Enumeration

Powershell

Users

net user /domain
net user zoe.marshall /domain

Groups

net group /domain
net group "Tier 1 Admins" /domain

Enumeration Tools

• Seatbelt: Used for enumeration from configuration files.

• Bloodhound/ SharpHound: Tools for Active Directory (AD) enumeration.

• LDAP enumeration : Perform LDAP searches to gather information from AD.

• PowerView : Legacy tool for AD enumeration (no longer supported).

• Windows Management Instrumentation (WMI) : Get-WmiObject -Namespace root\directory\ldap -Class ds_* -List

Domain Information

Retrieve basic domain details:

Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | Select-Object ds_dc, ds_distinguishedname, pscomputername

Domain Policies

Retrieve domain policy details such as password requirements and lockout thresholds:

Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | Select-Object ds_lockoutduration, ds_lockoutobservationwindow, ds_lockoutthreshold, ds_maxpwdage, ds_minpwdage, ds_minpwdlength, ds_pwdhistorylength, ds_pwdproperties

Domain Controllers (DCs)

Identify domain controllers:

Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | Where-Object { $_.ds_useraccountcontrol -match 532480 } | Select-Object ds_cn, ds_dnshostname, ds_operatingsystem, ds_lastlogon, ds_pwdlastset

User Type	Hex Value	Constants
Normal User	0x200	512
Workstation/Server	0x1000	4096
Domain Controller	0x82000	532480

---

User and Group Enumeration

User Accounts

Account Type	Identifier	Constant
Temporary Duplicate Account	UF_TEMP_DUPLICATE_ACCOUNT	256
Normal Account	UF_NORMAL_ACCOUNT	512
Interdomain Trust Account	UF_INTERDOMAIN_TRUST_ACCOUNT	2048
Workstation Trust Account	UF_WORKSTATION_TRUST_ACCOUNT	4096
Server Trust Account	UF_SERVER_TRUST_ACCOUNT	8192

List all user accounts:

Get-WmiObject -Class win32_useraccount | Select-Object name, domain, accounttype

List user accounts in a specific domain (e.g., "infected"):

Get-WmiObject -Class win32_useraccount -Filter 'domain="infected"' | Select-Object caption

Currently Logged-On Users

Enumerate currently logged-on users (e.g., users on domain "infected"):

Get-WmiObject -Class win32_loggedonuser | Where-Object { $_ -match 'infected' } | ForEach-Object { [wmi]$_.antecedent }
Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description

Groups

Enumerate groups:

Get-WmiObject -Class win32_groupindomain | ForEach-Object { [wmi]$_.partcomponent }

Find users in the "Domain Admins" group:

Get-WmiObject -Class win32_groupuser | Where-Object { $_.groupcomponent -match 'domain admins' } | ForEach-Object { [wmi]$_.partcomponent }

Find groups containing a specific user (e.g., "Administrator"):

Get-WmiObject -Class win32_groupuser | Where-Object { $_.partcomponent -match 'Administrator' } | ForEach-Object { [wmi]$_.groupcomponent }

---

Machine Enumeration

Find Machines in the Domain

Retrieve a list of all machines in the domain:

Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | Select-Object ds_cn

Enumerate Admin Privileges Across AD

Identify machines in the domain where the user has admin privileges:

$pcs = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | Select-Object -ExpandProperty ds_cn
foreach ($pc in $pcs) {(Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction SilentlyContinue).name}

---

This organization separates tools, commands, and their purposes into logical sections, making it easier to navigate and use. Let me know if you'd like to refine this further!