Saturday, February 1, 2025

WINDOWS. AD. OSINT. Locate privileged users

Purpose

Locate privileged users in Active Directory, whether they hold the privilege directly or through nesting in a group with special rights.

Steps

[*] AD user objects carry an attribute (AdminCount) that is set to 1 when the account is a member, directly or through nesting, of a protected AD group. Check it by dumping all properties of a known admin account:

Command: Get-ADUser administrador -Properties *


[*] List all users flagged with AdminCount = 1

Command: Get-ADUser -Filter {AdminCount -eq 1} | Select-Object Name, SamAccountName


[*] View user information


This gives us a starting point for attacking a network and attempting lateral movement.
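The AdminCount flag is only as reliable as the process that sets it: it stays at 1 after an account is removed from a privileged group, and it is not set until the process runs for a new member. The following script is an added example, not part of the original post, that cross-checks the flag against the real (recursive) membership of the protected groups. The group list is an assumption and should be adjusted to the forest; Enterprise Admins and Schema Admins exist only in the forest root domain, which the try/catch tolerates.

```powershell
# Added example (not the original post's code): compare AdminCount=1 accounts
# with the actual recursive membership of the protected groups.
Import-Module ActiveDirectory

# Assumed list of protected groups; adjust to what your forest actually protects.
$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                     'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')

# 1. Accounts that carry the AdminCount=1 flag
$Flagged = Get-ADUser -Filter 'AdminCount -eq 1' -Properties AdminCount |
           Select-Object -ExpandProperty SamAccountName

# 2. Accounts that really are members (directly or by nesting) of a protected group
$Members = foreach ($g in $ProtectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName
    } catch {
        Write-Warning "Group '$g' not found or not readable: $_"
    }
}
$Members = $Members | Sort-Object -Unique

# 3. Differences between the two views
$Orphaned = $Flagged | Where-Object { $_ -notin $Members }   # flag set, but no longer privileged
$Missing  = $Members | Where-Object { $_ -notin $Flagged }   # privileged, but flag not set yet

"Privileged by membership : $($Members.Count)"
"Flagged by AdminCount    : $($Flagged.Count)"
"Orphaned AdminCount=1    : $($Orphaned -join ', ')"
"Privileged, not flagged  : $($Missing -join ', ')"
```

Orphaned accounts keep the restrictive AdminSDHolder ACL and are a common source of "why can't I manage this user" tickets; accounts in the second list are the ones an audit based only on AdminCount would miss. Get-ADGroupMember -Recursive does not expand foreign security principals from trusted domains, so those members are not covered by this check.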

By GoN | Published: Feb 2025 | Last Updated:

Friday, January 31, 2025

WINDOWS. PS. Users list

Purpose

List AD users with the most important properties and then work with them in Excel.

Steps

Run the script:

# Import the Active Directory module
Import-Module ActiveDirectory

# Get all users and select the desired fields, then export to a "#"-delimited CSV
Get-ADUser -Filter * -Property SamAccountName, DisplayName, CN, Enabled, LockedOut, AccountExpirationDate, EmailAddress, WhenCreated, LastLogonDate, PasswordLastSet, LogonWorkstations, PasswordNeverExpires, PasswordNotRequired, DistinguishedName, Description |
Select-Object SamAccountName,
              DisplayName,
              CN,
              Enabled,
              LockedOut,
              AccountExpirationDate,
              EmailAddress,
              WhenCreated,
              LastLogonDate,
              PasswordLastSet,
              LogonWorkstations,
              @{Name="La cuenta expira";Expression={$_.AccountExpirationDate}},
              @{Name="la contraseña nunca expira";Expression={$_.PasswordNeverExpires}},
              @{Name="no requiere contraseña";Expression={$_.PasswordNotRequired}},
              DistinguishedName,
              Description |
Export-Csv -Path "C:\tmp\Usuarios30012025.csv" -NoTypeInformation -Encoding UTF8 -Delimiter "#"

We will be left with output like this:
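Once the export exists, the same data can be triaged without Excel. The script below is an added example, not part of the original post: it reads the CSV written above (same path, delimiter and encoding assumed) and flags accounts whose settings weaken the password policy or that look abandoned. The 90-day staleness threshold is an assumption; the column names are the ones the export above produces.

```powershell
# Added example (not the original post's code): flag risky accounts from the exported CSV.
$CsvPath   = "C:\tmp\Usuarios30012025.csv"        # path assumed to match the export above
$StaleDays = 90                                    # assumed threshold for "stale" logons
$Users     = Import-Csv -Path $CsvPath -Delimiter "#" -Encoding UTF8
$StaleAfter = (Get-Date).AddDays(-$StaleDays)

# Export-Csv writes dates in the current culture, so parse them back the same way
function ConvertTo-ExportedDate([string]$Text) {
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    return [datetime]::Parse($Text, [cultureinfo]::CurrentCulture)
}

$Findings = foreach ($u in $Users) {
    $reasons  = @()
    $enabled  = ($u.Enabled -eq 'True')
    $lastLogon = ConvertTo-ExportedDate $u.LastLogonDate

    if ($u.'no requiere contraseña' -eq 'True')     { $reasons += 'PasswordNotRequired' }
    if ($u.'la contraseña nunca expira' -eq 'True') { $reasons += 'PasswordNeverExpires' }
    if ($enabled -and -not $lastLogon)               { $reasons += 'NeverLoggedOn' }
    if ($enabled -and $lastLogon -and $lastLogon -lt $StaleAfter) { $reasons += "StaleLogon(>$StaleDays d)" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Findings       = ($reasons -join ';')
        }
    }
}

$Findings | Sort-Object SamAccountName | Format-Table -AutoSize
$Findings | Export-Csv -Path "C:\tmp\Usuarios_findings.csv" -NoTypeInformation -Encoding UTF8 -Delimiter "#"
```

LastLogonDate is replicated only every 9 to 14 days, so an account that logged on recently can still show a date a few days old; treat the stale flag as a candidate list to confirm, not as proof of abandonment.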



By GoN | Published: Jan 2025 | Last Updated:

WINDOWS. GPO. Block executables

Purpose

The purpose of this post is to block an executable on a network of PCs.

Steps

Here are the steps to block the VNC.exe program (or any executable) on all domain PCs, even if you don’t know its location:


  • Open the Group Policy Management Editor
    • On the server, open “Server Manager” and select “Tools” > “Group Policy Management”.
  • Create a new GPO:
    • Right-click on the domain or the organizational unit (OU) where you want to apply the policy and select “Create a GPO in this domain, and Link it here”.
    • Name the new GPO, for example, “Block VNC.exe”.
  • Configure the GPO:
    • Right-click on the new GPO and select “Edit”.
    • Navigate to “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings” > “Software Restriction Policies”.
    • Right-click on “Software Restriction Policies” and select “Create New Policies”.
  • Add a path-based restriction rule:
    • Under “Additional Rules”, right-click and select “New Path Rule”.
    • In the path field, enter *\vnc.exe to block any file named vnc.exe regardless of its location.
    • Set the rule to “Disallowed”.
  • Apply the GPO:
    • Close the Group Policy Management Editor.
    • In the “Group Policy Management” console, ensure the GPO is linked to the correct domain or OU.
  • Update policies on domain PCs:
    • On each domain PC, open a command prompt and run gpupdate /force to apply the new policies immediately.

These steps should help you block the vnc.exe program on all domain PCs, regardless of its folder location.


You only have to modify the highlighted part (shown in yellow); the rest of the GPO content is filled in automatically.

As a point of improvement, in case someone renames the executable, the rule could be set by hash instead of by path.
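Two things are worth checking on a client after gpupdate /force: that the Disallowed path rule really arrived, and whether copies of the binary exist under another name, which is exactly the case the hash rule is meant to cover. The script below is an added example, not part of the original post. It reads the applied Software Restriction Policy rules from the registry location where SRP stores them (security level 0 is Disallowed) and hashes executables under a few assumed folders; $ReferenceHash is a placeholder to be computed from a known copy of vnc.exe with Get-FileHash.

```powershell
# Added example (not the original post's code): verify the SRP rule on a domain PC
# and find renamed copies of the blocked binary by hash.
$ReferenceHash = 'REPLACE-WITH-SHA256-OF-VNC.EXE'   # placeholder: Get-FileHash on a known copy
$BlockedName   = 'vnc.exe'
$ScanRoots     = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:TEMP) |
                 Where-Object { $_ -and (Test-Path $_) }   # assumed folders; adjust to your estate

# 1. Disallowed path rules delivered by policy (CodeIdentifiers\0 = Disallowed level)
$PathRuleKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
if (Test-Path $PathRuleKey) {
    Get-ChildItem $PathRuleKey | ForEach-Object {
        "Disallowed path rule applied: " + (Get-ItemProperty $_.PSPath).ItemData
    }
} else {
    Write-Warning "No Disallowed path rules found; the GPO may not have applied yet."
}

# 2. Executables matching the reference hash, whatever their file name
function Find-RenamedCopies {
    param([string[]]$Roots, [string]$Hash, [string]$Name)
    Get-ChildItem -Path $Roots -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -eq $Hash) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    CaughtByPathRule = ($_.Name -ieq $Name)   # False means only a hash rule would block it
                }
            }
        }
}

Find-RenamedCopies -Roots $ScanRoots -Hash $ReferenceHash -Name $BlockedName | Format-Table -AutoSize
```

Any row with CaughtByPathRule = False is a copy the path rule lets through, and a hash rule built from the same binary would stop it; a rebuilt or repacked binary changes the hash, so hash rules need refreshing whenever a new version of the blocked program appears.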

By GoN | Published: Jan 2025 | Last Updated: