more info and cleanup

Cryptography/Active Directory/AD Enumeration.md

@@ -34,53 +34,107 @@ dir \\%HOSTNAME%\SYSVOL\
 
 ## CMD enumeration
 
-Execute from domain joined machine
+Execute the following commands from any domain joined machine after inital access has been done.
+
+Specific user
 
-* Users
-```sh
-net user /domain
-```
-* Specific user
 ```sh
 net user <username> /domain
 ```
-* Groups
+
+Accounts & Groups
+
 ```sh
+net user /domain
 net group /domain
 ```
-* Specific group
+
+Specific groups like admins
+
 ```sh
 net group <groupname> /domain
+net group "Domain Admins" /domain
+net group "Enterprise Admins" /domain
 ```
-* Password Policy via accounts
+
+For local admin accounts:
+
+```sh
+net localgroup administrators
+```
+
+Password Policy via accounts
+
 ```sh
 net accounts /domain
 ```
 
+Machines on the network:
+
+```sh
+net view
+```
+
+Shares on specific remote systems:
+
+```sh
+net view \$SERVER_NAME /all
+```
+
+Domain/Trust, which is domain controllers in the current env first and further
+trusted domains:
+
+```sh
+nltest /dclist:domain
+nltest /domain_trust
+```
+
 ## Powershell Cmdlets
 
-* User details via
+User details via:
+
 ```sh
- Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
+Get-ADUser -Filter *
+Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
 ```
-* Groups
+
+Groups:
+
 ```sh
 Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
 ```
-* Group membership
+
+Group membership:
+
 ```sh
 Get-ADGroupMember -Identity Administrators -Server exampleDC.com
 ```
-* Generic AD objects
+
+Admin group members:
+
+```sh
+Get-ADGroupMember "Domain Admins"
+```
+
+Generic AD objects:
+
 ```sh
 Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com
 Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
 ```
-* Domains
+
+Domains:
+
 ```sh
  Get-ADDomain -Server exampleDC.com
 ```
 
+All Computer accounts which joined the domain:
+
+```sh
+Get-ADComputer -Filter *
+```
+
 ## Sharphound and Bloodhound
 
 * [BloodHound documentation](https://bloodhound.readthedocs.io/en/latest/index.html#)

Forensics/Windows Event Logs.md

@@ -80,6 +80,8 @@ The `Logon ID` is the session identifier.
 * **4624**: Successful logon/login, Session created on target resource
 * **4625**: Failed logon/login
 * **4634** and **4647**: Logoff
+* **4648**: Login Using Explicit Credentials (e.g. from another user through
+  `net use /user:`)
 * **4779**: Session disconnect
 
 ### Active Directory Objects
@@ -92,10 +94,10 @@ The `Logon ID` is the session identifier.
 ### Logon Types
 
 * **2**: Interactive
-* **3**: Network
+* **3**: Network (e.g. SMB, PsExec)
 * **4**: Batch
 * **5**: Service
-* **7**: Unlock
+* **7**: Unlock, when Session is already established in some other way
 * **10**: RDP
 
 ### Scheduled Tasks
@@ -111,6 +113,7 @@ The `Logon ID` is the session identifier.
 ### System
 
 * **7045**: Service installation
+* **17**: Service creates named pipes for stdin, stdout and stderr
 
 ### Security