Red Team Codex
Active Directory Enumeration

User Enumeration

This page details the techniques and commands used to enumerate domain users and their properties in Active Directory, using three tool families: the built-in net.exe, PowerView's Get-DomainUser, and the [ADSISearcher] type accelerator (System.DirectoryServices), which needs no extra module.

Enumerate single user (net.exe)

C:\> net user maurice.moss /domain

Enumerate all users (net.exe)

C:\> net user /domain

Enumerate single user (PowerView)

PS C:\> Get-DomainUser Mero.Vingian

Enumerate all users (PowerView)

PS C:\> Get-DomainUser

Enumerate all users with specific properties (PowerView)

PS C:\> Get-DomainUser -properties samaccountname,logoncount,admincount | ft

Enumerate all users with a Service Principal Name (SPN) (PowerView)

PS C:\> Get-DomainUser -SPN

Enumerate single user (ADSISearcher)

PS C:\> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368)(samaccountname=maurice.moss))").FindAll().Properties

Enumerate all users (ADSISearcher)

PS C:\> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368))").FindAll()|ft

Enumerate all users returning specific properties (ADSISearcher)

PS C:\> ([ADSISearcher]"(&(objectClass=user)(samAccountType=805306368))").FindAll() | %{ $_.Properties["samaccountname"] }

Enumerate all users with a Service Principal Name (SPN) (ADSISearcher)

PS C:\> ([ADSISearcher]"(&(objectClass=user)(servicePrincipalName=*)(samAccountType=805306368))").FindAll()
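The [ADSISearcher] one-liners above return raw ResultPropertyCollection objects, which are awkward to read and, when unpaged, are silently truncated at the domain controller's MaxPageSize (1000 objects by default). The following is an added example, not code from Red Team Codex: one function that wraps the same LDAP filters shown on this page, adds server-side paging, requests only the attributes you ask for, and unwraps the per-attribute value collections into ordinary objects. The function name Get-RtcDomainUser and its parameter names are my own; it relies only on System.DirectoryServices, which ships with Windows PowerShell on any domain-joined host, so PowerView is not required.

```powershell
# Added example, not part of Red Team Codex: a reusable wrapper around the
# [ADSISearcher] one-liners on this page. Get-RtcDomainUser and its parameter
# names are my own choices. Needs only System.DirectoryServices; no PowerView.
function Get-RtcDomainUser {
    [CmdletBinding()]
    param(
        # sAMAccountName to look up. LDAP wildcards are passed through, so the
        # default '*' returns every user account. The value is interpolated
        # into the filter unescaped, which is fine for interactive use.
        [string]$Identity = '*',

        # Restrict the result to accounts with at least one SPN set.
        [switch]$SPN,

        # Attributes to request. Asking only for what you need keeps the query
        # cheap for the domain controller and the output readable.
        [string[]]$Properties = @(
            'samaccountname', 'logoncount', 'admincount',
            'serviceprincipalname', 'pwdlastset', 'useraccountcontrol'
        )
    )

    # samAccountType 805306368 is SAM_NORMAL_USER_ACCOUNT; it excludes computer
    # accounts, which are also objectClass=user.
    $filter = "(&(objectClass=user)(samAccountType=805306368)(samAccountName=$Identity)"
    if ($SPN) { $filter += '(servicePrincipalName=*)' }
    $filter += ')'

    $searcher = [ADSISearcher]$filter
    # Without PageSize the DC stops at its MaxPageSize (1000 by default) and
    # the remaining objects are never returned.
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.Clear()
    $searcher.PropertiesToLoad.AddRange($Properties)

    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($result in $results) {
            # Every entry in ResultPropertyCollection is a collection, even for
            # single-valued attributes; unwrap them into a plain object.
            $obj = [ordered]@{}
            foreach ($name in $Properties) {
                $values = $result.Properties[$name]
                if ($null -eq $values -or $values.Count -eq 0) { $obj[$name] = $null }
                elseif ($values.Count -eq 1)                    { $obj[$name] = $values[0] }
                else                                            { $obj[$name] = @($values) }
            }
            # pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC);
            # 0 means the password was never set, so leave that as-is.
            if ($obj.Contains('pwdlastset') -and $obj['pwdlastset']) {
                $obj['pwdlastset'] = [datetime]::FromFileTimeUtc([int64]$obj['pwdlastset'])
            }
            [pscustomobject]$obj
        }
    }
    finally {
        # SearchResultCollection wraps an unmanaged handle; always release it.
        if ($null -ne $results) { $results.Dispose() }
        $searcher.Dispose()
    }
}

# Usage, matching the page's one-liners:
#   Get-RtcDomainUser maurice.moss
#   Get-RtcDomainUser | Format-Table samaccountname, logoncount, admincount
#   Get-RtcDomainUser -SPN | Format-Table samaccountname, serviceprincipalname, admincount
```

Each call is an ordinary LDAP search against a domain controller, so from the monitoring side these queries are visible in LDAP telemetry; the (servicePrincipalName=*) filter in particular is a useful one to baseline, since it is the signature of an SPN sweep regardless of which of the three tool families issues it.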


Last updated 4 years ago
