Reconnaissance

User Hunting

Identify where high-value users are logged in, find admin sessions on compromisable systems, and map user-to-system relationships for targeted attacks.

```mermaid
flowchart TD
    A[Identify High-Value Users] --> B[Find User Sessions]
    B --> C[Locate Accessible Systems]
    C --> D[Plan Attack Path]
    A --> A1[Domain Admins]
    A --> A2[Service Accounts]
    A --> A3[IT Staff]
    B --> B1[Session Enum]
    B --> B2[Logged On Users]
    style A fill:#00ff00,stroke:#000,color:#000
    style D fill:#ff6b6b,stroke:#000,color:#000
```

Identifying Target Users

High-Value Targets

```powershell
# PowerView - Domain Admins
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# Enterprise Admins
Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse

# Backup Operators (can extract NTDS.dit)
Get-DomainGroupMember -Identity "Backup Operators" -Recurse

# Users with adminCount (protected users)
Get-DomainUser -AdminCount | Select-Object samaccountname
```

Service Accounts

```powershell
# Find service accounts - often overprivileged
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname, memberof

# Accounts with password never expires
Get-DomainUser -PasswordNeverExpires | Select-Object samaccountname, memberof

# gMSA accounts (PowerShell AD module)
Get-ADServiceAccount -Filter *
```

Session Enumeration

Warning

Session enumeration requires local admin on target systems or specific permissions. This generates logs and may be detected.

PowerView Session Hunting

```powershell
# Find where domain admins are logged in
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"

# Find sessions for a specific user
Find-DomainUserLocation -UserIdentity "administrator"

# Check specific computers
Get-NetSession -ComputerName "WORKSTATION01"

# Get logged on users
Get-NetLoggedon -ComputerName "WORKSTATION01"

# Find local admin access - where the current user is admin
Find-LocalAdminAccess
```

CrackMapExec Session Enum

```bash
# Enumerate sessions (requires admin)
crackmapexec smb targets.txt -u user -p password --sessions

# Find logged on users
crackmapexec smb targets.txt -u user -p password --loggedon-users

# NetExec version
nxc smb targets.txt -u user -p password --sessions
nxc smb targets.txt -u user -p password --loggedon-users
```
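The warning above notes that session enumeration generates logs. As an added example, not from the original page, the Python below shows the defender's side of both the PowerView and the CrackMapExec/NetExec session hunting just covered: it scans constructed Event ID 4624 records for one account reaching many hosts over network logons within minutes, which is the footprint such a sweep leaves. Host names, accounts and addresses are invented.

```python
# Added example, not from the original page: flag the logon burst that
# PowerView session hunting or CME/NetExec --sessions leaves behind. Each
# probed host records a network logon (4624, type 3) from the same source.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4624 records: (timestamp, host, logon_type, account, source_ip).
# Accounts, hosts and addresses are invented for the example.
EVENTS = [
    # one account reaching six workstations in 15 seconds: enumeration pattern
    ("2024-05-01T09:00:01", "WS01", 3, "CORP\\jdoe", "10.0.0.50"),
    ("2024-05-01T09:00:03", "WS02", 3, "CORP\\jdoe", "10.0.0.50"),
    ("2024-05-01T09:00:06", "WS03", 3, "CORP\\jdoe", "10.0.0.50"),
    ("2024-05-01T09:00:09", "WS04", 3, "CORP\\jdoe", "10.0.0.50"),
    ("2024-05-01T09:00:12", "WS05", 3, "CORP\\jdoe", "10.0.0.50"),
    ("2024-05-01T09:00:15", "WS06", 3, "CORP\\jdoe", "10.0.0.50"),
    # a file share and a print server: ordinary user activity
    ("2024-05-01T09:01:00", "FS01", 3, "CORP\\asmith", "10.0.0.51"),
    ("2024-05-01T09:02:30", "PRINT01", 3, "CORP\\asmith", "10.0.0.51"),
    # interactive logon (type 2) is not a remote session probe
    ("2024-05-01T09:03:00", "WS07", 2, "CORP\\bkim", "10.0.0.52"),
    # a backup account touching five servers, but hours apart
    ("2024-05-01T01:00:00", "SRV01", 3, "CORP\\svc_backup", "10.0.0.9"),
    ("2024-05-01T02:00:00", "SRV02", 3, "CORP\\svc_backup", "10.0.0.9"),
    ("2024-05-01T03:00:00", "SRV03", 3, "CORP\\svc_backup", "10.0.0.9"),
    ("2024-05-01T04:00:00", "SRV04", 3, "CORP\\svc_backup", "10.0.0.9"),
    ("2024-05-01T05:00:00", "SRV05", 3, "CORP\\svc_backup", "10.0.0.9"),
]

def max_hosts_in_window(entries, window):
    """Most distinct hosts one source logged on to inside any single window."""
    entries = sorted(entries)
    best, lo = 0, 0
    for hi, (ts, _) in enumerate(entries):
        while ts - entries[lo][0] > window:   # slide the window start forward
            lo += 1
        best = max(best, len({host for _, host in entries[lo:hi + 1]}))
    return best

def detect_sweeps(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {(account, source_ip): host_count} for sources exceeding the threshold."""
    by_source = defaultdict(list)
    for ts, host, logon_type, account, src in events:
        if logon_type == 3:   # network logon: what SMB session enumeration produces
            by_source[(account, src)].append((datetime.fromisoformat(ts), host))
    return {key: n for key, entries in by_source.items()
            if (n := max_hosts_in_window(entries, window)) >= min_hosts}

if __name__ == "__main__":
    for (account, src), n in detect_sweeps(EVENTS).items():
        print(f"possible session sweep: {account} from {src} hit {n} hosts")
```

Tune `window` and `min_hosts` to the environment; a backup or monitoring account that legitimately touches many hosts should be allow-listed by name rather than by raising the threshold for everyone.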

BloodHound Queries

Information

BloodHound Cypher queries help identify attack paths. Run these in the BloodHound GUI Raw Query box. Use the built-in queries for common searches.

Common BloodHound pre-built queries:

  • Find all Domain Admins
  • Find Shortest Path to Domain Admins
  • Find Computers where Domain Users are Local Admin
  • Shortest Path from Owned Principals
  • Find users with foreign domain group membership

Local Admin Hunting

Find Where You Have Admin

```powershell
# PowerView - Check admin access
Find-LocalAdminAccess -Verbose

# Threaded version (faster)
Find-LocalAdminAccess -ComputerFile computers.txt -Threads 20
```

```bash
# CrackMapExec spray for admin access
crackmapexec smb targets.txt -u user -p password

# NetExec
nxc smb targets.txt -u user -p password
```

Local Admin Group Members

```powershell
# Who is local admin on a computer
Get-NetLocalGroupMember -ComputerName "WORKSTATION01" -GroupName "Administrators"

# Find computers where a specific user is local admin
Get-DomainGPOUserLocalGroupMapping -Identity "targetuser"
```

Network Share Hunting

```powershell
# Find interesting shares
Find-DomainShare -CheckShareAccess
```

```bash
# CrackMapExec spider shares
crackmapexec smb target -u user -p password -M spider_plus

# Manual share hunting
smbclient -L //TARGET -U user%password
smbclient //TARGET/share -U user%password
```

Attack Path Planning

```mermaid
flowchart TD
    A[Current Access] --> B[Admin on any system?]
    B -->|Yes| C[Check for DA sessions]
    B -->|No| D[Find credential opportunities]
    C --> E[DA session found?]
    E -->|Yes| F[Extract credentials]
    E -->|No| G[Pivot to new system]
    D --> H[LLMNR/Responder]
    D --> I[Kerberoast]
    D --> J[AS-REP Roast]
    F --> K[Domain Admin!]
    G --> B
    style K fill:#00ff00,stroke:#000,color:#000
    style A fill:#a855f7,stroke:#000,color:#000
```

Strategy

```powershell
# Step-by-step user hunting workflow

# 1. Find where you have admin access
Find-LocalAdminAccess > my_admin_access.txt

# 2. Identify high-value targets
Get-DomainGroupMember -Identity "Domain Admins" | Select-Object MemberName

# 3. Find where targets have sessions
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"

# 4. Cross-reference with your access
# If a DA is on a system you have admin access to:
# - Dump credentials with Mimikatz
# - Token impersonation
# - Hash extraction from LSASS
```

Quick Reference

| Task | Tool | Command |
| --- | --- | --- |
| Find DA sessions | PowerView | `Find-DomainUserLocation -UserGroupIdentity "Domain Admins"` |
| My admin access | PowerView | `Find-LocalAdminAccess` |
| Sessions on host | CrackMapExec | `cme smb TARGET -u user -p pass --sessions` |
| Logged on users | CrackMapExec | `cme smb TARGET -u user -p pass --loggedon-users` |
| Attack paths | BloodHound | Shortest Path to Domain Admin |