See: enumeration

Getting Started

Common commands

net user /domain
net user $user /domain
net group /domain
 
Get-ADUser
Get-ADGroup
# etc. (ActiveDirectory PowerShell module, part of RSAT: present by default on DCs, usually absent on member servers and workstations)

Also consider using this custom PowerShell AD searcher to perform LDAP queries.

User

  • NetWkstaUserEnum API: requires local admin on the target; returns the users currently logged on to that workstation (interactive and service logons)
  • NetSessionEnum API: works as a regular domain user on older builds (Windows 10 1709 / Server 2019 and later restrict it to admins by default); returns the active SMB sessions on the target server, i.e. user name plus the client address the session came from, so it is queried per server (DCs, file servers), not across all servers at once

Once an AD machine is compromised, run NetWkstaUserEnum against other machines to see who is logged on where (PowerView: Get-NetLoggedon -ComputerName <target>); since the call needs local admin on the target, a host that answers is also one the current user is an admin on (PowerView's Find-LocalAdminAccess checks that directly). Use NetSessionEnum against DCs and file servers (PowerView: Get-NetSession -ComputerName <DC_NAME>) to see which users have sessions open and from which client address, which is where they are most likely logged in.

net user [$USER] /domain      (group membership output is truncated at ten groups; use an LDAP query for the full list)
net group [$GROUP] /domain
net accounts /domain          (domain password policy: minimum length, maximum age, lockout threshold)
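Putting the two session calls together, as an added example that is not from the page's linked searcher or from PowerView itself: a sweep that runs Get-NetSession against every domain controller and Get-NetLoggedon against every computer. It assumes PowerView from the PowerSploit dev branch is already dot-sourced in the session (the property names CName, UserName and LogonDomain on the returned objects are taken from that version), that the account running it is a domain member, and that the computer list comes straight from LDAP so the ActiveDirectory module is not needed.

```powershell
# Added example: requires PowerView (PowerSploit dev branch) already loaded, e.g.  . .\PowerView.ps1
# Computer names are pulled from LDAP directly so no RSAT module is needed.

function Get-DomainComputerNames {
    param([string]$Filter = '(objectCategory=computer)')
    $s = [adsisearcher]$Filter
    $s.PageSize = 1000                                    # paging, otherwise at most 1000 results come back
    [void]$s.PropertiesToLoad.Add('dnshostname')
    foreach ($r in $s.FindAll()) { $r.Properties['dnshostname'] | Select-Object -First 1 }
}

$computers = Get-DomainComputerNames
# SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl marks domain controllers
$dcs = Get-DomainComputerNames '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'

# NetSessionEnum: who has an SMB session open on each DC and from which client address.
# PowerView reports failures (access denied on hardened builds) via -Verbose, not as exceptions.
$sessions = foreach ($dc in $dcs) {
    Get-NetSession -ComputerName $dc |
        Where-Object { $_.UserName -and $_.UserName -notlike '*$' } |    # drop machine accounts
        ForEach-Object {
            [pscustomobject]@{ Server = $dc; User = $_.UserName; Client = $_.CName.TrimStart('\') }
        }
}

# NetWkstaUserEnum: who is logged on to each host. Needs local admin on the target, so for
# most hosts this returns nothing; add -Verbose to see the underlying Win32 error.
$logons = foreach ($pc in $computers) {
    Get-NetLoggedon -ComputerName $pc |
        Where-Object { $_.UserName -and $_.UserName -notlike '*$' } |
        ForEach-Object {
            [pscustomobject]@{ Host = $pc; User = $_.UserName; Domain = $_.LogonDomain }
        }
}

# Sessions sorted by user: the Client column is the machine to go after for that user's credentials
$sessions | Sort-Object User | Format-Table -AutoSize

# Logons grouped by user, with every host they were seen on
$logons | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Hosts'; e = { ($_.Group.Host | Sort-Object -Unique) -join ', ' } }
```

Cross-check the two lists: a user who appears in $sessions with a client address that matches a host in $logons where you already have admin is the usual pivot.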

Services

Use the searcher to look for accounts with registered service principal names, e.g. web services: $Searcher.filter='(serviceprincipalname=*http*)'. Any user account with an SPN is a Kerberoasting candidate, so the broader query is '(&(objectCategory=person)(objectClass=user)(serviceprincipalname=*))'; computer accounts have SPNs too but their passwords are random and not worth cracking.
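The custom searcher the page links to is not reproduced here; the following is an added, standalone substitute (not the page's script and not PowerView) built on System.DirectoryServices.DirectorySearcher. It binds to the current domain unless a SearchBase is given, and it goes beyond the page's *http* example by also pulling every Kerberoastable user and the full group membership that net user truncates. The account name jdoe and the LDAP path in the comment are placeholders.

```powershell
# Added example: a minimal ADSI/LDAP searcher. Runs as any domain user; no RSAT needed.
function Invoke-LdapSearch {
    param(
        [Parameter(Mandatory)][string]$Filter,              # RFC 4515 LDAP filter
        [string[]]$Properties = @('samaccountname'),        # attributes to return
        [string]$SearchBase,                                # e.g. 'LDAP://DC=corp,DC=local'; default = current domain
        [int]$PageSize = 1000                               # paging, so more than 1000 objects come back
    )
    $root = if ($SearchBase) { [adsi]$SearchBase } else { [adsi]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = $PageSize
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($p in $Properties) {
            # multi-valued attributes (servicePrincipalName, memberOf, member) are flattened for display
            $row[$p] = @($result.Properties[$p]) -join '; '
        }
        [pscustomobject]$row
    }
}

# The page's example: anything with an HTTP service principal (IIS, SharePoint, web apps)
Invoke-LdapSearch -Filter '(servicePrincipalName=*http*)' -Properties samaccountname, serviceprincipalname

# Broader: every user account (not computer) with any SPN, excluding krbtgt. These are the
# accounts whose service tickets can be requested by any domain user and cracked offline.
Invoke-LdapSearch -Filter '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties samaccountname, serviceprincipalname, pwdlastset, memberof

# The same searcher replaces net user / net group: full group list with no ten-group cut-off
Invoke-LdapSearch -Filter '(&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))' `
    -Properties samaccountname, memberof, lastlogontimestamp
Invoke-LdapSearch -Filter '(&(objectCategory=group)(cn=Domain Admins))' -Properties cn, member
```

pwdlastset comes back as a raw FILETIME integer; convert with [DateTime]::FromFileTime() when deciding which SPN accounts have old, weak passwords worth cracking first.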