Domain Enumeration in Active Directory
Comprehensive guide to Domain Enumeration techniques in Active Directory environments, including user, group, and computer enumeration, as well as advanced discovery methods.
Domain Enumeration Techniques
User Enumeration
Discover and list all user accounts in the Active Directory domain.
PowerView
ADExplorer
BloodHound
Group Enumeration
Identify and analyze all groups within the Active Directory structure.
net group
Get-ADGroup
ADSI Edit
Computer Enumeration
Locate and catalog all computer objects in the domain.
PowerView
Get-ADComputer
nmap
Domain Trust Enumeration
Map out trust relationships between domains and forests.
nltest
Get-ADTrust
PowerView
GPO Enumeration
Discover and analyze Group Policy Objects applied in the domain.
gpresult
Get-GPO
Group Policy Management Console
LDAP Querying
Use LDAP queries to extract detailed information from Active Directory.
ldapsearch
ADExplorer
PowerShell LDAP scripts
Service Principal Name (SPN) Enumeration
Identify service accounts and potential Kerberoasting targets.
SetSPN
Get-ADUser -Filter {ServicePrincipalName -ne "$null"}
Impacket GetUserSPNs.py
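The LDAP Querying and SPN Enumeration entries above both come down to one LDAP search for enabled user objects that carry a servicePrincipalName. The script below is an added example, not code from the page or from any of the listed tools; it uses plain ADSI (System.DirectoryServices) so it runs as any authenticated domain user without the RSAT module, and it reports the attributes that decide how useful a Kerberoasting target is: adminCount, password age, and msDS-SupportedEncryptionTypes (RC4 tickets crack far faster than AES). The parameter names and the 30-day cut-off in the usage line are assumptions.

```powershell
# Added example (not from the page): enumerate Kerberoastable user accounts with plain ADSI.
# Assumes it is run on a domain-joined host as an authenticated domain user.
function Get-KerberoastableAccount {
    [CmdletBinding()]
    param(
        [string]$SearchBase = '',      # e.g. 'DC=corp,DC=example,DC=com'; empty = current domain (assumed default)
        [int]$MinPasswordAgeDays = 0   # hide accounts whose password is younger than this many days
    )

    # 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule; userAccountControl bit 2 = ACCOUNTDISABLE.
    # krbtgt always has an SPN but its ticket is not a realistic cracking target, so it is excluded.
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
                  '(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=krbtgt)))'

    $root = if ($SearchBase) { [ADSI]"LDAP://$SearchBase" } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = $root
    $searcher.Filter      = $ldapFilter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000   # paged search; without it results stop at the server's 1000-entry limit
    foreach ($attr in 'sAMAccountName', 'servicePrincipalName', 'pwdLastSet', 'adminCount',
                      'msDS-SupportedEncryptionTypes', 'memberOf') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    # msDS-SupportedEncryptionTypes bit flags: 0x1/0x2 DES, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256
    $encNames = [ordered]@{ 0x1 = 'DES-CRC'; 0x2 = 'DES-MD5'; 0x4 = 'RC4'; 0x8 = 'AES128'; 0x10 = 'AES256' }
    $nowUtc = (Get-Date).ToUniversalTime()

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties   # keys are lower-case attribute names

        # pwdLastSet is a FILETIME; 0 means "must change at next logon"
        $pwdAge = -1
        if ($p['pwdlastset'].Count -and [int64]$p['pwdlastset'][0] -gt 0) {
            $pwdLastSet = [datetime]::FromFileTimeUtc([int64]$p['pwdlastset'][0])
            $pwdAge = [int]($nowUtc - $pwdLastSet).TotalDays
        }
        if ($pwdAge -lt $MinPasswordAgeDays) { continue }

        # If the attribute is not set the DC applies the domain default, which historically meant RC4 tickets.
        $encTypes = 'not set (domain default)'
        if ($p['msds-supportedencryptiontypes'].Count) {
            $v = [int]$p['msds-supportedencryptiontypes'][0]
            $encTypes = ($encNames.Keys | Where-Object { $v -band $_ } | ForEach-Object { $encNames[$_] }) -join ','
        }

        [pscustomobject]@{
            SamAccountName  = [string]$p['samaccountname'][0]
            AdminCount      = if ($p['admincount'].Count) { [int]$p['admincount'][0] } else { 0 }
            PasswordAgeDays = $pwdAge
            EncryptionTypes = $encTypes
            GroupCount      = $p['memberof'].Count          # direct group memberships only
            SPNs            = @($p['serviceprincipalname']) -join '; '
        }
    }
}

# Highest-value targets first: privileged (adminCount=1) accounts with old, RC4-capable passwords.
Get-KerberoastableAccount -MinPasswordAgeDays 30 |
    Sort-Object AdminCount, PasswordAgeDays -Descending |
    Format-Table SamAccountName, AdminCount, PasswordAgeDays, EncryptionTypes, SPNs -AutoSize
```

The same filter is what GetUserSPNs.py and PowerView's Get-DomainUser -SPN send over LDAP, so this is also the search to look for in DC LDAP query logging when you are on the defensive side.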
ACL Enumeration
Analyze Access Control Lists to identify misconfigurations and potential attack paths.
PowerView
BloodHound
ADACLScanner
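What BloodHound and ADACLScanner surface as attack paths are ordinary ACEs on directory objects. The function below is an added example, not code from the page or those tools; it walks the domain, OUs, groups, users, computers and GPO containers with the RSAT ActiveDirectory module's AD: drive and reports Allow ACEs that give control (GenericAll, WriteDacl, WriteOwner, WriteProperty or ExtendedRight on all attributes/rights, or the DCSync and force-password-reset extended rights) to principals outside an allow list of expected administrators. The allow list assumes a single-domain forest and is an assumption to adjust.

```powershell
# Added example (not from the page): report ACEs that hand control of AD objects to
# unexpected principals. Needs the RSAT ActiveDirectory module; directory read access
# (which any domain user normally has) is enough.
Import-Module ActiveDirectory

function Find-DangerousAce {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # default: the whole domain
        [switch]$IncludeInherited                                # inherited ACEs repeat on every child; off by default
    )

    $nb = (Get-ADDomain).NetBIOSName
    # Principals expected to hold control (assumption: single-domain forest). Anything else is a finding.
    $allow = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins",
               "$nb\Enterprise Admins", "$nb\Domain Controllers",
               'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

    $ADR = [System.DirectoryServices.ActiveDirectoryRights]
    $controlMask = [int]($ADR::GenericAll -bor $ADR::WriteDacl -bor $ADR::WriteOwner)
    $allGuid = [guid]::Empty   # ObjectType of all zeros means "every attribute / every extended right"

    # Extended rights that are dangerous on their own (well-known rightsGuid values)
    $extRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'      # DCSync needs both
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    }

    $ldap = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=group)' +
            '(objectClass=user)(objectClass=computer)(objectClass=groupPolicyContainer))'

    foreach ($obj in Get-ADObject -LDAPFilter $ldap -SearchBase $SearchBase -SearchScope Subtree) {
        # DNs containing '/' must be escaped for the AD: provider; that case is left out here.
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            $who = $ace.IdentityReference.Value
            if ($allow -contains $who) { continue }

            $r = [int]$ace.ActiveDirectoryRights
            $why = $null
            $hit = $r -band $controlMask
            if ($hit) {
                $why = ($hit -as $ADR).ToString()
            }
            elseif (($r -band [int]$ADR::WriteProperty) -and $ace.ObjectType -eq $allGuid) {
                $why = 'WriteProperty (all attributes)'
            }
            elseif ($r -band [int]$ADR::ExtendedRight) {
                $g = $ace.ObjectType.ToString()
                if ($ace.ObjectType -eq $allGuid) { $why = 'ExtendedRight (all)' }
                elseif ($extRights.ContainsKey($g)) { $why = $extRights[$g] }
            }
            if (-not $why) { continue }

            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Class     = $obj.ObjectClass
                Principal = $who
                Right     = $why
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-DangerousAce | Sort-Object Principal, Object | Format-Table -AutoSize
```

Expect BUILTIN\Account Operators (full control on user objects by default) and, where Exchange is installed, its security groups to appear in the output; those are real findings, not noise, and belong on the allow list only once the risk is accepted. Scanning every object is slow in a large domain, so start with -SearchBase on the OUs that hold tier-0 assets.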
DNS Record Enumeration
Discover and analyze DNS records associated with the Active Directory domain.
dnscmd
Get-DnsServerResourceRecord
nslookup
LAPS Enumeration
Enumerate Local Administrator Password Solution (LAPS) configurations and permissions.
Get-LAPSComputers
Find-AdmPwdExtendedRights
LAPSToolkit
Exchange Server Enumeration
Discover and analyze Exchange Server configurations within the domain.
Get-ExchangeServer
ExchangeRelayX
Ruler
Privileged Account Enumeration
Identify and catalog high-privilege accounts and groups in the domain.
PowerView
ADExplorer
PingCastle
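Group membership alone understates who is privileged: nested groups hide indirect members, and adminCount=1 marks accounts that SDProp once protected and that keep the protected ACL even after leaving the group. The function below is an added example, not code from the page or from PowerView or PingCastle; it flattens the default high-privilege groups with the RSAT ActiveDirectory module and merges the result with every adminCount=1 user and group. The group list is an assumption covering one domain's built-in groups.

```powershell
# Added example (not from the page): effective membership of privileged groups plus adminCount=1 principals.
Import-Module ActiveDirectory

function Get-PrivilegedPrincipal {
    [CmdletBinding()]
    param(
        # Default high-privilege groups of a single domain (assumption; add your own tier-0 groups)
        [string[]]$GroupNames = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                                  'Account Operators', 'Backup Operators', 'Server Operators',
                                  'Print Operators', 'DnsAdmins', 'Group Policy Creator Owners')
    )
    $bySid = @{}   # SID string -> one record per principal

    foreach ($name in $GroupNames) {
        # Enterprise/Schema Admins exist only in the forest root; DnsAdmins only where DNS is installed.
        $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)"
        if (-not $group) { continue }
        # -Recursive flattens nesting so indirect members are attributed to the top-level group.
        # Caveat: it errors on groups with more than 5000 members and on members from trusted forests.
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            $sid = $m.SID.Value
            if (-not $bySid.ContainsKey($sid)) {
                $bySid[$sid] = [pscustomobject]@{
                    Name       = $m.SamAccountName
                    Class      = $m.objectClass
                    Groups     = [System.Collections.Generic.List[string]]::new()
                    AdminCount = 0
                }
            }
            $bySid[$sid].Groups.Add($name)
        }
    }

    # SDProp stamps adminCount=1 on members of protected groups and never clears it, so accounts that
    # left those groups keep the AdminSDHolder ACL with inheritance blocked ("orphaned" adminCount).
    $protected = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
                              -Properties objectSid, sAMAccountName
    foreach ($o in $protected) {
        $sid = $o.objectSid.Value
        if ($bySid.ContainsKey($sid)) {
            $bySid[$sid].AdminCount = 1
        } else {
            $bySid[$sid] = [pscustomobject]@{
                Name       = $o.sAMAccountName
                Class      = $o.ObjectClass
                Groups     = [System.Collections.Generic.List[string]]::new()
                AdminCount = 1
            }
        }
    }

    foreach ($p in $bySid.Values) {
        $note = ''
        if ($p.Groups.Count -eq 0) { $note = 'adminCount=1 but not in a listed group (orphaned or custom protected group)' }
        [pscustomobject]@{
            Name       = $p.Name
            Class      = $p.Class
            AdminCount = $p.AdminCount
            Groups     = ($p.Groups | Sort-Object -Unique) -join ', '
            Note       = $note
        }
    }
}

Get-PrivilegedPrincipal | Sort-Object Class, Name | Format-Table -AutoSize
```

krbtgt and the protected groups themselves legitimately show adminCount=1 without being members of anything; any other account with the orphaned note is worth a look, because its ACL no longer follows the OU it lives in.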
Domain Controller Enumeration
Identify and analyze Domain Controllers in the Active Directory forest.
nltest
Get-ADDomainController
dcdiag
Site and Subnet Enumeration
Discover Active Directory sites, subnets, and their associations.
Get-ADReplicationSite
Get-ADReplicationSubnet
repadmin
FSMO Roles Enumeration
Identify servers holding Flexible Single Master Operation (FSMO) roles.
netdom query fsmo
Get-ADDomain
Get-ADForest
Domain Password Policy Enumeration
Discover and analyze domain-wide and fine-grained password policies.
net accounts
Get-ADDefaultDomainPasswordPolicy
Get-ADFineGrainedPasswordPolicy
Service Account Enumeration
Identify and analyze service accounts, including managed service accounts.
Get-ADServiceAccount
Get-CimInstance Win32_Service (or Get-WmiObject Win32_Service) to list services and the accounts they run as
sc query
Organizational Unit (OU) Enumeration
Discover and map the Organizational Unit structure within Active Directory.
Get-ADOrganizationalUnit
dsquery
ADExplorer
Defending Against Domain Enumeration
While understanding domain enumeration techniques is crucial for security assessments, it's equally important to implement strong defensive measures. Here are some key strategies to protect your Active Directory environment against enumeration attempts:
- Apply the principle of least privilege: most of the techniques above need only an authenticated domain account, so restrict which accounts and workstations may run enumeration tools and scripts
- Use network segmentation to limit the scope of enumeration attempts
- Implement and maintain strong password policies
- Regularly audit and review Active Directory permissions and configurations
- Enable and monitor Windows Event Logs for suspicious enumeration activity, for example bursts of Kerberos service ticket requests (event 4769), object access audited through SACLs (event 4662), and expensive or unusual LDAP searches logged by the domain controllers (event 1644)
- Implement Just-In-Time (JIT) administration and Privileged Access Workstations (PAWs)
- Use Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, the successor to on-premises Advanced Threat Analytics) for anomaly detection
- Implement LDAP channel binding and LDAP signing
- Regularly conduct security assessments and penetration tests
- Train IT staff on secure Active Directory management practices
- Implement and maintain an up-to-date incident response plan
- Use tools like Microsoft Security Compliance Toolkit to baseline and secure Active Directory settings
- Implement strict controls on DNS zone transfers and LDAP anonymous binds
- Regularly review and update Group Policy Objects (GPOs) to enforce security settings
- Implement and maintain a robust patch management process for all domain systems
- Use Active Directory Administrative Center (ADAC) for fine-grained password policy management
- Implement and maintain a comprehensive asset management system
- Regularly review and update service account permissions and passwords
- Use Microsoft Local Administrator Password Solution (LAPS) to manage local admin passwords, and restrict which principals can read the password attribute
- Implement network access control (NAC) to restrict unauthorized devices from connecting to the domain
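To make the event-log recommendation concrete: a Kerberoasting run shows up on a domain controller as one account requesting service tickets for many distinct SPNs in a short window, typically with RC4-HMAC (TicketEncryptionType 0x17) because those tickets crack fastest. The script below is an added example, not code from the page; the first function reads real 4769 events with Get-WinEvent, the second applies a sliding-window rule to any set of requests, and the rows it is run on are constructed sample data, not captured logs. The thresholds are assumptions to tune per environment.

```powershell
# Added example (not from the page): detect Kerberoasting-style bursts in Security event 4769.

function Get-TgsRequestFromEventLog {
    # Live collection on a DC. 4769 EventData carries TargetUserName (the requester, as user@REALM),
    # ServiceName, TicketEncryptionType, IpAddress and Status.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = ($fields['TargetUserName'] -split '@')[0]   # strip the realm suffix
                Service  = $fields['ServiceName']
                EncType  = $fields['TicketEncryptionType']
                ClientIp = $fields['IpAddress']
                Status   = $fields['Status']
            }
        }
}

function Find-KerberoastBurst {
    param(
        [Parameter(Mandatory)][object[]]$Requests,
        [int]$MinDistinctServices = 5,   # assumption: 5+ different SPNs from one account is abnormal
        [int]$WindowMinutes = 10
    )
    # Only successful RC4 tickets for real services count; machine accounts ($) and krbtgt are excluded.
    $rc4 = $Requests | Where-Object {
        $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
        $_.Account -notmatch '\$$' -and $_.Service -notmatch '^krbtgt'
    }
    foreach ($grp in ($rc4 | Group-Object Account)) {
        $sorted = @($grp.Group | Sort-Object Time)
        # Sliding window: from each request, count distinct services within the next WindowMinutes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $win   = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $svc   = @($win.Service | Sort-Object -Unique)
            if ($svc.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Account   = $grp.Name
                    Start     = $start
                    Services  = $svc.Count
                    ClientIps = (@($win.ClientIp | Sort-Object -Unique)) -join ','
                    Sample    = (@($svc | Select-Object -First 3)) -join ','
                }
                break   # one finding per account is enough
            }
        }
    }
}

# Constructed sample data (not real logs): one normal user, one machine account, one burst from jdoe.
$sample = @'
Time,Account,Service,EncType,ClientIp,Status
2024-05-01T09:00:01,alice,HTTP/intranet.corp.example.com,0x12,10.0.0.15,0x0
2024-05-01T09:01:00,jdoe,MSSQLSvc/sql01.corp.example.com:1433,0x17,10.0.0.77,0x0
2024-05-01T09:01:01,jdoe,MSSQLSvc/sql02.corp.example.com:1433,0x17,10.0.0.77,0x0
2024-05-01T09:01:01,jdoe,HTTP/reports.corp.example.com,0x17,10.0.0.77,0x0
2024-05-01T09:01:02,jdoe,CIFS/backup01.corp.example.com,0x17,10.0.0.77,0x0
2024-05-01T09:01:02,jdoe,ldap/svc-sync.corp.example.com,0x17,10.0.0.77,0x0
2024-05-01T09:01:03,jdoe,exchangeMDB/mail01.corp.example.com,0x17,10.0.0.77,0x0
2024-05-01T09:05:00,WS042$,cifs/fs01.corp.example.com,0x17,10.0.0.42,0x0
2024-05-01T09:06:00,bob,MSSQLSvc/sql01.corp.example.com:1433,0x17,10.0.0.91,0x0
'@
$requests = $sample | ConvertFrom-Csv | ForEach-Object { $_.Time = [datetime]$_.Time; $_ }
Find-KerberoastBurst -Requests $requests | Format-Table -AutoSize

# Against a real DC, feed the live collector instead:
# Find-KerberoastBurst -Requests (Get-TgsRequestFromEventLog -Since (Get-Date).AddHours(-4))
```

The constructed rows contain one burst (jdoe, six distinct SPNs within seconds) and two ordinary requests, so a correct run reports exactly that account. The RC4 filter is the cheap version of the rule; once AES-only service accounts are the norm, drop the EncType condition and rely on the distinct-service count, since a patient attacker can request AES tickets just as well.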
For more detailed information on defending against these techniques and implementing a robust Active Directory security strategy, visit our Defensive Techniques page.