
You're reading from  Pentesting Active Directory and Windows-based Infrastructure

Product type: Book
Published in: Nov 2023
Publisher: Packt
ISBN-13: 9781804611364
Edition: 1st Edition
Author
Denis Isakov

Denis Isakov is a passionate security professional with 10+ years of experience ranging from incident response to penetration testing. He worked in various industries, including banking and consultancy. Denis is specialized in offensive security with particular focus on Active Directory and adversary malware. He has earned a Master's degree in Information Systems and Technologies in 2012. Additionally, Denis has achieved an array of industry certifications ranging from OSCP to GXPN. Outside of computers, Denis enjoys sports and discovering new places.

Domain Reconnaissance and Discovery

This chapter will focus on domain enumeration. Even if the methodology looks obvious and straightforward, the process itself can seem daunting, and reconnaissance is a crucial stepping stone toward successful compromise. Moreover, it is important to repeat enumeration after every move, as new paths may open up. Sometimes enumeration can lead to a direct compromise; for example, a compromised user could read Local Administrator Password Solution (LAPS) or Group Managed Service Accounts (gMSA) passwords, or could have administrator privileges on a host configured with unconstrained delegation.

We will briefly refresh the reconnaissance methodology and start comprehensive enumeration in different ways. We will cover the usage of built-in PowerShell modules, Windows Management Instrumentation (WMI), and net.exe commands, and utilize LDAP search capabilities. As a next step, we will use the PowerView and BloodHound tools. We will finish our journey with service...

Technical requirements

For this chapter, the technical requirements are as follows:

  • VMware Workstation or Oracle VirtualBox with at least 16 GB of RAM, 8 CPU cores, and at least 55 GB of total space (more if you take snapshots)
  • A Linux-based operating system is strongly recommended
  • Vagrant installed with a plugin for a corresponding virtualization platform and Ansible
  • A deployed version of DetectionLab for ATA cases (https://www.detectionlab.network/introduction/prerequisites/)
  • From the GOADv2 project, we will use DC01, DC02, SRV01, and SRV03

Enumeration using built-in capabilities

In our scenario, we have established an initial foothold, successfully identifying and evading defensive security measures. For the next step, we need a better understanding of the environment we have landed in. All our reconnaissance actions could be under close monitoring by the blue team. Later, we will run various commands and tools, examine Windows event logs, and generate traffic. The purpose of such an exercise is to understand what protocols are used under the hood and what indicators of compromise can be left during enumeration.

Before jumping to the hands-on part, let us go through a brief overview of the enumeration methodology we are going to follow. My approach will be to go from a higher level of abstraction to a lower one.

PowerShell cmdlet

We are going to enumerate an Active Directory environment, starting with forests, domains, and trust relationships between them. For the next step, we will enumerate each domain separately...

Enumeration tools

The most common tools used for domain enumeration are PowerView or SharpView and SharpHound together with BloodHound.

SharpView/PowerView

SharpView[10] is a .NET port of PowerView[11]. This tool has a wide variety of methods that can improve and speed up the enumeration process in complex environments. I can recommend reading the PowerView wiki[12], as it explains in detail how the tool runs queries. Let us grab the version from GitHub, compile it, and follow our methodology. We will not run Wireshark for every command, but choose one as an example to understand what traces are left behind. To make our life easier, I used the Get-DomainSID command:

Figure 3.10 – Result of the Get-DomainSID command

The following Wireshark capture shows a few DNS requests for the domain LDAP SRV, then a mix of CLDAP and LDAP queries/responses, together with Kerberos authentication. Overall, 265 packets were captured:

Figure 3.11 – Wireshark capture for the Get-DomainSID command
...

Enumerating services and hunting for users

To continue our enumeration, the next step will be to identify available services, file and SQL servers, and the privileged users’ activity in the domain. As we discussed at the beginning of this chapter, our target is to get access to critical data and services in the compromised environment.

SPN

Service Principal Names (SPNs) are the names by which a Kerberos client uniquely identifies instances of a service for a given Kerberos target computer. There is a comprehensive list of known SPNs for Active Directory held by PyroTek3[20]. We can use it to better understand which services present in the domain use Kerberos authentication.

We can enumerate SPNs in the domain by using the setspn utility or SharpView; the following commands find users and computers with SPNs:

Get-DomainComputer -ServicePrincipalName "*"
Get-DomainUser -SPN
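As an added example that is not from the book or from the PowerView/SharpView projects, the following Python detector takes the defender's side of this passage: it scans constructed directory-search log lines for the LDAP filters that SPN, trust and unconstrained-delegation lookups of this kind typically produce on the wire, and reports clients that issue several of them. The log line format, client addresses and sample filters are assumptions.

```python
import re
from collections import defaultdict
# Constructed log lines in an assumed "<client_ip> filter=<ldap filter>" format;
# addresses and values are placeholders, not real DetectionLab/GOAD data.
SAMPLE_LOG = """\
10.0.1.50 filter=(&(samAccountType=805306368)(servicePrincipalName=*))
10.0.1.50 filter=(&(samAccountType=805306369)(servicePrincipalName=*))
10.0.1.50 filter=(objectClass=trustedDomain)
10.0.1.50 filter=(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))
10.0.1.21 filter=(&(objectClass=user)(sAMAccountName=jon.snow))
10.0.1.21 filter=(&(objectClass=user)(sAMAccountName=jon.snow))
"""

# Signatures: (label, regex over the lower-cased, whitespace-free filter).
# samAccountType 805306368 = user, 805306369 = computer; UAC bit 524288 = TRUSTED_FOR_DELEGATION.
SIGNATURES = [
    ("spn_users", re.compile(r"samaccounttype=805306368.*serviceprincipalname=\*")),
    ("spn_computers", re.compile(r"samaccounttype=805306369.*serviceprincipalname=\*")),
    ("trusts", re.compile(r"objectclass=trusteddomain")),
    ("unconstrained_delegation",
     re.compile(r"useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=524288")),
]
LINE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+filter=(?P<filter>\(.*\))$")

def parse_line(line):
    """Return (client_ip, ldap_filter), or None when the line is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    return (m.group("ip"), m.group("filter")) if m else None

def classify_filter(ldap_filter):
    """Return the signature labels an LDAP search filter matches (empty list if benign)."""
    normalized = ldap_filter.lower().replace(" ", "")
    return [label for label, rx in SIGNATURES if rx.search(normalized)]

def analyze(log_text, min_signatures=2):
    """Collect distinct signatures per client; return ({ip: [labels]}, [suspect ips])."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ldap_filter = parsed
            per_client[ip].update(classify_filter(ldap_filter))
    hits = {ip: sorted(labels) for ip, labels in per_client.items()}
    suspects = sorted(ip for ip, labels in hits.items() if len(labels) >= min_signatures)
    return hits, suspects

if __name__ == "__main__":
    hits, suspects = analyze(SAMPLE_LOG)
    for ip in suspects:
        print(f"{ip}: {', '.join(hits[ip])}")
```

Raising min_signatures trades recall for fewer alerts on single, legitimate administrative lookups.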

To get all SPNs with the setspn utility, we can run the following...

Enumeration detection evasion

Enumeration can be a noisy process if tools are used without precautions. Also, defenders hunt for reconnaissance activities by using security products and deception methods. These methods are like a hidden bell in a dark room – you need to know where it is located to avoid detection. We will cover Microsoft ATA and its successor, Microsoft Defender for Identity (MDI), together with honey tokens.

Microsoft ATA

Microsoft Advanced Threat Analytics (ATA) is an on-premises platform that helps to protect enterprises from threats. Extended support ends in 2026, so it makes sense to quickly cover it.

In this section, we will discuss only detections for recon methods; other attacks and bypasses will be covered in respective chapters. In general, ATA parses the network traffic of multiple protocols to detect malicious activity. It’s important to mention that it will take time for the tool to learn the normal behavior of the users and machines...

Summary

In this chapter, we discussed available tools and protocols that attackers can use for enumeration activity. We briefly covered tooling internals to get a clear insight into the traces we left. Our methodology was to enumerate from a high level to a low level inside the environment. One of the key ideas was that enumeration is a constant process. At the end of the chapter, we went through some OpSec concerns and saw how a blue team can deceive attackers.

In the next chapter, we will cover credential access from a domain point of view. We will not spend time on endpoint credential access; rather, we will explore things such as Kerberoasting, gMSA, LAPS, different types of coerced authentication, how to abuse writable shares, and more.

Further reading

These will aid further study and allow you to dive deeper into the attacks covered in the chapter:
