Get-NetComputer -OperatingSystem "*Server 2016*" | select name ,operatingsystem |Format-List` => OS info.

### Groups/Users Recon

`Get-NetGroup | select name` => Get names of groups\
`Get-NetGroup 'Group-Name'` => All data about the specific group\
`Get-NetGroupMember -MemberName "Group Name" -Recurse | select MemberName` => Get all members of the domain admin group

`Get-DomainUser` => Get user's info about everything on the domain.\
`Get-DomainUser | select cn` => Get users name.\
`Get-DomainUser -Identity <username> -Properties DisplayName, MemberOf,objectsid,useraccountcontrol | Format-List` => Properties of a specific user.

## Bloodhound

### Collectors.

[Powershell Version](https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/situational_awareness/network/BloodHound.ps1) ==> `Invoke-BloodHound -CollectionMethod All`\
[SharpHound](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe) ==> `./SharpHound.exe --CollectionMethod All`\
[Python Bloodhound](https://github.com/fox-it/BloodHound.py) ==> `bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all`
