AD Enumeration cheatsheet

Don’t let the pic fool you, this cheatsheet is from this year
Set-Location C:\TempImport-Module .\Microsoft.ActiveDirectory.Management.dllImport-Module .\ActiveDirectory.psd1
Get-NetOUGet-ADOrganizationalUnit -Filter * | Select-Object DistinguishedName, Name
Get-NetOU StudentMachines -FullDataGet-ADOrganizationalUnit -Filter {Name -eq “StudentMachines”} -Properties *
Get-NetOU <OU name> | @{Get-NetComputer -ADSPath $_}Get-ADComputer -Filter * -Properties * -SearchBase “ou=<OU name>,dc=<child domain>,dc=<parent domain>,dc=local” | Select-Object CanonicalName
dsquery computer “OU=<OU name>,DC=<child domain>,DC=<parent domain>,DC=local” -o rdn
Get-NetGPOGet-GPO -All
(Get-ADOrganizationalUnit “ou=clients,dc=test,dc=local” -Properties *).gpLink
Get-NetForestDomain -Verbose(Get-ADForest).Domains
Get-NetDomainTrustGet-ADTrust -Filter * | Select-Object Source, Target, TrustType, Direction
Get-NetForestDomain -Verbose | Get-NetDomainTrustGet-ADForest | %{Get-ADTrust -Filter *} | Select-Object Source, Target, TrustType, Direction
Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq ‘External’}(Get-ADForest).Domains | %{Get-ADTrust -Filter ‘(intraForest -ne $True) -and (ForestTransitive -ne $True)’ -Server $_}
Get-NetDomainTrust | ?{$_.TrustType -eq ‘External’}Get-ADTrust -Filter ‘(intraForest -ne $True) -and (ForestTransitive -ne $True)’ | Select-Object Source, Target, TrustType, Direction
Get-NetForestDomain -Forest <external domain name> -Verbose | Get-NetDomainTrustGet-ADTrust -Server <external domain name> -Filter * | Select-Object Source, Target, TrustType, Direction
Get-NetUser | select -ExpandProperty SamAccountNameGet-ADUser -Prop * | Select-Object SamAccountName
Get-NetComputerGet-ADComputer -Filter * -Properties * | Select-Object CanonicalName
Get-NetGroupMember -GroupName “Enterprise Admins” -Domain OtherDomain.localGet-ADgroupMember -Identity “Enterprise Admins” -Server OtherDomain.local
Get-NetGroup -GroupName “Domain Admins” -FullDataGet-ADGroup -Identity “Domain Admins”
Get-NetGroupMember -GroupName “Domain Admins”Get-ADGroupMember -Identity “Domain Admins”
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC –Verbose
netdom query fsmo
$env:username ; $env:computername
whoami /groups
Get-ADUser $env:username -Properties * | Select-Object MemberOf | Format-List
Get-ADUser -Filter * -Properties * | Select-Object SamAccountName, UserPrincipalName, ServicePrincipalName, SID
(Get-ADUser -Filter * -SearchBase “OU=THM,DC=thmredteam,DC=com”).Count
Get-ADUser -Filter {ServicePrincipalName -ne “$null”} -Properties * | Select-Object SamAccountName, ServicePrincipalName, MemberOf
Get-ADComputer -Filter {TrustedForDelegation -eq $true}
Get-ADUser -Filter {Description -like “*password*”} -Properties * | Select-Object SamAccountName, Description
Flags & passwords redacted as per THM’s writeup guidance
Get-ADUser -Filter * | Where-Object {$_.SID -like “*-500”}
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties * | Select-Object SAMAccountName
Get-ADUser -Filter * -Properties * | Where-Object {$_.SID -like “*-500”} | Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordExpired
$BruteForceMe = (Get-ADUser -Filter * -Properties * | Where-Object {$_.SID -like “*-500”}).SamAccountName
xfreerdp /v: /u:kkidd
evil-winrm -i -u Administrator -H 03df526c49c8684ebed22fdb3ec5c533
evil-winrm -i -u Administrator -p <password>



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.