AD Enumeration

Initial Active Directory Enumeration

Active Directory Enumeration

Domain Enumeration

Get current domain

PV: Get-Domain
ADM: Get-ADDomain

Get object of another domain

PV: Get-Domain -Domain evilcorp.local
ADM: Get-ADDomain -Identity evilcorp.local

Get domain SID for the current domain

PV: Get-DomainSID
ADM: (Get-ADDomain).DomainSID

Get domain policy for the current domain

PV: Get-DomainPolicyData
ADM: (Get-DomainPolicyData).systemaccess

Get domain policy for another domain

ADM: (Get-DomainPolicyData -domain evilcorp.local).systemaccess

Get domain controllers for current domain

PV: Get-DomainController
ADM: Get-ADDomainController

Get domain controllers for another domain

PV: Get-DomainController -Domain evilcorp.local
ADM: Get-ADDomainController -DomainName evilcorp.local -Discover

User Enumeration

Get users in current domain

PV: Get-DomainUser
PV: Get-DomainUser -Identity <username>
ADM: Get-ADUser -Filter * -Properties *
ADM: Get-ADUser -Identity <username> -Properties *

Get list of properties for users in the current domain

PV: Get-DomainUser -Identity <username> -Properties *
PV: Get-DomainUser -Properties samaccountname,logoncount
ADM: Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
ADM: Get-ADUser -Filter * -Properties * | select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

Search for a particular string in a user's attributes

PV: Get-DomainUser -LDAPFilter "Description=*built*" | select name,description
ADM: Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,description

Computers

Get list of computers in the current domain

PV: Get-DomainComputer | select name
PV: Get-DomainComputer -OperatingSystem "*Server 2022*"
PV: Get-DomainComputer -Ping
ADM: Get-ADComputer -Filter * | select name
ADM: Get-ADComputer -Filter * -Properties *
ADM: Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select name,operatingsystem
ADM: Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

Groups

Get all the groups in the current domain

PV: Get-DomainGroup | select name
PV: Get-DomainGroup -Domain evilcorp.local
PV: Get-DomainGroup *admin*
PV: Get-DomainGroup *admin* -Domain evilcorp.local | select name
ADM: Get-ADGroup -Filter * | select name
ADM: Get-ADGroup -Filter * -Properties *
ADM: Get-ADGroup -Filter 'Name -like "*admin*"' | select name

Get all the members of the Domain Admins group

PV: Get-NetGroupMember $groupname -Domain -Recurse
PV: Get-DomainGroupMember -Identity "Domain Admins" -Recurse
ADM: Get-ADGroupMember -Identity "Domain Admins" -Recursive

Get group membership for a user

PV: Get-NetGroup -UserName $username | select samaccountname
PV: Get-DomainGroup -UserName $username
PV: Get-DomainGroup -UserName $username | select name
ADM: Get-ADPrincipalGroupMembership -Identity $username

List all the local groups on a machine (needs administrator privs on non-dc machines)

PV: Get-NetLocalGroup -ComputerName evilcorp-dc

Get members of the local group "Administrators" on a machine (needs administrator privs on non-dc machines)

Get-NetLocalGroupMember -ComputerName evilcorp-dc -GroupName Administrators

Logged On Users

Get actively logged on users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName evilcorp.local

Get locally logged users on a computer (needs remote registry on the target - enabled by defualt on server OS)

Get-LoggedonLocal -ComputerName evilcorp.local

Get the last logged user on a computer (needs administrative rights and remote registry on the target)

Get-LastLoggedOn -ComputerName evilcorp.local

Find shares on hosts in current domain

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer

Group Policy Objects

Get list of GPO in current domain

Get-DomainGPO
Get-DomainGPO | select DisplayName
Get-DomainGPO -ComputerIdentity $computer

Get GPOs which use Restricted Groups or groups.xml for interesting users

Get-DomainGPOLocalGroup

Get Local Resultant Set of Policy (local machine only)

rsop.msc

Get users which are in a local group of a machine using GPO

Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity $computer

Get machines where the given user is a member of a specific group

Get-DomainGPOUserLocalGroupMapping -Identity $computer -Verbose

Organizational Units

Get OUs in a domain

PV: Get-DomainOU | select name
PV: Get-DomainOU -Identity <OU Name>
ADM: Get-ADOrganizationalUnit -Filter * -Properties *

Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU

Get-DomainGPO -Identity "{cn of OU gplink}"

Get computers in a OU

(Get-DomainOU -Identity Computers).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
Get-DomainComputer -SearchBase 'OU=<Computers>,DC=evil-dc,DC=evilcorp,DC=local' | select name

Access Control Model

Enables control on the ability of a process to access objects and other resources in active directory based on:
- Access Tokens (security context of a process - identity and privs of user)
- Security Descriptors (SID of the owner, Discretionary ACL (DACL) and System ACL (SACL))

Access Control Lists (ACL)

