CMD and PowerShell enumeration

Command Prompt Enumeration

User Enumeration:

  • To list all domain users:

    net user /domain
  • To retrieve detailed information for a specific user:

    net user [USER] /domain

Group Enumeration:

  • To list all domain groups:

    net group /domain
  • To view members of a specific group:

    net group "[Group]" /domain

Password Policy:

  • To view the domain's password policy (lockout threshold, lockout duration and observation window, minimum length, maximum age); read this before any password spraying so you stay under the threshold:

    net accounts /domain
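The lockout values above are what decide how many guesses per account are safe. The following is an added example, not part of the original page: it parses the text that `net accounts /domain` prints into a hashtable and derives a spray budget from it. The function names are my own, and the sample output is constructed rather than captured from a real domain; swap it for `$lines = net.exe accounts /domain` on a domain-joined host.

```powershell
# Added example, not from the original page. Parses `net accounts /domain` output and derives a
# lockout-safe password-spray budget. Function names are my own; the sample text is constructed.

function ConvertFrom-NetAccounts {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    $policy = @{}
    foreach ($line in $Lines) {
        # Policy lines look like "Lockout threshold:        5"; the trailing status line has no colon.
        if ($line -match '^(?<key>[^:]+):\s+(?<val>\S.*?)\s*$') {
            $policy[$Matches.key.Trim()] = $Matches.val
        }
    }
    return $policy
}

function Get-SprayBudget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$Policy,
        [int]$SafetyMargin = 2   # guesses kept in reserve below the lockout threshold
    )

    $threshold = $Policy['Lockout threshold']
    $window    = $Policy['Lockout observation window (minutes)']

    if ($threshold -eq 'Never') {
        # No lockout configured: spraying cannot lock accounts, but every failure is still logged (4625/4771).
        return [pscustomobject]@{ LockoutThreshold = 'Never'; AttemptsPerWindow = 'unlimited'; WindowMinutes = 0 }
    }

    $attempts = [int]$threshold - $SafetyMargin
    if ($attempts -lt 1) { $attempts = 1 }

    [pscustomobject]@{
        LockoutThreshold  = [int]$threshold
        AttemptsPerWindow = $attempts          # guesses per account inside one observation window
        WindowMinutes     = [int]$window       # badPwdCount resets this long after the last failure
        MinPasswordLength = [int]$Policy['Minimum password length']
    }
}

# Constructed sample of `net accounts /domain` output (live: $lines = net.exe accounts /domain)
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
'@ -split "`r?`n"

$policy = ConvertFrom-NetAccounts -Lines $sample
Get-SprayBudget -Policy $policy
```

With the constructed sample the budget works out to 3 attempts per account per 30-minute window. Two caveats: `net accounts` shows the default domain policy only, so also check `Get-ADFineGrainedPasswordPolicy -Filter *` for PSOs that apply a stricter threshold to specific users or groups, and a lockout duration of 0 means accounts stay locked until an administrator unlocks them.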

PowerShell Enumeration

The cmdlets below come from the ActiveDirectory module, which ships with RSAT (run Import-Module ActiveDirectory first; on a host without RSAT the module is not available). [USER] and [DCHOST] are placeholders for the target account and the domain controller to query.

User Enumeration:

  • To list all domain users using PowerShell (the cmdlet requires -Filter or -Identity; a bare Get-ADUser only prompts for a filter):

    Get-ADUser -Filter *
  • To retrieve all attributes of a specific user from a specific domain controller:

    Get-ADUser -Identity [USER] -Server [DCHOST] -Properties *
  • To search for users whose names match a specific pattern:

    Get-ADUser -Filter 'Name -like "*[USER]"' -Server [DCHOST] | Format-Table Name, SamAccountName -AutoSize
  • To list a user's direct group memberships (MemberOf does not include nested groups or the primary group, usually Domain Users):

    (Get-ADUser -Identity 'USERNAME' -Properties MemberOf).MemberOf
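Because MemberOf only lists direct memberships, a user can be an effective Domain Admin without Domain Admins ever appearing in that list. The following added example (not part of the original page) resolves the full, transitive membership in one LDAP query with the LDAP_MATCHING_RULE_IN_CHAIN rule on the member attribute, marks which groups are direct, and flags the well-known privileged groups. The function name and the privileged-group list are my own choices.

```powershell
# Added example, not from the original page. Lists every group a user belongs to, including groups
# reached through nesting, and flags well-known privileged groups. Requires the ActiveDirectory module.

function Get-UserEffectiveGroups {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf @common
    $direct = @($user.MemberOf)

    # Escape characters that are special inside an LDAP filter (RFC 4515); backslash goes first.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # 1.2.840.113556.1.4.1941 on 'member' matches every group whose membership chain contains the
    # user's DN, so nested groups come back in a single query.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" @common

    # My own list of groups worth flagging; extend it for the environment
    $privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                        'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
                        'DnsAdmins', 'Group Policy Creator Owners'

    foreach ($g in $groups) {
        [pscustomobject]@{
            Group      = $g.Name
            Scope      = $g.GroupScope
            Direct     = $direct -contains $g.DistinguishedName
            Privileged = $privilegedGroups -contains $g.Name
        }
    }
}

# Usage with the placeholders used elsewhere on this page:
# Get-UserEffectiveGroups -SamAccountName 'USERNAME' -Server 'DCHOST' |
#     Sort-Object Privileged -Descending | Format-Table -AutoSize
```

The primary group (primaryGroupID, normally Domain Users) is not stored in member/memberOf and so does not show up here; Get-ADPrincipalGroupMembership includes it but only returns direct memberships.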

Group Enumeration:

  • To list all domain groups using PowerShell (as with Get-ADUser, -Filter or -Identity is required):

    Get-ADGroup -Filter *
  • To retrieve information about a specific group from a specific domain controller:

    Get-ADGroup -Identity Administrators -Server [DCHOST]
  • To list the direct members of a specific group on a specific domain controller (add -Recursive to expand nested groups down to their users):

    Get-ADGroupMember -Identity Administrators -Server [DCHOST]
  • To get the members of Domain Admins:

    Get-ADGroupMember -Identity "Domain Admins" -Server [DCHOST]

Get groups that are members of Domain Admins. The script below lists every group nested inside Domain Admins at any depth, then shows the groups that are direct members of each of those. It only shows groups, not users (use BloodHound for the full picture). The matching-rule filter has to go on memberOf: the same OID on member returns the groups that Domain Admins itself belongs to (Administrators, Denied RODC Password Replication Group), which is the opposite direction.

# Authenticate against AD (omit -Credential below to use the current session's identity)
$credentials = Get-Credential
$server = 'DC HOSTNAME'

# Get the 'Domain Admins' group from Active Directory
$domainAdminsGroup = Get-ADGroup -Identity "Domain Admins" -Server $server -Credential $credentials

# Retrieve every group nested inside 'Domain Admins' at any depth.
# memberOf with the LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) walks the chain
# transitively, and Get-ADGroup restricts the result to group objects, so users are not returned.
$nestedGroups = Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($domainAdminsGroup.DistinguishedName))" -Server $server -Credential $credentials

# Iterate through each nested group and show the groups that are its direct members
foreach ($group in $nestedGroups) {
    Write-Host "`nGroups that are direct members of $($group.Name):"
    Get-ADGroupMember -Identity $group.DistinguishedName -Server $server -Credential $credentials |
        Where-Object { $_.objectClass -eq 'group' } |
        Select-Object Name, GroupCategory, GroupScope
}
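The script above stops at groups. When you need the users who end up with Domain Admins rights and the nesting chain that gives it to them, `Get-ADGroupMember -Recursive` gives the flat list but loses the path. The following added example, which is not part of the original page, walks the nesting breadth-first and keeps the path for every user it reaches, which is what you need to explain (or remove) an unexpected admin. The function name is my own.

```powershell
# Added example, not from the original page. Resolves every user who is effectively a member of a
# group, including through nested groups, and records the nesting path that grants it.
# Requires the ActiveDirectory module.

function Get-EffectiveGroupUsers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $root    = Get-ADGroup -Identity $GroupName @common
    $queue   = [System.Collections.Generic.Queue[object]]::new()
    $visited = [System.Collections.Generic.HashSet[string]]::new()

    $queue.Enqueue(@{ GroupDN = $root.DistinguishedName; Path = @($root.Name) })
    [void]$visited.Add($root.DistinguishedName)

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        foreach ($m in Get-ADGroupMember -Identity $item.GroupDN @common) {
            switch ($m.objectClass) {
                'group' {
                    # HashSet.Add returns $false for a DN seen before, so circular nesting cannot loop forever
                    if ($visited.Add($m.distinguishedName)) {
                        $queue.Enqueue(@{ GroupDN = $m.distinguishedName; Path = $item.Path + $m.name })
                    }
                }
                'user' {
                    $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, PasswordLastSet, LastLogonDate @common
                    [pscustomobject]@{
                        Member          = $u.SamAccountName
                        Type            = 'user'
                        Enabled         = $u.Enabled
                        PasswordLastSet = $u.PasswordLastSet
                        LastLogonDate   = $u.LastLogonDate
                        Via             = $item.Path -join ' -> '
                    }
                }
                default {
                    # Computers, gMSAs and foreign security principals in an admin group deserve a look too
                    [pscustomobject]@{
                        Member          = $m.name
                        Type            = $m.objectClass
                        Enabled         = $null
                        PasswordLastSet = $null
                        LastLogonDate   = $null
                        Via             = $item.Path -join ' -> '
                    }
                }
            }
        }
    }
}

# Usage:
# Get-EffectiveGroupUsers -GroupName 'Domain Admins' -Server 'DCHOST' | Format-Table -AutoSize
```

Get-ADGroupMember refuses groups with more than 5000 members by default (the ADWS MaxGroupOrMemberEntries limit), so for very large groups fall back to reading the member attribute with Get-ADGroup -Properties member.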

AD Objects:

  • To perform a generic search for AD objects changed after a given date (whenChanged is maintained locally by each DC rather than replicated, so its value differs from DC to DC; -IncludeDeletedObjects also returns tombstoned objects, which needs read access to the Deleted Objects container that only administrators have by default):

    $ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
    Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -IncludeDeletedObjects -Server [DCHOST]
  • To enumerate accounts with a bad password count greater than 0 (badPwdCount is not replicated, so each DC only reports the failures it handled; the PDC emulator usually has the most complete view because other DCs forward failed attempts to it):

    Get-ADObject -Filter 'badPwdCount -gt 0' -Server [DCHOST]
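Since a single -Server query only shows one DC's view of badPwdCount, a useful check (whether you are hunting an ongoing spray or watching your own lockout exposure) is to ask every DC and keep the highest count per account. The following is an added example, not part of the original page; the function name is my own and it assumes the current session can read user attributes on each DC.

```powershell
# Added example, not from the original page. badPwdCount and LastBadPasswordAttempt are not
# replicated, so this queries every DC in the domain and keeps the highest count per account.
# Requires the ActiveDirectory module.

function Get-BadPasswordCounts {
    [CmdletBinding()]
    param([int]$MinimumCount = 1)

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $results = @{}

    foreach ($dc in $dcs) {
        try {
            $hits = Get-ADUser -Filter "badPwdCount -ge $MinimumCount" -Server $dc `
                        -Properties badPwdCount, LastBadPasswordAttempt, LockedOut -ErrorAction Stop
        } catch {
            # An unreachable DC should not abort the whole sweep; just report it
            Write-Warning "Could not query $dc : $($_.Exception.Message)"
            continue
        }
        foreach ($u in $hits) {
            $key = $u.SamAccountName
            # Keep the DC that saw the most failures; the PDC emulator normally holds the highest
            # count because other DCs forward bad passwords to it before rejecting them.
            if (-not $results.ContainsKey($key) -or $u.badPwdCount -gt $results[$key].BadPwdCount) {
                $results[$key] = [pscustomobject]@{
                    SamAccountName         = $key
                    BadPwdCount            = $u.badPwdCount
                    LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                    LockedOut              = $u.LockedOut
                    ReportingDC            = $dc
                }
            }
        }
    }
    $results.Values | Sort-Object BadPwdCount -Descending
}

# Usage:
# Get-BadPasswordCounts -MinimumCount 1 | Format-Table -AutoSize
```

Many accounts with a count of exactly one or two within the same few minutes is the classic footprint of a password spray; a single account with a high count is more often a stale credential in a scheduled task or service.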

Domains:

  • To retrieve domain information on a specific domain controller:

    Get-ADDomain -Server [DCHOST]

For Comprehensive Enumeration:

For more comprehensive enumeration (nested memberships, ACLs, sessions and attack paths), use SharpHound to collect the data and BloodHound to analyse it.
