# AD Enumeration Commands (LotL) ## Host & Network Recon | Command | Description | | ------------------------------------------------------- | ---------------------------- | | `hostname` | PC's Name | | `[System.Environment]::OSVersion.Version` | OS version and revision | | `wmic qfe get Caption,Description,HotFixID,InstalledOn` | Patches and hotfixes | | `ipconfig /all` | Network adapter state | | `set` | Environment variables (CMD) | | `echo %USERDOMAIN%` | Domain name (CMD) | | `echo %logonserver%` | Domain Controller name (CMD) | | `systeminfo` | Comprehensive host summary | ## PowerShell Enumeration | Cmdlet | Description | | ------------------------------------------------------------------------------------------ | ------------------------------- | | `Get-Module` | List available modules | | `Get-ExecutionPolicy -List` | Execution policy settings | | `Set-ExecutionPolicy Bypass -Scope Process` | Bypass for current process only | | `Get-ChildItem Env: \| ft Key,Value` | Environment variables | | `Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt` | PowerShell command history | ### PowerShell Downgrade (Evasion) ```powershell # Check current version Get-host # Downgrade to v2 (no Script Block Logging) powershell.exe -version 2 ``` ## Active Directory PowerShell Module ```powershell Import-Module ActiveDirectory # Domain info Get-ADDomain # Users with SPNs (Kerberoastable) Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName # Trust relationships Get-ADTrust -Filter * # Group enumeration Get-ADGroup -Filter * | select name # Group membership Get-ADGroupMember -Identity "Backup Operators" ``` ## Security Controls Checks ### Windows Defender ```powershell Get-MpComputerStatus ``` ### AppLocker ```powershell Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections ``` ### Constrained Language Mode ```powershell $ExecutionContext.SessionState.LanguageMode ``` ### LAPS Enumeration ```powershell # Find delegated groups Find-LAPSDelegatedGroups # Check extended rights Find-AdmPwdExtendedRights # Get LAPS passwords (if you have access) Get-LAPSComputers ``` ### Firewall ```powershell netsh advfirewall show allprofiles ``` ### Windows Defender Service ```cmd sc query windefend ``` ## Network Commands | Command | Description | | ------------------------------------ | --------------------------- | | `arp -a` | Known hosts in ARP table | | `ipconfig /all` | Adapter settings | | `route print` | Routing table (IPv4 & IPv6) | | `netsh advfirewall show allprofiles` | Firewall status | ## WMI Commands | Command | Description | | ------------------------------------------------------------------------------------ | ----------------------------- | | `wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List` | Host info | | `wmic process list /format:list` | All processes | | `wmic ntdomain list /format:list` | Domain and DC info | | `wmic useraccount list /format:list` | All local and domain accounts | | `wmic group list /format:list` | Local groups | | `wmic sysaccount list /format:list` | System/service accounts | ## Net Commands | Command | Description | | ---------------------------------------- | ---------------------------------- | | `net accounts` | Password requirements | | `net accounts /domain` | Domain password and lockout policy | | `net group /domain` | Domain groups | | `net group "Domain Admins" /domain` | Domain admin members | | `net group "domain computers" /domain` | Domain-joined PCs | | `net group "Domain Controllers" /domain` | Domain Controllers | | `net localgroup` | All local groups | | `net localgroup administrators` | Local admins | | `net share` | Current shares | | `net user /domain` | User info | | `net user /domain` | All domain users | | `net view` | List computers | | `net view /domain` | PCs in the domain | * **Tip:** Use `net1` instead of `net` to potentially avoid detection ## Dsquery (on DCs or hosts with AD DS role) ```powershell # User search dsquery user # Computer search dsquery computer # Wildcard search in OU dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL" # Users with PASSWD_NOTREQD dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl # Domain Controllers dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName # Users with descriptions (may contain passwords) dsquery * -filter "(&(objectClass=user)(description=*))" -attr samAccountName description ``` ### LDAP Filter OID Match Strings * `1.2.840.113556.1.4.803` - Bit value must match completely (AND) * `1.2.840.113556.1.4.804` - Any bit match (OR) * `1.2.840.113556.1.4.1941` - Match Distinguished Name (recursive membership) ## Check Who Else is Logged In ```powershell qwinsta ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/domain-controllers/ad-enumeration-commands.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.