2024-05-29 Active Directory, Pentesting, Methodology

Mastering Active Directory: The Complete Domain Enumeration Guide

🕵️ Mastering Domain Enumeration: Theory, Practice & Process

This master guide consolidates the theory of Active Directory, the step-by-step enumeration process using PowerShell/PowerView, and the critical knowledge required to pass technical interviews.


📚 Part 1: Core Concepts & Terminology

Before typing a command, you must speak the language of the domain.

| Term | Definition |
| --- | --- |
| Forest | The top-level container and ultimate security boundary. It can contain multiple domain trees sharing a common schema. |
| Domain | A logical grouping of objects (users, computers) sharing a database. Trust boundaries usually start here. |
| OU (Organizational Unit) | A container inside a domain used to organize objects and, crucially, apply Group Policies (GPOs). |
| Global Catalog | A centralized index containing a partial replica of every object in the forest, enabling fast searching across domains. |
| SID (Security Identifier) | A unique ID for every object (e.g., `S-1-5-21...`). The Domain SID is critical for ticket forging (Golden Tickets). |
| ACL (Access Control List) | The list of permissions attached to an object. Contains ACEs (Access Control Entries). Misconfigured ACLs are a primary method of privilege escalation. |

🛠️ Part 2: The Toolset

We rely on PowerShell because it interacts natively with the .NET framework and AD objects.

  1. PowerView (Dev/Main): The industry standard for offensive enumeration.
  2. Active Directory Module: Built-in Microsoft module (signed, trusted, but sometimes less flexible).
  3. Invisi-Shell: Used to bypass logging (ScriptBlock Logging) and AMSI by hooking .NET assemblies.

Bypass Execution Policy: `powershell -ExecutionPolicy bypass` (This is a usability feature, not a security boundary).


🔄 Part 3: The Enumeration Methodology (Process & Commands)

Follow this 6-phase process to map the network methodically.

🔹 Phase 1: Situational Awareness (Where am I?)

Goal: Identify the domain, the controllers, and the rules of engagement (policies).

Get Domain Info:

1. PowerView: `Get-Domain`
2. AD Module: `Get-ADDomain`

Get Domain Controllers: (These hold the database ntds.dit)

1. PowerView: `Get-DomainController`

Get Domain Policy: (CRITICAL for password spraying and tickets)

1. `Get-DomainPolicyData`
2. `(Get-DomainPolicyData).SystemAccess` (Check `LockoutThreshold` and `PasswordComplexity`).
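The same lockout and password settings read from the defender's side, as an added example that is not part of the original post: it uses the Microsoft ActiveDirectory module rather than PowerView, and the baseline numbers it compares against are assumptions.

```powershell
# Added example, not from the original post: read the lockout and password
# settings a tester pulls with (Get-DomainPolicyData).SystemAccess, but via the
# Microsoft ActiveDirectory module, and flag values that leave the domain exposed
# to password spraying. The baseline numbers are assumptions, not page content.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinPasswordLength = 14,   # assumed baseline
        [int]$MaxLockoutThreshold = 5   # assumed baseline; 0 means lockout is disabled
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($p.LockoutThreshold -eq 0) {
        $findings += 'Account lockout disabled: unlimited guesses per account.'
    } elseif ($p.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold $($p.LockoutThreshold) exceeds baseline $MaxLockoutThreshold."
    }
    if (-not $p.ComplexityEnabled) {
        $findings += 'Password complexity is disabled.'
    }
    if ($p.MinPasswordLength -lt $MinPasswordLength) {
        $findings += "MinPasswordLength $($p.MinPasswordLength) is below baseline $MinPasswordLength."
    }

    # Fine-grained password policies (PSOs) override the default policy for the
    # users and groups they apply to, so a weak PSO can undo a strong default.
    $psos = Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.LockoutThreshold -eq 0 } |
        ForEach-Object { "PSO '$($_.Name)' disables lockout for: $($_.AppliesTo -join ', ')" }
    if ($psos) { $findings += @($psos) }

    [pscustomobject]@{
        LockoutThreshold         = $p.LockoutThreshold
        LockoutDuration          = $p.LockoutDuration
        LockoutObservationWindow = $p.LockoutObservationWindow
        MinPasswordLength        = $p.MinPasswordLength
        ComplexityEnabled        = $p.ComplexityEnabled
        Findings                 = $findings
    }
}

Test-DomainPasswordPolicy
```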

🔹 Phase 2: Mapping Entities (Who is here?)

Goal: Build a target list of users and machines.

User Enumeration:

1. List all: `Get-DomainUser`
2. **Hunt for Decoys:** Check `logonCount` and `badPwdCount`. If `logonCount` is 0, it's likely a decoy/honeypot.
3. **Search Attributes:** `Get-DomainUser -LDAPFilter "(description=*admin*)"` (the filter needs its enclosing parentheses to be a valid LDAP filter).

Computer Enumeration:

1. List all: `Get-DomainComputer`
2. Find Live Hosts: `Get-DomainComputer -Ping`
3. Find Server OS: `Get-DomainComputer -OperatingSystem "*Server 2022*"`.

🔹 Phase 3: Infrastructure & Configuration (How is it managed?)

Goal: Understand the layout and control mechanisms.

Group Enumeration:

1. List Groups: `Get-DomainGroup`
2. Find Admin Groups: `Get-DomainGroup *admin*`
3. List Members: `Get-DomainGroupMember -Identity "Domain Admins" -Recurse`.

GPO (Group Policy) Enumeration:

1. List Policies: `Get-DomainGPO`
2. **Map GPO to OU:** `Get-DomainGPO -Identity "{GUID}"`. This tells you what settings (like restricted groups) apply to which machines.

🔹 Phase 4: Permissions (The Hidden Paths)

Goal: Find “Edit” or “Write” access on high-value objects.

ACL Enumeration:

1. Get Permissions on a User: `Get-DomainObjectAcl -SamAccountName <TargetUser> -ResolveGUIDs`
2. **Find Interesting ACLs:** `Find-InterestingDomainAcl -ResolveGUIDs`
    *Look for `GenericAll`, `WriteDacl`, or `ResetPassword` rights held by low-privileged users.*
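The ACL review above from the defender's side, as an added example that is not part of the original post: it audits one high-value object with the Microsoft ActiveDirectory module's `AD:` drive rather than PowerView, and the list of expected admin principals is an assumption to be tuned per environment.

```powershell
# Added example, not from the original post: audit the ACL of a high-value object
# for ACEs that grant control rights (GenericAll, WriteDacl, WriteOwner, or the
# "Reset Password" extended right) to principals outside an expected admin list.
# Uses the Microsoft ActiveDirectory module and its AD: drive; the expected list
# is an assumption and should be tuned to the environment.
Import-Module ActiveDirectory

$AR = [System.DirectoryServices.ActiveDirectoryRights]
# GUID of the User-Force-Change-Password extended right ("Reset Password")
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# GenericAll is a composite flag, so test that every bit of the mask is present
function Test-Right($Rights, $Mask) {
    return (($Rights -band $Mask) -eq $Mask)
}

function Get-ControlAce {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$ExpectedPrincipals = @('Domain Admins', 'Enterprise Admins',
                                          'Administrators', 'SYSTEM')
    )
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)"
    if (-not $obj) { throw "Object '$SamAccountName' not found" }
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        # an ExtendedRight ACE with an empty ObjectType covers every extended right
        $isReset = (Test-Right $r $AR::ExtendedRight) -and
                   ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq [guid]::Empty)
        if (-not ((Test-Right $r $AR::GenericAll) -or (Test-Right $r $AR::WriteDacl) -or
                  (Test-Right $r $AR::WriteOwner) -or $isReset)) { continue }
        # strip the "DOMAIN\" prefix before comparing with the expected list
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($ExpectedPrincipals -contains $name) { continue }
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $r
            Inherited = $ace.IsInherited
        }
    }
}

# Review who holds control rights over the Domain Admins group
Get-ControlAce -SamAccountName 'Domain Admins'
```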

🔹 Phase 5: Trusts (The Way Out)

Goal: Identify paths to other domains or forests.

Map Trusts: `Get-DomainTrust` or `Get-ForestTrust`.

Trust Types:

1. **Parent-Child:** Automatic, Two-Way, Transitive (Easy lateral movement).
2. **External:** Manual, often One-Way (Harder).
3. **Forest:** Connects two separate organizations.

🔹 Phase 6: User Hunting (The Attack Path)

Goal: Find where the Domain Admin is logged in so you can steal their token.

Find Local Admin Access: `Find-LocalAdminAccess` (Scans the network for boxes YOU can control).

Find Domain Admin Sessions: `Find-DomainUserLocation -UserGroupIdentity "Domain Admins"`

1. *This queries DCs to see where DAs are active. If you have Local Admin on that box, you win.*
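The noise this phase generates (see also Q2 below) is what a SOC keys on. As an added example that is not part of the original post, here is a detection over Security event 4624 network logons that flags one account authenticating to many distinct hosts in a short window; the events are constructed sample data and the thresholds are assumptions.

```powershell
# Added example, not from the original post: flag a Find-LocalAdminAccess-style
# sweep from Security event 4624 network logons (LogonType 3): one account
# authenticating to many distinct hosts in a short window.
# The events are constructed sample data and the thresholds are assumptions.
$SampleEvents = @(
    # constructed: one account touching 8 workstations in under a minute
    1..8 | ForEach-Object {
        [pscustomobject]@{ Time = [datetime]'2024-05-29T10:00:00' + [timespan]::FromSeconds($_ * 7)
                           EventId = 4624; LogonType = 3; Account = 'CORP\svc-backup'
                           Computer = 'WS{0:D2}.corp.local' -f $_ }
    }
    # constructed: normal activity, two hosts over the same period
    [pscustomobject]@{ Time = [datetime]'2024-05-29T10:00:10'; EventId = 4624; LogonType = 3
                       Account = 'CORP\jdoe'; Computer = 'FS01.corp.local' }
    [pscustomobject]@{ Time = [datetime]'2024-05-29T10:00:40'; EventId = 4624; LogonType = 3
                       Account = 'CORP\jdoe'; Computer = 'WS03.corp.local' }
)

function Find-LogonSweep {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinHosts = 5,                               # assumed threshold
        [timespan]$Window = [timespan]::FromMinutes(5)    # assumed window
    )
    $netLogons = $Events | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq 3 } |
        Sort-Object Time
    foreach ($group in ($netLogons | Group-Object Account)) {
        $evs = @($group.Group)
        # slide a window over this account's logons and report the first window
        # that reaches the threshold of distinct target hosts
        for ($i = 0; $i -lt $evs.Count; $i++) {
            $hosts = @{}
            foreach ($e in $evs[$i..($evs.Count - 1)]) {
                if (($e.Time - $evs[$i].Time) -gt $Window) { break }
                $hosts[$e.Computer] = $true
            }
            if ($hosts.Count -ge $MinHosts) {
                [pscustomobject]@{ Account = $group.Name; FirstSeen = $evs[$i].Time
                                   DistinctHosts = $hosts.Count; Window = $Window }
                break
            }
        }
    }
}

Find-LogonSweep -Events $SampleEvents
```

On a real host, build the same objects from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` and take `LogonType`, `TargetUserName` and the target computer from each event's XML.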

❓ Part 4: Interview Corner (10 Essential Questions)

Q1: What is the difference between a Forest and a Domain?

Answer: A Domain is a container for objects sharing a database. A Forest is the collection of domains sharing a schema and acts as the ultimate security boundary.

Q2: Why is Find-LocalAdminAccess heavily monitored by SOCs?

Answer: It generates massive noise by attempting to connect to the RPC/SMB ports of every machine in the network to check permissions. It looks like a port scan.

Q3: What is a Transitive Trust?

Answer: It means if A trusts B, and B trusts C, then A automatically trusts C. Parent-Child trusts are transitive by default.

Q4: How do you identify a “Honeypot” user account?

Answer: Check the logonCount and pwdLastSet attributes. If the user has never logged in (logonCount=0) or the password hasn’t changed in years despite strict policies, it’s likely a trap.

Q5: What is the difference between a DACL and a SACL?

Answer: A DACL controls access (who can do what). A SACL controls auditing (who gets logged when they access an object).

Q6: To forge a Golden Ticket, what specific domain policy setting do you need?

Answer: You need the Kerberos Policy settings, specifically the ticket lifetime (MaxServiceAge), to ensure the forged ticket isn’t rejected for having an invalid duration.

Q7: How does “User Hunting” (Find-DomainUserLocation) work technically?

Answer: It queries the Domain Controllers to enumerate active sessions (via Get-NetSession) or logged-on users, mapping high-value users to specific IP addresses.

Q8: Can you run PowerShell tools if powershell.exe is blocked?

Answer: Yes. PowerShell is just a wrapper for System.Management.Automation.dll. You can run PowerShell scripts using C# binaries or unmanaged code that loads the DLL directly, bypassing the executable block.

Q9: What information does the Global Catalog provide?

Answer: It provides a searchable index of every object in the entire forest, allowing you to find users or groups in other domains without querying their specific Domain Controllers directly.

Q10: If you find a GPO applied to an OU, what does that imply?

Answer: It implies that every computer and user object residing in that OU (and its sub-OUs) will inherit the configuration settings defined in that GPO, unless inheritance is blocked.


🎭 Part 5: Scenario-Based Questions (Bar Raiser)

Scenario 1: The “Impossible” Share

Context: You are trying to list files in \\fileserver\secret, but you get “Access Denied.” You want to know why without spamming access attempts.

Action: Run Get-PathAcl -Path "\\fileserver\secret". This reads the ACL of the shared folder, letting you verify if your SID or group is present in the “Allow” list before you try again.

Scenario 2: The Silent Admin

Context: You have compromised a machine but don’t know who uses it. You want to see who is logged in right now.

Action: If you are a local admin, run Get-NetLoggedOn -ComputerName <Target>. If you only have remote registry access, use Get-LoggedOnLocal. These commands query the API to list active sessions.

Scenario 3: The Cross-Domain Attack

Context: You are in dev.corp.local and want to attack prod.corp.local.

Action: First, run Get-DomainTrust to verify the relationship. Since they share a namespace (corp.local), it is likely a Parent-Child trust, which is two-way transitive. You can attempt to query users in prod directly or find paths to escalate privileges across the trust.

Scenario 4: Evading AV

Context: Your PowerView.ps1 script is getting deleted by Windows Defender immediately.

Action: Use AMSITrigger to scan the script and identify the exact string signatures triggering the AV. Modify those strings/variables, or use Invisi-Shell to hook the .NET assembly and bypass the AMSI scan entirely.

Scenario 5: The Policy Check

Context: You want to password spray the domain, but you’re afraid of locking out users.

Action: Immediately run `(Get-DomainPolicyData).SystemAccess`. Look for `LockoutThreshold`. If it is 3, spraying is dangerous. If it is 0 (disabled) or high, you can spray safely. Always check the policy before attacking authentication.

