AD Enumeration cheatsheet

Rich
5 min readSep 6, 2022

--

Don’t let the pic fool you, this cheatsheet is from this year

TL;DR this mostly comes from my CRTP notes with some handy stuff I learned elsewhere thrown in. This is a cheatsheet so if you want explanations then follow the links, for example regarding ASREPRoasting, Kerberoasting, etc.

Welcome to Part IV of our cheatsheet series!

Part I: Mimikatz cheatsheet

Part II: Set-Acl cheatsheet

Part III: Get-Acl cheatsheet

Part IV: Enumerating AD cheatsheet

Part V: Windows reverse shells cheatsheet

Part VI: MS Graph PowerShell cheatsheet

Part VII: Hash cracking cheatsheet

Part VIII: The Credential Theft Shuffle

Part IX: SACLs & Querying Collected Logs

Part X: Setting up a simple AD lab in Azure

How to get the AD module

If the system you are using does not have RSAT installed, just grab 4 files from here, from Microsoft, or from a system that already has RSAT.

  • Microsoft.ActiveDirectroy.Management.dll
  • ActiveDirectory.psd1
  • ActiveDirectory.Format.ps1xml
  • ActiveDirectory.Types.ps1xml

Drop them in a folder, C:\Temp for example, then:

Set-Location C:\TempImport-Module .\Microsoft.ActiveDirectory.Management.dllImport-Module .\ActiveDirectory.psd1

If you would like to keep using the AD module in future PS sessions then

Put Microsoft.ActiveDirectory.Management.dll in:

C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management

Put ActiveDirectory.psd1 in:

C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\

I first started learning how to use the PS AD module after watching the AD portion of TCM’s Ethical Hacking course. He was showing everything in PowerView and I figured native PS should be able to do the job. I’m partial to native PS because

  • It doesn’t trip Defender, obviously
  • It’s on every Windows system already [you may just have to load the files above]
  • Hence no change request required :)

Additionally I’m really fond of PowerShell_ISE. However if you like PowerView then that’s great too. I list both below.

OU enumeration

PowerView command shown first, native PS command shown second.

List all OUs:

Get-NetOUGet-ADOrganizationalUnit -Filter * | Select-Object DistinguishedName, Name

List info about an OU:

Get-NetOU StudentMachines -FullDataGet-ADOrganizationalUnit -Filter {Name -eq “StudentMachines”} -Properties *

List all systems in a given OU:

Get-NetOU <OU name> | @{Get-NetComputer -ADSPath $_}Get-ADComputer -Filter * -Properties * -SearchBase “ou=<OU name>,dc=<child domain>,dc=<parent domain>,dc=local” | Select-Object CanonicalName

Alt, old school method:

dsquery computer “OU=<OU name>,DC=<child domain>,DC=<parent domain>,DC=local” -o rdn

List all GPOs:

Get-NetGPOGet-GPO -All

List GPOs applied to an OU, PS:

(Get-ADOrganizationalUnit “ou=clients,dc=test,dc=local” -Properties *).gpLink

Fully enumerating Group Policy though is honestly easier using RSOP.msc. It’ll show what settings are pushed to the system and what the GPO names are.

Please note that if you have local admin on a compromised system you can add RSAT. I did this during CRTP and it greatly helped visualize the domain using ADUC & GPMC. You can also upload any standalone installer, for example nmap. This will help you see what services are running on what systems in case you miss it during other enumeration methods.

Trust relationships

PowerView command shown first, native PS command shown second.

Find all domains in the current forest:

Get-NetForestDomain -Verbose(Get-ADForest).Domains

Map all trusts:

Get-NetDomainTrustGet-ADTrust -Filter * | Select-Object Source, Target, TrustType, Direction

Map all trusts of the forest:

Get-NetForestDomain -Verbose | Get-NetDomainTrustGet-ADForest | %{Get-ADTrust -Filter *} | Select-Object Source, Target, TrustType, Direction

List only external trusts in the the forest:

Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq ‘External’}(Get-ADForest).Domains | %{Get-ADTrust -Filter ‘(intraForest -ne $True) -and (ForestTransitive -ne $True)’ -Server $_}

ID external trusts of the current domain:

Get-NetDomainTrust | ?{$_.TrustType -eq ‘External’}Get-ADTrust -Filter ‘(intraForest -ne $True) -and (ForestTransitive -ne $True)’ | Select-Object Source, Target, TrustType, Direction

Finds trusts for an external domain that trusts us:

Get-NetForestDomain -Forest <external domain name> -Verbose | Get-NetDomainTrustGet-ADTrust -Server <external domain name> -Filter * | Select-Object Source, Target, TrustType, Direction

User, computer, group, share enumeration

PowerView command shown first, native PS command shown second.

