4. Enumerating a Domain-Joined Machine

Goal: Understand the machine’s role, who’s logged in, what privileges are available, and how it connects to the rest of the domain.

Objectives

graph TD
    A[Foothold on Domain Machine] --> B[Check Current User and Groups]
    B --> C[Check Logged-on Users and Sessions]
    C --> D[Enumerate Local Shares and Services]
    D --> E[Run Domain Recon Tools e.g., PowerView, BloodHound]
    E --> F[Identify Next Targets or Priv Esc Vectors]

Techniques and Tools

| Task | Tool/Command | Notes |
|---|---|---|
| Whoami and System Info | whoami, hostname, systeminfo, $env:UserDomain | Check context and domain membership |
| Logged-on Users | quser, query user, Get-WmiObject | See who else is active on the box |
| Local Groups and Members | net localgroup, Get-LocalGroupMember, Get-NetLocalGroup | Check for Admins, RDP users |
| Mapped Drives and Shares | net share, net use, Get-SmbShare, smbclient | Look for sensitive shares |
| Scheduled Tasks and Services | schtasks /query, Get-Service | Possible persistence or privilege escalation vector |
| AD Enumeration (PowerView) | Get-DomainUser, Get-DomainGroup, Find-LocalAdminAccess | Gather domain layout and privilege mapping |
| BloodHound Collection | bloodhound-python, SharpHound.exe, IngestLDS.ps1 | Build graph of attack paths |
| File System Hunting | where, dir /s, search -f *.kdbx or *.xml, *.config | Hunt for secrets, passwords, configs |
| Token Impersonation Check | whoami /groups, whoami /priv | Look for impersonation or delegation rights |

Example: PowerView Basic Usage

Import-Module .\PowerView.ps1                     # load PowerView into the current session
Get-DomainUser -SPN                               # domain users that have a service principal name set
Get-DomainGroupMember -Identity "Domain Admins"   # members of the Domain Admins group
Find-LocalAdminAccess                             # hosts where the current user has local admin rights

Example: BloodHound Collection

# -u/-p: domain credentials, -ns: DNS server for the domain, -d: domain name, -c all: every collection method
bloodhound-python -u damundsen -p 'SQL1234!' -ns 172.16.5.5 -d inlanefreight.local -c all
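A defender-side example added here, not part of the original notes: Find-LocalAdminAccess and bloodhound-python -c all both touch every reachable host as one account within seconds, which shows up in Security logs as a burst of network logons (Event ID 4624, logon type 3) to many distinct hosts. The script below flags that fan-out over constructed sample events; the account names, host names and the 5-hosts-in-2-minutes threshold are assumptions for illustration.

```python
"""Flag logon fan-out: one account producing network logons (Event ID 4624,
logon type 3) to many distinct hosts inside a short window, the pattern that
Find-LocalAdminAccess and BloodHound session collection leave in the logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the page): "timestamp,account,target_host".
# Assumes a pipeline has already filtered to type-3 (network) logons.
SAMPLE_4624 = """\
2024-05-01T10:00:01,CORP\\damundsen,WS01
2024-05-01T10:00:04,CORP\\damundsen,WS02
2024-05-01T10:00:09,CORP\\damundsen,FS01
2024-05-01T10:00:15,CORP\\damundsen,WS03
2024-05-01T10:00:21,CORP\\damundsen,SQL01
2024-05-01T10:00:30,CORP\\damundsen,WS04
2024-05-01T09:15:00,CORP\\jdoe,FS01
2024-05-01T10:40:00,CORP\\jdoe,WS02
2024-05-01T01:00:00,CORP\\svc_backup,FS01
2024-05-01T02:00:00,CORP\\svc_backup,FS02
2024-05-01T03:00:00,CORP\\svc_backup,SQL01
2024-05-01T04:00:00,CORP\\svc_backup,WS01
2024-05-01T05:00:00,CORP\\svc_backup,WS02
2024-05-01T06:00:00,CORP\\svc_backup,WS03
"""


def parse_events(text):
    """Return {account: list of (timestamp, host)} sorted by time per account."""
    by_account = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host = line.split(",")
        by_account[account].append((datetime.fromisoformat(ts), host))
    for evs in by_account.values():
        evs.sort()
    return by_account


def find_fanout(events, window_seconds=120, threshold=5):
    """Return {account: sorted hosts} for every account that reaches `threshold`
    distinct target hosts within any sliding interval of `window_seconds`."""
    hits = {}
    for account, evs in events.items():
        for i, (start, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(hosts) >= threshold:
                hits[account] = sorted(hosts)
                break  # one hit per account is enough to raise an alert
    return hits


if __name__ == "__main__":
    for account, hosts in find_fanout(parse_events(SAMPLE_4624)).items():
        print(f"fan-out from {account}: {len(hosts)} hosts {hosts}")
```

The backup account in the sample touches the same number of hosts but spread over hours, so it only trips the rule if the window is widened; tune both knobs to the environment's normal admin activity.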

Pro Tips