From 57f80bd46023ae3b8eac2e21dfe0ca9d5aa00675 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Fri, 10 Apr 2026 02:14:03 +0200 Subject: [PATCH] more info and cleanup --- .../Active Directory/AD Enumeration.md | 98 ++++++++++++++----- Forensics/Windows Event Logs.md | 7 +- 2 files changed, 81 insertions(+), 24 deletions(-) diff --git a/Cryptography/Active Directory/AD Enumeration.md b/Cryptography/Active Directory/AD Enumeration.md index ab48b1f..7198ba9 100644 --- a/Cryptography/Active Directory/AD Enumeration.md +++ b/Cryptography/Active Directory/AD Enumeration.md 
@@ -29,57 +29,111 @@ dir \\%HOSTNAME%\SYSVOL\ * `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features * Start enumerating via click on the domain object in the tree on the left * Take a look at `People` directory -> right click on them to see properties - * Change or create user or change groups - * Also use `MMC` to enumerate + * Change or create user or change groups + * Also use `MMC` to enumerate ## CMD enumeration -Execute from domain joined machine +Execute the following commands from any domain joined machine after inital access has been done. + +Specific user -* Users -```sh -net user /domain -``` -* Specific user ```sh net user /domain ``` -* Groups + +Accounts & Groups + ```sh +net user /domain net group /domain ``` -* Specific group + +Specific groups like admins + ```sh net group /domain +net group "Domain Admins" /domain +net group "Enterprise Admins" /domain ``` -* Password Policy via accounts + +For local admin accounts: + +```sh +net localgroup administrators +``` + +Password Policy via accounts + ```sh net accounts /domain ``` +Machines on the network: + +```sh +net view +``` + +Shares on specific remote systems: + +```sh +net view \$SERVER_NAME /all +``` + +Domain/Trust, which is domain controllers in the current env first and further +trusted domains: + +```sh +nltest /dclist:domain +nltest /domain_trust +``` + ## Powershell Cmdlets -* User details via +User details via: + ```sh - Get-ADUser -Identity -Server -Properties * +Get-ADUser -Filter * +Get-ADUser -Identity -Server -Properties * ``` -* Groups + +Groups: + ```sh -Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties * +Get-ADGroup -Identity Administrators -Server exampleDC.com 
-Properties * ``` -* Group membership + +Group membership: + ```sh Get-ADGroupMember -Identity Administrators -Server exampleDC.com ``` -* Generic AD objects + +Admin group members: + ```sh -Get-ADObject -Filter -includeDeletedObjects -Server exampleDC.com +Get-ADGroupMember "Domain Admins" +``` + +Generic AD objects: + +```sh +Get-ADObject -Filter -includeDeletedObjects -Server exampleDC.com Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com ``` -* Domains + +Domains: + ```sh Get-ADDomain -Server exampleDC.com -``` +``` + +All Computer accounts which joined the domain: + +```sh +Get-ADComputer -Filter * +``` ## Sharphound and Bloodhound @@ -89,7 +143,7 @@ Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com * Sharphound.ps1 * sharphound.exe * Azurehound.ps1 - + * For example ```sh Sharphound.exe --CollectionMethods --Domain example.com --ExcludeDCs @@ -112,7 +166,7 @@ bloodhound --no-sandbox ## LDAP -## PowerView +## PowerView Registered Machines in the domain diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index 6259777..a2b5041 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -80,6 +80,8 @@ The `Logon ID` is the session identifier. * **4624**: Successful logon/login, Session created on target resource * **4625**: Failed logon/login * **4634** and **4647**: Logoff +* **4648**: Login Using Explicit Credentials (e.g. from another user through + `net use /user:`) * **4779**: Session disconnect ### Active Directory Objects @@ -92,10 +94,10 @@ The `Logon ID` is the session identifier. ### Logon Types * **2**: Interactive -* **3**: Network +* **3**: Network (e.g. SMB, PsExec) * **4**: Batch * **5**: Service -* **7**: Unlock +* **7**: Unlock, when Session is already established in some other way * **10**: RDP ### Scheduled Tasks 
@@ -111,6 +113,7 @@ The `Logon ID` is the session identifier. ### System * **7045**: Service installation +* **17**: Service creates named pipes for stdin, stdout and stderr ### Security
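Review bot: in the `@@ -29,57 +29,111 @@` hunk of `AD Enumeration.md`, the share-enumeration command is mangled: `net view \$SERVER_NAME /all` needs a UNC path with two leading backslashes (`net view \\$SERVER_NAME /all`), and inside a fenced block the `$` needs no escaping at all. In the same hunk `nltest /domain_trust` is not a valid switch; the command is `nltest /domain_trusts`. The new intro sentence has `inital` for `initial`. The carried-over lines `Get-ADUser -Identity -Server -Properties *` and `Get-ADObject -Filter -includeDeletedObjects -Server exampleDC.com` still lack their argument values, so anyone pasting them gets a missing-argument error; placeholders such as `<user>`, `<server>` and a quoted filter string would make them copyable. Finally, the "Specific user" block shows `net user /domain` without a user name, which lists every account and duplicates the "Accounts & Groups" block that follows.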
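Review bot: the new `4648` entry in the `@@ -80,6 +80,8 @@` hunk should say where the event is recorded: 4648 ("A logon was attempted using explicit credentials") is written on the host where the credentials are supplied, so for `net use /user:` it lands on the source machine and pairs with a 4624 (typically logon type 3) on the target. Without that, a reader may look for it on the wrong system. `runas /user:` is the other common generator worth naming next to `net use`.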
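Review bot: in the `@@ -92,10 +94,10 @@` hunk, `Unlock, when Session is already established in some other way` is vague; logon type 7 means a locked workstation with an existing interactive session was unlocked, so `Unlock of an existing interactive session (workstation unlock)` states it precisely and removes the stray capital in `Session`. The `(e.g. SMB, PsExec)` addition for type 3 is useful; since PsExec also produces the 7045 service installation listed under `### System`, it is worth saying that the type 3 logon plus 7045 is the pair an analyst correlates.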
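Review bot: in the `@@ -111,6 +113,7 @@` hunk, `* **17**: Service creates named pipes for stdin, stdout and stderr` is filed under `### System`, but Event ID 17 (Pipe Created) is a Sysmon event in the `Microsoft-Windows-Sysmon/Operational` log, not a Windows System-log event, so it does not belong beside 7045. Move it to a Sysmon subsection or label it `Sysmon 17`, note that it only exists where Sysmon is installed with a pipe-event rule, and mention its companion ID 18 (Pipe Connected). The stdin/stdout/stderr description fits PsExec-style services specifically; the event itself fires for any named pipe, so phrase it as an example rather than the definition.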