Show all Domain Users:

Get-NetUser | select -ExpandProperty SamAccountNameGet-ADUser -Prop * | Select-Object SamAccountName

Show all Domain Computers:

Get-NetComputerGet-ADComputer -Filter * -Properties * | Select-Object CanonicalName

Get info on a group in another domain:

Get-NetGroupMember -GroupName “Enterprise Admins” -Domain OtherDomain.localGet-ADgroupMember -Identity “Enterprise Admins” -Server OtherDomain.local

See info on a given AD Group:

Get-NetGroup -GroupName “Domain Admins” -FullDataGet-ADGroup -Identity “Domain Admins”

Show members of Domain Admins group:

Get-NetGroupMember -GroupName “Domain Admins”Get-ADGroupMember -Identity “Domain Admins”

Find interesting shares (via PowerView):

Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC –Verbose

Handy stuff that wasn’t in my CRTP notes

Oldie but a goodie to show the DC that holds each role:

netdom query fsmo

Get basic info about the domain itself:

Get-ADDomain

Get the user you are logged in as and the system you are on:

$env:username ; $env:computername

Get your current group memberships, another oldie but a goodie:

whoami /groups

Get your current group memberships, PS version:

Get-ADUser $env:username -Properties * | Select-Object MemberOf | Format-List

Find some basic info on all users:

Get-ADUser -Filter * -Properties * | Select-Object SamAccountName, UserPrincipalName, ServicePrincipalName, SID

Get users from only a specified OU, in this case how many there are:

(Get-ADUser -Filter * -SearchBase “OU=THM,DC=thmredteam,DC=com”).Count

Find user accounts with SPNs [possibly Kerberoastable]:

Get-ADUser -Filter {ServicePrincipalName -ne “$null”} -Properties * | Select-Object SamAccountName, ServicePrincipalName, MemberOf

Find computer accounts with unconstrained delegation enabled (by default all DCs will show up in this query. You are looking for the ones that aren’t DCs):

Get-ADComputer -Filter {TrustedForDelegation -eq $true}

Find users with interesting info in their account description (Worth a shot in a CTF, and some very poorly run domains.):

Get-ADUser -Filter {Description -like “*password*”} -Properties * | Select-Object SamAccountName, Description
Flags & passwords redacted as per THM’s writeup guidance

Find a user with a known SID (worth a shot in CTFs & poorly run domains as SID 500 never locks out):

Get-ADUser -Filter * | Where-Object {$_.SID -like “*-500”}

Find users without pre-auth required, aka ASREPRoastable:

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties * | Select-Object SAMAccountName

Example query for exact attributes:

Get-ADUser -Filter * -Properties * | Where-Object {$_.SID -like “*-500”} | Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordExpired

Remember if you are going to set the query result to a variable it’s normally best to use (<query>).<thing> :

$BruteForceMe = (Get-ADUser -Filter * -Properties * | Where-Object {$_.SID -like “*-500”}).SamAccountName

Don’t actually waste time on brute force if you take CRTP. They are very clear in their exam instructions that it is highly unlikely to work.

Connecting from Linux

Connect to RDP using xfreerdp:

xfreerdp /v:10.10.188.175 /u:kkidd

PSRemote via evil-WinRM (using PTH):

evil-winrm -i 192.168.0.120 -u Administrator -H 03df526c49c8684ebed22fdb3ec5c533

If you have credentials:

evil-winrm -i 192.168.0.120 -u Administrator -p <password>

References:

Files required for PS AD module: https://github.com/samratashok/ADModule

Nikhil Mittal, howto use PS AD module without RSAT: http://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html

Ired, PS AD module without RSAT: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges

--

--

Rich
Rich

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.