See: enumeration
Getting Started
Common commands
net user /domain
net user $user /domain
net group /domain
Get-ADUser
Get-ADGroup
# etc. (typically only installed on DC)Also consider using this custom PowerShell AD searcher to perform LDAP queries.
User
- NetWkstaUserEnum API: requires admin privileges; returns users logged in on a target workstation
- NetSessionEnum API: requires regular domain user; returns active user sessions on all servers
Once a AD machine is compromised, try to use NetWkstaUserEnum on other machines to enumerate users (PowerView: Get-NetLoggedon -ComputerName THIS_COMPUTER_NAME) and see if current user is an admin on any other machine)
Use NetSessionEnum (PowerView: Get-NetSession -ComputerName DC_NAME) to enumerate logged-in server users.
net user [$USER] /domain (shows max ten group memberships)
net group [$GROUP] /domain
net accounts /domain (passpol)
Services
Use the searcher to look for services: $Searcher.filter='(serviceprincipalname=*http*)'