AD Manual Enumeration
Operators to use with Filter
| Operator | Meaning |
| --- | --- |
| `-eq` | Equal to |
| `-le` | Less than or equal to |
| `-ge` | Greater than or equal to |
| `-ne` | Not equal to |
| `-lt` | Less than |
| `-gt` | Greater than |
| `-approx` | Approximately equal to |
| `-bor` | Bitwise OR |
| `-band` | Bitwise AND (test a flag in a bitmask such as `userAccountControl`) |
| `-recursivematch` | Recursive match (e.g. nested group membership via `memberOf`) |
| `-like` | Like (wildcard match, `*` matches any run of characters) |
| `-notlike` | Not like |
| `-and` | Boolean AND |
| `-or` | Boolean OR |
| `-not` | Boolean NOT |

Example

The three forms below are equivalent; the filter can be given as a double-quoted string, a script block, or a single-quoted string (quote the value with the other quote type):

```powershell
Get-ADUser -Filter "name -eq 'jane doe'"
Get-ADUser -Filter {name -eq 'jane doe'}
Get-ADUser -Filter 'name -eq "jane doe"'
```
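The operators above can be combined in a single `-Filter` expression. The following is an added example, not code from the original page: it wraps such a filter in a function that returns enabled users under a given OU that carry a `servicePrincipalName` and whose password never expires (typical Kerberoast candidates), using `-like`, `-band`, `-eq` and `-and`. The OU path and domain are placeholders; the `userAccountControl` bit values are Microsoft's documented flags. It requires the ActiveDirectory module (RSAT).

```powershell
# Added example: combine -Filter operators to find enabled, SPN-bearing
# accounts whose password never expires. Requires the ActiveDirectory module.
function Get-SpnUsersWithStaticPassword {
    param(
        # Placeholder OU; replace with a real distinguished name.
        [string]$SearchBase = "OU=Employees,DC=DOMAIN-NAME,DC=LOCAL",
        # Wildcard pattern applied to sAMAccountName, e.g. 'svc*'.
        [string]$NamePattern = "*"
    )

    # userAccountControl bit flag (documented by Microsoft)
    $DONT_EXPIRE_PASSWORD = 65536

    # A double-quoted string filter lets us interpolate variables. `$true is
    # escaped so the literal text $true reaches the filter parser. The
    # script-block form also accepts plain $var, but not $obj.Prop, because the
    # block is converted to a string before being sent to the domain controller.
    $filter = "(servicePrincipalName -like '*') -and " +
              "(sAMAccountName -like '$NamePattern') -and " +
              "(userAccountControl -band $DONT_EXPIRE_PASSWORD) -and " +
              "(Enabled -eq `$true)"

    Get-ADUser -Filter $filter -SearchBase $SearchBase `
        -Properties servicePrincipalName, userAccountControl, PasswordLastSet |
        Select-Object sAMAccountName, PasswordLastSet,
            @{ Name = 'SPNs'; Expression = { $_.servicePrincipalName -join ';' } }
}

# Usage: service accounts whose name starts with "svc"
Get-SpnUsersWithStaticPassword -NamePattern 'svc*' | Format-Table -AutoSize
```

`PasswordLastSet` is included because an SPN account with a never-expiring password that was set years ago is the weakest Kerberoast target; sort on it to prioritise.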
Basic LDAP Filters
| Operator | Meaning |
| --- | --- |
| `&` | AND |
| `\|` | OR |
| `!` | NOT |

Each operator is written in prefix form and wraps its operands in parentheses, e.g. `(&(objectClass=user)(!(adminCount=1)))`.
Example of useful queries
| Command | Description |
| --- | --- |
| `Get-ADGroup -Identity "<GROUP NAME>" -Properties *` | Get information about an AD group |
| `whoami /priv` | View the current user's privileges |
| `Get-WindowsCapability -Name RSAT* -Online \| Select-Object -Property Name, State` | Check whether the RSAT tools are installed |
| `Get-WindowsCapability -Name RSAT* -Online \| Add-WindowsCapability -Online` | Install all RSAT tools (needs an elevated prompt) |
| `runas /netonly /user:htb.local\jackie.may powershell` | Run a utility as another user (credentials are used for network access only) |
| `Get-ADObject -LDAPFilter '(objectClass=group)' \| select cn` | LDAP query to return all AD groups |
| `Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' \| select name` | List disabled users (bitwise AND of `userAccountControl` with `ACCOUNTDISABLE` = 2) |
| `(Get-ADUser -SearchBase "OU=Employees,DC=DOMAIN-NAME,DC=LOCAL" -Filter *).count` | Count all users in an OU |
| `get-ciminstance win32_product \| fl` | Query for installed software |
| `get-ciminstance win32_product -Filter "NOT Vendor like '%Microsoft%'" \| fl` | Query for software that is not from Microsoft |
| `Get-ADComputer -Filter "DNSHostName -like 'SQL*'"` | Get computers whose hostname starts with "SQL" (use `'*SQL*'` to match it anywhere in the name) |
| `Get-ADGroup -Filter "adminCount -eq 1" \| select Name` | Get all administrative groups (`adminCount=1` marks objects protected by AdminSDHolder) |
| `Get-ADUser -Filter {adminCount -eq '1' -and DoesNotRequirePreAuth -eq 'True'}` | Find admin users that don't require Kerberos pre-authentication (AS-REP roasting candidates) |
| `Get-ADUser -Filter {adminCount -gt 0} -Properties admincount,useraccountcontrol` | Enumerate UAC values for admin users |
| `Get-WmiObject -Class win32_group -Filter "Domain='DOMAIN-NAME'"` | Get AD groups using WMI |
| `([adsisearcher]"(&(objectClass=Computer))").FindAll()` | Use ADSI to search for all computers (works without RSAT) |
| `(Get-ADGroup -Identity "Help Desk" -Properties *).Member.Count` | Get the number of members of the Help Desk group |
| `(Get-ADUser -filter * \| select Name).count` | Get the number of users in the domain |
| `(Get-ADComputer -filter * \| select Name).count` | Get the number of computers in the domain |
| `(Get-ADGroup -filter * \| select Name).count` | Get the number of groups in the domain |
| `(Get-ADUser -Filter * -SearchBase "OU=IT,OU=Employees,DC=DOMAIN-NAME,DC=LOCAL").count` | Find the number of users in the IT OU |
| `Get-ADUser -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' \| select Name,memberof,servicePrincipalName,TrustedForDelegation` | Find user accounts marked trusted for (unconstrained) delegation (`TRUSTED_FOR_DELEGATION` = 524288) |
| `Get-ADUser -Filter * -SearchBase "OU=Pentest,OU=Employees,DC=DOMAIN-NAME,DC=LOCAL"` | List users in the Pentest OU |
| `Get-ADGroup -filter * -Properties MemberOf \| Where-Object {$_.MemberOf -ne $null} \| Select-Object Name,MemberOf` | Find all nested groups in the domain (groups that are members of other groups) |
| `Get-ADDomain \| Select-Object NetBIOSName, DNSRoot, InfrastructureMaster` | Get basic information about the current domain |
| `Get-ADForest \| Select-Object Domains` | List the domains in the forest |
| `Get-ADTrust -Filter * \| Select-Object Direction,Source,Target` | Enumerate domain trusts and their direction |
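The `&`, `|` and `!` operators from the Basic LDAP Filters table and the bitwise matching rule used in the queries above (`1.2.840.113556.1.4.803`) compose the same way in raw LDAP, and `[adsisearcher]` runs them from any domain-joined host without RSAT. The following is an added example, not part of the original page: it builds one filter for enabled user objects that are not protected by AdminSDHolder and that either have Kerberos pre-authentication disabled or carry a `servicePrincipalName`, then pages the results so large domains return fully. Attribute names and UAC bit values are the documented AD ones; the page size and property list are this example's choices.

```powershell
# Added example: a raw LDAP filter run through [adsisearcher]
# (System.DirectoryServices.DirectorySearcher), no RSAT required.
# Returns enabled, non-admin users that are either AS-REP-roastable
# (pre-auth not required) or Kerberoastable (have an SPN).
function Get-RoastableUsers {
    param(
        # Empty string = default naming context of the current domain.
        [string]$SearchBase = "",
        [int]$PageSize = 500
    )

    # userAccountControl bits (documented Microsoft values)
    $UF_ACCOUNTDISABLE       = 2
    $UF_DONT_REQUIRE_PREAUTH = 4194304
    # LDAP_MATCHING_RULE_BIT_AND: attribute:OID:=value tests a flag bit
    $BITAND = "1.2.840.113556.1.4.803"

    # &, | and ! are prefix operators; each operand sits in its own parentheses.
    $parts = @(
        "(objectCategory=person)(objectClass=user)"
        "(!(userAccountControl:${BITAND}:=$UF_ACCOUNTDISABLE))"      # enabled accounts only
        "(!(adminCount=1))"                                           # skip AdminSDHolder-protected accounts
        "(|(userAccountControl:${BITAND}:=$UF_DONT_REQUIRE_PREAUTH)(servicePrincipalName=*))"
    )
    $ldapFilter = "(&" + ($parts -join '') + ")"

    $searcher = [adsisearcher]$ldapFilter
    if ($SearchBase) { $searcher.SearchRoot = [adsi]"LDAP://$SearchBase" }
    # Without paging the DC caps a search at MaxPageSize (1000 by default).
    $searcher.PageSize = $PageSize
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('samaccountname', 'useraccountcontrol', 'serviceprincipalname'))

    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            NoPreAuth      = [bool]($uac -band $UF_DONT_REQUIRE_PREAUTH)
            HasSPN         = $r.Properties['serviceprincipalname'].Count -gt 0
            Filter         = $ldapFilter
        }
    }
}

# Usage: whole domain, or narrow with -SearchBase "OU=Employees,DC=DOMAIN-NAME,DC=LOCAL"
Get-RoastableUsers | Format-Table SamAccountName, NoPreAuth, HasSPN -AutoSize
```

The same filter string can be passed unchanged to `Get-ADUser -LDAPFilter` when the RSAT module is available; `[adsisearcher]` is the fallback on hosts where it is not.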
Other useful native tools or cmd
| Command | Description |
| --- | --- |
| `gpresult /h gpo_report.html` | Enumerate information on the Group Policy Objects (collections of policy settings) applied to the host and current user, as an HTML report |
| `gpresult /r /user:first.last` | Get the GPOs applied to a user |
| `gpresult /r /S HOST` | Get the GPOs applied to a remote host |
Useful PowerShell cmd
| Command | Description |
| --- | --- |
| `Set-ExecutionPolicy Unrestricted` | Lets you execute any `.ps1` script; answer `A` to the prompt. Without `-Scope`, this changes the LocalMachine policy and needs an elevated prompt; use `-Scope CurrentUser`, or start a single session with `powershell -ExecutionPolicy Bypass`, when you are not an administrator |
| `ls -force` | Equivalent of `ls -la`: `ls` is an alias of `Get-ChildItem`, and `-Force` also lists hidden and system items |