CMD and PowerShell enumeration

Command Prompt Enumeration

User Enumeration:

To list all domain users:
```
net user /domain
```
To retrieve detailed information for a specific user:
```
net user [USER] /domain
```

Group Enumeration:

To list all domain groups:
```
net group /domain
```
To view members of a specific group:
```
net group "[Group]" /domain
```

Password Policy:

To access the domain's password policy:
```
net accounts /domain
```

PowerShell Enumeration:

User Enumeration:

To list all domain users using PowerShell:
```
Get-ADUser
```
To retrieve detailed information for a specific user on a specific domain controller:
```
Get-ADUser -Identity [USER] -Server [DCHOST] -Properties *
```

To search for users whose names match a specific pattern:

Get-ADUser -Filter 'Name -like "*[USER]"' -Server [DCHOST] | Format-Table Name, SamAccountName -AutoSize

To list all group memberships for a user:

(Get-ADUser -Identity 'USERNAME' -Properties MemberOf | Select-Object MemberOf).MemberOf

Group Enumeration:

To list all domain groups using PowerShell:

Get-ADGroup

To retrieve information about a specific group on a specific domain controller:

Get-ADGroup -Identity Administrators -Server [DCHOST]

To list members of a specific group on a specific domain controller:

Get-ADGroupMember -Identity Administrators -Server [DCHOST]

Get Domain Admins

Get-ADGroupMember -Identity "Domain Admins" -Server [DCHOST]

Get groups that are members of Domain Admins. This script will look through all direct members and their group members. It will only show groups, not users (use Bloodhound).

# Authenticate against AD
$credentials = Get-Credential
$server = 'DC HOSTNAME'

# Get the 'Domain Admins' group from Active Directory
$domainAdminsGroup = Get-ADGroup -Identity "Domain Admins" -Server $server -Credential $credentials

# Retrieve all groups that are members of the 'Domain Admins' group
$memberOf = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($domainAdminsGroup.DistinguishedName))" -Server $server -Credential $credentials

# Iterate through each found group and retrieve their member groups
foreach ($group in $memberOf) {
    Write-Host "`nGroups that are members of $($group.Name):"
    $memberGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" -Server $server -Credential $credentials | Select Name, GroupCategory, GroupScope
    $memberGroups 
}

AD Objects:

To perform a generic search for AD objects based on a specified date:

$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server [DCHOST]

To enumerate accounts with a bad password count greater than 0:
```
Get-ADObject -Filter 'badPwdCount -gt 0' -Server [DCHOST]
```

Domains:

To retrieve domain information on a specific domain controller:
```
Get-ADDomain -Server [DCHOST]
```

For Comprehensive Enumeration:

For more comprehensive enumeration, consider using tools like Sharphound and Bloodhound.

PreviousAD Explore NextCertificates in AD

Last updated 1 year ago