# AD Manual Enumeration

## Operators to use with Filter

* `-eq` Equal to
* `-le` Less than or equal to
* `-ge` Greater than or equal to
* `-ne` Not equal to
* `-lt` Less than
* `-gt` Greater than
* `-approx` Approximately equal to
* `-bor` Bitwise OR
* `-band` Bitwise AND
* `-recursivematch` Recursive match
* `-like` Like
* `-notlike` Not like
* `-and` Boolean AND
* `-or` Boolean OR
* `-not` Boolean NOT
* Example

  ```
  Get-ADUser -Filter "name -eq 'jane doe'"
  Get-ADUser -Filter {name -eq 'jane doe'}
  Get-ADUser -Filter 'name -eq "jane doe"'
  ```

## Basic LDAP Filters

* `&` and
* `|` or
* `!` not
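An added example (not from the original page) that combines the operators above: the same audit of enabled accounts with risky `userAccountControl` flags written once as a raw LDAP filter using `&`, `|`, `!` and the bitwise-AND matching rule, and once with the `-Filter` operators `-band`, `-and`, `-or`. It assumes the RSAT ActiveDirectory module and a reachable domain controller.

```powershell
# Added example, not from the original page: audit enabled user accounts that carry
# risky userAccountControl flags, expressed once as a raw LDAP filter and once with
# the -Filter operators listed above. Assumes the RSAT ActiveDirectory module and
# a reachable domain controller.
Import-Module ActiveDirectory

# userAccountControl bit values (documented Microsoft constants)
$ACCOUNTDISABLE         = 2          # account is disabled
$TRUSTED_FOR_DELEGATION = 524288     # unconstrained delegation
$DONT_REQ_PREAUTH       = 4194304    # Kerberos pre-authentication not required
$BitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

# 1) Raw LDAP: & (and), | (or), ! (not) wrap the bitwise matching-rule clauses.
#    Reads: user objects, NOT disabled, AND (trusted for delegation OR no pre-auth).
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:${BitAnd}:=${ACCOUNTDISABLE}))" +
              "(|(userAccountControl:${BitAnd}:=${TRUSTED_FOR_DELEGATION})" +
                "(userAccountControl:${BitAnd}:=${DONT_REQ_PREAUTH})))"
$viaLdap = Get-ADUser -LDAPFilter $ldapFilter -Properties userAccountControl

# 2) Same query in PowerShell filter syntax: -band tests a bit, -and/-or combine.
#    Enabled is the cmdlet's own view of the ACCOUNTDISABLE bit.
$viaFilter = Get-ADUser -Properties userAccountControl -Filter {
    (Enabled -eq $true) -and
    ((userAccountControl -band 524288) -or (userAccountControl -band 4194304))
}

# Both forms describe the same set; a mismatch means one filter was mistyped.
if (@($viaLdap).Count -ne @($viaFilter).Count) {
    Write-Warning "LDAP filter and -Filter returned different counts; check the filters."
}

# Report which risky flag each enabled account carries.
$viaLdap | ForEach-Object {
    [pscustomobject]@{
        SamAccountName     = $_.SamAccountName
        UnconstrainedDeleg = [bool]($_.userAccountControl -band $TRUSTED_FOR_DELEGATION)
        NoPreAuth          = [bool]($_.userAccountControl -band $DONT_REQ_PREAUTH)
    }
} | Format-Table -AutoSize
```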

## Example of useful queries

* `Get-ADGroup -Identity "<GROUP NAME>" -Properties *` Get all properties of an AD group
* `whoami /priv` View the current user's privileges
* `Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property Name, State` Check whether the RSAT tools are installed
* `Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online` Install all RSAT tools (elevated prompt)
* `runas /netonly /user:htb.local\jackie.may powershell` Run a utility as another user
* `Get-ADObject -LDAPFilter '(objectClass=group)' | select cn` LDAP query to return all AD groups
* `Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' | select name` List disabled users
* `(Get-ADUser -SearchBase "OU=Employees,DC=DOMAIN-NAME,DC=LOCAL" -Filter *).count` Count all users in an OU
* `get-ciminstance win32_product | fl` Query installed software
* `get-ciminstance win32_product -Filter "NOT Vendor like '%Microsoft%'" | fl` Query installed software not published by Microsoft
* `Get-ADComputer -Filter "DNSHostName -like 'SQL*'"` Get computers whose hostname starts with "SQL"
* `Get-ADGroup -Filter "adminCount -eq 1" | select Name` Get all administrative (AdminSDHolder-protected) groups
* `Get-ADUser -Filter {adminCount -eq '1' -and DoesNotRequirePreAuth -eq 'True'}` Find admin users that don't require Kerberos pre-authentication
* `Get-ADUser -Filter {adminCount -gt 0} -Properties admincount,useraccountcontrol` Enumerate UAC values for admin users
* `Get-WmiObject -Class win32_group -Filter "Domain='DOMAIN-NAME'"` Get AD groups using WMI
* `([adsisearcher]"(&(objectClass=Computer))").FindAll()` Use ADSI to search for all computers
* `(Get-ADGroup -Identity "Help Desk" -Properties *).Member.Count` Get the number of members of the Help Desk group
* `(Get-ADUser -filter * | select Name).count` Get the number of users in the domain
* `(Get-ADComputer -filter * | select Name).count` Get the number of computers in the domain
* `(Get-ADGroup -filter * | select Name).count` Get the number of groups in the domain
* `(Get-ADUser -Filter * -SearchBase "OU=IT,OU=Employees,DC=DOMAIN-NAME,DC=LOCAL").count` Find the number of users in the IT OU
* `Get-ADUser -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' | select Name,memberof,servicePrincipalName,TrustedForDelegation` Find user accounts marked trusted for delegation
* `Get-ADUser -Filter * -SearchBase "OU=Pentest,OU=Employees,DC=DOMAIN-NAME,DC=LOCAL"` List users in the Pentest OU
* `Get-ADGroup -filter * -Properties MemberOf | Where-Object {$_.MemberOf -ne $null} | Select-Object Name,MemberOf` Find all nested groups in the domain
* `Get-ADDomain | Select-Object NetBIOSName, DNSRoot, InfrastructureMaster` Get the domain's NetBIOS name, DNS root and infrastructure master
* `Get-ADForest | Select-Object Domains` List the domains in the forest
* `Get-ADTrust -Filter * | Select-Object Direction,Source,Target` List domain trusts with their direction
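The nested-group query above only shows which groups are nested; an added example (not from the original page) resolves the effective membership of one privileged group three ways, using the `-recursivematch` operator from the table above, the equivalent LDAP_MATCHING_RULE_IN_CHAIN filter, and `Get-ADGroupMember -Recursive`, then separates members who only got in through nesting. It assumes the RSAT ActiveDirectory module and a reachable domain controller; the group name is a placeholder to adapt.

```powershell
# Added example, not from the original page: who is effectively a member of a
# privileged group, including membership inherited through nested groups?
# Assumes the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

$groupName = 'Domain Admins'               # placeholder: group to audit
$groupDN   = (Get-ADGroup -Identity $groupName).DistinguishedName
$InChain   = '1.2.840.113556.1.4.1941'     # LDAP_MATCHING_RULE_IN_CHAIN OID
# Note: a DN containing ( ) * or \ must be escaped (\28 \29 \2a \5c) inside an LDAP filter.

# 1) Raw LDAP: users whose memberOf chain reaches the group at any depth
$viaLdap = Get-ADUser -LDAPFilter "(memberOf:${InChain}:=${groupDN})" |
           Select-Object -ExpandProperty SamAccountName

# 2) Same query with the -RecursiveMatch filter operator
$viaRecursive = Get-ADUser -Filter { memberOf -RecursiveMatch $groupDN } |
                Select-Object -ExpandProperty SamAccountName

# 3) Cmdlet recursion (returns nested group objects too, so keep users only)
$viaCmdlet = Get-ADGroupMember -Identity $groupName -Recursive |
             Where-Object objectClass -eq 'user' |
             Select-Object -ExpandProperty SamAccountName

# Direct members, for contrast
$direct = Get-ADGroupMember -Identity $groupName |
          Where-Object objectClass -eq 'user' |
          Select-Object -ExpandProperty SamAccountName

# All three methods should agree on the effective member set
if (@($viaLdap).Count -ne @($viaRecursive).Count -or
    @($viaLdap).Count -ne @($viaCmdlet).Count) {
    Write-Warning "Effective-membership methods disagree; review the group manually."
}

# Accounts that are effective members only via a nested group are the ones that
# a review of the group's direct member list would miss.
$nestedOnly = $viaLdap | Where-Object { $_ -notin $direct }
[pscustomobject]@{
    Group            = $groupName
    DirectUsers      = @($direct).Count
    EffectiveUsers   = @($viaLdap).Count
    NestedOnlyUsers  = ($nestedOnly -join ', ')
} | Format-List
```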

## Other useful native tools or cmd

* `gpresult /h gpo_report.html` Export a report of the applied Group Policy Objects (collections of policy settings) as HTML
* `gpresult /r /user:first.last` Get GPO for user
* `gpresult /r /S HOST` Get GPO for host

## Useful Powershell cmd

* `Set-ExecutionPolicy Unrestricted` lets you execute any ps1 script; answer A (Yes to All) to the prompt
* `ls -force` is the PowerShell equivalent of `ls -la` (shows hidden files)

## Resources

{% embed url="https://academy.hackthebox.com/path/preview/active-directory-enumeration" %}
AD on HTB Academy
{% endembed %}

{% embed url="http://woshub.com/get-aduser-getting-active-directory-users-data-via-powershell/" %}
Get AD User Data via Powershell
{% endembed %}

{% embed url="https://vschamarti.wordpress.com/2019/11/02/powershell-commands-for-managing-active-directory/" %}
Powershell commands for managing AD
{% endembed %}

{% embed url="http://www.kouti.com/tables/userattributes.htm" %}
User Attributes - Inside Active Directory
{% endembed %}

{% embed url="http://www.kouti.com/tables/baseattributes.htm" %}
Base Attributes - Inside Active Directory
{% endembed %}

{% embed url="https://ldapwiki.com/wiki/" %}
LDAP Wiki
{% endembed %}
