Once inside a network, attackers disguise themselves as normal,authenticated users. This ensures they won’t be detected during any reconnaissance or lateral movement activities. Once completed, they return information about any and all resources inside, including: users, servers, applications, identities, and naming conventions. With this information, attackers then assemble their plan to move laterally and ultimately steal data, encrypt computers, or sabotage the organization.
Fundamental Reconnaissance
| Command | Description |
| whoami | Tells us which user we are authenticated as |
| gpresult | Gives us the effective userpermissions and the grouppolicies enabled of the account |
| nltest /dclist:domain.demo | Lists all Domain Controllers |
| [System.DirectoryServices. ActiveDirectory Forest]::GetCurrent Forest(). Sites | select Name, Subnets | Shows us the Subnets of the network |
Servers, Computers & Applications Reconnaissance
| Command | Description |
| net group "domain computers" /domain | Gives us a full list of all the workstations and servers joined to the domain |
| ([adsisearcher]”(&(objectClass= Computer)(name=**))”).FindAll ().properties | Giv es us all attribut es associated with a particular computer |
| ([adsisearcher]”(&(objectClass
=Computer)(servicePrincipal
Name=*X*))”).FindAll() | Enumerates all of the computers and servers in the domain that are running X application (dfs, MSSQL) |
Identities, Credentials & Privileged Users
Reconnaissance
| Command | Description |
| net group "domain admins" /domain | Gives us a list of the designated administrators joined to the domain |
| ([adsisearcher]”(&(objectClass=person)(objectClass=User)(admincount=1))”). FindAll() | Filters for all privileged accounts |
| ([adsisearcher]”(&(objectClass=person)(objectClass=User)(name=**))”).FindAll().properties | Gives usa ll attributes associated with a particular user |
| [adsisearcher]”(&(objectClass=User)(primarygroupid=513(servicePrincipalName=*))”).FindAll() | ForEach-Object{ "Name: $($_.properties.name)""SPN:$($_.properties.serviceprincipalname)""Path: $($_.Path)"""} | Enumerates all of the crackable service accounts |
