author | HarmJ0y <will@harmj0y.net> | 2016-12-12 14:35:05 -0500 |
---|---|---|
committer | HarmJ0y <will@harmj0y.net> | 2016-12-12 14:35:05 -0500 |
commit | 7c32bf69f334b7c15c644cdb41188bdfe1a0b0e8 (patch) | |
tree | e6a509d670bb16303a6207a5c07f1c1d848c1ac0 /Recon/Recon.psd1 | |
parent | eae4695b136a8ef273b7474a5e36641808f12dd7 (diff) | |
download | PowerSploit-7c32bf69f334b7c15c644cdb41188bdfe1a0b0e8.tar.gz PowerSploit-7c32bf69f334b7c15c644cdb41188bdfe1a0b0e8.zip |
-Complete ground-up rewrite of PowerView
-Lots of function cleanup/code rot removal and standardization
-Additional options added to Get-DomainSearcher in order to support new param sets
-Expanded parameter validation
-XML help format standardized
-PSScriptAnalyzer fixups - passes PSScriptAnalyzer now!
-Nearly all functions should tag custom types to output objects
-Identity supported by all appropriate functions
-Transformed all filters to functions
-Expanded the formats for Convert-ADName
-Get-SPNTicket returns enc part automatically now, and Hashcat output format added
-Write-Verbose/Write-Warning/Throw messages now have the function name tagged in the message
-Verb-Domain* functions now all include a -FindOne function to return one result
-Get-DomainUserEvent now uses -XPathFilter for a massive speedup
-ALL Verb-Domain* (LDAP) functions now return full data objects (no more -FullData). Use -Properties for paring down.
-Lots of bug fixes
-"Required Dependencies" for each function completed
-Fixed logic bugs for -ComputerIdentity in Get-DomainGPO, now enumerates domain-linked GPOs as well
-Added -UserIdentity to Get-DomainGPO to enumerate GPOs applied to a given user identity
New function naming scheme with proper Verb-PrefixNoun syntax to better match the 'real' AD cmdlets:
Verbs:
Get - retrieve full raw data sets
Find - 'find' specific data entries in a data set or execute threaded computer enumeration
Add - add a new object to a destination
Set - modify a given object
Invoke - lazy catch-all
Prefixes now give an indication of the data source:
Verb-DomainX - LDAP/.NET AD connections (e.g. Get-DomainUser)
Verb-WMIX - Uses WMI for connections/enumeration of a specific host (e.g. Get-WMIRegLastLoggedOn)
Verb-NetX - API access (e.g. Get-NetSession)
Nouns have been renamed to be more descriptive
Big gotcha:
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
-Parameter sets standardized - parameters shared as appropriate across functions
-Identity -> replaces -UserName/-GroupName/etc. Accepts samAccountName, GUID, distinguishedName, SID
-these can be used in tandem -> Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
-Properties -> return only the specified properties (i.e. Get-DomainUser -Properties samAccountName,lastLogon)
-LDAPFilter replaces -Filter, -SearchBase replaces -ADSPath, -Server replaces -DomainController
-ServerTimeLimit, -SearchScope, -Tombstone, -SecurityMasks added for most functions
All functions (as appropriate) now support -Credential:
-Verb-Domain* (LDAP) functions use alternate creds for a DirectorySearcher through Get-DomainSearcher
-COM methods (i.e. Convert-ADName) use appropriate initializations
-Verb-WMI methods pass the -Credential through as appropriate
-Verb-Net* (API) functions use Invoke-UserImpersonation/Invoke-RevertToSelf implicitly for token impersonation
Removed functions:
Get-ComputerProperty, Get-UserProperty, Find-ComputerField, Find-UserField
Get-NameField (translated to ValueFromPipelineByPropertyName calls)
Invoke-DowngradeAccount - not used
Add-NetUser - split into New-DomainUser/others
Add-NetGroupUser - split into Add-DomainGroupMember/others
New-GPOImmediateTask - inconsistent and better done manually
Invoke-StealthUserHunter - combined into Find-DomainUserLocation
Get-ExploitableSystem
Added helper functions:
Get-PrincipalContext - helper to return a DirectoryServices.AccountManagement.PrincipalContext
Get-ForestSchemaClass - returns the forest schema for a specified object class
Added exported functions:
Add-RemoteConnection - 'mounts' a remote UNC path using WNetAddConnection2W
Remove-RemoteConnection - 'unmounts' a remote UNC path using WNetCancelConnection2
Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token in the current thread
Invoke-RevertToSelf - reverts any token impersonation
Invoke-Kerberoast - automates Kerberoasting
Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' properties sets
New-DomainUser - creates a new domain user
New-DomainGroup - creates a new domain group
Add-DomainGroupMember - adds a domain user (or group) to an existing domain group
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
Renamed functions (aliases created for old functions):
Get-IPAddress -> Resolve-IPAddress
Convert-NameToSid -> ConvertTo-SID
Convert-SidToName -> ConvertFrom-SID
Request-SPNTicket -> Get-DomainSPNTicket
Get-DNSZone -> Get-DomainDNSZone
Get-DNSRecord -> Get-DomainDNSRecord
Get-NetDomain -> Get-Domain
Get-NetDomainController -> Get-DomainController
Get-NetForest -> Get-Forest
Get-NetForestDomain -> Get-ForestDomain
Get-NetForestCatalog -> Get-ForestGlobalCatalog
Get-NetUser -> Get-DomainUser
Get-UserEvent -> Get-DomainUserEvent
Get-NetComputer -> Get-DomainComputer
Get-ADObject -> Get-DomainObject
Set-ADObject -> Set-DomainObject
Get-ObjectAcl -> Get-DomainObjectAcl
Add-ObjectAcl -> Add-DomainObjectAcl
Invoke-ACLScanner -> Find-InterestingDomainAcl
Get-GUIDMap -> Get-DomainGUIDMap
Get-NetOU -> Get-DomainOU
Get-NetSite -> Get-DomainSite
Get-NetSubnet -> Get-DomainSubnet
Get-NetGroup -> Get-DomainGroup
Find-ManagedSecurityGroups -> Get-DomainManagedSecurityGroup
Get-NetGroupMember -> Get-DomainGroupMember
Get-NetFileServer -> Get-DomainFileServer
Get-DFSshare -> Get-DomainDFSShare
Get-NetGPO -> Get-DomainGPO
Get-NetGPOGroup -> Get-DomainGPOLocalGroup
Find-GPOLocation -> Get-DomainGPOUserLocalGroupMapping
Find-GPOComputerAdmin -> Get-DomainGPOComputerLocalGroupMapping
Get-LoggedOnLocal -> Get-RegLoggedOn
Test-AdminAccess -> Invoke-CheckLocalAdminAccess
Get-SiteName -> Get-NetComputerSiteName
Get-Proxy -> Get-WMIRegProxy
Get-LastLoggedOn -> Get-WMIRegLastLoggedOn
Get-CachedRDPConnection -> Get-WMIRegCachedRDPConnection
Get-RegistryMountedDrive -> Get-WMIRegMountedDrive
Get-NetProcess -> Get-WMIProcess
Invoke-ThreadedFunction -> New-ThreadedFunction
Invoke-UserHunter -> Find-DomainUserLocation
Invoke-ProcessHunter -> Find-DomainProcess
Invoke-EventHunter -> Find-DomainUserEvent
Invoke-ShareFinder -> Find-DomainShare
Invoke-FileFinder -> Find-InterestingDomainShareFile
Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember
Get-NetDomainTrust -> Get-DomainTrust
Get-NetForestTrust -> Get-ForestTrust
Find-ForeignUser -> Get-DomainForeignUser
Find-ForeignGroup -> Get-DomainForeignGroupMember
Invoke-MapDomainTrust -> Get-DomainTrustMapping
Diffstat (limited to 'Recon/Recon.psd1')
-rw-r--r-- | Recon/Recon.psd1 | 140 |
1 files changed, 70 insertions, 70 deletions
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index a170218..64953b0 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -23,83 +23,83 @@ PowerShellVersion = '2.0' # Functions to export from this module
FunctionsToExport = @(
- 'Add-NetGroupUser',
- 'Add-NetUser',
- 'Add-ObjectAcl',
- 'Convert-NameToSid',
- 'Convert-SidToName',
+ 'Export-PowerViewCSV',
+ 'Resolve-IPAddress',
+ 'ConvertTo-SID',
+ 'ConvertFrom-SID',
'Convert-ADName',
'ConvertFrom-UACValue',
- 'Export-PowerViewCSV',
- 'Find-ComputerField',
- 'Find-ForeignGroup',
- 'Find-ForeignUser',
- 'Find-GPOComputerAdmin',
- 'Find-GPOLocation',
- 'Find-InterestingFile',
- 'Find-LocalAdminAccess',
- 'Find-ManagedSecurityGroups',
- 'Find-UserField',
- 'Get-ADObject',
- 'Get-CachedRDPConnection',
- 'Get-ComputerDetails',
- 'Get-ComputerProperty',
- 'Get-DFSshare',
- 'Get-DNSRecord',
- 'Get-DNSZone',
- 'Get-DomainPolicy',
+ 'Add-RemoteConnection',
+ 'Remove-RemoteConnection',
+ 'Invoke-UserImpersonation',
+ 'Invoke-RevertToSelf',
+ 'Get-DomainSPNTicket',
+ 'Invoke-Kerberoast',
+ 'Get-PathAcl',
+ 'Get-DomainDNSZone',
+ 'Get-DomainDNSRecord',
+ 'Get-Domain',
+ 'Get-DomainController',
+ 'Get-Forest',
+ 'Get-ForestDomain',
+ 'Get-ForestGlobalCatalog',
+ 'Find-DomainObjectPropertyOutlier',
+ 'Get-DomainUser',
+ 'New-DomainUser',
+ 'Get-DomainUserEvent',
+ 'Get-DomainComputer',
+ 'Get-DomainObject',
+ 'Set-DomainObject',
+ 'Get-DomainObjectAcl',
+ 'Add-DomainObjectAcl',
+ 'Find-InterestingDomainAcl',
+ 'Get-DomainOU',
+ 'Get-DomainSite',
+ 'Get-DomainSubnet',
'Get-DomainSID',
- 'Get-ExploitableSystem',
- 'Get-GUIDMap',
- 'Get-HttpStatus',
- 'Get-IPAddress',
- 'Get-LastLoggedOn',
- 'Get-LoggedOnLocal',
- 'Get-NetComputer',
- 'Get-NetDomain',
- 'Get-NetDomainController',
- 'Get-NetDomainTrust',
- 'Get-NetFileServer',
- 'Get-NetForest',
- 'Get-NetForestCatalog',
- 'Get-NetForestDomain',
- 'Get-NetForestTrust',
- 'Get-NetGPO',
- 'Get-NetGPOGroup',
- 'Get-NetGroup',
- 'Get-NetGroupMember',
+ 'Get-DomainGroup',
+ 'New-DomainGroup',
+ 'Get-DomainManagedSecurityGroup',
+ 'Get-DomainGroupMember',
+ 'Add-DomainGroupMember',
+ 'Get-DomainFileServer',
+ 'Get-DomainDFSShare',
+ 'Get-DomainGPO',
+ 'Get-DomainGPOLocalGroup',
+ 'Get-DomainGPOUserLocalGroupMapping',
+ 'Get-DomainGPOComputerLocalGroupMapping',
+ 'Get-DomainPolicy',
'Get-NetLocalGroup',
+ 'Get-NetLocalGroupMember',
+ 'Get-NetShare',
'Get-NetLoggedon',
- 'Get-NetOU',
- 'Get-NetProcess',
- 'Get-NetRDPSession',
'Get-NetSession',
- 'Get-NetShare',
- 'Get-NetSite',
- 'Get-NetSubnet',
- 'Get-NetUser',
- 'Get-ObjectAcl',
- 'Get-PathAcl',
- 'Get-Proxy',
- 'Get-RegistryMountedDrive',
- 'Get-SiteName',
- 'Get-UserEvent',
- 'Get-UserProperty',
- 'Invoke-ACLScanner',
- 'Invoke-CheckLocalAdminAccess',
- 'Invoke-DowngradeAccount',
- 'Invoke-EnumerateLocalAdmin',
- 'Invoke-EventHunter',
- 'Invoke-FileFinder',
- 'Invoke-MapDomainTrust',
+ 'Get-RegLoggedOn',
+ 'Get-NetRDPSession',
+ 'Test-AdminAccess',
+ 'Get-NetComputerSiteName',
+ 'Get-WMIRegProxy',
+ 'Get-WMIRegLastLoggedOn',
+ 'Get-WMIRegCachedRDPConnection',
+ 'Get-WMIRegMountedDrive',
+ 'Get-WMIProcess',
+ 'Find-InterestingFile',
+ 'Find-DomainUserLocation',
+ 'Find-DomainProcess',
+ 'Find-DomainUserEvent',
+ 'Find-DomainShare',
+ 'Find-InterestingDomainShareFile',
+ 'Find-LocalAdminAccess',
+ 'Get-DomainLocalGroupMember',
+ 'Get-DomainTrust',
+ 'Get-ForestTrust',
+ 'Get-DomainForeignUser',
+ 'Get-DomainForeignGroupMember',
+ 'Get-DomainTrustMapping',
+ 'Get-ComputerDetails',
+ 'Get-HttpStatus',
'Invoke-Portscan',
- 'Invoke-ProcessHunter',
- 'Invoke-ReverseDnsLookup',
- 'Invoke-ShareFinder',
- 'Invoke-UserHunter',
- 'New-GPOImmediateTask',
- 'Request-SPNTicket',
- 'Set-ADObject'
+ 'Invoke-ReverseDnsLookup'
)
# List of all files packaged with this module
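Review bot: the export list contradicts the rename table in the commit message for the local-admin check: the hunk removes 'Invoke-CheckLocalAdminAccess' and adds 'Test-AdminAccess', while the message says "Test-AdminAccess -> Invoke-CheckLocalAdminAccess"; either the message has the direction reversed or the manifest exports the old name, and one of the two should be corrected before merge. Since the message states that aliases are created for every old function name (Get-NetUser, Invoke-UserHunter, ...), the manifest also needs a matching AliasesToExport entry, which is not visible in this hunk; without it, consumers loading the module through Recon.psd1 will not see the old names even though PowerView.ps1 defines them. Minor style point: the previous FunctionsToExport block was alphabetical and the new one is grouped by data source, so either re-sort it or add a short comment per group (e.g. "# Verb-Domain* (LDAP)", "# Verb-Net* (API)") so later additions land in a predictable place.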