Dec 29 2022

Active Directory Exploitation Cheat Sheet

Category: Cheat Sheet,Windows SecurityDISC @ 12:59 pm

Active Directory is a Microsoft service run in the Server that predominantly used to manage various permission and resources around the network, also it performs an authenticates and authorizes all users and computers in a Windows domain type networks.

Recent cyber-attacks are frequently targeting the vulnerable active directory services used in enterprise networks where the organization handling the 1000’s of computers in the single point of control called “Domain controller” which is one of the main targeted services by the APT Hackers.

Though exploiting Active directory is a challenging task, It is certain to activate directory exploitation Cheat Sheet which contains common enumeration and attack methods which including the several following phases to make it simple.

  • Recon
  • Domain Enum
  • Local Privilege Escalation
  • User Hunting
  • Domain Admin Privileges
  • Database Hunting
  • Data Exfiltration
  • Active Directory Exploitation Tools


Recon Phase contains various modules, including Port scan that performs the following operations.

Import-Module Invoke-Portscan.ps1
Invoke-Portscan -Hosts "websrv.domain.local,wsus.domain.local,apps.domain.local" -TopPorts 50 echo websrv.domain.local | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" Invoke-Portscan -Hosts -T 4 -TopPorts 25 -oA localnet


The secret to being able to run AD enumeration commands from the AD Powershell module on a system without RSAT installed, is the DLL located in C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management on a system that has the RSAT installed.

Set up your AD VM, install RSAT, extract the dll and drop it to the target system used to enumerate the active directory.

Import-Module .\Microsoft.ActiveDirectory.Management.dll
Get-Command get-adcom*

Domain Enumeration


  • Get current domain
Get-NetDomain (PowerView)
Get-ADDomain (ActiveDirectory Module)
  • Get object of another domain
Get-NetDomain -Domain domain.local
Get-ADDomain -Identity domain.local
  • Get domain SID for the current domain
  • Get domain policy for the current domain
(Get-DomainPolicy)."system access"
  • Get domain policy for another domain
(Get-DomainPolicy -domain domain.local)."system access"
  • Get domain controllers for the current domain
  • Get domain controllers for another domain
Get-NetDomainController -Domain domain.local
Get-ADDomainController -DomainName domain.local -Discover

More on: To Get a list of users in the current domain

Infosec books | InfoSec tools | InfoSec services

Tags: Active Directory Exploitation Cheat Sheet

Leave a Reply

You must be logged in to post a comment. Login now.