Here is a cheat sheet of PowerShell commands for interacting with AD and Office 365 that I regularly use as a SOC analyst.
Get AD Password Information — Can be used to find stale accounts or users that don’t require authentication
Get-ADUser -Filter * -Properties Name,UserPrincipalName,Enabled,PasswordNeverExpires,PasswordExpired,PasswordNotRequired,AccountExpirationDate,PasswordLastSet | Export-Csv userpasswordinfo.csv
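As an added example (not part of the original cheat sheet), the function below triages rows shaped like the userpasswordinfo.csv export and lists only the enabled accounts that need review. The function name Get-RiskyAccount, the 180-day staleness threshold and the sample rows are assumptions made for illustration.

```powershell
# Added example: flag enabled accounts with weak password settings or stale passwords.
# Get-RiskyAccount and the 180-day default are hypothetical, not from the original page.
function Get-RiskyAccount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $StaleDays = 180,
        [datetime] $Now = (Get-Date)
    )
    process {
        # Import-Csv yields strings, so compare against 'True' rather than $true
        if ("$($User.Enabled)" -ne 'True') { return }   # skip disabled accounts

        $findings = @()
        if ("$($User.PasswordNotRequired)" -eq 'True')  { $findings += 'PasswordNotRequired' }
        if ("$($User.PasswordNeverExpires)" -eq 'True') { $findings += 'PasswordNeverExpires' }

        $lastSet = [datetime]::MinValue
        $raw = $User.PasswordLastSet
        if ($raw -is [datetime]) {
            $lastSet = $raw                              # live Get-ADUser object
        } elseif ([string]::IsNullOrWhiteSpace("$raw")) {
            $findings += 'PasswordNeverSet'              # empty value: no password set
        } elseif (-not [datetime]::TryParse("$raw", [ref]$lastSet)) {
            $findings += 'PasswordLastSetUnparsed'       # do not silently ignore bad rows
        }
        if ($lastSet -ne [datetime]::MinValue) {
            $age = [int][math]::Floor(($Now - $lastSet).TotalDays)
            if ($age -gt $StaleDays) { $findings += "PasswordAge=${age}d" }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Findings       = $findings -join ';'
            }
        }
    }
}

# Constructed sample rows standing in for the real export
$sample = @'
SamAccountName,Enabled,PasswordNeverExpires,PasswordNotRequired,PasswordLastSet
svc-backup,True,True,False,2019-03-02
jsmith,True,False,False,2024-05-20
kiosk01,True,False,True,
olduser,False,True,True,2015-01-01
'@ | ConvertFrom-Csv

$sample | Get-RiskyAccount -Now ([datetime]'2024-06-01') | Format-Table -AutoSize
```

To run it against the real export, use `Import-Csv userpasswordinfo.csv | Get-RiskyAccount`.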
Get Admins with an SPN — Any account in this list is a good target for Kerberoasting attacks
Get-ADUser -Filter {(ServicePrincipalName -like "*") -and (AdminCount -eq 1)} -Properties * | Select SAMAccountname,PasswordLastSet | Sort PasswordLastSet
Get Email from List of usernames
Get-Content usernames.txt | Foreach-object { Get-ADUser $_ -Properties Name,UserPrincipalName,Enabled} | Export-csv output.csv
Get Usernames from List of Emails
Get-Content upns.txt | ForEach-Object { Get-ADUser -LDAPFilter "(mail=$_)" } | Select-Object -ExpandProperty sAMAccountName | Out-File "upn2user.txt"
Set PowerShell to use your current proxy authentication
$wc = new-object System.Net.WebClient
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
Get all Exchange Distribution groups a user is in (Requires Exchange Online PowerShell)
$Username = "upn@company.com.au"
$DistributionGroups = Get-DistributionGroup -ResultSize Unlimited | where { (Get-DistributionGroupMember $_.Name | foreach {$_.PrimarySmtpAddress}) -contains "$Username"}