AD Enumeration

Initial Active Directory Enumeration

Active Directory Enumeration

Domain Enumeration

Get current domain

PV: Get-Domain
ADM: Get-ADDomain

Get object of another domain

PV: Get-Domain -Domain evilcorp.local
ADM: Get-ADDomain -Identity evilcorp.local

Get domain SID for the current domain

PV: Get-DomainSID
ADM: (Get-ADDomain).DomainSID

Get domain policy for the current domain

PV: Get-DomainPolicyData
PV: (Get-DomainPolicyData).SystemAccess

Get domain policy for another domain

PV: (Get-DomainPolicyData -Domain evilcorp.local).SystemAccess

Get domain controllers for current domain

PV: Get-DomainController
ADM: Get-ADDomainController

Get domain controllers for another domain

PV: Get-DomainController -Domain evilcorp.local
ADM: Get-ADDomainController -DomainName evilcorp.local -Discover

User Enumeration

Get users in current domain

PV: Get-DomainUser
PV: Get-DomainUser -Identity <username>
ADM: Get-ADUser -Filter * -Properties *
ADM: Get-ADUser -Identity <username> -Properties *

Get list of properties for users in the current domain

PV: Get-DomainUser -Identity <username> -Properties *
PV: Get-DomainUser -Properties samaccountname,logoncount
ADM: Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
ADM: Get-ADUser -Filter * -Properties * | select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

Search for a particular string in a user's attributes

PV: Get-DomainUser -LDAPFilter "(description=*built*)" | select name,description
ADM: Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,description

Computers

Get list of computers in the current domain

PV: Get-DomainComputer | select name
PV: Get-DomainComputer -OperatingSystem "*Server 2022*"
PV: Get-DomainComputer -Ping
ADM: Get-ADComputer -Filter * | select name
ADM: Get-ADComputer -Filter * -Properties *
ADM: Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select name,operatingsystem
ADM: Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

Groups

Get all the groups in the current domain

PV: Get-DomainGroup | select name
PV: Get-DomainGroup -Domain evilcorp.local
PV: Get-DomainGroup *admin*
PV: Get-DomainGroup *admin* -Domain evilcorp.local | select name
ADM: Get-ADGroup -Filter * | select name
ADM: Get-ADGroup -Filter * -Properties *
ADM: Get-ADGroup -Filter 'Name -like "*admin*"' | select name

Get all the members of the Domain Admins group

PV: Get-NetGroupMember -GroupName "Domain Admins" -Recurse
PV: Get-DomainGroupMember -Identity "Domain Admins" -Recurse
ADM: Get-ADGroupMember -Identity "Domain Admins" -Recursive

Get group membership for a user

PV: Get-NetGroup -UserName $username | select samaccountname
PV: Get-DomainGroup -UserName $username
PV: Get-DomainGroup -UserName $username | select name
ADM: Get-ADPrincipalGroupMembership -Identity $username

List all the local groups on a machine (needs administrator privs on non-dc machines)

PV: Get-NetLocalGroup -ComputerName evilcorp-dc

Get members of the local group "Administrators" on a machine (needs administrator privs on non-dc machines)

Get-NetLocalGroupMember -ComputerName evilcorp-dc -GroupName Administrators

Logged On Users

Get actively logged on users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName evilcorp-dc

Get locally logged on users on a computer (needs remote registry on the target - enabled by default on server OS)

Get-LoggedonLocal -ComputerName evilcorp-dc

Get the last logged on user on a computer (needs administrative rights and remote registry on the target)

Get-LastLoggedOn -ComputerName evilcorp-dc

Shares

Find shares on hosts in current domain

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer

Group Policy Objects

Get list of GPO in current domain

Get-DomainGPO
Get-DomainGPO | select DisplayName
Get-DomainGPO -ComputerIdentity $computer

Get GPOs which use Restricted Groups or groups.xml for interesting users

Get-DomainGPOLocalGroup

Get Local Resultant Set of Policy (local machine only)

rsop.msc

Get users which are in a local group of a machine using GPO

Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity $computer

Get machines where the given user is a member of a specific local group through GPO

Get-DomainGPOUserLocalGroupMapping -Identity $username -Verbose

Organizational Units

Get OUs in a domain

PV: Get-DomainOU | select name
PV: Get-DomainOU -Identity <OU Name>
ADM: Get-ADOrganizationalUnit -Filter * -Properties *

Get the GPOs applied on an OU. Read the GPO GUID from the gPLink attribute of the OU (Get-DomainOU -Identity <OU Name> -Properties gplink) and look it up by that GUID

Get-DomainGPO -Identity "{GUID from the OU's gPLink}"

Get computers in a OU

(Get-DomainOU -Identity Computers).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
Get-DomainComputer -SearchBase 'OU=<OU Name>,DC=evilcorp,DC=local' | select name
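Added example (not part of the original page): the gPLink step above done end to end with the AD module. The OU's gPLink attribute is a string of the form [LDAP://cn={GUID},cn=policies,cn=system,DC=...;flags][...], and this function parses it, resolves each GPO to its display name and SYSVOL path, and decodes the per-link flags (1 = link disabled, 2 = enforced) plus the OU's gPOptions (1 = block inheritance). The OU distinguished name in the usage line is an assumption for illustration.

```powershell
# Added example: resolve the GPOs linked to an OU by parsing gPLink (AD module).
Import-Module ActiveDirectory

function Get-OuLinkedGpo {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName
    )
    $ou = Get-ADOrganizationalUnit -Identity $OuDistinguishedName -Properties gPLink, gPOptions
    if (-not $ou.gPLink) { return }   # nothing linked directly on this OU

    # Each link: [LDAP://<GPO DN>;<flags>]  flags: 1 = link disabled, 2 = enforced
    $links = [regex]::Matches($ou.gPLink, '\[LDAP://([^;\]]+);(\d+)\]')

    foreach ($m in $links) {
        $gpoDn = $m.Groups[1].Value
        $flags = [int]$m.Groups[2].Value
        $gpo   = Get-ADObject -Identity $gpoDn -Properties displayName, gPCFileSysPath

        [pscustomobject]@{
            OU               = $ou.Name
            GpoName          = $gpo.displayName
            GpoDN            = $gpoDn
            LinkEnabled      = -not ($flags -band 1)
            Enforced         = [bool]($flags -band 2)
            BlockInheritance = [bool]($ou.gPOptions -band 1)   # set on the OU, not the link
            SysvolPath       = $gpo.gPCFileSysPath             # where Groups.xml / GptTmpl.inf live
        }
    }
}

# Assumed OU DN for the page's lab domain
Get-OuLinkedGpo -OuDistinguishedName 'OU=Computers,DC=evilcorp,DC=local' | Format-Table -AutoSize
```

The SysvolPath column is the one to follow up on: the Restricted Groups / Group Policy Preferences data that Get-DomainGPOLocalGroup parses lives under it, and any GPO there that the current user can write to is a direct path to the computers in that OU.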

Access Control Model

  • Controls the ability of a process to access objects and other resources in Active Directory based on:

    • Access Tokens (security context of a process - identity and privileges of the user)

    • Security Descriptors (SID of the owner, Discretionary ACL (DACL) and System ACL (SACL))

Access Control Lists (ACL)

  • List of Access Control Entries (ACE) - each ACE corresponds to an individual permission or audit setting.

    • DACL - Defines the permissions trustees (a user or group) have on an object

    • SACL - Logs success and failure audit messages when an object is accessed

  • ACLs are vital to the security architecture of AD: an ACE that grants a low-privileged trustee GenericAll, WriteDacl, WriteOwner or a sensitive extended right on a privileged object is an escalation path

Get the ACLs associated with an object

Get-DomainObjectAcl -SamAccountName $username -ResolveGUIDs

Get the ACLs associated with the specified prefix to be used for search

Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=evilcorp,DC=local" -ResolveGUIDs -Verbose

Enumerate ACLs using AD Module with resolving GUIDs

ADM: (Get-Acl 'AD:\CN=Administrator,CN=Users,DC=evilcorp,DC=local').Access

Search for interesting ACEs

Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match 'RDPUsers'}

Get the ACLs associated with the specified path

Get-PathAcl -Path "\\evil-dc.evilcorp.local\sysvol"
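Added example (not part of the original page): the AD module's Get-Acl output above shows rights as raw GUIDs for object-specific and extended rights, which is why the PowerView commands carry -ResolveGUIDs. This function does the same resolution with the AD module only: it builds a GUID-to-name map from the schema (attributes and classes) and from the Extended-Rights container (control access rights such as the replication rights used for DCSync), then filters the DACL of one object down to Allow ACEs that grant modification-class rights to trustees other than the usual privileged principals. The object DN in the usage line and the list of "uninteresting" trustees are assumptions; the AD: drive is created when the ActiveDirectory module loads.

```powershell
# Added example: ACEs worth a second look on one object, with GUIDs resolved (AD module).
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # GUID (as string) -> name, from the schema and the Extended-Rights container
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.name }
    $map
}

function Get-InterestingObjectAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string[]]$IgnoreTrustee   # trustees that are expected to have full control
    )
    if (-not $IgnoreTrustee) {
        # Assumed defaults for a single-domain lab; Enterprise Admins lives in the forest root
        $nb = (Get-ADDomain).NetBIOSName
        $IgnoreTrustee = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
                           "$nb\Domain Admins", "$nb\Enterprise Admins")
    }
    $guidMap = Get-AdGuidMap
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # Rights that let the trustee change the object or its security, or exercise an extended right
    $interesting = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($IgnoreTrustee -contains $ace.IdentityReference.Value) { continue }
        if ($ace.ActiveDirectoryRights.ToString() -notmatch $interesting) { continue }

        $type = $ace.ObjectType.ToString()
        $objName = if ($ace.ObjectType -eq [guid]::Empty) { 'All' }
                   elseif ($guidMap.ContainsKey($type)) { $guidMap[$type] }
                   else { $type }   # unknown GUID: leave it raw rather than guess

        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $objName          # e.g. 'All', 'member', 'DS-Replication-Get-Changes'
            Inherited  = $ace.IsInherited
        }
    }
}

# Assumed target DN for the page's lab domain
Get-InterestingObjectAce -DistinguishedName 'CN=Domain Admins,CN=Users,DC=evilcorp,DC=local' | Format-Table -AutoSize
```

WriteProperty scoped to a single attribute (ObjectType other than 'All') is often benign, so read the ObjectType column before treating a hit as an escalation path; WriteProperty on member of a privileged group, or ExtendedRight resolving to a replication right on the domain head, is not benign.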

Trusts

  • Relationship between two domains or forests that allows users of one domain or forest to access resources in the other domain or forest

  • Trust can be automatic (parent-child, same forest, etc.) or established (forest, external)

  • Trusted Domain Objects (TDOs) represent the trust relationship in a domain

Direction

  • One-way trust - Unidirectional. Users in the trusted domain can access resources in the trusting domain but the reverse is not true

  • Two-way trust - Bi-directional. Users of both domains can access resources in the other domain

  • Transitive - Can be extended to establish trust relationships with other domains

    • All the default intra-forest trust relationships (Tree-root, Parent-Child) between domains within the same forest are transitive two-way trusts

  • Nontransitive - Cannot be extended to other domains in the forest. Can be two-way or one-way

    • This is the default trust (called external trust) between two domains in different forests when forests do not have a trust relationship

Default / Automatic Trusts

  • Parent-child trust

    • Created automatically between the new domain and the domain that precedes it in the namespace hierarchy, whenever a new domain is added in a tree. For example, livecorp.evilcorp.local is a child of evilcorp.local

    • This trust is always two-way transitive

  • Tree-root trust

    • Created automatically whenever a new domain tree is added to a forest root

    • This trust is always two-way transitive

External Trusts

  • Between two domains in different forests when forests do not have a trust relationship

  • Can be one-way or two-way and is nontransitive

Forest Trusts

  • Between forest root domains

  • Cannot be extended to a third forest (no implicit trust)

  • Can be one-way or two-way and transitive or nontransitive

Domain Trust Mapping

Get a list of all domain trusts for the current domain

PV: Get-DomainTrust
PV: Get-DomainTrust -Domain livecorp.evilcorp.local
ADM: Get-ADTrust
ADM: Get-ADTrust -Identity livecorp.evilcorp.local

Forest Mapping

Get all domains in forest

PV: Get-NetForest
PV: Get-NetForestDomain
PV: Get-ForestDomain -Verbose

Get all global catalogs for the current forest

PV: Get-ForestGlobalCatalog
PV: Get-ForestGlobalCatalog -Forest evilcorp.local
ADM: Get-ADForest | select -ExpandProperty GlobalCatalogs

Map trusts of a forest (no forest trusts in the lab)

PV: Get-ForestTrust
PV: Get-ForestTrust -Forest evilcorp.local
ADM: Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

Get all external trusts in forest

PV: Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

Get domains in specified forest

Get-ForestDomain -Forest evil.local

Get domain trust relationships of domains in specified forest

Get-ForestDomain -Forest evil.local | %{Get-DomainTrust -Domain $_.Name}
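Added example (not part of the original page): one pass over the trusts visible through the AD module that puts each trust into the categories described above. Direction comes from the trust object's Direction property; transitivity, forest vs external, and SID filtering (what PowerView shows as FILTER_SIDS) are bits in TrustAttributes, and the bit table below is the documented trustAttributes layout rather than something taken from the page. The second usage line queries the child domain named on the page.

```powershell
# Added example: map and decode trusts (AD module).
Import-Module ActiveDirectory

function ConvertFrom-TrustAttributes {
    param([int]$Value)
    # Bit values of the trustAttributes attribute (MS-ADTS)
    $flags = @{
        0x1   = 'NON_TRANSITIVE'
        0x2   = 'UPLEVEL_ONLY'
        0x4   = 'QUARANTINED_DOMAIN'      # SID filtering on (PowerView: FILTER_SIDS)
        0x8   = 'FOREST_TRANSITIVE'
        0x10  = 'CROSS_ORGANIZATION'      # selective authentication
        0x20  = 'WITHIN_FOREST'
        0x40  = 'TREAT_AS_EXTERNAL'
        0x80  = 'USES_RC4_ENCRYPTION'
        0x200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
        0x400 = 'PIM_TRUST'
        0x800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
    }
    $names = foreach ($bit in ($flags.Keys | Sort-Object)) { if ($Value -band $bit) { $flags[$bit] } }
    if ($names) { $names -join ',' } else { 'NONE' }
}

function Get-TrustMap {
    param([string]$Domain)   # optional: a DC or domain name to query instead of the current domain
    $params = @{ Filter = '*' }
    if ($Domain) { $params.Server = $Domain }

    foreach ($t in (Get-ADTrust @params)) {
        $attrs = ConvertFrom-TrustAttributes -Value ([int]$t.TrustAttributes)
        $kind  = if ($t.IntraForest)          { 'Intra-forest (parent-child / tree-root)' }
                 elseif ($t.ForestTransitive) { 'Forest trust' }
                 else                         { 'External trust' }
        [pscustomobject]@{
            Source       = $t.Source
            Target       = $t.Target
            # Outbound: Source trusts Target (Target's users can use Source's resources); Inbound: the reverse
            Direction    = $t.Direction
            Kind         = $kind
            Transitive   = ($attrs -notmatch 'NON_TRANSITIVE')
            SidFiltering = [bool]$t.SIDFilteringQuarantined
            Attributes   = $attrs
        }
    }
}

Get-TrustMap | Format-Table -AutoSize
Get-TrustMap -Domain livecorp.evilcorp.local | Format-Table -AutoSize
```

For attack planning the two columns that matter are Direction and SidFiltering: a trust that is transitive, points the useful way, and has no SID filtering is where SID history across the trust becomes interesting; an external trust with QUARANTINED_DOMAIN set is the case where the abuse is limited to the trusted domain's own SIDs.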

User Hunting

Find all machines on the current domain where the current user has local admin access

  • Queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Invoke-CheckLocalAdminAccess on each machine

  • This can also be done with the help of remote administration tools like WMI and PowerShell remoting. Useful in cases where the ports (RPC and SMB) used by Find-LocalAdminAccess are blocked

  • See Find-WMILocalAdminAccess.ps1 and Find-PSRemotingLocalAdminAccess.ps1

Find-LocalAdminAccess -Verbose
Invoke-CheckLocalAdminAccess
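Added example (not part of the original page, and not the Find-PSRemotingLocalAdminAccess.ps1 script it mentions): a minimal PowerShell remoting based version of the local admin sweep. It pulls enabled computers with the AD module, then runs a harmless scriptblock on each over WinRM (5985/5986). Remote PowerShell only admits members of the local Administrators (or Remote Management Users) group by default, so a successful run under the current token is treated as admin access; "Access is denied" means WinRM answered but the current user is not an admin there, and any other error means WinRM was not reachable. Timeouts and the optional SearchBase are assumptions.

```powershell
# Added example: test local admin access over PowerShell remoting (AD module + WinRM).
Import-Module ActiveDirectory

function Find-PsRemotingAdminAccess {
    param(
        [string]$SearchBase,          # optional OU DN to limit the sweep
        [int]$TimeoutSeconds = 5
    )
    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'DNSHostName' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    $targets = Get-ADComputer @params | Where-Object DNSHostName | Select-Object -ExpandProperty DNSHostName

    # Keep dead hosts from stalling the loop
    $opt = New-PSSessionOption -OpenTimeout ($TimeoutSeconds * 1000) -OperationTimeout ($TimeoutSeconds * 1000)

    foreach ($h in $targets) {
        try {
            # Runs under the current token; the scriptblock only reports who we are on the box
            $r = Invoke-Command -ComputerName $h -SessionOption $opt -ErrorAction Stop -ScriptBlock {
                [pscustomobject]@{
                    Host  = $env:COMPUTERNAME
                    RunAs = [Security.Principal.WindowsIdentity]::GetCurrent().Name
                }
            }
            [pscustomobject]@{ Computer = $h; AdminAccess = $true;  RunAs = $r.RunAs; Error = $null }
        } catch {
            $msg = $_.Exception.Message.Split("`n")[0]
            # 'Access is denied' => WinRM reachable, not admin; anything else => WinRM not reachable
            [pscustomobject]@{ Computer = $h; AdminAccess = $false; RunAs = $null; Error = $msg }
        }
    }
}

# Hosts where the current user is a local admin (or WinRM-permitted), plus the error column for the rest
$results = Find-PsRemotingAdminAccess
$results | Where-Object AdminAccess | Format-Table -AutoSize
$results | Where-Object { -not $_.AdminAccess } | Group-Object Error | Select-Object Count, Name
```

Unlike Invoke-CheckLocalAdminAccess this does not touch SMB or RPC at all, so it is the variant to use when those ports are filtered; the trade-off is that every successful check leaves a PowerShell remoting logon (event ID 4624 logon type 3 plus WinRM operational log entries) on the target.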

Find computers where a domain admin (or specified user/group) has sessions

  • Windows Server 2019 and Windows 10 1709 onwards require local administrator privileges to list sessions (NetSessionEnum), so session-based hunting against those hosts only works from an admin context

  • Queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-DomainGroupMember, gets a list of computers (Get-DomainComputer) and list sessions and logged on users (Get-NetSession/Get-NetLoggedon) from each machine

Invoke-UserHunter -GroupName 'RDPUsers'
Invoke-UserHunter -CheckAccess
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"

Find computers where a domain admin session is available and current user has admin access (uses Test-AdminAccess)

Find-DomainUserLocation -CheckAccess

Find computers (File Servers and Distributed File servers) where a domain admin session is available

Invoke-UserHunter -Stealth
Find-DomainUserLocation -Stealth

Tools

PowerView

https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

Import-Module .\PowerView.ps1

ActiveDirectory PowerShell Module

https://github.com/samratashok/ADModule

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1