LinkedInGitHub

ActiveDirectory Module - OPSEC

Domain enum

https://github.com/samratashok/ADModule

Import-Module ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module ADModule-master\ActiveDirectory\ActiveDirectory.psd1

You can enumerate other domains in the Forest as well

Get-ADDomain
Get-ADDomain -Identity moneycorp.local
(Get-ADDomain).DomainSID

Policy data will be important for password policies and Kerberos ticket information (needed for forging tickets, must match for OPSEC)

(Get-DomainPolicyData).systemaccess
(Get-DomainPolicyData -domain moneycorp.local).systemaccess
Get-ADDomainController
Get-ADDomainController -DomainName moneycorp.local -Discover

Users enum

Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *

Properties of users are important. Check login counts to see who might be a HONEYPOT!!

  • Less than 5-10 logon counts

  • Last logon time

  • Bad password time (should be wrong at least once)

Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType 
*Property | select Name

Get-ADUser -Filter * -Properties * | select
name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset
)}}

Grep out a specific string

Get-ADUser -Filter 'Description -like "*built*"' -
Properties Description | select name,Description

Computer enum

Computer objects and Computers are different things

Check the logon count to find out

Get-ADComputer -Filter * -Properties * | select Name,logoncount
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -
Properties OperatingSystem | select Name,OperatingSystem

Get-ADComputer -Filter * -Properties DNSHostName | %{TestConnection 
-Count 1 -ComputerName $_.DNSHostName}

Group enum

Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

Need to specify the domain for Enterprise Admins and others to show

Get-ADGroup -Filter 'Name -like "*admin*"' -Domain <domain> | select Name 
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Domain Group Membership

Helpful to rename the local machine Administrators for post enumeration

SID will be the same for domain Admin

ALSO having a target user in multiple groups helps with privileges to other objects down the road

Get-ADGroupMember -Identity "Domain Admins" -Recursive 
Get-ADPrincipalGroupMembership -Identity student1

Organizational Units

Get-ADOrganizationalUnit -Filter * -Properties *
PreviousPowerViewNextUser Hunting

Last updated