CheatSheet

Windows Active Directory Enumeration

Enumeration and privilege escalation techniques for Windows Active Directory.

Local Enumeration (Windows AD)

Users and Groups

Active Directory LDAP Script `function.ps1`

function LDAPSearch {
    param (
        [string]$LDAPQuery
    )

    # Bind to the PDC emulator of the current domain and its default naming context
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName

    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")

    # Run the supplied LDAP filter against that root and return every matching object
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)

    return $DirectorySearcher.FindAll()
}

Importing Script

Import-Module .\function.ps1

Users

$users = LDAPSearch -LDAPQuery "(objectClass=user)"
$users.properties.name
net user /domain

Domain Groups

foreach ($group in $(LDAPSearch -LDAPQuery "(objectCategory=group)")) {$group.properties | select {$_.cn}, {$_.member}}
net group /domain

Current User Group Membership

whoami /all
net user stephanie /domain

Enumerating Sales Department

$sales = foreach ($group in $(LDAPSearch -LDAPQuery "(&(objectCategory=group)(name=Sales Department))")) {$group.properties}
$sales | format-table -wrap

Enumerating Group ACLs (PowerView Get-ObjectAcl)

Get-ObjectAcl -Identity "Sales Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

Administrators Group Members

$admin = foreach ($group in $(LDAPSearch -LDAPQuery "(&(objectCategory=group)(name=*Admin*))")) {$group.properties | select {$_.cn}, {$_.member}}
$admin | format-table -wrap
net group "Domain Admins" /domain
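The helper above binds once per query and returns raw SearchResult objects that you then pick apart with `.properties`. The following is an added example, not code from the original cheat sheet: it keeps the same binding approach (PDC emulator of the current domain, `[adsi]''` for the naming context) and assumes a domain-joined host, but adds paging, attribute selection and typed output, and shows how to ask the domain controller for nested group membership instead of only the direct `member` attribute. The names `Invoke-LdapQuery`, `Get-GroupMembers`, `-Filter`, `-Properties`, `-PageSize`, `-GroupName` and `-Nested` are this example's own.

```powershell
# Added example (not the cheat sheet's own code). Assumes a domain-joined host with
# the same domain context as the LDAPSearch helper. All function/parameter names
# here are this example's choices.
function Invoke-LdapQuery {
    param (
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('distinguishedname', 'cn', 'samaccountname', 'objectclass'),
        [int]$PageSize = 500
    )

    $pdc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $dn   = ([adsi]'').distinguishedName
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$pdc/$dn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)

    # Paging keeps large result sets from being truncated at the server's size limit,
    # and requesting only the attributes we need keeps each result small.
    $searcher.PageSize = $PageSize
    $searcher.PropertiesToLoad.AddRange($Properties)

    try {
        foreach ($result in $searcher.FindAll()) {
            $row = [ordered]@{}
            foreach ($p in $Properties) {
                # Copy the ResultPropertyValueCollection into a plain array; single-valued
                # attributes are unwrapped so they format as strings in a table.
                $values = @(foreach ($v in $result.Properties[$p]) { $v })
                $row[$p] = if ($values.Count -eq 1) { $values[0] } else { $values }
            }
            [pscustomobject]$row
        }
    }
    finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

# List the members of one group. With -Nested, the LDAP_MATCHING_RULE_IN_CHAIN rule
# (OID 1.2.840.113556.1.4.1941) makes the domain controller walk nested membership
# server-side, so users who reach the group only through another group are included;
# the 'member' attribute used on the page shows direct members only.
function Get-GroupMembers {
    param (
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$Nested
    )

    $group = Invoke-LdapQuery -Filter "(&(objectCategory=group)(cn=$GroupName))" `
                              -Properties @('distinguishedname', 'cn', 'member') |
             Select-Object -First 1
    if (-not $group) { return }
    $groupDn = $group.distinguishedname

    if ($Nested) {
        Invoke-LdapQuery -Filter "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))" `
                         -Properties @('samaccountname', 'distinguishedname') |
            ForEach-Object { [pscustomobject]@{ Group = $GroupName; Member = $_.samaccountname; Via = 'direct-or-nested' } }
    }
    else {
        foreach ($m in @($group.member)) {
            [pscustomobject]@{ Group = $GroupName; Member = $m; Via = 'direct' }
        }
    }
}

# Usage (the same queries as the cheat sheet, returned as objects):
#   (Invoke-LdapQuery -Filter '(objectClass=user)').samaccountname
#   Get-GroupMembers -GroupName 'Sales Department'
#   Get-GroupMembers -GroupName 'Domain Admins' -Nested | Format-Table -Wrap
```

Two caveats worth knowing when reviewing the output: `(objectClass=user)` also matches computer accounts, because `computer` derives from `user` in the AD schema, so use `(&(objectCategory=person)(objectClass=user))` when you want people only; and the `-Nested` form is the one to use when reviewing who effectively holds a privileged group, since a direct `member` listing misses anyone granted membership through an intermediate group.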

Current User Privileges

whoami /priv

System

System Information

systeminfo

Patch Information

Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }
wmic qfe get Description,HotFixID,InstalledOn | findstr /i "Security Update"

Network

Local Interfaces

ipconfig /all

Active Connections

netstat -aon

Applications

32bit Applications

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname,installlocation
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "DisplayName InstallLocation"

64bit Applications

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname,installlocation
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "DisplayName InstallLocation"

Software for Current User

Get-ItemProperty "HKCU:\SOFTWARE\*" | select displayname,installlocation
reg query "HKCU\SOFTWARE"

Software System Wide

Get-ItemProperty "HKLM:\SOFTWARE\*" | select displayname,installlocation
reg query "HKLM\SOFTWARE"

Processes

Running Processes

Get-Process
tasklist

Services

Running Services (with Binary Path)

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} | Format-Table -Wrap

Active Services

Get-Service | Format-Table -Wrap
sc.exe query state= active

List All Services

Get-CimInstance -ClassName Win32_Service | Select Name,StartMode,State,PathName | Format-Table -Wrap
sc.exe query state= all

Inactive Services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Stopped'} | Format-Table -Wrap
sc.exe query state= inactive

Scheduled Tasks

Listing Tasks with Paths

Get-ScheduledTask | Select-Object TaskName, @{Name='ExecutablePath'; Expression={$_.Actions.Execute}} | Format-Table -Wrap
schtasks /query /fo LIST /v

PowerShell Command History

Check History

Get-History

Get Path to History File from PSReadline

(Get-PSReadlineOption).HistorySavePath

Checking Credential Manager

List Stored Credentials

cmdkey /list

Searching Registry for Credentials

Query Local Machine Registry

reg query HKLM /f password /t REG_SZ /s

Query Current User Registry

reg query HKCU /f password /t REG_SZ /s

Query WinLogon Registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

Query SNMP Registry

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

Query PuTTY Registry

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
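The `reg query /f` searches above print every matching value, including the string data. When the goal is to locate plaintext secrets so they can be removed, it is more useful to record where they are without copying the data into your notes. The following is an added example, not code from the original cheat sheet: a PowerShell counterpart to `reg query HKCU /f password /t REG_SZ /s` that reports key, value name and where the keyword matched, and returns only the length of the data. The names `Find-RegistryKeyword`, `-Hive` and `-Keyword` are this example's own.

```powershell
# Added example (not the cheat sheet's own code). Function and parameter names are
# this example's choices; behaviour mirrors 'reg query <hive> /f <keyword> /t REG_SZ /s'
# except that string data is never emitted, only its length.
function Find-RegistryKeyword {
    param (
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKCU',
        [string]$Keyword = 'password'
    )

    $pattern = "*$Keyword*"
    Get-ChildItem -Path "${Hive}:\" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_

        # reg query /f also matches on the key name itself
        if ($key.PSChildName -like $pattern) {
            [pscustomobject]@{ Key = $key.Name; ValueName = ''; MatchedIn = 'KeyName'; DataLength = 0 }
        }

        foreach ($name in $key.GetValueNames()) {
            # Restrict to REG_SZ / REG_EXPAND_SZ, like '/t REG_SZ'; skip binary and DWORD data
            $kind = $key.GetValueKind($name)
            if ($kind -notin @('String', 'ExpandString')) { continue }

            $data    = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $nameHit = $name -like $pattern
            $dataHit = $data -like $pattern
            if (-not ($nameHit -or $dataHit)) { continue }

            [pscustomobject]@{
                Key        = $key.Name
                ValueName  = if ($name) { $name } else { '(Default)' }
                MatchedIn  = if ($nameHit -and $dataHit) { 'ValueName+Data' } elseif ($nameHit) { 'ValueName' } else { 'Data' }
                DataLength = $data.Length   # length only; the data itself is deliberately not returned
            }
        }
    }
}

# Usage:
#   Find-RegistryKeyword -Hive HKCU -Keyword password | Format-Table -Wrap
#   Find-RegistryKeyword -Hive HKLM -Keyword password | Export-Csv findings.csv -NoTypeInformation
```

Keys the current account cannot open are skipped silently by `-ErrorAction SilentlyContinue`, so a run as a standard user covers less of `HKLM` than the same run as an administrator; note which context produced a result set before comparing two of them.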

Interesting Files to Investigate

Looking for Unattended Windows Setup Files

Get-ChildItem -Path . -File -Recurse -Include *unattended.xml,*unattend.xml,attend.xml -ErrorAction SilentlyContinue

Directory Search (Any Files)

Get-ChildItem -Path . -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d 2>nul

Directory Search (Hidden Files Only)

Get-ChildItem -Path . -File -Recurse -ErrorAction SilentlyContinue -Hidden
dir /s /b /a:h-d 2>nul

Directory Search (Text Files)

Get-ChildItem -Path . -Include *.txt -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d *.txt 2>nul

Directory Search (Config Files)

Get-ChildItem -Path . -Include *.config -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d *.config 2>nul

Directory Search (Microsoft Office Suite Files)

Get-ChildItem -Path . -Include *.xls,*.xlsx,*.xlsm,*.xltx,*.xltm,*.doc,*.docx,*.docm,*.dotm,*.ppt,*.pptx,*.pptm,*.potx,*.potm,*.accdb,*.pst,*.oft -File -Recurse -ErrorAction SilentlyContinue
(for %E in (xls xlsx xlsm xltx xltm doc docx docm dotm ppt pptx pptm potx potm accdb pst oft) do @dir /s /b /a:-d *.%E 2>nul)

Directory Search (PDF Files)

Get-ChildItem -Path . -Include *.pdf -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d *.pdf 2>nul

Directory Search (xml Files)

Get-ChildItem -Path . -Include *.xml -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d *.xml 2>nul

Directory Search (ini Files)

Get-ChildItem -Path . -Include *.ini -File -Recurse -ErrorAction SilentlyContinue
dir /s /b /a:-d *.ini 2>nul

Directory Search (All Potential Programming Files)

Get-ChildItem -Path . -Include *.c,*.cpp,*.cc,*.cxx,*.h,*.hpp,*.hh,*.hxx,*.ino,*.cs,*.java,*.py,*.pyw,*.pyi,*.pyx,*.pxd,*.js,*.mjs,*.cjs,*.ts,*.tsx,*.php,*.phtml,*.php3,*.php4,*.php5,*.phps,*.rb,*.erb,*.pl,*.pm,*.t,*.pod,*.go,*.rs,*.swift,*.kt,*.kts,*.scala,*.sc,*.r,*.R,*.Rmd,*.jl,*.d,*.m,*.mm,*.f,*.for,*.f90,*.f95,*.pas,*.pp,*.dpr,*.adb,*.ads,*.asm,*.s,*.a51,*.html,*.htm,*.xhtml,*.css,*.scss,*.sass,*.less,*.ejs,*.mustache,*.hbs,*.twig,*.jinja,*.njk,*.md,*.markdown,*.rst,*.adoc,*.bat,*.cmd,*.ps1,*.psm1,*.psd1,*.sh,*.bash,*.zsh,*.vbs,*.vba,*.wsf,*.wsc,*.m,*.hs,*.lhs,*.erl,*.hrl,*.ex,*.exs,*.ml,*.mli,*.lisp,*.cl,*.el,*.scm,*.rkt,*.clj,*.cljs,*.cljc,*.edn,*.pro,*.cbl,*.cob,*.cpy,*.fs,*.fsi,*.fsx,*.m,*.prolog,*.sql,*.psql,*.dbml,*.json,*.json5,*.yaml,*.yml,*.toml,*.ini,*.cfg,*.conf,*.env,*.properties,*.cmake,*.mak,*.gradle -File -Recurse -ErrorAction SilentlyContinue
(for %E in (c cpp cc cxx h hpp hh hxx ino cs java py pyw pyi pyx pxd js mjs cjs ts tsx php phtml php3 php4 php5 phps rb erb pl pm t pod go rs swift kt kts scala sc r R Rmd jl d m mm f for f90 f95 pas pp dpr adb ads asm s a51 html htm xhtml css scss sass less ejs mustache hbs twig jinja njk md markdown rst adoc bat cmd ps1 psm1 psd1 sh bash zsh vbs vba wsf wsc m hs lhs erl hrl ex exs ml mli lisp cl el scm rkt clj cljs cljc edn pro cbl cob cpy fs fsi fsx m prolog sql psql dbml json json5 yaml yml toml ini cfg conf env properties cmake mak gradle) do @dir /s /b /a:-d *.%E 2>nul)
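Each of the directory searches above is the same `Get-ChildItem -Recurse` call with a different extension list, and the hidden-file variant uses `-Hidden`, which returns only hidden items rather than adding them to the normal listing. The following is an added example, not code from the original cheat sheet, that folds those one-liners into one function: it accepts an extension list or a named set (the sets repeat the page's own lists), filters on each file's `Extension` property instead of `-Include`, and uses `-Force` to include hidden and system files alongside the rest. The names `Find-FilesByExtension`, `$ExtensionSets`, `-Root`, `-Extensions`, `-Set` and `-IncludeHidden` are this example's own.

```powershell
# Added example (not the cheat sheet's own code). Names are this example's choices;
# the extension sets below are copied from the page's own searches.
$ExtensionSets = @{
    Config  = @('txt', 'config', 'xml', 'ini')
    Office  = @('xls', 'xlsx', 'xlsm', 'xltx', 'xltm', 'doc', 'docx', 'docm', 'dotm',
                'ppt', 'pptx', 'pptm', 'potx', 'potm', 'accdb', 'pst', 'oft')
    Scripts = @('ps1', 'psm1', 'psd1', 'bat', 'cmd', 'vbs', 'sh')
}

function Find-FilesByExtension {
    param (
        [string]$Root = '.',
        [string[]]$Extensions = @(),
        [ValidateSet('Config', 'Office', 'Scripts')][string]$Set,
        [switch]$IncludeHidden
    )

    if ($Set) { $Extensions += $ExtensionSets[$Set] }
    if (-not $Extensions) { throw 'Give -Extensions and/or -Set' }

    # Normalise 'xls', '.xls' and '*.xls' to '.xls' for a case-insensitive lookup,
    # which is what the FileInfo.Extension property will be compared against.
    $wanted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($e in $Extensions) { [void]$wanted.Add('.' + $e.TrimStart('*', '.')) }

    # -Force makes Get-ChildItem return hidden and system files in addition to normal
    # ones; the page's -Hidden switch returns *only* hidden files, a different view.
    $gci = @{ Path = $Root; File = $true; Recurse = $true; ErrorAction = 'SilentlyContinue' }
    if ($IncludeHidden) { $gci.Force = $true }

    Get-ChildItem @gci |
        Where-Object { $wanted.Contains($_.Extension) } |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'Hidden'; Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } }
}

# Usage:
#   Find-FilesByExtension -Set Office -IncludeHidden | Format-Table -Wrap
#   Find-FilesByExtension -Root C:\Users -Extensions config,xml,ini | Sort-Object LastWriteTime -Descending
```

Filtering on `Extension` after the fact avoids the `-Include` behaviour of only applying to the contents of directories when `-Recurse` is set, and `Sort-Object LastWriteTime` is a quick way to bring recently modified configuration files to the top of a long listing.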