Overview
A summary of the AD enumeration content
I will attempt to be flexible and offer as many alternatives as possible when it comes to operational tradecraft. In each of the sections within the RT Codex, I will list where I can the different techniques / commands to achieve the same goal.
When enumerating Domain objects, we have a myriad of options and techniques to do this, but certain techniques may be required in your specific scenario.
For example, It is entirely possible, from experience, during an engagement that certain techniques such as powershell.exe / cmd.exe / net.exe are off the table due to whatever detection / protection may be in place, therefore as operators we need alternatives.
The data should mostly be split up into pivot tables like below where possible.
Windows
PowerView
.NET
Native PowerShell
C:\> echo %USERDNSDOMAIN%
PS C:\> Get-Domain
System.Environment.UserDomainName
PS C:\> Get-ADDomain
Copy link