Active Directory
Introduction
Once the attacker has obtained a foothold on a computer inside an Active Directory network, its design must be understood, including the number of users, groups, computers, OUs, ACLs, and their relationships.
In this phase, the attacker should be focused on enumerating information that can be further used to elevate privileges or perform lateral movements.
Domain
General Information
Get current domain
Get current domain controller
Get domain policy data
Forest
Return the forest object
Get all domains from your current forest
Get the Global Catalogs of the forest
Trust
Return all domain trusts for the current or specified domain
Enumerate all trusts for the current domain and then enumerates all trusts for each domain it finds.
Return all forest trusts for the current forest or a specified forest.
Users
General Information
Obtain users
Built-in accounts
Get group memberships
Obtain the Last time a password was set of each user
Finds domain machines where specific users are logged into. By default 'Domain Admins'
Security
Kerberoast
AS-Reporoast
Search passwords on the description attribute
Show in which machine you are admin (based on your current privileges)
Constrained delegation
Groups
List all the groups in the current domain
List all the members in a specific group:
List groups of a user
Get GPOs of a group
ℹ️To obtain GPO name from
GPOUid
useGet-GPO -Guid "{...}"
Computers
General information
List computers
Return PCs that can be pinged
Get users logged on (Requires admin privileges)
Get locally logged on users
Enumerates local or groups on a machine (Requires admin privileges).
Returns the last user who logged onto the local machine (Requires administrative rights and remote registry enabled on the target)
Security
Enumerate all ACES for all domain computers that matches our current computer.
Need a privilege like WriteProperty, GenericAll, GenericWrite or WriteDacl on the computer object:
Group Policies Objects (GPO)s
General information
Get list of GPO in current domain.
Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences:
Enumerates the machines where a specific domain user/group is a member of a specific local group (Useful for finding where domain groups have local admin access):
Finds what users/groups are in the specified local group for a target machine through GPO correlation
Get Modifiable GPOs
Principals with "Create groupPolicyContainer objects" privilege
Organizational Units (OU)
Get Domain Organizational Units:
Get GPO applied to an OU
Access Control Lists (ACL)s
Enumerate user rights:
Returns the ACLs associated with a specific active directory object.
Finds interesting object ACLS in the current domain
Enumerate RDP Users permissions
Shares
Enumerate shares:
Enumerates the shares you have access
Find shares on hosts in current domain.
Get all fileservers of the domain
Searches for files matching specific criteria on readable shares in the domain
MSSQL
General information
Discover Active Directory Domain SQL Server Instances
Tests if the current Windows account or provided SQL Server login can log into an SQL Server.
Returns basic server and user information from target SQL Servers.
Links
Look for links to remote servers
Enumerate and follow MSSQL database links
Perform Queries
Perform queries
Perform queries using the linked database
CMDShell
Check if xp_cmdshell module is enabled
Enable xp_cmdshell
Execute commands
Tools
LinWinPwn: Automates a number of Active Directory Enumeration and Vulnerability checks.
PowerView: PowerShell tool to gain network situational awareness on Windows domains.
ADSearch: Perform LDAP queries.
PowerUPSQL: Module that includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post-exploitation actions such as OS command execution.
ADModule: The Active Directory module for Windows PowerShell.
References
Last updated