Enumeration

Without Active Directory module installed

Get Current Domain Info

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Get Domain Trusts

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

Get Forest Info

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

Get Forest Trust Relationships

([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()

Enumerate Domain Users

set u

Lists the environment variables beginning with "u" (USERNAME, USERDOMAIN, USERDNSDOMAIN), i.e. the current user and the domain the session belongs to.

List all Usernames

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname

List Administrators

([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

List all Info about specific user

([adsisearcher]"(&(objectClass=User)(samaccountname=$UserName))").FindAll().Properties

View All Users with Description Field Set

([adsisearcher]"(&(objectClass=User)(description=*))").FindAll() | % { "$($_.Properties.samaccountname) : $($_.Properties.description)" }
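As an added example (not from the original page), the one-liners above wrapped in a reusable [adsisearcher] function for hosts without the ActiveDirectory module: it pages results, unwraps the property value collections, and uses the LDAP bitwise-AND matching rule on userAccountControl to find enabled accounts whose password never expires. The function and parameter names are my own; the filter and flag values are the documented LDAP/AD ones.

```powershell
# Added example, not the page's own code. Run as a domain user on a domain-joined host.
function Find-AdsiObject {
    param(
        [Parameter(Mandatory)][string]$LdapFilter,
        [string[]]$Properties = @('samaccountname', 'description', 'useraccountcontrol'),
        [string]$SearchBase   # optional OU/domain DN, e.g. "OU=Staff,DC=test,DC=local"
    )
    $searcher = [adsisearcher]$LdapFilter
    if ($SearchBase) { $searcher.SearchRoot = [adsi]"LDAP://$SearchBase" }
    $searcher.PageSize = 1000                      # page the search; a DC caps a single result set
    $Properties | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    foreach ($result in $searcher.FindAll()) {
        $obj = [ordered]@{}
        foreach ($p in $Properties) {
            # every loaded attribute comes back as a value collection; unwrap single values
            $v = $result.Properties[$p]
            $obj[$p] = if ($v.Count -le 1) { $v | Select-Object -First 1 } else { @($v) }
        }
        [pscustomobject]$obj
    }
}

# userAccountControl bit flags (documented values) and the LDAP_MATCHING_RULE_BIT_AND OID
$UF_ACCOUNTDISABLE     = 0x0002
$UF_DONT_EXPIRE_PASSWD = 0x10000
$bitAnd = '1.2.840.113556.1.4.803'

# Enabled user accounts whose password never expires: the same audit as the
# Get-ADUser / PasswordNeverExpires one-liner in the AD module section, without the module.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(userAccountControl:${bitAnd}:=$UF_DONT_EXPIRE_PASSWD)" +
          "(!(userAccountControl:${bitAnd}:=$UF_ACCOUNTDISABLE)))"
Find-AdsiObject -LdapFilter $filter | Format-Table samaccountname, description

# Users that have a description set, printed as "name : description"
Find-AdsiObject -LdapFilter '(&(objectCategory=person)(objectClass=user)(description=*))' |
    ForEach-Object { '{0} : {1}' -f $_.samaccountname, $_.description }
```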

Using Active Directory PowerShell module

View all Active Directory commands

Get-Command -Module ActiveDirectory

Display Basic Domain Information

Get-ADDomain

Get Domain SID

(Get-ADDomain).DomainSID

Enumerate other Domains:

Get-ADDomain -Identity $DomainName

List Domain Controllers

Get-ADDomainController
Get-ADDomainController -Identity $DomainName

Get all Domain Controllers by Hostname and Operating System

Get-ADDomainController -filter * | select hostname, operatingsystem

Enumerate Domain Computers:

Get-ADComputer -Filter * -Properties *
Get-ADGroup -Filter *

Enumerate Domain Trust:

Get-ADTrust -Filter *
Get-ADTrust -Identity $DomainName

Enumerate Forest Trust:

Get-ADForest
Get-ADForest -Identity $ForestName

#List Domains in a Forest
(Get-ADForest).Domains

Enumerate Local AppLocker Effective Policy:

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Get all Fine Grained Password Policies

Get-ADFineGrainedPasswordPolicy -filter *

Get Domain Default Password Policy

Gets the password policy from the logged in domain

Get-ADDefaultDomainPasswordPolicy
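As an added example (not from the original page), the two policy cmdlets above fed through one checker that reports where the default domain policy or any fine-grained policy falls below a baseline. The function name, parameter names and the baseline values (14 characters, 24 remembered passwords, lockout threshold between 1 and 10) are my own assumptions; adjust them to your standard.

```powershell
# Added example, not the page's own code. Requires the ActiveDirectory module.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Policy,
        [int]$MinLength = 14,          # assumed baseline values
        [int]$MinHistory = 24,
        [int]$MaxLockoutThreshold = 10
    )
    process {
        # Get-ADDefaultDomainPasswordPolicy returns no Name; fine-grained policies do
        $name = if ($Policy.Name) { $Policy.Name } else { 'Default Domain Policy' }
        $findings = @()
        if ($Policy.MinPasswordLength -lt $MinLength) {
            $findings += "MinPasswordLength $($Policy.MinPasswordLength) < $MinLength"
        }
        if (-not $Policy.ComplexityEnabled)        { $findings += 'complexity disabled' }
        if ($Policy.ReversibleEncryptionEnabled)   { $findings += 'reversible encryption enabled' }
        if ($Policy.PasswordHistoryCount -lt $MinHistory) {
            $findings += "PasswordHistoryCount $($Policy.PasswordHistoryCount) < $MinHistory"
        }
        # 0 means lockout is disabled entirely; a very high threshold is nearly the same thing
        if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $MaxLockoutThreshold) {
            $findings += "LockoutThreshold $($Policy.LockoutThreshold)"
        }
        [pscustomobject]@{
            Policy     = $name
            Precedence = $Policy.Precedence                 # null for the default policy
            AppliesTo  = ($Policy.AppliesTo -join ';')      # empty for the default policy
            MaxAgeDays = if ($Policy.MaxPasswordAge) { $Policy.MaxPasswordAge.TotalDays } else { $null }
            Findings   = ($findings -join '; ')
        }
    }
}

# Default policy first, then every fine-grained policy (lowest Precedence wins when several apply)
$report = @(Get-ADDefaultDomainPasswordPolicy | Test-PasswordPolicy) +
          @(Get-ADFineGrainedPasswordPolicy -Filter * | Test-PasswordPolicy)
$report | Format-Table Policy, Precedence, MaxAgeDays, Findings -AutoSize
```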

Backup Active Directory System State Remotely

This will back up the domain controller's system state data. Set $DC_Name to the DC's hostname and replace Backup-Path with the backup location; it can be a local disk or a UNC path.

Invoke-Command -ComputerName $DC_Name -scriptblock {wbadmin start systemstatebackup -backupTarget:"Backup-Path" -quiet}

AD User Enumeration

Get User and List All Properties (attributes)

For the variable $username use the samAccountName of the account

Get-ADUser $username -Properties *

Get User and list only specific properties

Get-ADUser $username -Properties * | Select name, department, title

Find a specific string in a certain user's attribute

Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select Name, Description

Get All Active Directory Users in Domain

Get-ADUser -Filter *

Get All Users From a Specific OU

OU = Full distinguished path of the OU

Get-ADUser -SearchBase "OU=Domain Users,dc=test,dc=local" -Filter *

Get AD Users by Name

This command will find all users that have the word bob in the name.

Get-Aduser -Filter {name -like "*bob*"}

Get All Disabled User Accounts

Search-ADAccount -AccountDisabled | select name

Disable User Account

Disable-ADAccount -Identity $UserName

Enable User Account

Enable-ADAccount -Identity $UserName

Get All Accounts with Password Set to Never Expire

Get-Aduser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq "true" } | Select-Object DistinguishedName,Name,Enabled

Find All Locked User Accounts

Search-ADAccount -LockedOut

Unlock User Account

Unlock-ADAccount -Identity $UserName

List all Disabled User Accounts

Search-ADAccount -AccountDisabled

Force Password Change at Next Login

Set-ADUser -Identity $UserName -ChangePasswordAtLogon $true

Move a Single User to a New OU

You will need the distinguishedName of the user and of the target OU.

Move-ADObject -Identity "CN=bob,OU=Users,DC=ad,DC=test,DC=local" -TargetPath "OU=HR,OU=Users,DC=ad,DC=test,DC=local"

Move Users from one OU to another using a CSV file

Create a CSV with a Name column containing the users' SamAccountNames, point $csvFile at it, then change the target OU path to move the users.

# Specify target OU. 
$TargetOU = "OU=HR,OU=Users,DC=ad,DC=test,DC=local"

# Read user SAMAccountNames from csv file (field labeled "Name"). 
Import-Csv -Path $csvFile | ForEach-Object { 

  # Retrieve the distinguishedName of the User. 
  $UserDN = (Get-ADUser -Identity $_.Name).distinguishedName 

  # Move user to target OU. 
  Move-ADObject -Identity $UserDN -TargetPath $TargetOU 
}

AD Group Commands

Get All members of a Security group

Get-ADGroupMember -identity $GroupName

Get All Security Groups

This will list all security groups in a domain

Get-ADGroup -filter *

Add User to Group

Add-ADGroupMember -Identity $GroupName -Members $user1, $user2

Export Users From a Group

This will export the group's members to a CSV; set $GroupName to the group you want to export and $OutCsv to the output file.

Get-ADGroupMember -identity $GroupName | select name | Export-csv -Path $OutCsv -NoTypeInformation

Get Group by keyword

Get-AdGroup -filter * | Where-Object {$_.name -like "*$GroupName*"}

Import a List of Users to a Group

# Read the SamAccountNames first, then add them in one call (the column is labeled "samaccountname")
$members = Import-Csv $csvFile | Select-Object -ExpandProperty samaccountname
Add-ADGroupMember -Identity $GroupName -Members $members

AD Computer Commands

List All Computers

Get-AdComputer -filter *

List All Computers by Name

Get-ADComputer -filter * | select name

Get All Computers from a specific OU

Get-ADComputer -SearchBase "OU=$DistinguishedName" -Filter *

Get a Count of All Computers in Domain

Get-ADComputer -filter * | measure

Get all Windows 10 Computers

Get-ADComputer -filter {OperatingSystem -Like '*Windows 10*'} -property * | select name, operatingsystem

Get a Count of All computers by Operating System

This will provide a count of all computers and group them by the operating system. A great command to give you a quick inventory of computers in AD.

Get-ADComputer -Filter "name -like '*'" -Properties operatingSystem | group -Property operatingSystem | Select Name,Count
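As an added example (not from the original page), the per-OS count above extended into a small inventory function that also reports enabled but stale computer accounts, which is what the count is usually taken for. The function name, parameter names and the 90-day threshold are my own assumptions.

```powershell
# Added example, not the page's own code. Requires the ActiveDirectory module.
function Get-ComputerInventory {
    param(
        [int]$StaleDays = 90,      # assumed threshold
        [string]$SearchBase        # optional OU DN to scope the query
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $params = @{ Filter = '*'; Properties = 'OperatingSystem', 'LastLogonDate', 'Enabled' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    $computers = Get-ADComputer @params

    # LastLogonDate derives from lastLogonTimestamp, which replicates only every ~14 days,
    # so treat it as approximate; a null value means the account never logged on.
    $isStale = { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) }

    $byOs = $computers | Group-Object -Property OperatingSystem | ForEach-Object {
        [pscustomobject]@{
            OperatingSystem = if ($_.Name) { $_.Name } else { '(not set)' }
            Count           = $_.Count
            Enabled         = @($_.Group | Where-Object Enabled).Count
            Stale           = @($_.Group | Where-Object $isStale).Count
        }
    } | Sort-Object Count -Descending

    $stale = $computers | Where-Object $isStale |
        Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName

    [pscustomobject]@{ ByOperatingSystem = $byOs; StaleEnabled = $stale }
}

$inv = Get-ComputerInventory -StaleDays 90
$inv.ByOperatingSystem | Format-Table -AutoSize
$inv.StaleEnabled | Sort-Object LastLogonDate | Format-Table -AutoSize
```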

Delete a single Computer

Remove-ADComputer -Identity "$ComputerName"

Delete a List of Computer Accounts

Add the hostnames to a text file and run the command below.

Get-Content -Path $ComputerList | Remove-ADComputer

Delete Computers From an OU

Get-ADComputer -SearchBase "OU=$DistinguishedName" -Filter * | Remove-ADComputer

Using PowerView

  • Get Current Domain: Get-NetDomain

  • Enumerate other Domains: Get-NetDomain -Domain $DomainName

  • Get Domain SID: Get-DomainSID

  • Get Domain Policy:

    Get-DomainPolicy
    
    #Will show us the policy configurations of the Domain about system access or kerberos
    (Get-DomainPolicy)."system access"
    (Get-DomainPolicy)."kerberos policy"
  • Get Domain Controllers:

    Get-NetDomainController
    Get-NetDomainController -Domain $DomainName
  • Enumerate Domain Users:

    Get-NetUser
    Get-NetUser -SamAccountName $user
    Get-NetUser | select cn
    Get-UserProperty
    
    #Check last password change
    Get-UserProperty -Properties pwdlastset
    
    #Get a specific "string" on a user's attribute
    Find-UserField -SearchField Description -SearchTerm "wtver"
    
    #Enumerate user logged on a machine
    Get-NetLoggedon -ComputerName $ComputerName
    
    #Enumerate Session Information for a machine
    Get-NetSession -ComputerName $ComputerName
    
    #Enumerate domain machines of the current/specified domain where specific users are logged into
    Find-DomainUserLocation -Domain $DomainName | Select-Object UserName, SessionFromName
  • Enumerate Domain Computers:

    Get-NetComputer -FullData
    Get-DomainGroup
    
    #Enumerate Live machines 
    Get-NetComputer -Ping
  • Enumerate Groups and Group Members:

    Get-NetGroupMember -GroupName "$GroupName" -Domain $DomainName
    
    #Enumerate the members of a specified group of the domain
    Get-DomainGroup -Identity $GroupName | Select-Object -ExpandProperty Member
    
    #Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
    Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
  • Enumerate Shares

    #Enumerate Domain Shares
    Find-DomainShare
    
    #Enumerate Domain Shares the current user has access
    Find-DomainShare -CheckShareAccess
  • Enumerate Group Policies:

    Get-NetGPO
    
    # Shows active Policy on specified machine
    Get-NetGPO -ComputerName $ComputerName
    Get-NetGPOGroup
    
    #Get users that are part of a Machine's local Admin group
    Find-GPOComputerAdmin -ComputerName $ComputerName
  • Enumerate OUs:

    Get-NetOU -FullData 
    Get-NetGPO -GPOname $GPO_GUID
  • Enumerate ACLs:

    # Returns the ACLs associated with the specified account
    Get-ObjectAcl -SamAccountName $AccountName -ResolveGUIDs
    Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose
    
    #Search for interesting ACEs
    Invoke-ACLScanner -ResolveGUIDs
    
    #Check the ACLs associated with a specified path (e.g smb share)
    Get-PathAcl -Path $Share_Path
  • Enumerate Domain Trust:

    Get-NetDomainTrust
    Get-NetDomainTrust -Domain $DomainName
  • Enumerate Forest Trust:

    #Domains of Forest Enumeration
    Get-NetForestDomain
    Get-NetForestDomain -Forest $ForestName
    
    #Map the Trust of the Forest
    Get-NetForestTrust
    Get-NetForestTrust -Forest $ForestName
  • User Hunting:

    #Finds all machines on the current domain where the current user has local admin access
    Find-LocalAdminAccess -Verbose
    
    #Find local admins on all machines of the domain:
    Invoke-EnumerateLocalAdmin -Verbose
    
    #Find computers where a Domain Admin OR a specified user has a session
    Invoke-UserHunter
    Invoke-UserHunter -GroupName "RDPUsers"
    Invoke-UserHunter -Stealth
    
    #Confirming admin access:
    Invoke-UserHunter -CheckAccess

    Escalate Privileges to Domain Admin with User Hunting:

    • If you have local admin access on a machine

    • If A Domain Admin has a session on that machine

    • Steal their token and impersonate them!

PowerView 3.0 Tricks

Using BloodHound

#Using .exe ingestor
.\SharpHound.exe --CollectionMethod All --LDAPUser $UserName --LDAPPass $Password --JSONFolder $OutFile_Path

#Using powershell module ingestor (load the script into the session first)
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -LDAPUser $UserName -LDAPPass $Password -OutputDirectory $OutFile_Path

Group Policy

Get-Command -Module grouppolicy

Get all GPOs by status

Get-GPO -all | select DisplayName, gpostatus

Backup all GPOs in the Domain

Backup-Gpo -All -Path E:\GPObackup

Enumeration using nltest and .Net

Get Domain Information

nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName

Get Current Domain Info

nltest /dsgetdc:test.local

set l

Lists the environment variables beginning with "l", including LOGONSERVER, the DC that authenticated the current session.

View Domain Forest Info

nltest /domain_trusts

View Domain Trust Information

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-name.local')))).GetAllTrustRelationships()

View All Domain Controllers

nltest /dclist:$domainFQDN
net group "domain controllers" /domain

View DC for Current Session

nltest /dsgetdc:$domainFQDN

Kerberos

Get domain name and DC the user authenticated to

klist

Get All Logged on Sessions, Includes NTLM & Kerberos

klist sessions

View Current Kerberos Tickets

klist

View Cached Krbtgt

klist tgt

Other useful AD enumeration tools

  • LDAPDomainDump: information dumper via LDAP; gathers the AD schema details.

  • adidnsdump: integrated DNS dumping by any authenticated user.

  • ACLight: advanced discovery of privileged accounts.

  • ADRecon: detailed Active Directory recon tool.

  • ADExplorer: easily navigate an AD database and save snapshots of it for off-line viewing.
