Enumeration
Powershell
Users
net user /domain
net user zoe.marshall /domain
Groups
net group /domain
net group "Tier 1 Admins" /domain
Enumeration Tools
Seatbelt: host enumeration tool that gathers security-relevant configuration data from the local system.
BloodHound / SharpHound: graph-based Active Directory (AD) enumeration (SharpHound collects, BloodHound analyses).
LDAP enumeration: run LDAP queries to gather information from AD.
PowerView: legacy PowerShell tool for AD enumeration (no longer supported).
Windows Management Instrumentation (WMI): the root\directory\ldap namespace exposes AD objects as ds_* classes; list them with:
Get-WmiObject -Namespace root\directory\ldap -Class ds_* -List
Domain Information
Retrieve basic domain details:
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | Select-Object ds_dc, ds_distinguishedname, pscomputername
Domain Policies
Retrieve domain policy details such as password requirements and lockout thresholds:
Get-WmiObject -Namespace root\directory\ldap -Class ds_domain | Select-Object ds_lockoutduration, ds_lockoutobservationwindow, ds_lockoutthreshold, ds_maxpwdage, ds_minpwdage, ds_minpwdlength, ds_pwdhistorylength, ds_pwdproperties
Domain Controllers (DCs)
Identify domain controllers (userAccountControl value 532480, see the table below; an exact comparison is used rather than a regex -match):
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | Where-Object { $_.ds_useraccountcontrol -eq 532480 } | Select-Object ds_cn, ds_dnshostname, ds_operatingsystem, ds_lastlogon, ds_pwdlastset
userAccountControl values (hex / decimal):
Normal User: 0x200 (512)
Workstation/Server: 0x1000 (4096)
Domain Controller: 0x82000 (532480)
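The values above are bit flags, so an exact comparison against 532480 misses a DC whose userAccountControl also carries another flag. The helper below is an added example, not part of the original notes; it decodes a value into its UF_* flag names and classifies computer objects by bit test, assuming the same root\directory\ldap WMI namespace used above.

```powershell
# Added example (not from the original notes): decode a userAccountControl
# bitmask into flag names. Values are the documented UF_* flags.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Emit the name of every flag whose bit is set in $Value.
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# The DC value from the table above is SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION.
ConvertFrom-UserAccountControl 0x82000

# Classify computer objects with a bit test instead of an exact value, so a DC
# that also carries e.g. DONT_EXPIRE_PASSWORD is still reported as a DC.
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer |
    Select-Object ds_cn, ds_dnshostname,
        @{ n = 'Role'; e = {
            if ($_.ds_useraccountcontrol -band 0x2000) { 'Domain Controller' }
            elseif ($_.ds_useraccountcontrol -band 0x1000) { 'Workstation/Server' }
            else { 'Other' } } },
        @{ n = 'Flags'; e = { (ConvertFrom-UserAccountControl $_.ds_useraccountcontrol) -join ',' } }
```

The same decoder works on ds_user objects, which makes it a quick way to audit accounts for settings such as DONT_REQ_PREAUTH or TRUSTED_FOR_DELEGATION that should be rare and justified.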
User and Group Enumeration
User Accounts
Account type values (Win32_UserAccount AccountType):
Temporary Duplicate Account: UF_TEMP_DUPLICATE_ACCOUNT (256)
Normal Account: UF_NORMAL_ACCOUNT (512)
Interdomain Trust Account: UF_INTERDOMAIN_TRUST_ACCOUNT (2048)
Workstation Trust Account: UF_WORKSTATION_TRUST_ACCOUNT (4096)
Server Trust Account: UF_SERVER_TRUST_ACCOUNT (8192)
List all user accounts:
Get-WmiObject -Class win32_useraccount | Select-Object name, domain, accounttype
List user accounts in a specific domain (e.g., "infected"):
Get-WmiObject -Class win32_useraccount -Filter 'domain="infected"' | Select-Object caption
Currently Logged-On Users
Enumerate currently logged-on users (e.g., users on domain "infected"); the antecedent property holds the user account reference:
Get-WmiObject -Class win32_loggedonuser | Where-Object { $_.antecedent -match 'infected' } | ForEach-Object { [wmi]$_.antecedent }
With the ActiveDirectory module (RSAT) installed, list all domain users with their description attribute:
Get-ADUser -Filter * -Properties Description | Select-Object Name, SamAccountName, Description
Groups
Enumerate groups:
Get-WmiObject -Class win32_groupindomain | ForEach-Object { [wmi]$_.partcomponent }
Find users in the "Domain Admins" group:
Get-WmiObject -Class win32_groupuser | Where-Object { $_.groupcomponent -match 'domain admins' } | ForEach-Object { [wmi]$_.partcomponent }
Find groups containing a specific user (e.g., "Administrator"):
Get-WmiObject -Class win32_groupuser | Where-Object { $_.partcomponent -match 'Administrator' } | ForEach-Object { [wmi]$_.groupcomponent }
Machine Enumeration
Find Machines in the Domain
Retrieve a list of all machines in the domain:
Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | Select-Object ds_cn
Enumerate Admin Privileges Across AD
Identify machines in the domain where the current user has admin privileges (remote WMI requires local administrator rights by default, so a successful query implies admin access; unreachable hosts are silently skipped):
$pcs = Get-WmiObject -Namespace root\directory\ldap -Class ds_computer | Select-Object -ExpandProperty ds_cn
foreach ($pc in $pcs) { (Get-WmiObject -Class win32_computersystem -ComputerName $pc -ErrorAction SilentlyContinue).name }