Mastering Active Directory Enumeration with


Introduction

Active Directory (AD) enumeration is a critical phase in penetration testing and red teaming, enabling attackers (and defenders) to gather vital information about domain infrastructure. Fady Assaad, a Senior Cybersecurity CSA at Microsoft, recently shared an update on Invoke-DomainEnumeration, a PowerShell tool that enhances AD reconnaissance. This article explores key checks added to the tool, including MAQ, DC enumeration, ADCS web enrollment, and HTTP NTLM authentication detection.

Learning Objectives

  • Understand the role of `Invoke-DomainEnumeration` in AD security assessments.
  • Learn how to enumerate domain controllers, ADCS web enrollment, and NTLM authentication.
  • Apply PowerShell commands to perform efficient AD reconnaissance.

1. Enumerating MAQ (Machine Account Quota)

Command:

Invoke-DomainEnumeration -MAQ 

What It Does:

This command retrieves the Machine Account Quota (MAQ), which defines how many computer accounts a user can add to the domain. A high MAQ could allow attackers to create malicious machine accounts for persistence.

Step-by-Step Guide:

1. Open PowerShell with administrative privileges.

2. Load the module (if not auto-imported):

Import-Module .\Invoke-DomainEnumeration.ps1 

3. Execute the command to check MAQ:

Invoke-DomainEnumeration -MAQ 

4. Review the output for the `ms-DS-MachineAccountQuota` attribute.
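The following is an added example, not part of Invoke-DomainEnumeration or Fady Assaad's code: it reads the same `ms-DS-MachineAccountQuota` attribute with plain ADSI (so no RSAT module is needed), rates the result from a defender's point of view, and shows the remediation command. The function name `Get-MachineAccountQuotaFinding` and the High/Low rating are this example's own choices.

```powershell
# Added example (not part of Invoke-DomainEnumeration): read the domain's
# ms-DS-MachineAccountQuota via ADSI and report whether it still lets
# ordinary users join computers to the domain.
function Get-MachineAccountQuotaFinding {
    # RootDSE tells us the naming context of the domain this host is joined to.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDn"

    # The attribute may be absent on hardened domains; treat missing as 0.
    $rawQuota = $domain.Properties['ms-DS-MachineAccountQuota'].Value
    $quota    = if ($null -eq $rawQuota) { 0 } else { [int]$rawQuota }

    [PSCustomObject]@{
        Domain   = $domainDn
        Quota    = $quota
        Risk     = if ($quota -gt 0) { 'High' } else { 'Low' }
        Guidance = if ($quota -gt 0) {
            "Any authenticated user may add up to $quota computer objects. " +
            'Set the quota to 0 and delegate computer joins to a dedicated group.'
        } else {
            'Quota is 0: only delegated principals can create computer objects.'
        }
    }
}

# Remediation (needs the ActiveDirectory RSAT module and Domain Admin rights):
#   Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

Get-MachineAccountQuotaFinding | Format-List
```

Run it from any domain-joined host as a regular domain user; reading the attribute requires no special rights, which is exactly why it is worth auditing. Creating computer objects is also logged (event ID 4741 on the domain controller), so a quota of 0 plus alerting on that event covers both prevention and detection.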

2. Discovering Domain Controllers and OS Versions

Command:

Invoke-DomainEnumeration -DCs 

What It Does:

Lists all domain controllers (DCs) along with their operating systems. Older OS versions (e.g., Windows Server 2012) may have unpatched vulnerabilities.

Step-by-Step Guide:

1. Run the command in a domain-joined PowerShell session:

Invoke-DomainEnumeration -DCs 

2. Analyze the output for DC names and OS versions.

3. Cross-reference with known exploits (e.g., ZeroLogon for older DCs).
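As an added example (not the tool's own output or code), the inventory below uses the ActiveDirectory RSAT module's `Get-ADDomainController` to list every DC with its OS and version, and flags the ones whose OS family is out of support. The `$unsupported` prefix list is this example's assumption (Windows Server 2008/2008 R2 and 2012/2012 R2 have left extended support); adjust it to your own lifecycle policy.

```powershell
# Added example (not from Invoke-DomainEnumeration): inventory domain
# controllers and flag those running an out-of-support OS family.
Import-Module ActiveDirectory

function Get-DomainControllerOsFinding {
    # Assumed end-of-support list; prefix match so "2012 R2" is caught as well.
    $unsupported = @('Windows Server 2008', 'Windows Server 2012')

    Get-ADDomainController -Filter * | ForEach-Object {
        $os    = $_.OperatingSystem
        $isOld = $false
        foreach ($prefix in $unsupported) {
            if ($os -like "$prefix*") { $isOld = $true }
        }
        [PSCustomObject]@{
            Name      = $_.HostName
            IPv4      = $_.IPv4Address
            Site      = $_.Site
            OS        = $os
            OSVersion = $_.OperatingSystemVersion   # build number, e.g. 10.0 (20348)
            Finding   = if ($isOld) { 'Out of support: plan decommission, restrict exposure' }
                        else        { 'Supported: verify patch level against the build' }
        }
    }
}

Get-DomainControllerOsFinding | Sort-Object Finding, Name | Format-Table -AutoSize
```

The `OSVersion` column is the useful one for patch verification: the OS name alone does not tell you whether a monthly cumulative update is missing, whereas the build number can be compared against your patch baseline.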

3. Checking for ADCS Web Enrollment

Command:

Invoke-DomainEnumeration -ADCSWebEnrollment 

What It Does:

Identifies whether Active Directory Certificate Services (ADCS) web enrollment is enabled, which could be abused for privilege escalation (e.g., Certifried attack).

Step-by-Step Guide:

1. Execute the command:

Invoke-DomainEnumeration -ADCSWebEnrollment 

2. If enabled, check for misconfigurations:

Get-ChildItem -Path Cert:\LocalMachine\My 

3. Exploit vulnerable templates using tools like Certify.

4. Detecting HTTP NTLM Authentication

Command:

Invoke-DomainEnumeration -NTLM 

What It Does:

Scans for HTTP endpoints allowing NTLM authentication, which is susceptible to NTLM relay attacks.

Step-by-Step Guide:

1. Run the command:

Invoke-DomainEnumeration -NTLM 

2. If NTLM is enabled, test for relay vulnerabilities:

sudo ntlmrelayx.py -tf targets.txt -smb2support 

3. Mitigate by disabling NTLM or enforcing SMB signing.
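Sections 3 and 4 both come down to the same question: which HTTP endpoints in the domain answer an anonymous request with an NTLM challenge? The added example below (not Invoke-DomainEnumeration's own code) serves both. It finds the enterprise CAs published under the configuration partition's `Enrollment Services` container, probes their `/certsrv/` web-enrollment URLs over both HTTP and HTTPS, and inspects the `WWW-Authenticate` header; `$extraUrls` is a constructed, empty placeholder where you would add your own intranet applications. Function names and the finding texts are this example's assumptions. Run it only against infrastructure you are authorised to audit.

```powershell
# Added example (not Invoke-DomainEnumeration's own code): audit ADCS web
# enrollment endpoints, and any other internal URLs, for NTLM challenges.

function Get-EnterpriseCaHost {
    # Enterprise CAs are registered as pKIEnrollmentService objects here.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configDn = [string]$rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configDn"
    $searcher.Filter     = '(objectClass=pKIEnrollmentService)'
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($r in $searcher.FindAll()) {
        # SearchResult property names are returned lower-cased.
        [PSCustomObject]@{
            CA   = [string]$r.Properties['cn'][0]
            Host = [string]$r.Properties['dnshostname'][0]
        }
    }
}

function Test-NtlmHttpEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method  = 'GET'
    $req.Timeout = 5000
    $req.UseDefaultCredentials = $false   # stay anonymous so the server sends its challenge
    $status = $null; $auth = $null; $err = $null
    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $auth   = $resp.Headers['WWW-Authenticate']
        $resp.Close()
    } catch [System.Net.WebException] {
        # A 401 surfaces as a WebException that still carries the response.
        $resp = $_.Exception.Response
        if ($resp) {
            $status = [int]$resp.StatusCode
            $auth   = $resp.Headers['WWW-Authenticate']
            $resp.Close()
        } else {
            $err = $_.Exception.Message   # DNS failure, timeout, untrusted cert, ...
        }
    }
    # Negotiate is counted too: without EPA/channel binding it can fall back to NTLM.
    $ntlm = [bool]($auth -match 'NTLM|Negotiate')
    [PSCustomObject]@{
        Url      = $Url
        Status   = $status
        Auth     = $auth
        NtlmAuth = $ntlm
        Finding  = if ($ntlm -and $Url -like 'http://*') { 'NTLM over cleartext HTTP: relayable, require HTTPS' }
                   elseif ($ntlm) { 'NTLM over HTTPS: enable Extended Protection (EPA) or disable if unused' }
                   elseif ($err)  { "Unreachable: $err" }
                   else           { 'No NTLM challenge observed' }
    }
}

# Constructed target list: both schemes for every enterprise CA, plus your own URLs.
$extraUrls = @()   # e.g. 'https://intranet.example.test/' (placeholder, none added)
$caUrls = foreach ($ca in Get-EnterpriseCaHost) {
    "http://$($ca.Host)/certsrv/"
    "https://$($ca.Host)/certsrv/"
}
(@($caUrls) + @($extraUrls)) | Where-Object { $_ } |
    ForEach-Object { Test-NtlmHttpEndpoint -Url $_ } |
    Format-Table Url, Status, NtlmAuth, Finding -AutoSize
```

Read the results with the mitigations in mind: if web enrollment is not needed, uninstall the role; if it is, bind it to HTTPS only and turn on Extended Protection for Authentication so a relayed NTLM handshake fails channel binding. For the SMB side of step 3, `Set-SmbServerConfiguration -RequireSecuritySignature $true` (or the equivalent Group Policy setting) enforces signing on a server, and an HTTPS-only endpoint that still answers with a Negotiate/NTLM challenge will show up here as a reminder to revisit the NTLM restriction policies.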

5. Bonus: Combining Checks for Full Enumeration

Command:

Invoke-DomainEnumeration -Full 

What It Does:

Performs all checks (MAQ, DCs, ADCS, NTLM) in a single sweep for comprehensive reconnaissance.

Step-by-Step Guide:

1. Execute the full scan:

Invoke-DomainEnumeration -Full 

2. Export results for reporting:

Invoke-DomainEnumeration -Full | Out-File "AD_Report.txt" 

What Undercode Say

  • Key Takeaway 1: `Invoke-DomainEnumeration` streamlines AD reconnaissance, reducing manual effort for red teams and defenders.
  • Key Takeaway 2: MAQ, DC OS versions, ADCS, and NTLM checks are critical for identifying attack paths in AD environments.

Analysis:

Fady Assaad’s update highlights the evolving sophistication of AD enumeration tools. As attackers refine techniques like NTLM relay and certificate theft, defenders must automate checks to harden environments. Expect more PowerShell-based tools to integrate with MITRE ATT&CK frameworks, enabling real-time threat detection.

Prediction

AD enumeration tools will increasingly incorporate AI-driven anomaly detection, flagging suspicious queries (e.g., excessive DC scans) to thwart attackers. Meanwhile, red teams will leverage generative AI to craft stealthier PowerShell scripts, escalating the arms race in cybersecurity.

For more offensive security insights, follow Fady Assaad on LinkedIn or explore his certifications (OSCP, CISSP, CRTO, etc.).

Reported By: Fadyassaadhimself Htb – Hackers Feeds