Manual Enumeration Techniques#

These techniques leverage built-in Windows tools for enumerating Active Directory, without relying on external scripts. They are especially valuable in stealthier engagements.

Microsoft Management Console#

Starting Position: From a Windows domain-joined machine or a Windows machine with injected credentials (via runas /netonly)

The MMC provides snap-ins such as Active Directory Users and Computers (ADUC) or Group Policy Management. With valid credentials, an attacker can browse AD objects, group memberships, and policies directly through a GUI.

Command Prompt#

Starting Position: From a Windows domain-joined machine as the net command must be executed from a domain-joined machine.

Command Prompt supports classic tools like net command for enumeration.

net user /domain
net user "<username>" /domain

net group /domain
net group "Domain Admins" /domain

-- enumerate password policy
net accounts /domain

PowerShell#

Starting Position: From a Windows domain-joined machine or a Windows machine with injected credentials (via runas /netonly)

PowerShell is far more powerful and scriptable than cmd.exe, offering access to modern enumeration cmdlets.

Get-ADDomain
Get-ADUser -Identity <username> -Properties *
Get-ADGroupMember "Domain Admins"

Manual Enumeration Techniques

Contents

Manual Enumeration Techniques#

Microsoft Management Console#

Command Prompt#

PowerShell#