PowerShell Domain Enumeration

Enumerate All Users

$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = "(&(objectclass=user))"
$Searcher.SearchRoot = ''
$Searcher.FindAll()

Enumerate All Domain-Joined Machines

$Searcher = New-Object DirectoryServices.DirectorySearcher
$Searcher.Filter = "(&(objectclass=computer))"
$Searcher.SearchRoot = ''
$Searcher.FindAll()

Addendum For Line 2 To Add SPN

$Searcher.Filter = " (&(!(samaccountname=krbtgt))(objectclass=user)(objectcategory=user)(servicePrincipalName=*))"

Enumerate Domain Trusts

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

PreviousClient Side Attacks NextRoasting

Last updated 3 years ago