redttps

Enumerating AD with ADSI

Description

ADSI (Active Directory Service Interfaces) is a set of COM interfaces provided by Windows that allows scripts or programs to interact with Active Directory. Red teams and attackers can use ADSI in PowerShell or VBScript to query domain objects (users, groups, computers, OUs) without importing any external tools, making it stealthy and effective.


Domain Enumeration Using PowerShell

  1. List DCs:
    2. ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).DomainControllers | ForEach-Object { $_.Name }
  2. List DCs 2:
    3. ([adsisearcher]'(&(objectCategory=computer)(primaryGroupID=516))').FindAll()
  3. Get information about a user:
    4. $userSearcher = [System.DirectoryServices.DirectorySearcher]'(&(objectClass=user)(sAMAccountName='Username'))'
$userSearcher.FindOne().Properties
  4. List groups:
    5. ([ADSISearcher]"(&(ObjectClass=group))").FindAll() | ForEach-Object { $_.Properties['member'] | ForEach-Object { $_ } }
  5. Show members of a group:
    6. ([ADSISearcher]"(&(ObjectClass=group)(sAMAccountName='GroupName'))").FindOne().Properties['member'] | ForEach-Object { $_ }
  6. Show which groups a user belongs to:
    7. ([ADSISearcher]"(&(ObjectClass=user)(sAMAccountName='Username'))").FindOne().Properties['memberOf'] | ForEach-Object { $_ }
  7. List all computers in the domain:
    8. ([ADSISearcher]"ObjectClass=computer").FindAll() | ForEach-Object { $_.Properties['name'][0] }
  8. Returns information about a computer:
    9. ([ADSISearcher]"(&(ObjectClass=computer)(ObjectCategory=computer)(cn='Computer Name'))").FindOne().Properties
  9. Lists and returns information about the OUs (Organizational Units):
    10. ([ADSISearcher]"ObjectClass=organizationalUnit").FindAll() | ForEach-Object { $_.Properties }
  10. Returns information about GPOs (Group Policy Objects):
    11. ([ADSISearcher]"ObjectClass=groupPolicyContainer").FindAll() | ForEach-Object { $_.Properties }
  11. Enumerates all users in the domain:
    12. ([ADSISearcher]"ObjectClass=user").FindAll() | ForEach-Object { $_.Properties['sAMAccountName'][0] }
  12. Returns users who are members of protected groups:
    13. ([adsisearcher]'(&(objectClass=user)(adminCount=1))').FindAll()
  13. Returns accounts configured with Unconstrained Delegation:
    14. ([adsisearcher]'(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=524288))').FindAll()
  14. Enumerates all ACLs:
    15. $ADSI=[ADSI]"LDAP://DC=dominio,DC=com"
$ADSI.psbase.get_ObjectSecurity().getAccessRules($true, $true,[system.security.principal.NtAccount])