{
	"id": "14ca6ec5-a91b-4d9c-a85d-539f48e0877e",
	"created_at": "2026-04-06T00:07:33.857733Z",
	"updated_at": "2026-04-10T03:24:29.48545Z",
	"deleted_at": null,
	"sha1_hash": "cd94217807d697cd0007e6727fdae1d7df496f62",
	"title": "PowerSploit/Recon at master · PowerShellMafia/PowerSploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54575,
	"plain_text": "PowerSploit/Recon at master · PowerShellMafia/PowerSploit\r\nBy HarmJ0y\r\nArchived: 2026-04-05 20:28:44 UTC\r\nTo install this module, drop the entire Recon folder into one of your module directories. The default PowerShell\r\nmodule paths are listed in the $Env:PSModulePath environment variable.\r\nThe default per-user module path is:\r\n\"$Env:HomeDrive$Env:HOMEPATH\\Documents\\WindowsPowerShell\\Modules\" The default computer-level\r\nmodule path is: \"$Env:windir\\System32\\WindowsPowerShell\\v1.0\\Modules\"\r\nTo use the module, type Import-Module Recon\r\nTo see the commands imported, type Get-Command -Module Recon\r\nFor help on each individual command, Get-Help is your friend.\r\nNote: The tools contained within this module were all designed such that they can be run individually. Including\r\nthem in a module simply lends itself to increased portability.\r\nPowerView\r\nPowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of\r\npure-PowerShell replacements for various windows \"net *\" commands, which utilize PowerShell AD hooks and\r\nunderlying Win32 API functions to perform useful Windows domain functionality.\r\nIt also implements various useful metafunctions, including some custom-written user-hunting functions which will\r\nidentify where on the network specific users are logged into. It can also check which machines on the domain the\r\ncurrent user has local administrator access on. Several functions for the enumeration and abuse of domain trusts\r\nalso exist. See function descriptions for appropriate usage and available options. For detailed output of underlying\r\nfunctionality, pass the -Verbose or -Debug flags.\r\nFor functions that enumerate multiple machines, pass the -Verbose flag to get a progress status as each host is\r\nenumerated. 
Most of the \"meta\" functions accept an array of hosts from the pipeline.\r\nMisc Functions:\r\nExport-PowerViewCSV - thread-safe CSV append\r\nResolve-IPAddress - resolves a hostname to an IP\r\nConvertTo-SID - converts a given user/group name to a security identifier (SID)\r\nConvert-ADName - converts object names between a variety of formats\r\nConvertFrom-UACValue - converts a UAC int value to human readable form\r\nAdd-RemoteConnection - pseudo \"mounts\" a connection to a remote path using the specified credential\r\nRemove-RemoteConnection - destroys a connection created by New-RemoteConnection\r\nInvoke-UserImpersonation - creates a new \"runas /netonly\" type logon and impersonates the token\r\nInvoke-RevertToSelf - reverts any token impersonation\r\nGet-DomainSPNTicket - request the Kerberos ticket for a specified service principal name (SPN)\r\nInvoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted\r\nGet-PathAcl - get the ACLs for a local/remote file path with optional group recursion\r\nDomain/LDAP Functions:\r\nGet-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain\r\nGet-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone\r\nGet-Domain - returns the domain object for the current (or specified) domain\r\nGet-DomainController - return the domain controllers for the current (or specified) domain\r\nGet-Forest - returns the forest object for the current (or specified) forest\r\nGet-ForestDomain - return all domains for the current (or specified) forest\r\nGet-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest\r\nFind-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' properties set\r\nGet-DomainUser - return all users or specific user objects in AD\r\nNew-DomainUser - creates a new domain user (assuming 
appropriate permissions) and returns the\r\nSet-DomainUserPassword - sets the password for a given user identity and returns the user object\r\nGet-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential\r\nGet-DomainComputer - returns all computers or specific computer objects in AD\r\nGet-DomainObject - returns all (or specified) domain objects in AD\r\nSet-DomainObject - modifies a given property for a specified active directory object\r\nGet-DomainObjectAcl - returns the ACLs associated with a specific active directory object\r\nAdd-DomainObjectAcl - adds an ACL for a specific active directory object\r\nFind-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rig\r\nGet-DomainOU - search for all organization units (OUs) or specific OU objects in AD\r\nGet-DomainSite - search for all sites or specific site objects in AD\r\nGet-DomainSubnet - search for all subnets or specific subnet objects in AD\r\nGet-DomainSID - returns the SID for the current domain or the specified domain\r\nGet-DomainGroup - return all groups or specific group objects in AD\r\nNew-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns th\r\nGet-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a ma\r\nGet-DomainGroupMember - return the members of a specific domain group\r\nAdd-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropri\r\nGet-DomainFileServer - returns a list of servers likely functioning as file servers\r\nGet-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the curren\r\nGPO functions\r\nGet-DomainGPO - returns all GPOs or specific GPO objects in AD\r\nGet-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships thr\r\nGet-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain 
user/group is a memb\r\nGet-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups ar\r\nGet-DomainPolicy - returns the default domain policy or the domain controller policy fo\r\nComputer Enumeration Functions\r\nGet-NetLocalGroup - enumerates the local groups on the local (or remote) machine\r\nGet-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) ma\r\nGet-NetShare - returns open shares on the local (or a remote) machine\r\nGet-NetLoggedon - returns users logged on the local (or a remote) machine\r\nGet-NetSession - returns session information for the local (or a remote) machine\r\nGet-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enume\r\nGet-NetRDPSession - returns remote desktop/session information for the local (or a remote) m\r\nTest-AdminAccess - tests if the current user has administrative access to the local (or a r\r\nGet-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides\r\nGet-WMIRegProxy - enumerates the proxy server and WPAD contents for the current user\r\nGet-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine\r\nGet-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or re\r\nGet-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or\r\nGet-WMIProcess - returns a list of processes and their owners on the local or remote mach\r\nFind-InterestingFile - searches for files on the given path that match a series of specified cr\r\nThreaded 'Meta'-Functions\r\nFind-DomainUserLocation - finds domain machines where specific users are logged into\r\nFind-DomainProcess - finds domain machines where specific processes are currently running\r\nFind-DomainUserEvent - finds logon events on the current 
(or remote domain) for the specified u\r\nFind-DomainShare - finds reachable shares on domain machines\r\nFind-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the\r\nFind-LocalAdminAccess - finds machines on the local domain where the current user has local admi\r\nFind-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domai\r\nDomain Trust Functions:\r\nGet-DomainTrust - returns all domain trusts for the current domain or a specified domain\r\nGet-ForestTrust - returns all forest trusts for the current forest or a specified forest\r\nGet-DomainForeignUser - enumerates users who are in groups outside of the user's domain\r\nGet-DomainForeignGroupMember - enumerates groups with users outside of the group's domain and returns e\r\nGet-DomainTrustMapping - this function enumerates all trusts for the current domain and then enum\r\nSource: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon"
	],
	"report_names": [
		"Recon"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434053,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd94217807d697cd0007e6727fdae1d7df496f62.pdf",
		"text": "https://archive.orkl.eu/cd94217807d697cd0007e6727fdae1d7df496f62.txt",
		"img": "https://archive.orkl.eu/cd94217807d697cd0007e6727fdae1d7df496f62.jpg"
	}
}