Active Directory Enumeration Workflow

A repeatable, low-noise enumeration workflow for Active Directory environments — designed for internal red team engagements where the goal is high-value attack-path discovery without lighting up every detection in the SOC.

Overview

The objective of this workflow is to convert raw domain access into a structured attack graph: who owns what, who can act on whom, and where the most valuable misconfigurations live. The workflow scales from a single low-privileged user account up to post-compromise administrative inspection.

Phase 1 — Domain Discovery

  • Verify domain context, trust topology, and forest layout.
  • Enumerate domain controllers and replication partners.
  • List FSMO role holders and identify single points of failure.

Representative read-only queries (nltest ships with Windows; the Get-AD* cmdlets come from the ActiveDirectory RSAT module and need only a domain user account):

Import-Module ActiveDirectory
nltest /dclist:<domain>     # every DC the locator knows about in the domain
Get-ADDomain                # domain mode, DC list, and the PDCEmulator / RIDMaster / InfrastructureMaster FSMO holders
Get-ADTrust -Filter *       # each trust with Direction, ForestTransitive, and the SID-filtering flags
Get-ADForest                # forest mode, member domains, and the SchemaMaster / DomainNamingMaster FSMO holders

Phase 2 — Users, Groups & SPNs

  • Enumerate users, groups, group memberships, and protected groups (Domain Admins, Enterprise Admins, etc.).
  • Pull all servicePrincipalName values for Kerberoasting candidate selection.
  • Identify accounts with DONT_REQUIRE_PREAUTH for AS-REP roasting opportunities.
  • Map password policies and any fine-grained PSOs.
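
The four Phase 2 steps above carried out in one pass, as an added example that is not part of the original writeup. It assumes the ActiveDirectory RSAT module (Get-ADUser, Get-ADGroupMember, Get-ADDefaultDomainPasswordPolicy, Get-ADFineGrainedPasswordPolicy) and a domain-joined session running as a low-privileged user; the function names and the candidate ranking (adminCount, RC4-only encryption, password age) are this example's own choices, not the page's.

```powershell
# Added example, not from the original writeup. Assumes the ActiveDirectory RSAT module and a
# domain-joined, low-privileged session. Function names and the ranking heuristic are this example's own.
Import-Module ActiveDirectory

# LDAP matching rule OID for bitwise AND, used to test userAccountControl flags server-side.
$BitAnd               = '1.2.840.113556.1.4.803'
$UAC_DISABLED         = 2          # 0x2
$UAC_DONT_REQ_PREAUTH = 4194304    # 0x400000

function Get-KerberoastCandidates {
    # Enabled user objects with at least one SPN. krbtgt is excluded: its TGS is not crackable in practice.
    $filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))(!(userAccountControl:{0}:={1})))' -f $BitAnd, $UAC_DISABLED
    $props  = 'servicePrincipalName', 'PasswordLastSet', 'adminCount', 'msDS-SupportedEncryptionTypes'
    $order  = @(
        @{ Expression = 'AdminCount';      Descending = $true }
        @{ Expression = 'Rc4Only';         Descending = $true }
        @{ Expression = 'PasswordAgeDays'; Descending = $true }
    )

    Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            AdminCount      = [int]($_.adminCount -eq 1)      # stamped by AdminSDHolder: current or former protected-group member
            # Attribute absent/zero or no AES bits (0x8 AES128, 0x10 AES256) means the TGS comes back RC4 (etype 0x17).
            Rc4Only         = (-not $enc) -or (($enc -band 0x18) -eq 0)
            PasswordAgeDays = $age
            SPNs            = ($_.servicePrincipalName -join ';')
        }
    } | Sort-Object -Property $order
}

function Get-AsRepRoastCandidates {
    # Enabled accounts flagged DONT_REQUIRE_PREAUTH: an AS-REQ for them returns key material without a password.
    $filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:{0}:={1})(!(userAccountControl:{0}:={2})))' -f $BitAnd, $UAC_DONT_REQ_PREAUTH, $UAC_DISABLED
    Get-ADUser -LDAPFilter $filter -Properties PasswordLastSet, adminCount |
        Select-Object SamAccountName, PasswordLastSet, adminCount
}

function Get-ProtectedGroupMembers {
    # Recursive membership of the built-in Tier-0 groups. Enterprise/Schema Admins exist only in the forest root,
    # so those lookups fail quietly from a child domain.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators', 'Backup Operators'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
    }
}

function Get-PasswordPolicySummary {
    # The default domain policy, then any fine-grained PSOs, which override it (lowest Precedence wins) for the
    # principals in AppliesTo. Read both before any spraying so lockout thresholds are known per target.
    Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutObservationWindow
    Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo
}

# Usage: each function is a handful of LDAP reads; nothing here writes to the directory.
Get-KerberoastCandidates  | Format-Table -AutoSize
Get-AsRepRoastCandidates  | Format-Table -AutoSize
Get-ProtectedGroupMembers | Format-Table -AutoSize
Get-PasswordPolicySummary | Format-List
```

Filtering on userAccountControl with the bitwise matching rule keeps the selection on the DC side, so the client pulls back only the objects it will actually triage rather than every user in the domain; that is both faster and less of an LDAP-volume signal than the classic pull-everything-then-grep approach.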

Phase 3 — BloodHound Collection & Triage

Collect with SharpHound (or BloodHound.py from a Linux pivot), then triage edges that lead toward high-value targets. Default SharpHound collection contacts every domain-joined host for logged-on sessions and local group membership, which is the loudest step in this workflow; on a low-noise engagement start with DC-only collection (LDAP against the domain controllers) and widen it only where a candidate path needs session data. Priority queries:

  1. Shortest paths from owned principals to Domain Admins.
  2. Kerberoastable accounts with paths to high-value targets.
  3. Unconstrained & constrained delegation primitives.
  4. ACL abuse: WriteDacl, WriteOwner, GenericAll, ForceChangePassword.
  5. GPO edits that affect Tier-0 systems.

Phase 4 — Detection & Mitigation

Each technique has a corresponding detection opportunity. The blue team brief should include:

  • Anomalous LDAP queries from non-administrative workstations (with the Field Engineering diagnostic logging level raised, expensive and inefficient searches are logged as Directory Service Event ID 1644 with the client address and filter).
  • High-frequency Kerberos service ticket requests (Event ID 4769): one account requesting many distinct SPNs in a short window, especially with RC4 ticket encryption (0x17) in a domain where AES is the default.
  • BloodHound-style enumeration patterns at the LDAP layer: a single client paging through every user, group, computer and ACL object in minutes.
  • Privileged group membership changes outside change windows (Event IDs 4728, 4732, 4756).

Defender takeaway: Most AD compromise chains start with a benign-looking LDAP read. Detect the read, not just the write.
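
The 4769 detection described above run over sample data, as an added example that is not from the original page. Find-KerberoastBursts is a name chosen here; the events it processes are constructed samples embedded in the block (so it runs offline with no Security log), and the unique-SPN threshold and time window are assumptions to be tuned per environment. The commented Get-WinEvent lines show how live Security-log 4769 records map onto the same fields.

```powershell
# Added example, not from the original writeup. Runs on constructed sample 4769 records so it works offline;
# the commented Get-WinEvent block shows the live equivalent. Threshold and window are assumptions to tune.

# Constructed sample (not real telemetry): jdoe sweeps six service accounts with RC4 in 40 seconds from one
# workstation; asmith and the WS01$ machine account generate ordinary AES (0x12) traffic.
# In 4769 the ServiceName field is the sAMAccountName that owns the SPN, not the SPN string itself.
$SampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:00:00'; Account = 'jdoe@CORP.LOCAL';   Service = 'svc_sql';          Etype = '0x17'; Ip = '::ffff:10.0.20.15' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:00:05'; Account = 'jdoe@CORP.LOCAL';   Service = 'svc_web';          Etype = '0x17'; Ip = '::ffff:10.0.20.15' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:00:11'; Account = 'jdoe@CORP.LOCAL';   Service = 'svc_backup';       Etype = '0x17'; Ip = '::ffff:10.0.20.15' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:00:18'; Account = 'jdoe@CORP.LOCAL';   Service = 'svc_sccm';         Etype = '0x17'; Ip = '::ffff:10.0.20.15' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:00:27'; Account = 'jdoe@CORP.LOCAL';   Service = 'svc_jenkins';      Etype = '0x17'; Ip = '::ffff:10.0.20.15' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:00:40'; Account = 'jdoe@CORP.LOCAL';   Service = 'svc_vmware';       Etype = '0x17'; Ip = '::ffff:10.0.20.15' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:01:00'; Account = 'asmith@CORP.LOCAL'; Service = 'svc_sql';          Etype = '0x12'; Ip = '::ffff:10.0.20.44' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:03:00'; Account = 'asmith@CORP.LOCAL'; Service = 'FS01$';            Etype = '0x12'; Ip = '::ffff:10.0.20.44' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01 09:04:00'; Account = 'WS01$@CORP.LOCAL';  Service = 'krbtgt/CORP.LOCAL'; Etype = '0x12'; Ip = '::ffff:10.0.20.15' }
)

function Find-KerberoastBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $UniqueSpnThreshold = 5,   # distinct service accounts per requester inside one window (assumed starting point)
        [int] $WindowMinutes      = 5
    )
    # Drop computer-account requesters and tickets for computers or krbtgt: normal hosts generate those constantly,
    # while Kerberoasting targets user accounts that hold SPNs.
    $candidates = $Events | Where-Object {
        $_.Account -notmatch '\$@' -and $_.Service -notmatch '\$$' -and $_.Service -notmatch '^krbtgt'
    }

    foreach ($grp in ($candidates | Group-Object Account)) {
        $ev = @($grp.Group | Sort-Object Time)
        # Sliding window anchored on each request: count distinct service accounts requested within WindowMinutes.
        for ($i = 0; $i -lt $ev.Count; $i++) {
            $limit    = $ev[$i].Time.AddMinutes($WindowMinutes)
            $window   = @($ev | Where-Object { $_.Time -ge $ev[$i].Time -and $_.Time -le $limit })
            $services = @($window.Service | Sort-Object -Unique)
            if ($services.Count -ge $UniqueSpnThreshold) {
                [pscustomobject]@{
                    Account     = $grp.Name
                    SourceIp    = (@($window.Ip | Sort-Object -Unique) -join ',')
                    WindowStart = $ev[$i].Time
                    UniqueSpns  = $services.Count
                    Rc4Requests = @($window | Where-Object Etype -eq '0x17').Count   # RC4 in an AES domain is the tell
                    Services    = ($services -join ';')
                }
                break   # one alert per account per run is enough for triage
            }
        }
    }
}

# Live equivalent on a DC or log collector: project the 4769 XML fields onto the same shape, then feed the function.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-1) } | ForEach-Object {
#     $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; Service = $d.ServiceName; Etype = $d.TicketEncryptionType; Ip = $d.IpAddress }
# }
# Find-KerberoastBursts -Events $live

Find-KerberoastBursts -Events $SampleEvents | Format-List
```

The filter deliberately keys on distinct service accounts per requester rather than raw 4769 volume: a busy user legitimately requests the same handful of tickets all day, but almost never six different service accounts in under a minute, and the RC4 count separates a roasting sweep from an inventory tool that happens to touch many services with AES.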