Windows Environment Mapping


Windows Users-Related Functions

  • whoami: username
  • whoami /groups: current user groups
  • whoami /priv: current user privileges
  • Get-LocalGroup or net localgroup: list groups
  • Get-LocalUser: list users
  • net user username: info about a user
  • net localgroup users: list users in the group "users"
  • net localgroup administrators: list local administrators
  • qwinsta: currently logged-on users (sessions)

Windows Security-Related Functions

  • Get-MpComputerStatus: Windows defender status
  • sc query windefend: Windows defender status
  • wmic qfe or Get-HotFix | ft -AutoSize: installed hotfixes
  • netsh advfirewall show allprofiles: firewall policy for each profile (domain, private, public)
  • List all AppLocker rules, or test whether a given user may run a given program:
PS> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
PS> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
  • UAC status (is UAC enabled, and how administrators are prompted):
PS> reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
PS> reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
  • net accounts: password and lockout policy, for example:
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
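As an added example (not part of the original notes), a small PowerShell helper that parses the `net accounts` output above and flags the settings a defender would want fixed; the baseline thresholds are my own assumptions for illustration.

```powershell
# Added example (not part of the original notes): parse `net accounts` output and flag
# weak settings. The baseline thresholds are assumptions chosen for illustration.

function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        # Each setting is "<label>:<padding><value>". Split on the last colon so a
        # label that itself contains punctuation ("...expires?:") parses correctly.
        $i = $line.LastIndexOf(':')
        if ($i -lt 1) { continue }   # skips "The command completed successfully."
        $policy[$line.Substring(0, $i).Trim()] = $line.Substring($i + 1).Trim()
    }
    return $policy
}

function Test-NetAccountsPolicy {
    param([hashtable]$Policy)
    $findings = @()
    $minLen = [int]($Policy['Minimum password length'])
    if ($minLen -lt 14) { $findings += "Minimum password length is $minLen (baseline: 14)" }
    $threshold = $Policy['Lockout threshold']
    if ($threshold -eq 'Never') {
        $findings += 'Lockout threshold is Never: online password guessing is not throttled'
    } elseif ([int]$threshold -gt 10) {
        $findings += "Lockout threshold is $threshold attempts (baseline: 10 or fewer)"
    }
    if ($Policy['Length of password history maintained'] -eq 'None') {
        $findings += 'No password history: users can immediately reuse old passwords'
    }
    if ([int]($Policy['Minimum password age (days)']) -eq 0) {
        $findings += 'Minimum password age is 0: any password history can be cycled through at once'
    }
    return $findings
}

# Constructed sample matching the output shown above. For a live check, run:
#   Test-NetAccountsPolicy (ConvertFrom-NetAccounts (net accounts))
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
'@ -split "`r?`n"

Test-NetAccountsPolicy (ConvertFrom-NetAccounts $sample) | ForEach-Object { "[WEAK] $_" }
```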

Windows Machine-Related Functions

  • ver (cmd-only): see Windows version
  • [environment]::OSVersion.Version (powershell): see Windows version
  • systeminfo: info about the system (OS+Product+System info...)
  • hostname: the host name, which often hints at the machine's role (e.g., website-dev)
  • netstat: see active network connections
  • netstat -ano: list connections
  • ipconfig /all, arp -a, and route print
  • ls Env: or set: see environment variables
  • wmic product get name,version,vendor: list software installed using "normal" means, e.g., using the OS
  • tasklist /svc: list running processes
  • query user: list logged users
  • Refer to wmic commands.

Windows Active Directory-Related Functions

Enumeration (these net commands are often monitored, and they do not necessarily return all results)

  • net groups /domain: list domain groups
  • net group "Domain Admins" /dom: list domain administrators
  • net accounts /domain: password policy
  • net share: list shares
  • net user /domain: list all users within a domain
  • net user "username" /domain: query information about a specific user

Utilities

  • %logonserver%: domain controller name
  • %USERDOMAIN%/$Env:USERDOMAIN: active directory domain name
  • nltest /dsgetdc:<domain_name>: domain controller information
  • wmic ntdomain: domain and domain controller information

The ActiveDirectory PowerShell module may already be available, or we may be able to install it (it ships with RSAT).

PS> Import-Module ActiveDirectory
PS> # From a workstation outside the domain, add -Server "example.com" to the cmdlets below
PS> Get-ADDomain                                     # List domain information
PS> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName   # Accounts with an SPN set
PS> Get-ADUser -Filter 'Name -like "*xxx"' -Properties ServicePrincipalName
PS> Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl          # Bit 128: password stored with reversible encryption
PS> Get-ADUser -Identity username [...]
PS> Get-ADTrust -Filter *                            # List domain trusts
PS> Get-ADGroup -Filter * | select name              # List groups
PS> Get-ADGroup -Identity "Backup Operators"         # Group details
PS> Get-ADGroup -Identity "XXX" -Properties * | Select -ExpandProperty Members   # Members (DNs) of a group
PS> Get-ADGroupMember -Identity "Backup Operators"   # Group members
PS> Get-ADObject -Filter 'badPwdCount -gt 0' -IncludeDeletedObjects # Search objects, deleted ones included

The tool dsquery may be available. It must be run in an elevated prompt. Refer to LDAP Filters to find specific accounts.

PS> dsquery user
PS> dsquery computer
PS> dsquery * "CN=Users,DC=example,DC=com"
PS> dsquery * -filter "..."
PS> dsquery * -filter "..." -attr [...]
PS> dsquery * -filter "..." -attr a b -limit 5
PS> dsquery [...] | dsget user -desc

You can use PowerView or SharpView:

PS> Get-DomainUser -Identity username -Domain example.com
PS> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
PS> Get-DomainTrustMapping
PS> Test-AdminAccess -ComputerName TARGET_HOST
PS> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
PS> .\SharpView.exe Get-DomainUser -Identity username

You can use BloodHound to collect and analyze the data.

You can use Microsoft Management Console to browse AD objects as if you were on the domain controller, and possibly edit them too.

Refer to LAPS to enumerate for accounts related to LAPS.


Microsoft Management Console (MMC)


Microsoft Management Console (MMC) is always installed on Windows hosts, while the AD snap-ins may not be. It is used to let some employees browse and edit objects such as users.

To open it: Windows + R and enter MMC.

See also: Remote Server Administration Tools (RSAT).

Installing The Snap-Ins

These steps assume you are using your own machine as an administrator.

On Windows 11 Pro, open optional features using the search bar. Click on view features and install RSAT: Active Directory Domain Services and Lightweight Directory Tools.

Click File -> Add/Remove Snap-in to add all three AD snap-ins. Configure each one using Change Forest/Domain and set the domain (or root domain) to the target domain.

Using Microsoft Management Console (MMC)

A few random notes:

  • Click on View -> Advanced Features to view all objects/attributes
  • Click on Active Directory Users and Computers to view all OUs