# Active Directory Enumeration

This section covers various ways to enumerate an Active Directory environment. Where both are available, commands are given for PowerView (`Get-Net*` / `Get-Domain*` / `Find-*`) and for the ActiveDirectory PowerShell module (`Get-AD*`).
## Basic Enumeration

### Get current domain information

Retrieve details about the current domain:

```powershell
Get-NetDomain
```

```powershell
Get-ADDomain
```

If you want to get information about another domain:

```powershell
Get-Domain -Domain example.local
```

```powershell
Get-ADDomain -Identity example.local
```
### Get domain SID

Retrieve the Security Identifier (SID) for the domain:

```powershell
Get-DomainSID
```

```powershell
(Get-ADDomain).DomainSID
```
### Get domain policy

Retrieve the domain policy settings for the current domain:

```powershell
Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess
```

If you want to get the domain policy settings for another domain:

```powershell
(Get-DomainPolicyData -Domain example.local).systemaccess
```
### Get domain controllers

List all domain controllers in the current domain:

```powershell
Get-DomainController
```

```powershell
Get-ADDomainController
```

If you want to get the domain controllers for another domain:

```powershell
Get-DomainController -Domain example.local
```

```powershell
Get-ADDomainController -DomainName example.local -Discover
```
### Get a list of all users

Retrieve all users in the domain:

```powershell
Get-DomainUser
Get-DomainUser -Identity <username> # Get information about a specific user
```

```powershell
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <username> -Properties * # Get information about a specific user
```

The `-Properties` parameter provides useful information about users in the current domain, helping with situational awareness. For example, to get the last logon time of all users:

```powershell
Get-DomainUser -Properties lastlogon
```

```powershell
Get-ADUser -Filter * -Properties lastlogon
```
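As an added example that is not part of the original cheat sheet, the following function builds on the last-logon query to list enabled accounts that have not logged on within a given number of days. It reads the replicated `lastLogonTimestamp` attribute instead of `lastLogon`, which each domain controller keeps locally and does not replicate, and assumes the ActiveDirectory module is installed.

```powershell
# Added example (not from the original page): find enabled accounts with no
# logon in the last $Days days. lastLogonTimestamp is replicated between DCs,
# lastLogon is not, so the former gives a domain-wide answer from one DC.
# Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleDomainUser {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
        ForEach-Object {
            # lastLogonTimestamp is a FILETIME Int64; null if the account never logged on.
            $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                LastLogon      = $last
                Created        = $_.whenCreated
            }
        } |
        Where-Object {
            # Never-used accounts count as stale once they are older than the cutoff.
            if ($null -eq $_.LastLogon) { $_.Created -lt $cutoff } else { $_.LastLogon -lt $cutoff }
        }
}

# Usage: Get-StaleDomainUser -Days 90 | Sort-Object LastLogon | Format-Table
```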
### Search for a particular string in user attributes

For example, to search for the string "built" in the `Description` attribute of all users:

```powershell
Get-DomainUser -LDAPFilter "Description=*built*" | select name,Description
```

```powershell
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
```
### Get a list of computers in the current domain

Retrieve all computers in the current domain:

```powershell
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "Windows Server 2019 Standard" # Filter by operating system
Get-DomainComputer -Ping # Check if the computer is online
```

```powershell
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server 2019 Standard*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName} # Check if the computer is online
```
### Get a list of groups in the current domain

Retrieve all groups in the current domain:

```powershell
Get-DomainGroup | select Name
Get-DomainGroup -Domain example.local # Groups of another domain
```

```powershell
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
```

You can also search for groups that contain a specific word in their name:

```powershell
Get-DomainGroup *admin*
```

```powershell
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
```
### Get members of a group

Retrieve members of a specific group:

```powershell
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
```

```powershell
Get-ADGroupMember -Identity "Domain Admins" -Recursive
```

To get group membership for a specific user:

```powershell
Get-DomainGroup -MemberIdentity <username> # Groups the user is a member of
```

```powershell
Get-ADPrincipalGroupMembership -Identity <username>
```
### Enumerate local groups (administrative privileges required)

Get all the local groups on a machine:

```powershell
Get-NetLocalGroup -ComputerName <computername>
```

Get the members of a local group:

```powershell
Get-NetLocalGroupMember -ComputerName <computername> -GroupName "Administrators"
```
### Finding machines where the current user has local admin rights

To identify all machines in the current domain where the logged-in user has local administrator privileges, use the following PowerView command:

```powershell
Find-LocalAdminAccess -Verbose
```

This function queries the Domain Controller for a list of computers (`Get-DomainComputer`) and then uses multi-threaded `Test-AdminAccess` to check administrative access on each machine.

This can also be done with the help of remote administration tools like WMI and PowerShell remoting, which is useful when the ports (RPC and SMB) used by `Find-LocalAdminAccess` are blocked. See `Find-WMILocalAdminAccess.ps1` and `Find-PSRemotingLocalAdminAccess.ps1`.
### Find machines where a domain admin (or specified user/group) has sessions

To identify all machines in the current domain where a domain admin has active sessions, use the following PowerView command:

```powershell
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "Domain Admins" -Verbose
Find-DomainUserLocation -CheckAccess # Check if the current user has access to the machine
```

This function queries the Domain Controller for members of the specified group (defaulting to "Domain Admins") using `Get-DomainGroupMember`. It then retrieves a list of domain computers using `Get-DomainComputer` and checks each machine for active sessions and logged-on users using `Get-NetSession` and `Get-NetLoggedon`.
## Forest Enumeration

### Get details about the current forest

Retrieve details about the current forest:

```powershell
Get-Forest
```

```powershell
Get-ADForest
```

### Get all domains in the forest

Retrieve all domains in the current forest:

```powershell
Get-ForestDomain
```

```powershell
(Get-ADForest).Domains
```
### Map the trust relationships in the forest

Retrieve the trust relationships between domains in the forest:

```powershell
Get-ForestTrust
```

```powershell
Get-ADTrust -Filter 'intraForest -ne $True' -Server (Get-ADForest).Name
```
## Group Policy (GPO) Enumeration

Group Policy Objects (GPOs) are used to manage user and computer configuration settings in Active Directory. Enumerating GPOs can provide valuable information about the security posture of the domain.

### Get all GPOs

Retrieve all Group Policy Objects in the current domain:

```powershell
Get-DomainGPO
Get-DomainGPO -ComputerIdentity <computername> # Get GPOs linked to a specific computer
```

### Get GPOs that use Restricted Groups

You can identify GPOs that involve Restricted Groups, which might contain sensitive user or group membership information:

```powershell
Get-DomainGPOLocalGroup
```

### Get users which are in a local group of a machine using GPO

Retrieve all users that are members of a local group on a specific machine using GPO:

```powershell
Get-DomainGPOUserLocalGroupMapping -ComputerIdentity <computername> -Verbose
```

### Get machines where the given user is member of a specific group

Retrieve all machines where a specific user is a member of a specific group:

```powershell
Get-DomainGPOUserLocalGroupMapping -Identity <username> -Verbose
```
## Organizational Unit (OU) Enumeration

Organizational Units (OUs) are containers within Active Directory that can hold users, groups, computers, and other OUs. Enumerating OUs can help understand the structure of the domain.

### Get all OUs

Retrieve all Organizational Units in the current domain:

```powershell
Get-DomainOU
```

```powershell
Get-ADOrganizationalUnit -Filter * -Properties *
```
### Get GPO applied to an OU

Retrieve the Group Policy Objects (GPOs) applied to a specific Organizational Unit (OU). The OU's `gplink` attribute lists the linked GPOs by GUID, which can then be looked up with `Get-DomainGPO`:

```powershell
(Get-DomainOU -Identity <OUname>).gplink # Linked GPOs, each referenced by its GUID in braces
Get-DomainGPO -Identity '{GPOname}' # Look up a linked GPO by that GUID (or by name)
```
## Access Control List (ACL) Enumeration

Access Control Lists (ACLs) define the permissions that users, groups, and computers have on Active Directory objects. Enumerating ACLs can help identify misconfigurations and security weaknesses.

### Understanding the Access Control Model

The Active Directory access control model regulates how users and processes interact with objects and resources. It is based on the following components:

- Access Tokens – Represent the security context of a process, including the user's identity and privileges.
- Security Descriptors – Define permissions for objects and consist of:
  - Owner SID – Identifies the owner of the object.
  - Access Control List (ACL) – A set of rules that define access to the object. It consists of:
    - Discretionary ACL (DACL) – Specifies which users or groups have access and their level of permission.
    - System ACL (SACL) – Logs success and failure audit messages when an object is accessed.

An ACL consists of Access Control Entries (ACEs), which define specific permissions for users or groups on an object. Each ACE determines:

- Who has access (user, group, or service account).
- What actions they can perform (read, write, modify, etc.).

For more information, I recommend reading the Microsoft documentation on the Access Control Model.

Properly analyzing ACLs can help identify security risks, such as excessive privileges or unintended access rights.
### Get the ACLs associated with a specified object

Retrieve the Access Control List (ACL) associated with a specific object:

```powershell
Get-DomainObjectAcl -Identity <username> -ResolveGUIDs
```

### Get the ACLs associated with the specified LDAP path

Retrieve the Access Control List (ACL) associated with a specific LDAP path:

```powershell
Get-DomainObjectAcl -LDAP "LDAP://CN=Domain Admins,CN=Users,DC=us,DC=example,DC=local" -ResolveGUIDs -Verbose
```

```powershell
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=us,DC=example,DC=local').Access
```
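As an added example that is not part of the original page, the following function builds on the `Get-Acl 'AD:\...'` query to audit one object's security descriptor the way the access control model above describes it: it reports the owner (who can always rewrite the DACL) and every Allow ACE in the DACL that grants a modify-type right to a principal outside an allow-list. It assumes the ActiveDirectory module, which provides the `AD:` drive, and a real distinguished name in place of the placeholder; the allow-list and the set of rights treated as "modify" are the author's choices here, not a PowerView or Microsoft definition.

```powershell
# Added example (not from the original page): audit the DACL of one AD object
# and report owner plus ACEs granting modify-type rights to unexpected principals.
# Assumes the ActiveDirectory module (AD: drive) and a real DN as input.
Import-Module ActiveDirectory

# Rights that let the holder change the object or its security descriptor (chosen here).
$ModifyRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight'

function Get-UnexpectedModifyAce {
    param(
        # Placeholder DN, e.g. 'CN=Domain Admins,CN=Users,DC=example,DC=local'
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Principals expected to hold modify rights; everything else is reported.
        [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators')
    )
    $netbios  = (Get-ADDomain).NetBIOSName
    $Allowed += "$netbios\Domain Admins", "$netbios\Enterprise Admins"

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # The owner can always rewrite the DACL, so it is reported alongside the ACEs.
    [pscustomobject]@{ Principal = $acl.Owner; Rights = 'Owner'; ObjectType = $null; Inherited = $false }

    foreach ($ace in $acl.Access) {
        # Deny ACEs and allow-listed principals are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $principal = $ace.IdentityReference.Value
        if ($Allowed -contains $principal) { continue }

        # ActiveDirectoryRights is a flags enum; its text form is "Right1, Right2".
        $granted = ($ace.ActiveDirectoryRights.ToString() -split ',\s*') |
            Where-Object { $ModifyRights -contains $_ }
        if (-not $granted) { continue }

        [pscustomobject]@{
            Principal  = $principal
            Rights     = ($granted -join ',')
            # A non-empty GUID narrows WriteProperty/ExtendedRight to one attribute or right.
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }
}

# Usage: Get-UnexpectedModifyAce -DistinguishedName 'CN=Domain Admins,CN=Users,DC=example,DC=local' | Format-Table
```

Pipe the output through `Where-Object { -not $_.Inherited }` to see only rights set directly on the object rather than inherited from its parent container.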
### Search for interesting ACEs

Search for interesting Access Control Entries (ACEs) in the ACLs:

```powershell
Find-InterestingDomainAcl -ResolveGUIDs
```

### Get the ACLs associated with the specified path

Retrieve the Access Control List (ACL) associated with a specific path:

```powershell
Get-PathAcl -Path "\\us-dc\sysvol"
```