Net Commands (From Domain-Joined Host)
PowerShell AD Module
dsquery
ldapsearch (Linux)
Users
Groups
Domain Admins
SPNs (Kerberoastable)
Key Objects to Enumerate
| Object | Why |
|---|---|
| Domain Admins | High-value targets |
| Service accounts | Kerberoasting candidates |
| Domain Controllers | Core infrastructure |
| Trusts | Lateral movement paths |
| GPOs | Policy misconfigurations |
| OUs | Structure understanding |
| DNS records | Internal host discovery |
Quick Reference
| Task | Command |
|---|---|
| List users | net user /domain |
| Domain admins | net group "Domain Admins" /domain |
| LDAP enum | ldapsearch -x -H ldap://DC -b "DC=dom,DC=local" |
| SPNs | ldapsearch ... "(servicePrincipalName=*)" |
| Trusts | nltest /domain_trusts |