Look for users with high privileges across the domain, e.g. Domain Admins or Derivative Local Admins.
Look for custom groups.
# get a list of all users in the domain
cmd> net user /domain
PS > Get-NetUser | select cn # Using PowerView.ps1
# get details about a specific user
cmd> net user [username] /domain # unreliable for accounts with more than 10 group memberships; use PowerShell instead
PS > Get-ADUser -Identity <username> -Server asd.domain.com -Properties * # PowerShell
PS > Get-ADUser -Filter 'Name -like "*lorenzo"' -Server asd.domain.com | Format-Table Name,SamAccountName -A # search users by name pattern
# get list of all groups in the domain
cmd> net group /domain
PS > Get-NetGroup -GroupName * # Using PowerView.ps1
# get details about a specific group object
PS > Get-ADGroup -Identity Administrators -Server asd.domain.com
# get details such as membership to a group
cmd> net group [groupname] /domain
PS > Get-ADGroupMember -Identity Administrators -Server domain.com # Powershell
# get the password policy of the domain
cmd> net accounts /domain
# get all AD objects that were changed after a specific date
PS > $ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
PS > Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server asd.domain.com
# enumerate accounts that have a badPwdCount that is greater than 0
# useful to avoid these accounts in our bruteforce attacks
PS > Get-ADObject -Filter 'badPwdCount -gt 0' -Server domain.com
# get additional information about the specific domain
PS > Get-ADDomain -Server asd.domain.com
# get all computers in domain
cmd> net view
cmd> net view /domain
# get resources/shares of specified computer
cmd> net view \\[computer_name] /domain
# get a list of all operating systems on the domain
PS > Get-NetComputer -fulldata | select operatingsystem # Using PowerView.ps1
In the Filter property we can match on any attribute of the object type we are searching for. For example, we can use the name attribute to filter for the Jeff_Admin user as shown below:
$Searcher.filter="name=Jeff_Admin"
Nested Groups
Locate all groups in the domain and print their names:
List the members of a group by setting an appropriate filter on the name property. In addition, we will only display the member attribute to obtain the group members.
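As an added example (not code from the original notes), the following PowerShell script builds on the $Searcher.filter pattern above to audit the effective membership of a high-privilege group, following nested groups and guarding against circular nesting. It assumes a domain-joined host running under a domain user; the $GroupName parameter, the helper function names and the RFC 4515 filter escaping are assumptions of this example, not from the page.

```powershell
# Added example (not part of the original notes): audit the effective membership of a
# high-privilege group with System.DirectoryServices, following nested groups.
# Assumes a domain-joined host and a domain user context; the group name is a parameter.
param([string]$GroupName = "Domain Admins")

# Bind a DirectorySearcher to the root of the current domain.
$Domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$RootDN   = "DC=" + $Domain.Name.Replace(".", ",DC=")
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$RootDN")
$Searcher.PageSize = 1000    # page results so large result sets are not silently cut off

# Escape the characters that are special in an LDAP filter (RFC 4515), so a DN or group
# name containing ( ) * or \ cannot break or change the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Run one search with the given filter and load only the requested attributes.
function Get-LdapObject([string]$Filter, [string[]]$Properties) {
    $Searcher.Filter = $Filter
    $Searcher.PropertiesToLoad.Clear()
    foreach ($p in $Properties) { [void]$Searcher.PropertiesToLoad.Add($p) }
    $Searcher.FindAll()
}

# Walk the member attribute recursively; $Seen guards against circular group nesting.
# Caveat: groups with more than ~1500 direct members return member in ranges, not handled here.
function Get-EffectiveMembers([string]$GroupDN, [hashtable]$Seen, [string]$Via) {
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true
    $grp = @(Get-LdapObject "(distinguishedName=$(ConvertTo-LdapFilterValue $GroupDN))" @("member"))
    if ($grp.Count -eq 0) { return }
    foreach ($dn in $grp[0].Properties["member"]) {
        $obj = @(Get-LdapObject "(distinguishedName=$(ConvertTo-LdapFilterValue $dn))" @("objectClass", "sAMAccountName"))
        if ($obj.Count -eq 0) { continue }
        if (@($obj[0].Properties["objectClass"]) -contains "group") {
            Get-EffectiveMembers -GroupDN $dn -Seen $Seen -Via "$Via > $dn"   # nested group: descend
        } else {
            [pscustomobject]@{ Member = $obj[0].Properties["sAMAccountName"][0]; Via = $Via }
        }
    }
}

$start = @(Get-LdapObject "(&(objectClass=group)(name=$(ConvertTo-LdapFilterValue $GroupName)))" @("distinguishedName"))
if ($start.Count -eq 0) { throw "Group '$GroupName' not found under $RootDN" }
$startDN = $start[0].Properties["distinguishedName"][0]
Get-EffectiveMembers -GroupDN $startDN -Seen @{} -Via $GroupName |
    Sort-Object Member, Via | Format-Table -AutoSize
```

The Via column shows the nesting path through which each account inherits the privilege, which is what you compare against the intended membership when reviewing least privilege.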
An SPN (Service Principal Name) is a unique name for a service instance on a host, used to associate that service with an Active Directory service account.
Enumerate SPNs to obtain the IP address and port number of applications running on servers integrated with Active Directory.
Query the Domain Controller in search of SPNs.
SPN Examples
CIFS/MYCOMPUTER$ - file share access.
LDAP/MYCOMPUTER$ - querying AD information via LDAP.
HTTP/MYCOMPUTER$ - web services such as IIS.
MSSQLSvc/MYCOMPUTER$ - MSSQL.
For example, let's update our PowerShell enumeration script to filter the serviceprincipalname property for the string *http*, indicating the presence of a registered web server: