Command Prompt (cmd)
cmd can be a useful tool when enumerating AD, because it is not commonly monitored by defences such as antivirus or by the blue team. It can also be embedded in phishing payloads, for example through VBScript or another macro language, to perform initial enumeration.
net command
For the full list of available options, refer to the official documentation in the link below:
1. USERS
net USERS /DOMAIN
net USERS <username> /DOMAIN
2. GROUPS
net GROUPS /DOMAIN
net GROUPS <group> /DOMAIN
Example
net GROUPS /DOMAIN
The request will be processed at a domain controller for domain xxxx.com.
Group Accounts for \\THMDC.xxxx.com
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
...
3. ACCOUNTS
net ACCOUNTS /DOMAIN
Example
net ACCOUNTS /DOMAIN
The request will be processed at a domain controller for domain xxxx.com.
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
Options overview
/DOMAIN
Performs the operation on a domain controller of the current domain. Otherwise, the operation is performed on the local computer.
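Where process creation is logged with command lines, the /DOMAIN queries above are visible to defenders. The following is an added example, not part of the original page: a detection sketch that flags them in process-creation records. The field names follow Sysmon Event ID 1; the sample records, the parent-process list, the 5-minute window and the two-verb threshold are assumptions.

```python
from datetime import datetime, timedelta

# Verbs used on this page, normalised; net.exe also accepts the singular forms.
VERBS = {"user": "user", "users": "user", "group": "group", "groups": "group", "accounts": "accounts"}
# Assumed list of parents that suggest a script or macro launched the command.
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}

def exe_name(path):
    return path.rsplit("\\", 1)[-1].strip('"').lower()

def classify(event):
    """Return the normalised verb for `net <verb> ... /domain`, else None."""
    if exe_name(event["Image"]) not in ("net.exe", "net1.exe"):
        return None  # net.exe hands most work to net1.exe, so match both
    args = event["CommandLine"].lower().split()[1:]
    if "/domain" not in args:
        return None  # local query only, nothing sent to a domain controller
    return next((VERBS[a] for a in args if a in VERBS), None)

def detect(events, window=timedelta(minutes=5), min_verbs=2):
    """Alert per (host, user) on a script/Office parent or several verbs in one window."""
    hits = {}
    for ev in events:
        verb = classify(ev)
        if verb:
            when = datetime.fromisoformat(ev["UtcTime"])
            hits.setdefault((ev["Computer"], ev["User"]), []).append((when, verb, ev))
    alerts = []
    for (host, user), items in hits.items():
        reasons = set()
        if any(exe_name(e["ParentImage"]) in SCRIPT_PARENTS for _, _, e in items):
            reasons.add("script_or_office_parent")
        for start, _, _ in items:
            if len({v for t, v, _ in items if start <= t <= start + window}) >= min_verbs:
                reasons.add("several_verbs_in_window")
        if reasons:
            alerts.append({"host": host, "user": user, "reasons": sorted(reasons),
                           "verbs": sorted({v for _, v, _ in items})})
    return alerts

def _ev(t, host, user, image, cmd, parent):  # one constructed process-creation record
    return dict(UtcTime=t, Computer=host, User=user, Image=image, CommandLine=cmd, ParentImage=parent)
S = "C:\\Windows\\System32\\"
SAMPLE = [  # constructed records, not from a real environment
    _ev("2024-01-01 10:00:00", "WS01", "CORP\\alice", S + "net.exe", "net USERS /DOMAIN", S + "cmd.exe"),
    _ev("2024-01-01 10:01:30", "WS01", "CORP\\alice", S + "net.exe", 'net GROUPS "Domain Admins" /DOMAIN', S + "cmd.exe"),
    _ev("2024-01-01 11:00:00", "WS02", "CORP\\bob", S + "net.exe", "net ACCOUNTS /DOMAIN", S + "wscript.exe"),
    _ev("2024-01-01 12:00:00", "WS03", "CORP\\carol", S + "net.exe", "net USERS", S + "cmd.exe"),
    _ev("2024-01-01 09:00:00", "WS04", "CORP\\dave", S + "net.exe", "net USERS /DOMAIN", S + "cmd.exe"),
]
```

Calling detect(SAMPLE) returns alerts for WS01 (two verbs within the window) and WS02 (script host as parent); the local-only query on WS03 and the single domain query on WS04 produce none.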