Credentialed Enumeration - from Windows
Enumeration from a Windows attack host using domain credentials. Tools include the ActiveDirectory PowerShell module, PowerView/SharpView, Snaffler, and SharpHound/BloodHound. Some findings may be informational (e.g., ability to run BloodHound freely, user account attributes) but still valuable for reporting. Focus on misconfigurations, permission issues, trust relationships, and sensitive data in file shares.
ActiveDirectory PowerShell Module
Built-in PowerShell module with 147+ cmdlets for AD administration. Stealthier than dropping tools since it’s a native Windows component.
Load the Module
Import-Module ActiveDirectory
Get-Module
Domain Information
Get-ADDomain
Key fields: DomainSID, DomainMode, ChildDomains, Forest, DomainControllersContainer, ReplicaDirectoryServers
Users with SPNs (Kerberoastable)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Trust Relationships
Get-ADTrust -Filter *
Key fields to examine:
| Field | Meaning |
|---|---|
| Direction | Bidirectional, Inbound, or Outbound |
| IntraForest | True = within same forest; False = external forest trust |
| ForestTransitive | Whether the trust extends across forests |
| TrustType | Uplevel (Windows 2000+), Downlevel, etc. |
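As an added illustration (not code from the notes above or from the AD module), the function below reads trust objects carrying the fields in the table and annotates each one for review. The two sample trusts and their domain names are constructed; in a live domain the input would come from Get-ADTrust -Filter *.

```powershell
# Added example: annotate trust objects for review. Field names follow Get-ADTrust;
# the sample values below are constructed and do not describe a real environment.
function Get-TrustReviewSummary {
    param([Parameter(ValueFromPipeline)] [object[]] $Trust)
    process {
        foreach ($t in $Trust) {
            # Direction is read from this domain's point of view.
            $exposure = switch ($t.Direction) {
                'Bidirectional' { 'both domains can authenticate into each other' }
                'Inbound'       { 'the other domain is trusted to authenticate into this one' }
                'Outbound'      { 'this domain authenticates into the other one' }
                default         { 'unknown direction' }
            }
            $scope = if ($t.IntraForest) { 'intra-forest' } else { 'external/forest' }
            $notes = @()
            if (-not $t.IntraForest -and $t.Direction -ne 'Outbound') {
                $notes += 'principals from another forest can authenticate here'
            }
            if (-not $t.IntraForest -and $t.ForestTransitive) {
                $notes += 'transitive across forests: confirm SID filtering is in place'
            }
            if ($t.TrustType -ne 'Uplevel') {
                $notes += "non-Uplevel trust type ($($t.TrustType)): check for legacy settings"
            }
            [pscustomobject]@{
                Source    = $t.Source
                Target    = $t.Target
                Scope     = $scope
                Direction = $t.Direction
                Exposure  = $exposure
                Notes     = ($notes -join '; ')
            }
        }
    }
}

# Constructed sample standing in for Get-ADTrust -Filter * output (hypothetical domain names)
$sampleTrusts = @(
    [pscustomobject]@{ Source='inlanefreight.local'; Target='child.inlanefreight.local';
                       Direction='Bidirectional'; IntraForest=$true; ForestTransitive=$false; TrustType='Uplevel' }
    [pscustomobject]@{ Source='inlanefreight.local'; Target='partner.example';
                       Direction='Bidirectional'; IntraForest=$false; ForestTransitive=$true; TrustType='Uplevel' }
)
$sampleTrusts | Get-TrustReviewSummary | Format-Table -AutoSize
```

Against a real domain, pipe Get-ADTrust -Filter * into Get-TrustReviewSummary instead of the constructed sample.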
Group Enumeration
Get-ADGroup -Filter * | select name
Get-ADGroup -Identity "Backup Operators"
Get-ADGroupMember -Identity "Backup Operators"
Note groups of interest: Backup Operators, Domain Admins, Enterprise Admins, IT admin groups, any group with service accounts.
Useful AD Module Cmdlets
| Cmdlet | Purpose |
|---|---|
| Get-ADDomain | Domain info (SID, mode, child domains, DCs) |
| Get-ADUser | Query users with filters |
| Get-ADGroup | Query groups |
| Get-ADGroupMember | List group members |
| Get-ADTrust | Domain trust relationships |
| Get-ADComputer | Query computers |
PowerView
PowerShell tool for AD situational awareness. More manual than BloodHound but can reveal subtle misconfigurations. Part of PowerSploit (deprecated) — maintained fork by BC-Security for Empire 4.
Key Functions Reference
| Category | Function | Description |
|---|---|---|
| Utility | Export-PowerViewCSV | Append results to CSV |
| Utility | ConvertTo-SID | Convert name to SID |
| Utility | Get-DomainSPNTicket | Request Kerberos ticket for SPN account |
| Domain/LDAP | Get-Domain | Current/specified domain object |
| Domain/LDAP | Get-DomainController | List domain controllers |
| Domain/LDAP | Get-DomainUser | All/specific users |
| Domain/LDAP | Get-DomainComputer | All/specific computers |
| Domain/LDAP | Get-DomainGroup | All/specific groups |
| Domain/LDAP | Get-DomainOU | All/specific OUs |
| Domain/LDAP | Find-InterestingDomainAcl | ACLs with modification rights for non-built-in objects |
| Domain/LDAP | Get-DomainGroupMember | Members of a group |
| Domain/LDAP | Get-DomainFileServer | Likely file servers |
| Domain/LDAP | Get-DomainDFSShare | Distributed file systems |
| GPO | Get-DomainGPO | All/specific GPOs |
| GPO | Get-DomainPolicy | Default domain/DC policy |
| Computer | Get-NetLocalGroup | Local groups on a machine |
| Computer | Get-NetLocalGroupMember | Members of a local group |
| Computer | Get-NetShare | Open shares |
| Computer | Get-NetSession | Session info |
| Computer | Test-AdminAccess | Test local admin access |
| Meta | Find-DomainUserLocation | Where users are logged in |
| Meta | Find-DomainShare | Reachable shares |
| Meta | Find-InterestingDomainShareFile | Interesting files on readable shares |
| Meta | Find-LocalAdminAccess | Machines where the current user is local admin |
| Trust | Get-DomainTrust | Domain trusts |
| Trust | Get-ForestTrust | Forest trusts |
| Trust | Get-DomainForeignUser | Users in groups outside their domain |
| Trust | Get-DomainForeignGroupMember | Groups with external members |
| Trust | Get-DomainTrustMapping | Enumerate all trusts for the current domain |
Detailed User Info
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
Recursive Group Membership
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
The -Recurse flag reveals nested group membership — if a group like Secadmins is a member of Domain Admins, all members of Secadmins inherit DA rights.
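To show what -Recurse resolves, here is an added example (not code from the notes or from PowerView) that flattens nested membership over a constructed in-memory directory, including the loop case where a nested group eventually contains its parent. Group and user names other than Secadmins and Domain Admins are made up.

```powershell
# Added example: resolve nested group membership, as -Recurse does, over a constructed
# in-memory directory (group name -> direct members). Names are made up; 'Secadmins'
# is the nested-group case mentioned in the notes.
function Get-EffectiveMembers {
    param(
        [string] $Group,
        [hashtable] $Directory,
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    )
    # Nested groups can form loops; stop when a group has already been expanded.
    if (-not $Visited.Add($Group)) { return }
    foreach ($member in $Directory[$Group]) {
        if ($Directory.ContainsKey($member)) {
            # A nested group: every member of it inherits the outer group's rights.
            Get-EffectiveMembers -Group $member -Directory $Directory -Visited $Visited |
                ForEach-Object { [pscustomobject]@{ Member = $_.Member; Via = "$Group > $($_.Via)" } }
        } else {
            [pscustomobject]@{ Member = $member; Via = $Group }
        }
    }
}

# Constructed directory: Secadmins is nested in Domain Admins, and a helpdesk group loops back.
$directory = @{
    'Domain Admins'  = @('administrator', 'Secadmins')
    'Secadmins'      = @('jsmith', 'Helpdesk Tier2')
    'Helpdesk Tier2' = @('agreen', 'Secadmins')
}
Get-EffectiveMembers -Group 'Domain Admins' -Directory $directory | Format-Table -AutoSize
```

The Via column records the nesting chain through which each account inherits the rights, which is the detail worth carrying into a report.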
Trust Mapping
Get-DomainTrustMapping
Shows all trusts with source, target, type (WITHIN_FOREST, FOREST_TRANSITIVE), and direction.
Test Local Admin Access
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
Users with SPNs (Kerberoastable)
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
SharpView
.NET port of PowerView for environments where PowerShell is restricted or blocked.
.\SharpView.exe Get-DomainUser -Identity forend
.\SharpView.exe Get-DomainUser -Help
Supports many of the same functions as PowerView with the same argument names.
Snaffler
Tool for hunting credentials and sensitive data across SMB shares in AD. Must be run from a domain-joined host or in a domain-user context.
Execution
.\Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
| Flag | Purpose |
|---|---|
| -s | Print results to console |
| -d | Domain to search |
| -o | Output log file |
| -v | Verbosity level (data = results only, recommended) |
What Snaffler Finds
- Credential files (.kdb, .kwallet, .psafe3)
- Key files (.key, .keypair, .ppk, .keychain)
- Database dumps (.sqldump, .mdf)
- Config files (.tblk, VPN configs)
- Color-coded output: Red = high interest, Green = shares, Black = notable files
Tips
- Output can be large — always write to a log file
- Provide raw output to clients as supplemental data to help them prioritize share lockdown
- Look for passwords, SSH keys, config files with hardcoded credentials
SharpHound / BloodHound (from Windows)
SharpHound is the C# data collector for BloodHound, run from domain-joined Windows hosts.
Run SharpHound
.\SharpHound.exe -c All --zipfilename ILFREIGHT
Key SharpHound Flags
| Flag | Purpose |
|---|---|
| -c | Collection methods (Default, All, DCOnly, Session, LoggedOn, Group, ACL, etc.) |
| -d | Target domain |
| -s / --searchforest | Search all domains in the forest |
| --stealth | Stealth collection (prefer DCOnly) |
| --zipfilename | Output zip file name |
| --computerfile | File with specific computer targets |
Load Data into BloodHound
sudo neo4j start
bloodhound
- Click “Upload Data” button
- Select the zip file from SharpHound
- Wait for all JSON files to show 100% complete
Useful Built-in Queries
| Query | What It Reveals |
|---|---|
| Find Shortest Paths to Domain Admins | Attack paths to DA |
| Find Computers with Unsupported OS | Legacy systems (Win7, Server 2008) — validate if live |
| Find Computers where Domain Users are Local Admin | Over-permissioned hosts — any domain user can access |
| Find Principals with DCSync Rights | Users that can perform DCSync |
| Find Kerberoastable Accounts | SPNs set on user accounts |
| Shortest Paths from Owned Principals | Paths from compromised nodes |
BloodHound Workflow Tips
- Mark compromised users/computers as “Owned” to find paths from current position
- Unsupported OS hosts may not be live — validate before reporting
- Domain Users as local admin on any host = any account can be used for access
- Always document files transferred to/from hosts and clean up at engagement end
Summary
| Tool | Type | Best For |
|---|---|---|
| AD PowerShell Module | Built-in | Stealthy enumeration — blends with admin activity |
| PowerView | PowerShell script | Deep AD enumeration — users, groups, ACLs, trusts, shares |
| SharpView | .NET executable | Same as PowerView when PowerShell is restricted |
| Snaffler | .NET executable | Hunting credentials and sensitive files in shares |
| SharpHound | .NET executable | Collecting AD data for BloodHound visualization |
| BloodHound | GUI | Visualizing attack paths and relationships |