AD Manual Enumeration

Operators to use with Filter

  • -eq Equal to

  • -le Less than or equal to

  • -ge Greater than or equal to

  • -ne Not equal to

  • -lt Less than

  • -gt Greater than

  • -approx Approximately equal to

  • -bor Bitwise OR

  • -band Bitwise AND

  • -recursivematch Recursive match

  • -like Like

  • -notlike Not like

  • -and Boolean AND

  • -or Boolean OR

  • -not Boolean NOT

  • Example

    Get-ADUser -Filter "name -eq 'jane doe'"
    Get-ADUser -Filter {name -eq 'jane doe'}
    Get-ADUser -Filter 'name -eq "jane doe"'
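Added example (not from the original notes) showing several of the operators above combined in one -Filter, in both the script-block and the string form. It assumes the RSAT ActiveDirectory module is loaded and the caller can read the domain; the function name and the 90-day threshold are my own choices.

```powershell
# Added example: combining -and / -lt / -eq / -like / -gt / -or in a single -Filter.
# Assumes the RSAT ActiveDirectory module is available. Function name and defaults are mine.
Import-Module ActiveDirectory

function Get-StaleEnabledUsers {
    param(
        [int]$InactiveDays = 90,        # threshold chosen for this example
        [string]$NamePattern = '*'      # -like pattern, e.g. 'svc*' to scope to service accounts
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Script-block form. A plain variable ($cutoff, $NamePattern) is expanded inside the
    # filter; property access such as $obj.Date is not, so compute values beforehand.
    Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff -and Name -like $NamePattern } `
               -Properties LastLogonDate, PasswordLastSet, adminCount |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet, adminCount |
        Sort-Object LastLogonDate
}

function Get-PrivilegedOrNonExpiringUsers {
    # String form, as in the notes: single quotes inside double quotes so the filter
    # parser sees a quoted value. -gt on adminCount, -or to join the two conditions.
    Get-ADUser -Filter "adminCount -gt 0 -or PasswordNeverExpires -eq 'True'" `
               -Properties adminCount, PasswordNeverExpires, LastLogonDate |
        Select-Object SamAccountName, adminCount, PasswordNeverExpires, LastLogonDate
}

# Usage
Get-StaleEnabledUsers -InactiveDays 90 | Format-Table -AutoSize
Get-PrivilegedOrNonExpiringUsers | Format-Table -AutoSize
```

LastLogonDate is derived from lastLogonTimestamp, which replicates only when it is more than about 14 days stale, so treat the cutoff as accurate to roughly that window; for an exact last logon you have to query every domain controller's lastLogon attribute.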

Basic LDAP Filters

  • & and

  • | or

  • ! not

Examples of useful queries

  • Get-ADGroup -Identity "<GROUP NAME>" -Properties * Get information about an AD group

  • whoami /priv View a user's current rights

  • Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property Name, State Check if RSAT tools are installed

  • Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online Install all RSAT tools

  • runas /netonly /user:htb.local\jackie.may powershell Run a utility as another user

  • Get-ADObject -LDAPFilter '(objectClass=group)' | select cn LDAP query to return all AD groups

  • Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' | select name List disabled users

  • (Get-ADUser -SearchBase "OU=Employees,DC=DOMAIN-NAME,DC=LOCAL" -Filter *).count Count all users in an OU

  • get-ciminstance win32_product | fl Query for installed software

  • get-ciminstance win32_product -Filter "NOT Vendor like '%Microsoft%'" | fl Query for installed software whose vendor is not Microsoft

  • Get-ADComputer -Filter "DNSHostName -like 'SQL*'" Get hostnames with the word "SQL" in their hostname

  • Get-ADGroup -Filter "adminCount -eq 1" | select Name Get all administrative groups

  • Get-ADUser -Filter {adminCount -eq '1' -and DoesNotRequirePreAuth -eq 'True'} Find admin users that don't require Kerberos Pre-Auth

  • Get-ADUser -Filter {adminCount -gt 0} -Properties admincount,useraccountcontrol Enumerate UAC values for admin users

  • Get-WmiObject -Class win32_group -Filter "Domain='DOMAIN-NAME'" Get AD groups using WMI

  • ([adsisearcher]"(&(objectClass=Computer))").FindAll() Use ADSI to search for all computers

  • (Get-ADGroup -Identity "Help Desk" -Properties *).Member.Count Get number of users in Help Desk Group

  • (Get-ADUser -filter * | select Name).count Get number of Users in domain

  • (Get-ADComputer -filter * | select Name).count Get number of Computers in domain

  • (Get-ADGroup -filter * | select Name).count Get number of groups in domain

  • (Get-ADUser -Filter * -SearchBase "OU=IT,OU=Employees,DC=DOMAIN-NAME,DC=LOCAL").count Find the number of users in the IT OU

  • (Get-ADUser -SearchBase "OU=Employees,DC=DOMAIN-NAME,DC=LOCAL" -Filter *).count Count all users under the Employees OU

  • Get-ADUser -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' | select Name,memberof,servicePrincipalName,TrustedForDelegation Find user accounts marked trusted for delegation

  • Get-ADUser -Filter * -SearchBase "OU=Pentest,OU=Employees,DC=DOMAIN-NAME,DC=LOCAL" List users in the Pentest OU

  • Get-ADGroup -filter * -Properties MemberOf | Where-Object {$_.MemberOf -ne $null} | Select-Object Name,MemberOf Find all nested groups in the Domain

  • Get-ADDomain | Select-Object NetBIOSName, DNSRoot, InfrastructureMaster Get the domain's NetBIOS name, DNS root and infrastructure master

  • Get-ADForest | Select-Object Domains List the domains in the forest

  • Get-ADTrust -Filter * | Select-Object Direction,Source,Target List domain and forest trusts with their direction
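Added example (not from the original notes) that ties the LDAP filter operators (&, |, !) and the bitwise matching rule used in the queries above into one audit: enabled accounts with adminCount=1 that are either trusted for delegation or exempt from Kerberos pre-authentication. It runs through Get-ADUser when RSAT is installed and falls back to [adsisearcher] otherwise. The function name is my own, the DC=DOMAIN-NAME,DC=LOCAL search base is the same placeholder the notes use, and the userAccountControl bit 4194304 (DONT_REQ_PREAUTH) is a documented value not listed on this page.

```powershell
# Added example: one LDAP filter combining &, |, ! and the bitwise-AND matching rule
# 1.2.840.113556.1.4.803. userAccountControl bits used here:
#   2       = ACCOUNTDISABLE
#   524288  = TRUSTED_FOR_DELEGATION
#   4194304 = DONT_REQ_PREAUTH
# Function name and search base placeholder are mine, not from the notes.

$parts = @(
    '(objectCategory=person)(objectClass=user)'
    '(adminCount=1)'                                          # protected / privileged accounts
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'       # NOT disabled
    '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)'   # trusted for delegation ...
    '(userAccountControl:1.2.840.113556.1.4.803:=4194304))'   # ... OR no Kerberos pre-auth
)
$RiskyPrivilegedFilter = '(&' + ($parts -join '') + ')'

function Get-RiskyPrivilegedUsers {
    param([string]$SearchBase = 'DC=DOMAIN-NAME,DC=LOCAL')   # placeholder, replace with your domain

    # Strip "CN=" and the rest of the DN so group membership is readable in a table
    $groupName = { ($_ -split ',')[0] -replace '^CN=' }

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Get-ADUser -LDAPFilter $RiskyPrivilegedFilter -SearchBase $SearchBase `
                   -Properties TrustedForDelegation, DoesNotRequirePreAuth, memberOf |
            Select-Object SamAccountName, TrustedForDelegation, DoesNotRequirePreAuth,
                          @{ n = 'Groups'; e = { ($_.memberOf | ForEach-Object $groupName) -join '; ' } }
    }
    else {
        # RSAT not installed (see the Get-WindowsCapability check above): ADSI ships with Windows
        $searcher = [adsisearcher]$RiskyPrivilegedFilter
        $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
        $searcher.PageSize = 1000   # paged results so large domains are not truncated
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'useraccountcontrol', 'memberof'))

        foreach ($r in $searcher.FindAll()) {
            $uac = [int]$r.Properties['useraccountcontrol'][0]
            [pscustomobject]@{
                SamAccountName        = [string]$r.Properties['samaccountname'][0]
                TrustedForDelegation  = [bool]($uac -band 524288)
                DoesNotRequirePreAuth = [bool]($uac -band 4194304)
                Groups                = ($r.Properties['memberof'] | ForEach-Object $groupName) -join '; '
            }
        }
    }
}

# Usage
Get-RiskyPrivilegedUsers | Format-Table -AutoSize
```

Rule 1.2.840.113556.1.4.803 matches only when every bit in the value is set (bitwise AND); its sibling 1.2.840.113556.1.4.804 matches when any bit is set. adminCount=1 is not cleared automatically when an account leaves a protected group, so the Groups column is there to tell current privileged accounts from stale ones; both kinds deserve a review when either flag is set.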

Other useful native tools or cmd

  • gpresult /h gpo_report.html Write an HTML report of the applied Group Policy Objects (collections of policy settings)

  • gpresult /r /user:first.last Get GPO for user

  • gpresult /r /S HOST Get GPO for host

Useful PowerShell cmd

  • Set-ExecutionPolicy Unrestricted lets you run any .ps1 script; answer A (Yes to All) at the prompt

  • ls -Force (Get-ChildItem -Force) also shows hidden and system items, the equivalent of ls -la
