Credentialed Enumeration From Windows

Active Directory Credentialed Enumeration (Windows)

1️⃣ PowerShell & Active Directory Module

PowerShell’s built-in ActiveDirectory module provides essential tools for querying and managing Active Directory objects.

Loading the Module

Get-Module → Lists available PowerShell modules
Import-Module ActiveDirectory → Loads the Active Directory module if not already imported

Domain & User Enumeration

Get-ADDomain → Displays general domain information
Get-ADTrust -Filter * → Checks for domain trust relationships
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName → Identifies Kerberoastable accounts
Get-ADGroup -Filter * | Select-Object Name → Lists all AD groups
Get-ADGroup -Identity "Administrators" → Retrieves details of a specific group
Get-ADGroupMember -Identity "Domain Admins" → Lists members of a specified group

2️⃣ PowerView

Basic Enumeration Commands

Get-Domain → Retrieves details about the Active Directory domain
Get-DomainUser → Lists users in the domain
Get-DomainComputer → Enumerates domain-joined computers
Get-DomainController → Identifies domain controllers
Get-DomainGroup → Lists all domain groups
Get-DomainOU → Enumerates Organizational Units (OUs)
Find-InterestingDomainAcl → Detects modification rights in domain ACLs

Privilege & Access Enumeration

Find-DomainUserLocation → Identifies machines where users are logged in
Find-DomainShare → Discovers accessible file shares in the domain
Find-InterestingDomainShareFile → Searches for potentially sensitive files in shares
Test-AdminAccess → Verifies administrative privileges on a remote machine

Trust & Group Membership Analysis

Get-DomainTrust → Retrieves domain trust relationships
Get-ForestTrust → Identifies forest-level trust relationships
Get-DomainForeignUser → Lists users who belong to groups outside their primary domain
Get-DomainForeignGroupMember → Finds groups with members from outside domains
Get-DomainTrustMapping → Maps domain trust relationships

3️⃣ SharpView

SharpView is a .NET alternative to PowerView, offering similar enumeration functionality in a compiled format.

.\SharpView.exe Get-DomainUser -Identity "john.doe" → Retrieves details about a specific user

4️⃣ BloodHound & SharpHound

BloodHound is a powerful tool used for visualizing Active Directory attack paths. The SharpHound.exe collector gathers necessary information.

.\SharpHound.exe -c All --zipfilename DataCollection → Executes full AD enumeration

Once collected, transfer the results to an attacker-controlled machine and analyze them in BloodHound.

5️⃣ Snaffler - File Scavenging Tool

Snaffler.exe -s -d corp.local -o findings.log -v data → Runs a deep scan for valuable files

6️⃣ Additional Recon Tools & Methods

General System Enumeration

Get-NetLocalGroup → Lists local groups on a machine
Get-NetLocalGroupMember → Enumerates members of a local group
Get-NetShare → Identifies accessible shared directories
Get-NetSession → Retrieves active session details on a machine

Service Principal Name (SPN) Enumeration

Get-DomainSPNTicket → Requests Kerberos tickets for Service Principal Name (SPN) accounts (potential Kerberoasting targets)

By leveraging these techniques, an attacker or pentester can gather valuable information about an Active Directory environment while minimizing detection. 🚀

PreviousCredentialed Enumeration From Linux NextKerberoasting - From Linux

Last updated 16 days ago

Was this helpful?