12.Credentialed Enumeration - from Windows

1. Active Directory PowerShell Module

Function: Administers Active Directory from the command line.

Key Cmdlets:

Get-Module: Lists available modules.
Import-Module ActiveDirectory: Loads the module.
Get-ADDomain: Retrieves domain information.
Get-ADUser: Retrieves user information.
Get-ADTrust: Retrieves domain trust relationships.
Get-ADGroup: Retrieves group information.
Get-ADGroupMember: Retrieves group membership.

Commands:

Get-Module
Import-Module ActiveDirectory
Get-ADDomain
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-ADTrust -Filter *
Get-ADGroup -Filter * | select name
Get-ADGroup -Identity "Backup Operators"
Get-ADGroupMember -Identity "Backup Operators"

Significance: Built-in and stealthy enumeration.

2. PowerView/SharpView

Function: Gains situational awareness within an AD environment.

Key Functions (PowerView):

Get-DomainUser: Retrieves user information.
Get-DomainGroupMember: Retrieves group membership.
Get-DomainTrustMapping: Retrieves domain trust mappings.
Test-AdminAccess: Tests for local admin access.
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName: Finds users with SPN.
Get-DomainGPO: Enumerates Group Policy Objects.
Get-DomainUser -TrustedToAuth: Finds users with unconstrained delegation.

Key Functions (SharpView):

Get-DomainUser: Retrieves user information.

PowerView Commands:

Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainTrustMapping
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
Get-DomainGPO
Get-DomainUser -TrustedToAuth

SharpView Commands:

.\SharpView.exe Get-DomainUser -Identity forend
.\SharpView.exe Get-DomainUser -Help

Significance: Comprehensive enumeration and relationship mapping.

3. Snaffler

Function: Acquires credentials and sensitive data from file shares.

Commands:

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
Snaffler.exe -s \\fileserver\shared -o snaffler.log -v data

Significance: Efficient sensitive data discovery.

Key Takeaways:

Windows-based enumeration provides access to powerful tools.
The ActiveDirectory PowerShell module offers stealthy built-in capabilities.
PowerView/SharpView excels at relationship mapping and situational awareness.
Snaffler quickly finds sensitive data within file shares.
Always use the -help flag to learn available options.

Additional Considerations:

PowerShell's Get-Help:
```
Get-Help Get-ADUser -Full
```
- Similar to Linux man pages, PowerShell has built-in help.
PowerShell Module Discovery:
```
Get-Command -Module ActiveDirectory
```
- This helps in discovering available cmdlets.
PowerView Loading:
```
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
Import-Module .\PowerView.ps1
```
- Required since PowerView is not a built-in module and may need an execution policy bypass.
Snaffler Output Handling:
```
Select-String -Path snaffler.log -Pattern "password|creds|admin"
```
- Filters results for sensitive keywords.

Checking Active Directory Replication Metadata:

Get-ADReplicationMetadata -Object "CN=Administrator,CN=Users,DC=domain,DC=com" -Server DC01

Useful for investigating AD replication.

Previous11. Credentialed Enumeration - from Linux Next13. Living Off the Land

Last updated 8 months ago

hashtagKey Takeaways:

hashtagAdditional Considerations:

Key Takeaways:

Additional Considerations: