# basic-enumeration

For enumeration we can use the following tools:

* **The ActiveDirectory PowerShell module (MS signed and works even in PowerShell CLM)**
  * <https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps>
  * <https://github.com/samratashok/ADModule>
* **BloodHound (C# and PowerShell Collectors)**
  * <https://github.com/BloodHoundAD/BloodHound>
* **PowerView (PowerShell)**
  * <https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1>
* **SharpView (C#) - Doesn't support filtering using Pipeline**
  * <https://github.com/tevora-threat/SharpView/>

## Basic Enumeration

> **ℹ️ Info:**
>
> PowerView is used primarily on this page unless stated otherwise.

### Domain Enumeration

**Get current domain**

```
Get-Domain
```

**Get the domain object of another domain**

```
Get-Domain -Domain <Domain>
```

**Get domain SID for the current domain**

```
Get-DomainSID
```

### Domain Policy Enumeration

**Get domain policy for the current domain (`SystemAccess` holds the password and lockout policy; `Get-DomainPolicy` is an alias of `Get-DomainPolicyData` in current PowerView)**

```
Get-DomainPolicyData
(Get-DomainPolicyData).SystemAccess
```

**Get domain policy for another domain**

```
Get-DomainPolicyData -Domain <Domain>
(Get-DomainPolicyData -Domain <Domain>).SystemAccess
```

**Get Domain Kerberos Policy Information (ticket lifetimes and allowed clock skew, useful when forging tickets)**

```
(Get-DomainPolicyData).KerberosPolicy
```
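The values above come from the `GptTmpl.inf` security template that the domain GPO stores in SYSVOL. The following is an added example, not code from this page or from PowerView: it parses such a template into the same `System Access` / `Kerberos Policy` sections and turns the lockout settings into a password-spray budget (how many attempts per account per observation window stay below the threshold). The template text is constructed; the commented SYSVOL path at the end is for live use and assumes a domain-joined host.

```powershell
# Added example, not code from this page or from PowerView: parse a GptTmpl.inf
# (the file Get-DomainPolicyData reads from SYSVOL) and derive a password-spray
# budget from the lockout settings. The template text below is constructed.

function ConvertFrom-GptTmpl {
    param([Parameter(Mandatory)][string[]]$Lines)
    $policy  = [ordered]@{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }       # blank line or comment
        if ($line -match '^\[(.+)\]$') {                              # [Section Name]
            $section = $Matches[1]
            $policy[$section] = [ordered]@{}
            continue
        }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {     # Key = Value
            $policy[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $policy
}

function Get-SprayBudget {
    param([Parameter(Mandatory)]$Policy)
    $sa        = $Policy['System Access']
    $threshold = [int]$sa['LockoutBadCount']      # 0 means lockout is disabled
    if ($threshold -eq 0) {
        return [pscustomobject]@{ LockoutEnabled = $false; AttemptsPerWindow = $null; WindowMinutes = $null }
    }
    [pscustomobject]@{
        LockoutEnabled    = $true
        # stay at least one failure below the threshold; badPwdCount is reset
        # after ResetLockoutCount minutes without a further failure
        AttemptsPerWindow = $threshold - 1
        WindowMinutes     = [int]$sa['ResetLockoutCount']
    }
}

# Constructed sample: a trimmed Default Domain Policy template
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
'@ -split "`r?`n"

$policy = ConvertFrom-GptTmpl -Lines $sample
$policy['System Access']     # the same data PowerView exposes as .SystemAccess
$policy['Kerberos Policy']   # ... and as .KerberosPolicy
Get-SprayBudget -Policy $policy

# Live use: the Default Domain Policy template in SYSVOL is UTF-16LE, hence -Encoding Unicode
# $dom  = $env:USERDNSDOMAIN
# $path = "\\$dom\SYSVOL\$dom\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
# $policy = ConvertFrom-GptTmpl -Lines (Get-Content -Path $path -Encoding Unicode)
```

For the constructed sample the budget works out to four attempts per account every 30 minutes. One caveat the template cannot show: fine-grained password policies (PSOs under the Password Settings Container) override these values for the users they apply to, and by default only Domain Admins can read that container, so a low-privilege view of the domain policy may be more permissive than what actually applies to a target account.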

### Domain Controller Enumeration

**Get Domain Controllers for the current domain**

```
Get-DomainController
```

**Get Domain Controller for another domain**

```
Get-DomainController -Domain <Domain>
```

**Get Primary Domain Controller**

```
Get-Domain | Select-Object 'PdcRoleOwner'
```

**Get Primary Domain Controller of different Domain**

```
Get-Domain -Domain <Domain> | Select-Object 'PdcRoleOwner'
```

### Domain User Enumeration

**Get Domain Users Information**

```
Get-DomainUser
```

**Get Domain Users Information of different Domain**

```
Get-DomainUser -Domain <Domain>
```

**Get list of all properties for users in the current domain**

```
Get-DomainUser -Identity <User> -Properties *
```

**Get Domain Users with Descriptions**

```
Get-DomainUser -LDAPFilter "Description=*" | Select Name,Description
```

**Get Domain Enabled Accounts**

```
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties Name,Description,pwdlastset,badpwdcount | Sort Name
```

**Get Domain Users and their Groups**

```
Get-DomainUser -Properties name, MemberOf | fl
```

**Get Foreign Users (users that are members of groups outside their own domain)**

```
Find-ForeignUser
```

**Get users currently logged on to the local computer**

```
Get-NetLoggedon
```

**Get the last user logged on to a computer (read from the registry, so it needs the Remote Registry service on the target)**

```
Get-LastLoggedOn -ComputerName servername
```

**Get users actively logged on to a computer (needs local admin rights on the target)**

```
Get-NetLoggedon -ComputerName servername
```

**Get users with a loaded profile (HKU hive) on a computer (needs the Remote Registry service on the target, which is started by default on server OSes)**

```
Get-LoggedonLocal -ComputerName dcorp-dc
```

**Get Domain Kerberoastable Accounts**

```
Get-DomainUser -SPN | Select Name, ServicePrincipalName
```

**Get Domain AS-REP Roastable Accounts**

```
Get-DomainUser -PreauthNotRequired -Verbose
```

**Get Constrained Delegation enabled Accounts**

```
Get-DomainUser -TrustedToAuth | Select Name, msds-allowedtodelegateto
```
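The three switches above (`-SPN`, `-PreauthNotRequired`, `-TrustedToAuth`) are thin wrappers over LDAP filters, and those filters are exactly what LDAP query monitoring on the DC side sees. The following is an added example, not code from this page or from PowerView: it issues the same filters through `System.DirectoryServices`, so the checks work without PowerView loaded (for example under stricter script controls), and decodes `userAccountControl` into named bits. It assumes a domain-joined host; `-SearchBase` is a hypothetical parameter for targeting another domain, and the `0x410200` value at the end is constructed so the decoder can be exercised off-domain.

```powershell
# Added example, not code from this page or from PowerView: the LDAP filters behind
# Get-DomainUser -SPN / -PreauthNotRequired / -TrustedToAuth, issued directly with
# System.DirectoryServices so they work without PowerView loaded. Assumes a
# domain-joined host; pass -SearchBase to target another domain.

# userAccountControl bits (MS-SAMR) that the PowerView switches key on
$UacFlag = @{
    ACCOUNTDISABLE                 = 0x0000002
    NORMAL_ACCOUNT                 = 0x0000200
    DONT_EXPIRE_PASSWORD           = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
    DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Names of every known bit that is set, as one comma-separated string
    ($UacFlag.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } | Sort-Object) -join ','
}

# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; samAccountType 805306368 = user objects.
# The Kerberoast filter also drops krbtgt and disabled accounts, which -SPN alone does not.
$Checks = [ordered]@{
    Kerberoastable        = '(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    ASREPRoastable        = '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
    ConstrainedDelegation = '(&(samAccountType=805306368)(msDS-AllowedToDelegateTo=*))'
}

function Search-DomainUser {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string]$SearchBase          # e.g. 'LDAP://DC=corp,DC=local'; omit for the current domain
    )
    $root  = if ($SearchBase) { [ADSI]$SearchBase } else { [ADSI]'' }
    $props = [string[]]@('samAccountName', 'userAccountControl', 'servicePrincipalName',
                         'msDS-AllowedToDelegateTo', 'pwdLastSet')
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $Filter, $props)
    $searcher.PageSize = 1000    # paged search, otherwise the DC stops at MaxPageSize (1000 results)
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName      = [string]$r.Properties['samaccountname'][0]
            UAC                 = ConvertFrom-UserAccountControl -Value ([int]$r.Properties['useraccountcontrol'][0])
            SPNs                = @($r.Properties['serviceprincipalname']) -join ';'
            AllowedToDelegateTo = @($r.Properties['msds-allowedtodelegateto']) -join ';'
            PwdLastSet          = [datetime]::FromFileTimeUtc([long]$r.Properties['pwdlastset'][0])
        }
    }
}

# Decoding works off-domain too: 0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
ConvertFrom-UserAccountControl -Value 0x410200

# Run all three checks against the current domain
foreach ($check in $Checks.GetEnumerator()) {
    "== $($check.Key) =="
    Search-DomainUser -Filter $check.Value | Format-Table -AutoSize
}
```

`PwdLastSet` is included because old service-account passwords are the ones most likely to fall to offline cracking; sort Kerberoastable results on it before spending GPU time.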

**Get Enterprise Admins (the group exists only in the forest root domain, so `-Domain` must point there)**

```
Get-DomainGroup -Identity "Enterprise Admins" -Domain contoso.local
```

### Domain User Hunting

**Find all machines on the current domain where the current user has local admin access**

```
Find-LocalAdminAccess -Verbose
```

`Find-LocalAdminAccess` works by opening a handle to the Service Control Manager on every host, which goes over SMB (TCP 445), so it finds nothing where SMB is filtered. The same check can be made with WMI (DCOM/RPC, TCP 135 plus a dynamic port) or PowerShell remoting (WinRM, TCP 5985/5986) using the following two scripts; dot-source each one and then call the function it defines:

```
. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
```
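The following is an added example, not code from this page, from PowerView, or from the two scripts named above: it performs the same local-admin probe over WMI/DCOM and over WinRM using only built-in cmdlets, returning one object per host so the two transports can be compared side by side. It assumes a domain-joined host running as the account being tested; the two hostnames in the usage line are constructed.

```powershell
# Added example, not from this page, PowerView, or the Find-*LocalAdminAccess scripts:
# probe local admin rights over WMI (DCOM) and WinRM with built-in cmdlets only.

function Find-RemoteAdminAccess {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$TimeoutSec = 5
    )
    $dcom = New-CimSessionOption -Protocol Dcom                   # RPC/DCOM path (TCP 135 + dynamic), not WinRM
    $pso  = New-PSSessionOption -OpenTimeout ($TimeoutSec * 1000) # WinRM connect timeout in milliseconds
    foreach ($c in $ComputerName) {
        $wmi = $false; $psr = $false; $errors = @()

        # WMI: by default only Administrators may connect remotely to root\cimv2,
        # so a successful query is a strong (not definitive) admin indicator.
        try {
            $s = New-CimSession -ComputerName $c -SessionOption $dcom -OperationTimeoutSec $TimeoutSec -ErrorAction Stop
            $null = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem -ErrorAction Stop
            Remove-CimSession -CimSession $s
            $wmi = $true
        } catch { $errors += "WMI: $($_.Exception.Message)" }

        # WinRM: connecting needs Administrators or Remote Management Users, so ask the
        # remote side directly whether our token is in the local Administrators group.
        try {
            $psr = Invoke-Command -ComputerName $c -SessionOption $pso -ErrorAction Stop -ScriptBlock {
                $id = [Security.Principal.WindowsIdentity]::GetCurrent()
                ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
            }
        } catch { $errors += "WinRM: $($_.Exception.Message)" }

        [pscustomobject]@{
            ComputerName = $c
            WmiAdmin     = $wmi
            WinRmAdmin   = [bool]$psr
            Error        = $errors -join ' | '
        }
    }
}

# Usage: feed it the hosts PowerView already enumerated ...
# Find-RemoteAdminAccess -ComputerName (Get-DomainComputer | Select-Object -ExpandProperty dnshostname)
# ... or any list of your own (constructed hostnames):
Find-RemoteAdminAccess -ComputerName 'srv01.corp.local', 'srv02.corp.local'
```

Every probe authenticates to the target, so each host gets a 4624/4672 logon event (and a WinRM operational log entry on the remoting path); keep the target list short rather than sweeping the whole domain when OPSEC matters.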

**Find computers where a domain admin (or specified user/group) has sessions**

```
Find-DomainUserLocation -Verbose 
Find-DomainUserLocation -UserGroupIdentity "StudentUsers"
```

**Find computers where a domain admin session is available and current user has admin access**

```
Find-DomainUserLocation -CheckAccess
```

**Find computers where a domain admin session is available, touching only high-value hosts (`-Stealth` queries domain controllers, file servers and DFS servers instead of every machine)**

```
Find-DomainUserLocation -Stealth
```

**List sessions on remote machines (InvokeSessionHunter)**

<https://github.com/Leo4j/Invoke-SessionHunter>

```
Invoke-SessionHunter -FailSafe
```

A more OPSEC-friendly invocation skips the port scan and only connects to the hosts listed in a file, instead of touching every machine in the domain:

```
Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt
```

### Domain Computer Enumeration

**Get Domain Computers Information**

```
Get-DomainComputer
```

**Get a short summary of Domain Computers**

```
Get-DomainComputer | Select Name,Description,Operatingsystem | Sort Name
```

**Get Domain Computers Information of alive Computers**

```
Get-DomainComputer -Ping
```

**Get Domain Computers with Unconstrained Delegation enabled**

```
Get-DomainComputer -Unconstrained | select Name
```

**Get Domain Computers with Constrained Delegation enabled**

```
Get-DomainComputer -TrustedToAuth | select Name, msds-allowedtodelegateto
```

**Get Domain Computers with specific Operating System**

```
Get-DomainComputer -OperatingSystem "Windows Server 2022*"
```

### Domain Group Enumeration

**Get Domain Groups Information**

```
Get-DomainGroup
```

**Get Domain Groups Information of different Domain**

```
Get-DomainGroup -Domain <Domain>
```

**Get Domain Groups Name**

```
Get-DomainGroup -Properties SamAccountName | Sort SamAccountName
```

**Get Domain Groups a User is in**

```
Get-DomainGroup -UserName '<User>' -Properties name,description,distinguishedname
```

**Get Members of Domain Group**

```
Get-DomainGroupMember -Identity <Group> -Recurse | Select Groupname,Membername | Sort Groupname
```

**Get Domain Groups and Members of Domain Groups**

```
Get-DomainGroup | Get-DomainGroupMember | Select GroupName,MemberName | Sort GroupName
```

**Get nested members of a Domain Group (`-Recurse` expands member groups down to the individual accounts)**

```
Get-DomainGroupMember -Identity "<Group>" -Recurse | Select GroupName,MemberName
```

**Get Domain Groups containing a specific word**

```
Get-DomainGroup "*admin*" -Properties SamAccountName | Sort SamAccountName
```

**Get Domain Groups protected by AdminSDHolder (`adminCount=1`; the flag is never cleared automatically, so it can also mark groups that were privileged only in the past)**

```
Get-DomainGroup -AdminCount | select name,memberof,admincount,member | fl
```

**Get Foreign Groups**

```
Find-ForeignGroup
```

**Get Local Groups**

```
Get-NetLocalGroup
```

**Get Local Groups of different Computer**

```
Get-NetLocalGroup -ComputerName <Hostname>
```

**Get Members of Local Group**

```
Get-NetLocalGroupMember -ComputerName <Hostname> -GroupName <Group>
```

**Get Local Groups of Domain Controllers**

```
Get-DomainController | Get-NetLocalGroup
```

### Domain Group Policy Enumeration

**Get Domain GPOs**

```
Get-DomainGPO
Get-DomainGPO -Properties DisplayName,CN
```

**Get Domain GPOs applied to Computer**

```
Get-DomainGPO -ComputerIdentity <Hostname>.<Domain> | select DisplayName
```

**Get GPOs that set local group membership (Restricted Groups or Group Policy Preferences)**

```
Get-DomainGPOLocalGroup
```

**Get users placed in a local group of a machine through GPO**

```
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity student1.us.techcorp.local
```

**Get machines where the given user ends up in a local group (e.g. Administrators) through GPO**

```
Get-DomainGPOUserLocalGroupMapping -Identity studentuser1 -Verbose
```

**Get Domain GPOs Permissions**

```
Get-DomainGPO | Get-ObjectAcl
```

**Get Domain GPO Restricted Groups and list each member of the groups**

```
$GroupNames = Get-DomainGPOLocalGroup -ResolveMembersToSIDs | Select-Object -ExpandProperty GroupName
foreach ($GroupName in $GroupNames) {
    # strip the "DOMAIN\" prefix so the bare name resolves as a group identity
    $ModifiedGroupName = $GroupName -replace '^.*\\'
    Get-DomainGroupMember -Identity $ModifiedGroupName
}
```

### Domain Organizational Unit Enumeration

**Get OUs in a domain**

```
Get-DomainOU
Get-DomainOU -Properties Name,Description,Gplink 
```

**Get Domain Organizational Units of different Domain**

```
Get-DomainOU -Domain <Domain>
```

**Get the GPO linked to an OU (the GUID is taken from the OU's `gplink` attribute listed above)**

```
Get-DomainGPO -Identity '{<GPLink>}'
Get-DomainGPO -Identity '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
```

**Get users placed in a local group of any machine in an OU through GPO**

```
(Get-DomainOU).distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
(Get-DomainOU -Identity 'OU=Mgmt,DC=us,DC=techcorp,DC=local').distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
```

**Get the objects (users, computers, groups) inside an OU**

```
(Get-DomainOU -Identity hybrid).distinguishedname | %{Get-DomainObject -SearchBase $_}
```

### Domain Access Control List Enumeration

**Get Domain ACLs (without `-Identity` this walks every object in the domain, which is slow and noisy; scope it with `-SearchBase` where possible)**

```
Get-DomainObjectAcl -ResolveGUIDs
```

**Get Domain ACLs of User**

```
Get-DomainObjectAcl -Identity <User> -ResolveGUIDs
```

**Get Domain ACLs of Computer**

```
Get-DomainObjectAcl -Identity <Hostname> -ResolveGUIDs
```

**Get the ACL of a file system path (e.g. the SYSVOL share on a DC)**

```
Get-PathAcl -Path "\\us-dc\sysvol"
```

**Get interesting domain ACLs where a given user is the trustee**

```
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<User>"}
```

**Get interesting ACLs of a specific domain**

```
Find-InterestingDomainAcl -Domain <Domain>
```
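`Find-InterestingDomainAcl` does the filtering for you, but it helps to know which ACEs it is looking for and to be able to check a single object without PowerView. The following is an added example, not code from this page or from PowerView: it reads one object's DACL through `System.DirectoryServices` and keeps only the rights that give control of the object (GenericAll, WriteDacl, WriteOwner, GenericWrite) plus the extended rights that map to password reset and DCSync. It assumes a domain-joined host; the distinguished names in the usage lines are constructed placeholders.

```powershell
# Added example, not code from this page or from PowerView: read one object's DACL
# and report only the ACEs that matter for takeover.

# Schema-defined extended-right GUIDs; these values are identical in every forest
$ExtendedRight = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'    # reset password without knowing it
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'     # DCSync needs this one ...
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All' # ... and this one
    '00000000-0000-0000-0000-000000000000' = 'All-Extended-Rights'            # null GUID = every extended right
}

function Find-DangerousAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # trustees that legitimately hold full control everywhere; dropped to reduce noise
        [string[]]$IgnoreTrustee = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF')
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # The DACL is readable with ordinary domain-user rights on most objects
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $trustee = $ace.IdentityReference.Value
        if ($IgnoreTrustee -contains $trustee) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $hit = $null
        if     ($rights -match 'GenericAll')   { $hit = 'GenericAll' }
        elseif ($rights -match 'WriteDacl')    { $hit = 'WriteDacl' }
        elseif ($rights -match 'WriteOwner')   { $hit = 'WriteOwner' }
        elseif ($rights -match 'GenericWrite') { $hit = 'GenericWrite' }
        elseif ($rights -match 'ExtendedRight' -and $ExtendedRight.ContainsKey($ace.ObjectType.ToString())) {
            $hit = $ExtendedRight[$ace.ObjectType.ToString()]
        }
        if ($hit) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Trustee   = $trustee
                Right     = $hit
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (constructed DNs; substitute your own):
# who can take over Domain Admins, and who holds DCSync rights on the domain head
Find-DangerousAce -DistinguishedName 'CN=Domain Admins,CN=Users,DC=corp,DC=local'
Find-DangerousAce -DistinguishedName 'DC=corp,DC=local' | Where-Object { $_.Right -like 'DS-Replication*' }
```

The `Inherited` column is worth keeping: a non-inherited GenericAll on a protected object is a deliberate (or attacker-planted) grant rather than something that flowed down from a container.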

### Domain Trust Enumeration

**Get Domain Trusts**

```
Get-DomainTrust
```

**Get Domain Trusts of different Domain**

```
Get-DomainTrust -Domain <Domain>
```

**Get All Domain Trusts**

```
Get-DomainTrustMapping
```
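Trust enumeration is only useful if the `TrustAttributes` flags are read correctly, because they decide whether a SIDHistory hop across the trust will be filtered. The following is an added example, not code from this page or from PowerView: it reads the `trustedDomain` objects through `System.DirectoryServices` and decodes `trustDirection` and `trustAttributes` with the bit values from MS-ADTS, adding a one-line reading of the SID filtering situation. The LDAP function assumes a domain-joined host; the three decoder calls at the end use constructed attribute values so the decoding can be checked off-domain.

```powershell
# Added example, not code from this page or from PowerView: decode trustedDomain
# objects into the flags that matter for cross-trust attacks.

# trustAttributes bits from MS-ADTS; comments give the attacker-relevant meaning
$TrustAttribute = [ordered]@{
    NON_TRANSITIVE                       = 0x001
    UPLEVEL_ONLY                         = 0x002
    QUARANTINED_DOMAIN                   = 0x004   # SID filtering (quarantine) enforced
    FOREST_TRANSITIVE                    = 0x008   # forest trust
    CROSS_ORGANIZATION                   = 0x010   # selective authentication
    WITHIN_FOREST                        = 0x020   # parent/child or tree-root trust
    TREAT_AS_EXTERNAL                    = 0x040   # forest trust with relaxed SID filtering
    USES_RC4_ENCRYPTION                  = 0x080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x200
    PIM_TRUST                            = 0x400
}
$TrustDirection = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function ConvertFrom-TrustFlags {
    param([Parameter(Mandatory)][int]$Direction, [Parameter(Mandatory)][int]$Attributes)
    $flags = @($TrustAttribute.GetEnumerator() | Where-Object { ($Attributes -band $_.Value) -ne 0 } | ForEach-Object { $_.Key })
    # What this combination means for a SIDHistory-based hop across the trust
    $sidNote = if ($flags -contains 'WITHIN_FOREST') { 'intra-forest: SIDHistory is not filtered' }
               elseif ($flags -contains 'QUARANTINED_DOMAIN') { 'quarantined: SIDs from other domains are filtered' }
               elseif ($flags -contains 'TREAT_AS_EXTERNAL') { 'forest trust, relaxed filtering: SIDs with RID >= 1000 are accepted' }
               elseif ($flags -contains 'FOREST_TRANSITIVE') { 'forest trust default: SIDs from outside the trusted forest are filtered' }
               else { 'external trust without the quarantine flag: verify SID filtering manually' }
    [pscustomobject]@{
        Direction  = $TrustDirection[$Direction]
        Attributes = $flags -join ','
        SidFilter  = $sidNote
    }
}

function Get-TrustedDomainObject {
    param([string]$SearchBase)   # e.g. 'LDAP://DC=child,DC=corp,DC=local'; omit for the current domain
    $root  = if ($SearchBase) { [ADSI]$SearchBase } else { [ADSI]'' }
    $props = [string[]]@('trustPartner', 'flatName', 'trustDirection', 'trustAttributes')
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, '(objectClass=trustedDomain)', $props)
    foreach ($r in $searcher.FindAll()) {
        $decoded = ConvertFrom-TrustFlags -Direction ([int]$r.Properties['trustdirection'][0]) `
                                          -Attributes ([int]$r.Properties['trustattributes'][0])
        [pscustomobject]@{
            TrustPartner = [string]$r.Properties['trustpartner'][0]
            FlatName     = [string]$r.Properties['flatname'][0]
            Direction    = $decoded.Direction
            Attributes   = $decoded.Attributes
            SidFilter    = $decoded.SidFilter
        }
    }
}

# Constructed attribute values, as AD stores them, so the decoder can be checked off-domain
ConvertFrom-TrustFlags -Direction 3 -Attributes 0x20   # child <-> parent inside one forest
ConvertFrom-TrustFlags -Direction 3 -Attributes 0x08   # two-way forest trust
ConvertFrom-TrustFlags -Direction 2 -Attributes 0x04   # outbound external trust, quarantined

# Live: Get-TrustedDomainObject | Format-Table -AutoSize
```

The `trustedDomain` objects live under `CN=System`, so a subtree search from the domain head finds them with plain domain-user rights; reading them does not require touching the trusted domain at all, unlike `Get-DomainTrustMapping`, which follows every trust it finds.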

**Get Domain Forest**

```
Get-Forest
```

**Get Domains inside the Forest**

```
Get-ForestDomain
```

**Get Global Catalog servers of the Forest (`Get-NetForestCatalog` is an alias of `Get-ForestGlobalCatalog` in current PowerView)**

```
Get-NetForestCatalog
```

**Get Forest Trusts (`Get-NetForestTrust` is an alias of `Get-ForestTrust`)**

```
Get-NetForestTrust
```
