more info and cleanup

This commit is contained in:
gurkenhabicht 2026-04-10 02:14:03 +02:00
parent d69f8dc1bb
commit 57f80bd460
2 changed files with 81 additions and 24 deletions

View File

@ -29,57 +29,111 @@ dir \\%HOSTNAME%\SYSVOL\
* `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features * `Win` + `r` -> `MMC` -> File -> Add/Remove Snap-in -> add 3 AD feature snap-ins -> right click `Active Directory Sites and Services` -> `Change Forest` -> Add root domain -> right click `Active Directory Users and Computers` -> Change Domain -> enter root domain -> right click `Active Directory Users and Computers ` -> View -> Advanced Features
* Start enumerating via click on the domain object in the tree on the left * Start enumerating via click on the domain object in the tree on the left
* Take a look at `People` directory -> right click on them to see properties * Take a look at `People` directory -> right click on them to see properties
* Change or create user or change groups * Change or create user or change groups
* Also use `MMC` to enumerate * Also use `MMC` to enumerate
## CMD enumeration ## CMD enumeration
Execute from domain joined machine Execute the following commands from any domain joined machine after inital access has been done.
Specific user
* Users
```sh
net user /domain
```
* Specific user
```sh ```sh
net user <username> /domain net user <username> /domain
``` ```
* Groups
Accounts & Groups
```sh ```sh
net user /domain
net group /domain net group /domain
``` ```
* Specific group
Specific groups like admins
```sh ```sh
net group <groupname> /domain net group <groupname> /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
``` ```
* Password Policy via accounts
For local admin accounts:
```sh
net localgroup administrators
```
Password Policy via accounts
```sh ```sh
net accounts /domain net accounts /domain
``` ```
Machines on the network:
```sh
net view
```
Shares on specific remote systems:
```sh
net view \$SERVER_NAME /all
```
Domain/Trust, which is domain controllers in the current env first and further
trusted domains:
```sh
nltest /dclist:domain
nltest /domain_trust
```
## Powershell Cmdlets ## Powershell Cmdlets
* User details via User details via:
```sh ```sh
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties * Get-ADUser -Filter *
Get-ADUser -Identity <username> -Server <fqdn/or/DCdomain> -Properties *
``` ```
* Groups
Groups:
```sh ```sh
Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties * Get-ADGroup -Identity Administrators -Server exampleDC.com -Properties *
``` ```
* Group membership
Group membership:
```sh ```sh
Get-ADGroupMember -Identity Administrators -Server exampleDC.com Get-ADGroupMember -Identity Administrators -Server exampleDC.com
``` ```
* Generic AD objects
Admin group members:
```sh ```sh
Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com Get-ADGroupMember "Domain Admins"
```
Generic AD objects:
```sh
Get-ADObject -Filter <filterstuff> -includeDeletedObjects -Server exampleDC.com
Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
``` ```
* Domains
Domains:
```sh ```sh
Get-ADDomain -Server exampleDC.com Get-ADDomain -Server exampleDC.com
``` ```
All Computer accounts which joined the domain:
```sh
Get-ADComputer -Filter *
```
## Sharphound and Bloodhound ## Sharphound and Bloodhound
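Review bot: two of the commands added in this hunk will not run as written. `nltest /domain_trust` should be `nltest /domain_trusts` (the switch is plural), and `net view \$SERVER_NAME /all` drops one backslash and uses a POSIX-style variable inside a cmd.exe line; `net view` takes a UNC name, so write `net view \\<server> /all` to match the `<placeholder>` convention the other blocks use (the same applies to `nltest /dclist:domain`, where `domain` would be taken literally, so `/dclist:<domain>`). Smaller points: "inital" in the new intro sentence, the new section labels are inconsistent (some end with a colon, some do not), and every fence is tagged `sh` although the blocks are cmd.exe and PowerShell; tagging them `cmd` and `powershell` would stop readers from pasting them into a Unix shell.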
@ -89,7 +143,7 @@ Get-ADObject -Filter 'badPwdCount -gt 0' -Server exampleDC.com
* Sharphound.ps1 * Sharphound.ps1
* sharphound.exe * sharphound.exe
* Azurehound.ps1 * Azurehound.ps1
* For example * For example
```sh ```sh
Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs Sharphound.exe --CollectionMethods <Default/Session/All> --Domain example.com --ExcludeDCs
@ -112,7 +166,7 @@ bloodhound --no-sandbox
## LDAP ## LDAP
## PowerView ## PowerView
Registered Machines in the domain Registered Machines in the domain

View File

@ -80,6 +80,8 @@ The `Logon ID` is the session identifier.
* **4624**: Successful logon/login, Session created on target resource * **4624**: Successful logon/login, Session created on target resource
* **4625**: Failed logon/login * **4625**: Failed logon/login
* **4634** and **4647**: Logoff * **4634** and **4647**: Logoff
* **4648**: Login Using Explicit Credentials (e.g. from another user through
`net use /user:`)
* **4779**: Session disconnect * **4779**: Session disconnect
### Active Directory Objects ### Active Directory Objects
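Review bot: the new 4648 entry should say where the event lands, because that is what makes it useful: 4648 is written on the host where the explicit credentials are supplied (the source of the `net use /user:` or `runas /user:`), while the resulting 4624 appears on the target, so pairing the two by account and time shows the direction of the access. Also "Login" is inconsistent with the "logon" wording used in the neighbouring entries.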
@ -92,10 +94,10 @@ The `Logon ID` is the session identifier.
### Logon Types ### Logon Types
* **2**: Interactive * **2**: Interactive
* **3**: Network * **3**: Network (e.g. SMB, PsExec)
* **4**: Batch * **4**: Batch
* **5**: Service * **5**: Service
* **7**: Unlock * **7**: Unlock, when Session is already established in some other way
* **10**: RDP * **10**: RDP
### Scheduled Tasks ### Scheduled Tasks
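Review bot: the new type 7 wording ("when Session is already established in some other way") is vague; type 7 is logged when an existing, locked interactive session is unlocked, so "Unlock of an existing interactive session" states it precisely. Since the file now documents 4648 for explicit credentials, type 9 (NewCredentials, produced by `runas /netonly`) is worth adding to this list, and the PsExec example given for type 3 also produces the 7045 service installation listed under System, which deserves a cross-reference.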
@ -111,6 +113,7 @@ The `Logon ID` is the session identifier.
### System ### System
* **7045**: Service installation * **7045**: Service installation
* **17**: Service creates named pipes for stdin, stdout and stderr
### Security ### Security
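Review bot: event ID 17 does not belong under `### System` beside 7045: it is Sysmon's Pipe Created event (PipeEvent), logged to Microsoft-Windows-Sysmon/Operational and only present where Sysmon is installed. The description is also narrower than the event itself: ID 17 fires for any named pipe creation, and the stdin/stdout/stderr naming describes the PSEXESVC pipes PsExec creates, so state that as the detection pattern rather than as the meaning of the event, and either move the line under a Sysmon heading or name the log channel on the line.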