Active Directory Reconnaissance: In-Depth Analysis of Attacker Techniques
Attackers leverage standard tools and legitimate privileges to conduct reconnaissance in Active Directory (AD). If undetected, this phase enables lateral movement and privilege escalation. This article dissects advanced commands used in real-world attacks and provides defensive countermeasures.

1. 🕵️ Attack Phase Breakdown: Key Reconnaissance Commands

1-1. Initial Information Gathering (Low-Privilege Context)

```powershell
# Domain Structure Discovery 🌐
nltest /dsgetdc:(DomainName)                    # Identify Domain Controllers
Get-ADDomain | FL DNSRoot,DistinguishedName     # Extract DNS Data

# User/Group Enumeration 👥
net group "Domain Admins" /domain               # List Privileged Group Members
Get-ADUser -Filter * -Properties MemberOf | Where {$_.MemberOf -match "Admin"}   # Extract Admin Accounts
```

Attacker Objectives: Identify admin/service accounts, outdated password policies, and legacy systems.

...
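As an added detection example (not part of the original article), the Python below scans process-creation telemetry for the four command families listed above and raises an alert when one user on one host runs two or more distinct families inside a short window, which separates a recon sweep from an admin running a single query. It assumes events already reduced to ts/host/user/cmdline fields (as from Security event 4688 with command-line logging, or Sysmon Event ID 1); the sample records are constructed.

```python
"""Correlate AD reconnaissance command families in process-creation events.
Added example; SAMPLE_EVENTS are constructed records, not real telemetry."""
import re
from collections import defaultdict

# One case-insensitive regex per command family shown in the article.
# Tolerates .exe suffixes, net1.exe, and optional quoting of the group name.
RECON_PATTERNS = {
    "dc_discovery":    re.compile(r"\bnltest(?:\.exe)?\b.*?/dsgetdc:", re.I),
    "domain_info":     re.compile(r"\bGet-ADDomain\b", re.I),
    "priv_group_enum": re.compile(r"\bnet1?(?:\.exe)?\s+group\s+\"?domain admins\"?\s+/domain\b", re.I),
    "admin_user_enum": re.compile(r"\bGet-ADUser\b.*?-Filter\s+\*", re.I),
}

def classify(cmdline: str) -> set:
    """Return the set of recon families a single command line matches."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(cmdline)}

def detect_recon(events, window=300, min_categories=2):
    """One alert per (host, user) that runs >= min_categories distinct recon
    families within `window` seconds. `events` is a time-sorted iterable of
    dicts with keys ts (epoch seconds), host, user, cmdline."""
    history = defaultdict(list)   # (host, user) -> [(ts, family), ...] inside window
    alerts = {}                   # (host, user) -> alert dict (latest family set wins)
    for ev in events:
        key = (ev["host"], ev["user"])
        for family in classify(ev["cmdline"]):
            recent = [(t, f) for t, f in history[key] if ev["ts"] - t <= window]
            recent.append((ev["ts"], family))
            history[key] = recent
            families = {f for _, f in recent}
            if len(families) >= min_categories:
                alerts[key] = {"host": ev["host"], "user": ev["user"],
                               "ts": ev["ts"], "categories": sorted(families)}
    return list(alerts.values())

# Constructed 4688-style records: a low-privilege user sweeping the domain from
# WS01, a service account running one legitimate query on DC01, and noise.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS01", "user": "CORP\\jdoe", "cmdline": "nltest.exe /dsgetdc:corp.local"},
    {"ts": 1020, "host": "WS01", "user": "CORP\\jdoe", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": 1100, "host": "WS01", "user": "CORP\\jdoe", "cmdline": "powershell.exe Get-ADUser -Filter * -Properties MemberOf"},
    {"ts": 1150, "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "powershell.exe Get-ADDomain | FL DNSRoot"},
    {"ts": 1200, "host": "WS02", "user": "CORP\\asmith", "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_EVENTS):
        print(alert)   # only WS01 / CORP\jdoe is flagged, with three families
```

Tune `window` and `min_categories` to the environment; the single Get-ADDomain call on DC01 stays below the threshold by design.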