basic-enumeration

For enumeration we can use the following tools:

• The ActiveDirectory PowerShell module (MS signed and works even in PowerShell CLM)

  • https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps

  • https://github.com/samratashok/ADModule

• BloodHound (C# and PowerShell Collectors)

  • https://github.com/BloodHoundAD/BloodHound

• PowerView (PowerShell)

  • https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

• SharpView (C#) - Doesn't support filtering using Pipeline

  • https://github.com/tevora-threat/SharpView/

Basic Enumeration

ℹ️ Info:

PowerView is used primarily on this page unless stated otherwise.

Domain Enumeration

Get current domain

Get-Domain

Get object of another domain

Get-Domain -Domain <Domain>

Get domain SID for the current domain

Get-DomainSID

Domain Policy Enumeration

Get domain policy for the current domain

Get-DomainPolicyData
(Get-DomainPolicyData).SystemAccess

Get domain policy for another domain

Get-DomainPolicy -Domain <Domain>
(Get-DomainPolicy -Domain <Domain>).SystemAccess

Get Domain Kerberos Policy Information

(Get-DomainPolicy).KerberosPolicy

Domain Controller Enumeration

Get Domain Controllers for the current domain

Get-DomainController

Get Domain Controller for another domain

Get-DomainController -Domain <Domain>

Get Primary Domain Controller

Get-Domain | Select-Object 'PdcRoleOwner'

Get Primary Domain Controller of different Domain

Get-Domain -Domain <Domain> | Select-Object 'PdcRoleOwner'

Domain User Enumeration

Get Domain Users Information

Get-DomainUser

Get Domain Users Information of different Domain

Get-DomainUser -Domain <Domain>

Get list of all properties for users in the current domain

Get-DomainUser -Identity <User> -Properties *

Get Domain Users with Descriptions

Get-DomainUser -LDAPFilter "Description=*" | Select Name,Description

Get Domain Enabled Accounts

Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties Name,Description,pwdlastset,badpwdcount | Sort Name

Get Domain Users and their Groups

Get-DomainUser -Properties name, MemberOf | fl

Get Foreign Users

Find-ForeignUser

Get last Domain User logged on

Get-NetLoggedon
Get-LastLoggedOn -ComputerName servername

Get actively logged users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName servername

Get locally logged users on a computer (needs remote registry on the target started by default on server OS)

Get-LoggedonLocal -ComputerName dcorp-dc

Get Domain Kerberoastable Accounts

Get-DomainUser -SPN | Select Name, ServicePrincipalName

Get Domain AS-REP Roastable Accounts

Get-DomainUser -PreauthNotRequired -Verbose

Get Constrained Delegation enabled Accounts

Get-DomainUser -TrustedToAuth | Select Name, msds-allowedtodelegateto

Get Enterprise Admins

Get-NetGroup -GroupName "Enterprise Admins" -Domain contoso.local -FullData

Domain User Hunting

Find all machines on the current domain where the current user has local admin access

Find-LocalAdminAccess –Verbose

This can also be done with the help of remote administration tools like WMI and PowerShell remoting. Pretty useful in cases ports (RPC and SMB) used by Find-LocalAdminAccess are blocked.

Find-WMILocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess.ps1

Find computers where a domain admin (or specified user/group) has sessions

Find-DomainUserLocation -Verbose 
Find-DomainUserLocation -UserGroupIdentity "StudentUsers"

Find computers where a domain admin session is available and current user has admin access

Find-DomainUserLocation -CheckAccess

Find computers (File Servers and Distributed File servers) where a domain admin session is available.

Find-DomainUserLocation –Stealth

List sessions on remote machines (InvokeSessionHunter)

https://github.com/Leo4j/Invoke-SessionHunter

Invoke-SessionHunter -FailSafe

An opsec friendly command would be (avoid connecting to all the target machines by specifying targets)

Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt

Domain Computer Enumeration

Get Domain Computers Information

Get-DomainComputer

Get short Domain Computers Information

Get-DomainComputer | Select Name,Description,Operatingsystem | Sort Name

Get Domain Computers Information of alive Computers

Get-DomainComputer -Ping

Get Domain Computers with Unconstrained Delegation enabled

Get-DomainComputer -Unconstrained | select Name

Get Domain Computers with Constrained Delegation enabled

Get-DomainComputer -TrustedToAuth | select Name, msds-allowedtodelegateto

Get Domain Computers with specific Operating System

Get-DomainComputer -OperatingSystem "Windows Server 2022*"