List of Access Control Entries (ACE) - ACE corresponds to indivirual permission or audits access.
- DACL - Defines the permissions trustees (a user or group) have on an object
- SACL - Logs success and failure audit messages when an object is accessed
ACLs are vital to security architecture of AD

Get the ACLs associated with an object

Get-DomainObjectAcl -SamAccountName $username -ResolveGUIDs

Get the ACLs associated with the specified prefix to be used for search

Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=evil-dc,DC=evilcorp,DC=local" -ResolveGUIDs -Verbose

Enumerate ACLs using AD Module with resolving GUIDs

ADM: (Get-Acl 'AD:\CN=Administrator,CN=Users,DC=evil-dc,DC=evilcorp,DC=local').Access

Search for interesting ACEs

Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | ?{_.IdentityReferenceName -match 'RDPUsers'}

Get the ACLs associated with the specified path

Get-PathAcl -Path "\\evil-dc.evilcorp.local\sysvol"

Trusts

Relationship between two domains or forests that allows users of one domain or forest to access resources in the other domain or forest
Trust can be automatic (parent-child, same forest, etc.) or established (forest, external)
Trusted Domain Objects (TDOs) represent the trust relationship in a domain

Direction

One-way trust - Unidirectional. Users in the trusted domain can access resources in the trusting domain but the reverse is not true
Two-way trust - Bi-directional. Users of both domains can access resources in the other domain
Transitive - Can be extended to establish trust relationships with other domains
- All the defaul intra-forest trust relationships (Tree-root, Parent-Child) between domains within a same forest are transitive two-way trusts
Nontransitive - Cannot be extended to other domains in the forest. Can be two-way or one-way
- This is the default trust (called external trust) between two domains in different forests when forests do not have a trust relationship

Default / Automatic Trusts

Parent-child trust
- Created automatically between the new domain and the domain that precedes it in the namespace hierarchy, whenever a new domain is added in a tree. For example, livecorp.evilcorp.local is a child of evilcorp.local
- This trust is always two-way transitive
Tree-root trust
- Create automatically whenever a new domain tree is added to a forest root
- This trust is always two-way transitive

External Trusts

Between two domains in different forests when forests do not have a trust relationship
Can be one-way or two-way and is nontransitive

Forest Trusts

Between forest root domain
Cannot be extended to a third forst (no implicit trust)
Can be one-way or two-way and transitive or nontransitive

Domain Trust Mapping

Get a list of all domain trusts for the current domain

PV: Get-DomainTrust
PV: Get-DomainTrust -Domain livecorp.evilcorp.local
ADM: Get-ADTrust
ADM: Get-ADTrust -Identity livecorp.evilcorp.local

Forest Mapping

Get all domains in forest

PV: Get-NetForest
PV: Get-NetForestDomain
PV: Get-ForestDomain -Verbose

Get all global catalogs for the current forest

PV: Get-ForestGlobalCatalog
PV: Get-ForestGlobalCatalog -Forest evilcorp.local
ADM: Get-ADForest | select ExpandProperty GlobalCatalogs

Map trusts of a forest (no forest trusts in the lab)

PV: Get-ForestTrust
PV: Get-ForestTrust -Forest evilcorp.local
ADM: Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

Get all external trusts in forest

PV: Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

Get domains in specified forest

Get-ForestDomain -Forest evil.local | %{Get-DomainTrust -Domain $_.Name}

Get domain trust relationships of domains in specified forest

Get-ForestDomain -Forest evil.local | %{Get-DomainTrust -Domain $_.Name}

User Hunting

Find all machines on the current domain where the current user has local admin access

Queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then use multi-threaded Invoke-CheckLocalAdminAccess on each machine
This can also be done with the help of remote administration tools like WMI and PowerShell remoting. Pretty useful in cases ports (RPC and SMB) used by Find-LocalAdminAccess are blocked
See Find-WMILocalAdminAccess.ps1 and Find-PSRemotingLocalAdminAccess.ps1

Find-LocalAdminAccess -Verbose
Invoke-CheckLocalAdminAccess

Find computers where a domain admin (or specified user/group) has sessions

Server 2019 and onwards require local administrator privilege to list sessions
Queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-DomainGroupMember, gets a list of computers (Get-DomainComputer) and list sessions and logged on users (Get-NetSession/Get-NetLoggedon) from each machine

Invoke-UserHunter -GroupName 'RDPUsers'
Invoke-UserHunter -CheckAccess
Find-DomainUserLocation -Verbose  
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"

Find computers where a domain admin session is available and current user has admin access (uses Test-AdminAccess)

Find-DomainUserLocation -CheckAccess

Find computers (File Servers and Distributed File servers) where a domain admin session is available

Invoke-UserHunter -Stealth
Find-DomainUserLocation -Stealth

Tools

PowerView

https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

Import-Module .\PowerView.ps1

ActiveDirectory PowerShell Module

https://github.com/samratashok/ADModule

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

PreviousWindows Enumeration NextPrivilege Escalation

Last updated 2 years ago