AD-Attacks

Domain Enumeration in Active Directory


Comprehensive guide to Domain Enumeration techniques in Active Directory environments, including user, group, and computer enumeration, as well as advanced discovery methods.

Domain Enumeration Techniques

User Enumeration
Discover and list all user accounts in the Active Directory domain.
  • PowerView
  • ADExplorer
  • BloodHound

Group Enumeration
Identify and analyze all groups within the Active Directory structure.
  • net group
  • Get-ADGroup
  • ADSI Edit

Computer Enumeration
Locate and catalog all computer objects in the domain.
  • PowerView
  • Get-ADComputer
  • nmap

Domain Trust Enumeration
Map out trust relationships between domains and forests.
  • nltest
  • Get-ADTrust
  • PowerView

GPO Enumeration
Discover and analyze Group Policy Objects applied in the domain.
  • gpresult
  • Get-GPO
  • Group Policy Management Console

LDAP Querying
Use LDAP queries to extract detailed information from Active Directory; by default any authenticated domain user can read most objects and attributes, so this needs no special privilege.
  • ldapsearch
  • ADExplorer
  • PowerShell LDAP scripts

Service Principal Name (SPN) Enumeration
Identify accounts with a servicePrincipalName set; these are the service accounts and the potential Kerberoasting targets.
  • SetSPN
  • Get-ADUser -Filter {ServicePrincipalName -ne "$null"}
  • Impacket GetUserSPNs.py
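
The two cards above list the tools but leave the filter and the post-processing implicit. The following is an added example for this page, not code from ldapsearch, Impacket or PowerView: it parses constructed `ldapsearch -LLL` output for SPN-bearing user accounts, decodes the userAccountControl bits, and tags Kerberoast and AS-REP roast candidates. The domain, account names and values are made up; the mask bits and the LDAP_MATCHING_RULE_BIT_AND OID 1.2.840.113556.1.4.803 used to exclude disabled accounts server-side are the documented values.

```python
"""Triage ldapsearch output for SPN-bearing accounts (Kerberoast candidates).

Added example for this page; not code from ldapsearch, Impacket or PowerView.
SAMPLE_LDIF is constructed data shaped like `ldapsearch -LLL` output for
(&(objectClass=user)(servicePrincipalName=*)); kerberoast_filter() is the
tighter server-side variant. Domain and account names are made up.
"""
import re
from typing import Dict, List

# userAccountControl flag bits (documented values, subset relevant here)
UAC_ACCOUNTDISABLE = 0x00000002
UAC_DONT_EXPIRE_PASSWORD = 0x00010000
UAC_TRUSTED_FOR_DELEGATION = 0x00080000   # unconstrained delegation
UAC_DONT_REQ_PREAUTH = 0x00400000         # AS-REP roastable


def kerberoast_filter() -> str:
    """Server-side filter for Kerberoast candidates: users with an SPN that are
    not disabled and not krbtgt. 1.2.840.113556.1.4.803 is the bitwise-AND
    matching rule, so the last clause tests the ACCOUNTDISABLE bit."""
    return (
        "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
        "(!(sAMAccountName=krbtgt))"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    )


SAMPLE_LDIF = """\
dn: CN=svc_sql,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.corp.example:1433
servicePrincipalName: MSSQLSvc/sql01.corp.example

dn: CN=svc_old,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_old
userAccountControl: 66050
servicePrincipalName: HTTP/legacy.corp.example

dn: CN=krbtgt,CN=Users,DC=corp,DC=example
sAMAccountName: krbtgt
userAccountControl: 514
servicePrincipalName: kadmin/changepw

dn: CN=svc_backup,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_backup
userAccountControl: 4260352
servicePrincipalName: backup/bk01.corp.example
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries are blank-line separated, attributes may
    repeat, RFC 2849 continuation lines (leading space) are unfolded.
    Base64 values ('attr:: ...') are not needed for these attributes."""
    entries: List[Dict[str, List[str]]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        block = re.sub(r"\n ", "", block)  # unfold continuation lines
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries


def triage(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Tag each account. krbtgt and disabled accounts are kept out of the
    Kerberoast set, as GetUserSPNs.py's default filter does; computer
    accounts (trailing '$') are skipped because their passwords are random."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        sam = e["sAMAccountName"][0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        disabled = bool(uac & UAC_ACCOUNTDISABLE)
        tags: List[str] = []
        if sam.lower() == "krbtgt":
            tags.append("krbtgt-excluded")
        elif disabled:
            tags.append("disabled")
        elif e.get("servicePrincipalName") and not sam.endswith("$"):
            tags.append("kerberoastable")
        if uac & UAC_DONT_REQ_PREAUTH and not disabled:
            tags.append("asrep-roastable")
        if uac & UAC_TRUSTED_FOR_DELEGATION:
            tags.append("unconstrained-delegation")
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            tags.append("password-never-expires")
        result[sam] = tags
    return result


if __name__ == "__main__":
    print("LDAP filter:", kerberoast_filter())
    for sam, tags in triage(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{sam:12} {', '.join(tags) or '-'}")
```

Against a live domain, replace SAMPLE_LDIF with the output of `ldapsearch -LLL` for the filter returned by kerberoast_filter(), requesting sAMAccountName, userAccountControl and servicePrincipalName; the "kerberoastable" set then matches what GetUserSPNs.py returns, with the AS-REP and delegation flags as extra context.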

ACL Enumeration
Analyze Access Control Lists to identify misconfigurations and potential attack paths.
  • PowerView
  • BloodHound
  • ADACLScanner
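
ACL output is only useful once the raw access mask and object-type GUID of each ACE are translated into the rights an attacker can actually use. The following is an added example, not code from BloodHound, PowerView or ADACLScanner, that does that translation over constructed ACEs shaped like Get-DomainObjectAcl output (trustee, access mask, ObjectAceType GUID). The trustees and DNs are made up; the mask bits and GUIDs are the documented Windows and AD schema values. It also shows why the two DS-Replication-Get-Changes rights must be evaluated together: either alone is harmless, both on the domain head is DCSync.

```python
"""Turn raw AD ACEs into the abusable rights BloodHound and PowerView report.

Added example for this page; not code from BloodHound, PowerView or
ADACLScanner. SAMPLE_ACES is constructed data shaped like the fields
Get-DomainObjectAcl returns; trustees and DNs are made up. Mask bits and
GUIDs are documented Windows / AD schema values.
"""
from typing import Dict, List, Optional, Set, Tuple

# ADS_RIGHT_* access mask bits
RIGHT_DS_WRITE_PROP = 0x00000020
RIGHT_DS_CONTROL_ACCESS = 0x00000100   # "extended right"; meaning depends on the GUID
RIGHT_WRITE_DAC = 0x00040000
RIGHT_WRITE_OWNER = 0x00080000
RIGHT_GENERIC_ALL = 0x10000000
RIGHT_GENERIC_WRITE = 0x40000000
GENERIC_ALL_EXPANDED = 0x000F01FF      # GenericAll as AD usually stores it (983551)

# schemaIDGUID / rightsGuid values
GUID_MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"              # 'member' attribute
GUID_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
GUID_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GUID_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"


def classify_ace(mask: int, object_type: Optional[str]) -> Set[str]:
    """Map one ACE's mask + object GUID to BloodHound-style right names.
    object_type None means the right applies to the whole object."""
    rights: Set[str] = set()
    if mask & RIGHT_GENERIC_ALL or (mask & GENERIC_ALL_EXPANDED) == GENERIC_ALL_EXPANDED:
        return {"GenericAll"}  # subsumes everything below
    if mask & RIGHT_GENERIC_WRITE or (mask & RIGHT_DS_WRITE_PROP and object_type is None):
        rights.add("GenericWrite")
    if mask & RIGHT_WRITE_DAC:
        rights.add("WriteDacl")
    if mask & RIGHT_WRITE_OWNER:
        rights.add("WriteOwner")
    if mask & RIGHT_DS_WRITE_PROP and object_type == GUID_MEMBER:
        rights.add("AddMember")
    if mask & RIGHT_DS_CONTROL_ACCESS:
        if object_type is None:
            rights.add("AllExtendedRights")
        elif object_type == GUID_FORCE_CHANGE_PASSWORD:
            rights.add("ForceChangePassword")
        elif object_type == GUID_REPL_GET_CHANGES:
            rights.add("GetChanges")
        elif object_type == GUID_REPL_GET_CHANGES_ALL:
            rights.add("GetChangesAll")
    return rights


def attack_paths(aces: List[Dict]) -> Dict[Tuple[str, str], Set[str]]:
    """Aggregate rights per (trustee, target) and derive DCSync on the domain
    head: both replication rights, or GenericAll / AllExtendedRights, suffice.
    Pairs with no abusable right are dropped to keep the noise out."""
    per: Dict[Tuple[str, str], Set[str]] = {}
    for ace in aces:
        key = (ace["trustee"], ace["target"])
        per.setdefault(key, set()).update(classify_ace(ace["mask"], ace.get("object_type")))
    for (_, target), rights in per.items():
        is_domain_head = target.upper().startswith("DC=")
        if is_domain_head and ({"GetChanges", "GetChangesAll"} <= rights
                               or rights & {"GenericAll", "AllExtendedRights"}):
            rights.add("DCSync")
    return {k: v for k, v in per.items() if v}


SAMPLE_ACES = [  # constructed sample data
    # Helpdesk may reset passwords of users under the OU (extended right)
    {"trustee": "CORP\\Helpdesk", "target": "OU=Staff,DC=corp,DC=example",
     "mask": RIGHT_DS_CONTROL_ACCESS, "object_type": GUID_FORCE_CHANGE_PASSWORD},
    # A service account holding both replication rights on the domain head
    {"trustee": "CORP\\svc_backup", "target": "DC=corp,DC=example",
     "mask": RIGHT_DS_CONTROL_ACCESS, "object_type": GUID_REPL_GET_CHANGES},
    {"trustee": "CORP\\svc_backup", "target": "DC=corp,DC=example",
     "mask": RIGHT_DS_CONTROL_ACCESS, "object_type": GUID_REPL_GET_CHANGES_ALL},
    # WriteProperty on 'member' of Domain Admins
    {"trustee": "CORP\\Tier2-Ops", "target": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
     "mask": RIGHT_DS_WRITE_PROP, "object_type": GUID_MEMBER},
    # Full control over a service account object, stored in expanded form
    {"trustee": "CORP\\jdoe", "target": "CN=svc_sql,OU=Service Accounts,DC=corp,DC=example",
     "mask": GENERIC_ALL_EXPANDED, "object_type": None},
    # GenericRead (0x20094) for Authenticated Users: normal, not a finding
    {"trustee": "NT AUTHORITY\\Authenticated Users", "target": "DC=corp,DC=example",
     "mask": 0x00020094, "object_type": None},
]

if __name__ == "__main__":
    for (trustee, target), rights in attack_paths(SAMPLE_ACES).items():
        print(f"{trustee:35} {', '.join(sorted(rights)):40} -> {target}")
```

The aggregation step is the part most ad-hoc scripts get wrong: a per-ACE report lists GetChanges and GetChangesAll as two unremarkable lines, while the combination on the domain head is full credential replication.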

DNS Record Enumeration
Discover and analyze DNS records associated with the Active Directory domain.
  • dnscmd
  • Get-DnsServerResourceRecord
  • nslookup

LAPS Enumeration
Enumerate Local Administrator Password Solution (LAPS) configurations and permissions, in particular which principals can read the stored local administrator password (the ms-Mcs-AdmPwd attribute).
  • Get-LAPSComputers
  • Find-AdmPwdExtendedRights
  • LAPSToolkit

Exchange Server Enumeration
Discover and analyze Exchange Server configurations within the domain.
  • Get-ExchangeServer
  • ExchangeRelayX
  • Ruler

Privileged Account Enumeration
Identify and catalog high-privilege accounts and groups in the domain.
  • PowerView
  • ADExplorer
  • PingCastle
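
Privileged principals are best identified by relative ID rather than by name, because Administrator or Domain Admins can be renamed while S-1-5-21-<domain>-500 and -512 cannot. The following is an added example, not code from PowerView, ADExplorer or PingCastle, that parses binary objectSid values as ldapsearch returns them (base64-encoded) and flags the well-known privileged RIDs; the domain SID and member SIDs are constructed, the SID layout and RID table are the documented ones.

```python
"""Decode binary objectSid values and flag well-known privileged RIDs.

Added example for this page; not code from PowerView, ADExplorer or
PingCastle. DOMAIN_SID and the member SIDs are constructed. Layout is the
documented SID format: revision (1 byte), sub-authority count (1),
identifier authority (6 bytes, big-endian), sub-authorities (4 bytes each,
little-endian). In LDIF the attribute arrives as 'objectSid:: <base64>'.
"""
import base64
import struct
from typing import Dict, Iterable, Optional

# Relative IDs that are privileged in every domain; the RID survives renames.
PRIVILEGED_DOMAIN_RIDS = {
    500: "Administrator",
    502: "krbtgt",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    526: "Key Admins",
    527: "Enterprise Key Admins",
}
# BUILTIN (S-1-5-32-*) groups that give effective control of a domain controller
PRIVILEGED_BUILTIN_RIDS = {
    544: "Administrators",
    548: "Account Operators",
    549: "Server Operators",
    550: "Print Operators",
    551: "Backup Operators",
}


def sid_to_string(blob: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...' string; rejects truncated or odd blobs."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_from_string(sid: str) -> bytes:
    """Inverse of sid_to_string(); used here to build the sample data."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def privileged_name(sid: str, domain_sid: str) -> Optional[str]:
    """Well-known privileged name for a SID, or None for an ordinary principal
    (or one from another domain, which needs that domain's SID to judge)."""
    if sid.startswith("S-1-5-32-"):
        return PRIVILEGED_BUILTIN_RIDS.get(int(sid.rsplit("-", 1)[1]))
    if sid.startswith(domain_sid + "-"):
        return PRIVILEGED_DOMAIN_RIDS.get(int(sid[len(domain_sid) + 1:]))
    return None


def flag_privileged(b64_sids: Iterable[str], domain_sid: str) -> Dict[str, Optional[str]]:
    """Map base64 objectSid values (as in LDIF) to {sid_string: privileged_name}."""
    out: Dict[str, Optional[str]] = {}
    for value in b64_sids:
        sid = sid_to_string(base64.b64decode(value))
        out[sid] = privileged_name(sid, domain_sid)
    return out


# Constructed sample: a made-up domain SID plus member SIDs base64-encoded
# the way ldapsearch prints binary attributes.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_B64_SIDS = [
    base64.b64encode(sid_from_string(DOMAIN_SID + "-512")).decode(),   # Domain Admins
    base64.b64encode(sid_from_string(DOMAIN_SID + "-500")).decode(),   # built-in Administrator
    base64.b64encode(sid_from_string(DOMAIN_SID + "-1105")).decode(),  # an ordinary user
    base64.b64encode(sid_from_string("S-1-5-32-544")).decode(),        # BUILTIN\Administrators
]

if __name__ == "__main__":
    for sid, name in flag_privileged(SAMPLE_B64_SIDS, DOMAIN_SID).items():
        print(f"{sid:50} {name or '-'}")
```

Run the same function over the sidHistory attribute as well: a RID-512 SID from the current domain hidden in sidHistory grants the same access as direct membership and is missed by name-based group queries.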

Domain Controller Enumeration
Identify and analyze Domain Controllers in the Active Directory forest.
  • nltest
  • Get-ADDomainController
  • dcdiag

Site and Subnet Enumeration
Discover Active Directory sites, subnets, and their associations.
  • Get-ADReplicationSite
  • Get-ADReplicationSubnet
  • repadmin

FSMO Roles Enumeration
Identify servers holding Flexible Single Master Operation (FSMO) roles.
  • netdom query fsmo
  • Get-ADDomain
  • Get-ADForest

Domain Password Policy Enumeration
Discover and analyze domain-wide and fine-grained password policies.
  • net accounts
  • Get-ADDefaultDomainPasswordPolicy
  • Get-ADFineGrainedPasswordPolicy
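
The attributes behind `net accounts` and Get-ADDefaultDomainPasswordPolicy are stored on the domain head as negative 100-nanosecond intervals, with the int64 minimum as the "never" sentinel, which is easy to misread in raw ldapsearch output. The following is an added example, not code from any tool above, that decodes a constructed policy (all values made up) and derives how many attempts per observation window stay under the lockout threshold, the same calculation a password-spraying attacker makes from these attributes. Fine-grained policy objects (msDS-PasswordSettings) encode their msDS-* duration attributes the same way.

```python
"""Decode the domain password and lockout policy from raw LDAP attributes.

Added example for this page; not code from any listed tool. SAMPLE_POLICY is
constructed, shaped like the domain-head attributes that `net accounts` and
Get-ADDefaultDomainPasswordPolicy read. Durations are negative counts of
100-ns ticks; the int64 minimum means "never" / "until unlocked".
"""
from datetime import timedelta
from typing import Any, Dict, Optional

NEVER = -(2 ** 63)             # 0x8000000000000000 as signed int64
DOMAIN_PASSWORD_COMPLEX = 0x1  # pwdProperties bit: complexity required


def decode_interval(ticks: int) -> Optional[timedelta]:
    """Negative 100-ns ticks -> timedelta; None for the 'never' sentinel."""
    if ticks == NEVER:
        return None
    if ticks > 0:
        raise ValueError("AD duration attributes are stored as negative values")
    return timedelta(microseconds=-ticks // 10)


def _minutes(td: Optional[timedelta]) -> Optional[int]:
    return None if td is None else int(td.total_seconds() // 60)


def summarize_policy(attrs: Dict[str, str]) -> Dict[str, Any]:
    """Human-readable view of the policy; keys mirror the `net accounts` rows."""
    max_age = decode_interval(int(attrs["maxPwdAge"]))
    min_age = decode_interval(int(attrs["minPwdAge"]))
    return {
        "min_length": int(attrs["minPwdLength"]),
        "max_age_days": None if max_age is None else max_age.days,  # None: never expires
        "min_age_days": None if min_age is None else min_age.days,
        "history": int(attrs["pwdHistoryLength"]),
        "complexity": bool(int(attrs["pwdProperties"]) & DOMAIN_PASSWORD_COMPLEX),
        "lockout_threshold": int(attrs["lockoutThreshold"]),      # 0: no lockout at all
        "observation_minutes": _minutes(decode_interval(int(attrs["lockOutObservationWindow"]))),
        "lockout_minutes": _minutes(decode_interval(int(attrs["lockoutDuration"]))),  # None: admin must unlock
    }


def spray_budget(policy: Dict[str, Any], margin: int = 1) -> Dict[str, Optional[int]]:
    """Attempts per account that stay below the lockout threshold within one
    observation window, keeping `margin` attempts in reserve for the user's
    own typos. A threshold of 0 means no lockout and therefore no limit."""
    threshold = int(policy["lockout_threshold"])
    if threshold == 0:
        return {"attempts_per_window": None, "window_minutes": 0}
    return {"attempts_per_window": max(threshold - margin, 0),
            "window_minutes": policy["observation_minutes"]}


# Constructed sample: 42-day maximum age, 1-day minimum age, 7-character
# minimum, 24 remembered, complexity on, lockout after 5 failures within
# 30 minutes, 30-minute lockout duration.
SAMPLE_POLICY = {
    "maxPwdAge": "-36288000000000",
    "minPwdAge": "-864000000000",
    "minPwdLength": "7",
    "pwdHistoryLength": "24",
    "pwdProperties": "1",
    "lockoutThreshold": "5",
    "lockOutObservationWindow": "-18000000000",
    "lockoutDuration": "-18000000000",
}

if __name__ == "__main__":
    policy = summarize_policy(SAMPLE_POLICY)
    for key, value in policy.items():
        print(f"{key:20} {value}")
    print("spray budget:", spray_budget(policy))
```

On the defensive side the same numbers set the detection bar: with threshold 5 and a 30-minute window, a spray that keeps to 4 attempts per account per window never produces a 4740 lockout event, so detection has to come from the volume of 4625/4771 failures across many accounts rather than from lockouts.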

Service Account Enumeration
Identify and analyze service accounts, including managed service accounts.
  • Get-ADServiceAccount
  • Get-WmiObject
  • sc query

Organizational Unit (OU) Enumeration
Discover and map the Organizational Unit structure within Active Directory.
  • Get-ADOrganizationalUnit
  • dsquery
  • ADExplorer


Defending Against Domain Enumeration

While understanding domain enumeration techniques is crucial for security assessments, it's equally important to implement strong defensive measures. Here are some key strategies to protect your Active Directory environment against enumeration attempts:

  • Apply the principle of least privilege to what accounts can read from the directory: by default any authenticated user can query most objects and attributes, so tighten the ACLs on sensitive attributes and privileged objects rather than relying on restrictions on enumeration tools
  • Use network segmentation to limit the scope of enumeration attempts
  • Implement and maintain strong password policies
  • Regularly audit and review Active Directory permissions and configurations
  • Enable and monitor Windows Event Logs for suspicious enumeration activity, for example Event ID 4769 service-ticket requests with RC4 (encryption type 0x17) that indicate Kerberoasting, Event ID 4662 on objects with auditing SACLs, and Directory Service Event ID 1644 for expensive or inefficient LDAP searches
  • Implement Just-In-Time (JIT) administration and Privileged Access Workstations (PAWs)
  • Use Microsoft Defender for Identity (formerly Azure Advanced Threat Protection; it replaces the retired Advanced Threat Analytics) for anomaly detection
  • Implement LDAP channel binding and LDAP signing
  • Regularly conduct security assessments and penetration tests
  • Train IT staff on secure Active Directory management practices
  • Implement and maintain an up-to-date incident response plan
  • Use tools like Microsoft Security Compliance Toolkit to baseline and secure Active Directory settings
  • Implement strict controls on DNS zone transfers and LDAP anonymous binds
  • Regularly review and update Group Policy Objects (GPOs) to enforce security settings
  • Implement and maintain a robust patch management process for all domain systems
  • Use the Active Directory Administrative Center (ADAC) to manage fine-grained password policies
  • Implement and maintain a comprehensive asset management system
  • Regularly review and update service account permissions and passwords
  • Use Microsoft Local Administrator Password Solution (LAPS) to manage local admin passwords
  • Implement network access control (NAC) to restrict unauthorized devices from connecting to the domain

For more detailed information on defending against these techniques and implementing a robust Active Directory security strategy, visit our Defensive Techniques page.