Domain Group Enumeration

Get Domain Groups Information

Get-DomainGroup

Get Domain Groups Information of different Domain

Get-DomainGroup -Domain <Domain>

Get Domain Groups Name

Get-DomainGroup -Properties SamAccountName | Sort SamAccountName

Get Domain Groups a User is in

Get-DomainGroup -UserName '<User>' -Properties name,description,distinguishedname

Get Members of Domain Group

Get-DomainGroupMember -Identity <Group> -Recurse | Select Groupname,Membername | Sort Groupname

Get Domain Groups and Members of Domain Groups

Get-DomainGroup | Get-DomainGroupMember | Select GroupName,MemberName | Sort GroupName

Get Recursive search of Domain Groups

Get-DomainGroupMember -Identity "<Group>" -Recurse | Select GroupName,MemberName

Get Domain Groups containing a specific word

Get-DomainGroup "*admin*" -Properties SamAccountName | Sort SamAccountName

Get Domain Groups with Administrator privileges

Get-DomainGroup -AdminCount | select name,memberof,admincount,member | fl

Get Foreign Groups

Find-ForeignGroup

Get Local Groups

Get-NetLocalGroup

Get Local Groups of different Computer

Get-NetLocalGroup -ComputerName <Hostname>

Get Members of Local Group

Get-NetLocalGroupMember -ComputerName <Hostname> -GroupName <Group>

Get Local Groups of Domain Controllers

Get-DomainController | Get-NetLocalGroup

Domain Group Policy Enumeration

**Get Domain GPOs

Get-DomainGPO
Get-DomainGPO -Properties DisplayName,CN

Get Domain GPOs applied to Computer

Get-DomainGPO -ComputerIdentity <Hostname>.<Domain> | select DisplayName

Get Domain GPOs Restricted Groups

Get-DomainGPOLocalGroup

Get users which are in a local group of a machine using GPO

Get-DomainGPOComputerLocalGroupMapping –ComputerIdentity student1.us.techcorp.local

Get machines where the given user is member of a specific group

Get-DomainGPOUserLocalGroupMapping -Identity studentuser1 -Verbose

Get Domain GPOs Permissions

Get-DomainGPO | Get-ObjectAcl

Get Domain GPO Restricted Groups and list each member of the groups

$GroupNames = Get-NetGPOGroup -ResolveMembersToSIDs | Select-Object -ExpandProperty "GroupName" ; foreach ($GroupName in $GroupNames) {$ModifiedGroupName = $GroupName -replace '^.*\\' ; Get-DomainGroupMember -Identity $ModifiedGroupName}

Domain Organizational Unit Enumeration

Get OUs in a domain

Get-DomainOU
Get-DomainOU -Properties Name,Description,Gplink 

Get Domain Organizational Units of different Domain

Get-DomainOU -Domain <Domain>

Get GPO applied on an OU

Get-DomainGPO -Identity '{<GPLink>}'
Get-DomainGPO -Identity '{6AC1786C-016F-11D2-945F-00C04fB984F9}'

Get users which are in a local group of a machine in any OU using GPO

(Get-DomainOU).distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
(Get-DomainOU -Identity 'OU=Mgmt,DC=us,DC=techcorp,DC=local').distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping

**Get the users inside a OU **

(Get-DomainOU -Identity hybrid).distinguishedname | %{Get-DomainObject -SearchBase $_}

Domain Acces Control List Enumeration

Get Domain ACLs

Get-DomainObjectAcl -ResolveGUIDs

Get Domain ACLs of User

Get-DomainObjectAcl -Identity <User> -ResolveGUIDs

Get Domain ACLs of Computer

Get-DomainObjectAcl -Identity <Hostname> -ResolveGUIDs

Get Domain ACE of File

Get-PathAcl -Path "\\us-dc\sysvol"

Get Interesting Domain ACLs of User

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<User>"}

Get ACLs of specific domain

Find-InterestingDomainAcl -Domain <Domain>

Domain Trust Enumeration

Get Domain Trusts

Get-DomainTrust

Get Domain Trusts of different Domain

Get-DomainTrust -Domain <Domain>

Get All Domain Trusts

Get-DomainTrustMapping

Get Domain Forest

Get-Forest

Get Domains inside the Forest

Get-ForestDomain

Get Global Catalog of Forest

Get-NetForestCatalog

Get Forest Trusts

Get-NetForestTrust