ACTIVE DIRECTORY

Domain Enumeration with Active Directory PowerShell Module

Nairuz Abulhul, published in R3d Buck3T
6 min read · May 1, 2021

Post-exploitation enumeration of windows domain controller with PowerShell


The PowerShell Active Directory module consists of cmdlets that domain admins use to query and manage objects in Active Directory. It is part of the utilities and modules shipped with Remote Server Administration Tools (RSAT).

The module can be installed as part of the RSAT package through Windows Features; however, installing the package on a machine requires admin privileges.

To work around this, we can obtain the Microsoft Active Directory Management DLL from a machine that already has RSAT installed and copy it to the Windows machine we want to use for enumeration.

This guide will outline the steps for importing the DLL and PowerShell modules and using them to perform basic domain post-exploitation enumeration to retrieve information about the computers, users, and groups.

We will use the Resolute machine from Hack the Box to demonstrate the steps.

Prerequisite Tools

No admin privileges are needed to import the DLL or to use the PS module.

Copy the Microsoft.ActiveDirectory.Management DLL from a machine with RSAT installed and place it on the system where we want to use the module. Below is the location of the DLL.

Figure 1 — shows the DLL Location
Figure 2 — shows transferring the file to the target machine

Import the DLL by running the PS command Import-Module.

Import-Module .\Microsoft.ActiveDirectory.Management.dll
Figure 3 — shows importing the dll to the target machine

Import the PowerShell module manifest “ActiveDirectory.psd1” using the same Import-Module command. Ensure that the “ActiveDirectory.psd1” file and the DLL are located in the same path as the PowerShell script, to prevent import errors like the one shown in the screenshot below.

Figure 4 — shows the Active Directory Format Error
Figure 5 — shows Active Directory Format ps1xml file

Now that the module is imported, we can run a quick test with one of the PS cmdlets (Get-Command Get-ADCom*) to verify that the module imported successfully.

Figure 6 — shows the AD module was imported successfully
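The three import steps above as one script, added here as an example rather than code from the original post. It checks that the copied files are present before importing, verifies the cmdlets resolve, and runs a first query; the module folder ($ModuleDir, the current directory) is an assumption.

```powershell
# Added example, not code from the original post: import the copied AD module from one
# folder and verify that it loaded. $ModuleDir is an assumption (files copied to the
# current directory); change it to wherever the DLL and manifest were placed.
$ModuleDir = (Get-Location).Path

# The files the post copies. The manifest references the DLL and the Format.ps1xml file by
# relative path, so they must sit in the same folder; a missing format file is what produces
# the "Format" error shown in Figure 4.
$Required = @(
    'Microsoft.ActiveDirectory.Management.dll',
    'ActiveDirectory.psd1',
    'ActiveDirectory.Format.ps1xml'
)
$Missing = $Required | Where-Object { -not (Test-Path (Join-Path $ModuleDir $_)) }
if ($Missing) { throw "Missing from ${ModuleDir}: $($Missing -join ', ')" }

# Same order as the post: the binary module first, then the manifest that wraps it.
Import-Module (Join-Path $ModuleDir 'Microsoft.ActiveDirectory.Management.dll') -ErrorAction Stop
Import-Module (Join-Path $ModuleDir 'ActiveDirectory.psd1') -ErrorAction Stop

# Verify: the cmdlets resolve and the module reports where it was loaded from.
$Expected = 'Get-ADDomain', 'Get-ADUser', 'Get-ADComputer', 'Get-ADGroup', 'Get-ADGroupMember'
$Found = Get-Command -Name $Expected -ErrorAction SilentlyContinue
if (@($Found).Count -ne $Expected.Count) { throw 'ActiveDirectory module did not import cleanly' }
Get-Module -Name ActiveDirectory | Select-Object Name, Version, ModuleBase

# These cmdlets talk to the DC through Active Directory Web Services (TCP 9389), not plain
# LDAP: ADWS must be reachable, and that is the traffic a defender sees from this tooling.
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
```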

Domain Enumeration

Here is a compiled list of basic AD enumeration commands that we can use after compromising a domain controller to gather information about the domain and leverage it for privilege escalation or lateral movement.

Get-ADDomain

The command lists all the properties of the current domain.

  • We can run the command alone or specify a domain.

Get-ADDomainController

The command lists all the domain controllers in a specified domain.

  • Running the cmdlet without specifying a domain returns all the DCs in the current domain.
Get-ADDomainController
  • Properties to look for — operating system version, operating system hotfix, and service pack information. These properties help define the privilege escalation vectors.
  • Specifying a domain:
Get-ADDomainController -DomainName megabank.local -Discover

Get-ADUser

The command lists all the users in the current domain.

  • It can’t run alone; you need to pass parameters to get any output.
  • To get all users and their properties, use the Filter parameter with an asterisk (*).
Get-ADUser -Filter *
  • We can narrow the output to the SAM account names by piping to Select-Object (“select”).
Get-ADUser -Filter * | Select SamAccountName

📍 Note: Not all returned users are active users. The command above returns all of the users in the current DC.

  • To list only active users, look for enabled accounts by checking that the Enabled property equals True.
Get-ADUser -Filter * | ?{ $_.Enabled -eq $true }
  • We can get detailed information about a single user account by combining the Identity and Properties parameters.
Get-ADUser -Identity USER -Properties *

We can also use the LogonCount property to check for active users.

Enumerating active users also helps us steer clear of decoy or dormant accounts in environments that run deception technology, which reduces the chance of detection.

🔔 Tips:

  • Always choose a user that has a reasonable logon count.
  • Decoy users tend to have either a very high or a very low logon count.
Get-AdUser -Filter * -Properties * | Select Name, logonCount

The Description property is another good place to check for interesting information, such as passwords of service accounts.

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | Select Name, Description
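The user checks above (Enabled, LogonCount, Description) combined into one audit, written here as an added example rather than code from the original post. It assumes the ActiveDirectory module is already imported; the keyword list is constructed and the output is framed as a clean-up list for the people who own the directory.

```powershell
# Added audit example, not code from the original post. Assumes the ActiveDirectory module
# is already imported and that the caller can read user objects (any domain user can).
# Goal: flag enabled accounts that look dormant, and descriptions that appear to hold secrets.

# Constructed keyword list; extend it with whatever your helpdesk tends to write into Description.
$SecretKeywords = @('pass', 'pwd', 'cred', 'secret', 'temp', 'default')

# Request only the attributes needed instead of -Properties *, which pulls everything per user.
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties Description, LogonCount, LastLogonDate, PasswordLastSet, ServicePrincipalName

$Report = foreach ($u in $Users) {
    $desc = [string]$u.Description
    [pscustomobject]@{
        Account         = $u.SamAccountName
        # logonCount is kept per DC and never replicated, so it reflects only the DC that
        # answered; LastLogonDate (from lastLogonTimestamp) is replicated, with ~14 days of lag.
        LogonCount      = $u.LogonCount
        LastLogonDate   = $u.LastLogonDate
        PasswordAgeDays = if ($u.PasswordLastSet) { ((Get-Date) - $u.PasswordLastSet).Days } else { $null }
        IsServiceAcct   = (@($u.ServicePrincipalName).Count -gt 0)
        DescriptionHit  = [bool]($SecretKeywords | Where-Object { $desc -match $_ })
        Description     = $desc
    }
}

# 1. Descriptions that look like they carry a credential: clear the attribute and rotate the secret.
$Report | Where-Object DescriptionHit | Format-Table Account, IsServiceAcct, Description -AutoSize

# 2. Enabled accounts that never logged on or show a zero logon count: disable or review.
$Report | Where-Object { -not $_.LastLogonDate -or $_.LogonCount -eq 0 } |
    Sort-Object LastLogonDate |
    Format-Table Account, LogonCount, LastLogonDate, PasswordAgeDays -AutoSize
```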

Get-ADComputer

The command lists all the computer objects in the current domain or a specified one.

📍 Computer objects do not necessarily represent active or in-use physical or virtual machines in a domain.

  • A computer object is created when a domain user joins a machine to the domain.
Get-ADComputer -Filter *
Get-ADComputer -Filter * | select Name

To filter for active computers, check the LastLogonDate, LastLogon, and IPv4Address properties.

Get-AdComputer -Filter * -Properties * | select Name, LastLogonDate, lastLogon, IPv4Address
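The active-versus-stale distinction above, carried through as an added example (not code from the original post). It assumes the ActiveDirectory module is imported; the 90-day threshold is an assumption.

```powershell
# Added example, not code from the original post: separate live computer objects from stale ones.
# Assumes the ActiveDirectory module is imported; the 90-day threshold is an assumption.
$StaleAfterDays = 90
$Cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates (with up to ~14 days of lag),
# so it gives a domain-wide view; lastLogon is per-DC and not replicated.
$Computers = @(Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem, IPv4Address)

$Stale  = @($Computers | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff })
$Active = @($Computers | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -ge $Cutoff })

'Computer objects: {0} total, {1} active, {2} stale (no logon in {3} days)' -f `
    $Computers.Count, $Active.Count, $Stale.Count, $StaleAfterDays

# Stale objects are clean-up candidates; enabled ones with no logon history deserve a closer look.
$Stale | Sort-Object LastLogonDate |
    Format-Table Name, Enabled, OperatingSystem, LastLogonDate -AutoSize

# Active hosts grouped by OS expose end-of-life systems that need patching or isolation.
$Active | Group-Object OperatingSystem | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Active hosts whose name does not resolve: DNS hygiene problems worth fixing before they mislead.
$Active | Where-Object { -not $_.IPv4Address } | Select-Object Name, DNSHostName
```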

Get-ADGroup

The command lists all the groups in the current or specified domain.

Get-ADGroup -Filter * | select name
  • Add the Properties parameter with an asterisk to get group details.
Get-ADGroup -Filter * -Properties *

Get-ADGroupMember

Lists all the members of a specified group.

  • Use the Identity parameter with the group name to get its members.
  • Interesting groups are “Domain Admins”, “DNSAdmins”, “Remote Desktop Users”, and “Print Operators”.
Get-ADGroupMember -Identity "DNSAdmins" -Recursive

As we can see, Ryan is the only member of the DNSAdmins group.

  • We can also search for the groups a user belongs to with Get-ADPrincipalGroupMembership, passing the user name to the Identity parameter.
Get-ADPrincipalGroupMembership -Identity Ryan

Ryan is a member of two groups: Domain Users (default) and Contractors.
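The two group lookups above turned into a membership report, added here as an example (not code from the original post). It expands nested membership for the groups the post names, highlights accounts that sit in more than one of them, and ends with the reverse lookup for Ryan; it assumes the ActiveDirectory module is imported.

```powershell
# Added example, not code from the original post: report effective membership of sensitive
# groups (nested groups expanded) and show the reverse lookup for one account (Ryan, as in
# the post). Assumes the ActiveDirectory module is imported.
$SensitiveGroups = @('Domain Admins', 'DNSAdmins', 'Remote Desktop Users', 'Print Operators')

$Rows = foreach ($g in $SensitiveGroups) {
    # -Recursive flattens nested group membership: a user added through an intermediate group
    # shows up here but would be missed by a non-recursive query.
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        [pscustomobject]@{ Group = $g; Member = $m.SamAccountName; Class = $m.objectClass }
    }
}
$Rows | Sort-Object Group, Member | Format-Table -AutoSize

# A principal present in more than one sensitive group is a single point of compromise;
# these are the memberships to justify or remove first.
$Rows | Group-Object Member | Where-Object Count -gt 1 |
    Select-Object Name, Count, @{ n = 'Groups'; e = { ($_.Group | ForEach-Object Group | Sort-Object) -join ', ' } }

# Reverse lookup: every group an account is a direct member of (nested parents are not expanded).
Get-ADPrincipalGroupMembership -Identity Ryan | Select-Object Name, GroupScope, GroupCategory
```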

Today, we walked through importing the PowerShell AD module and using it to gather relevant data that helps us uncover flaws and misconfigurations we can leverage for privilege escalation or lateral movement.

🛎️ All of the modified code and the used commands can be found at R3d-Buck3T — Notion.

Thanks for stopping by.
