Enumerating Active Directory TryHackMe

Overview

This room moves from unauthenticated discovery into authenticated AD enumeration. Once you have a valid domain credential pair, you can enumerate the domain through Windows-native tools, PowerShell, RSAT snap-ins, and BloodHound to uncover attack paths, privilege escalation opportunities, and lateral movement routes.

Core idea: once you get even low-privileged AD credentials, the environment becomes far more observable. Authenticated enumeration often reveals the exact relationships you need for the next compromise step.

1) Why Authenticated AD Enumeration Matters

The room emphasizes that AD attacks are iterative.

Enumerate with the privileges you currently have.
Exploit a discovered attack path or weakness.
Enumerate again from the new privilege level.

This repeat loop is how red team operations and internal AD assessments usually progress.

2) Getting Initial Credentials Working

After receiving a valid credential pair, the first practical problem is using it on a system you control.

RDP and SSH to the provided jump host are supported in the room.
DNS must be configured correctly for the domain so hostnames resolve.
Authenticated tools depend on working name resolution, especially in AD environments.

Important habit: if AD tooling behaves strangely, check DNS first. In these environments, it really is often DNS.

3) Credential Injection with Runas

The room highlights runas.exe /netonly as a key Windows-native technique when you have domain credentials but are not on a domain-joined system.

runas.exe /netonly /user:domain\username cmd.exe injects credentials for network authentication.
Local commands still run as your local user.
Network authentication from that process uses the injected AD account.

This is especially useful for launching tools like MMC, SQL clients, or browsers against NTLM/Kerberos-backed resources.

4) Verifying the Credentials

The room uses SYSVOL access as a reliable test of whether the injected credentials are valid.

dir \\za.tryhackme.com\SYSVOL\ forces a network authentication attempt.
Any valid AD user should be able to read SYSVOL.
Using the hostname encourages Kerberos; using an IP may force NTLM instead.

This distinction matters because authentication protocol choice can affect both functionality and detection.

5) Enumeration with MMC and RSAT

The GUI-based method in this room uses Microsoft Management Console with the Active Directory RSAT snap-ins.

Active Directory Users and Computers
Active Directory Domains and Trusts
Active Directory Sites and Services

Launching MMC from the runas /netonly shell allows these snap-ins to authenticate to the target domain even from a non-domain-joined system.

Main value: MMC gives a fast visual understanding of OUs, users, computers, and group relationships, which is very useful early in an engagement.

6) What MMC Is Good At

The room points out specific strengths of GUI enumeration:

quick searching for users, computers, and OUs,
reviewing group memberships and object properties,
understanding the domain structure visually,
making direct changes if your privileges allow it.

Its weakness is that it is not ideal for broad, domain-wide bulk extraction of attributes.

7) Enumeration with Command Prompt

For quick authenticated checks, Command Prompt still works well through the net command family.

net user /domain lists domain users.
net user username /domain gives details about a specific user.
net group /domain lists domain groups.
net group "Group Name" /domain lists members of a target group.
net accounts /domain reveals password policy information.

This is especially useful when you need quick results, when PowerShell may be watched closely, or when operating through a constrained shell or RAT.

8) PowerShell, BloodHound, and Broader Enumeration

The room also frames PowerShell RSAT cmdlets and BloodHound as major authenticated-enumeration methods.

PowerShell AD cmdlets: good for structured, scriptable querying of users, groups, policies, and computers.
BloodHound: excellent for mapping privilege relationships and attack paths graphically.

These tools become more important as the environment gets larger and the relationships get more complex.

9) Practical AD Enumeration Mindset

This room is really about making low-privileged credentials count.

Inject and validate the credentials.
Use GUI tools for fast structure awareness.
Use command-line tools for fast lookups and policies.
Use PowerShell and BloodHound when you need depth and scale.
Keep cycling between enumeration and exploitation as privileges improve.

Exam Notes (PT1)

Authenticated AD enumeration begins once you have a valid low-privileged credential pair.
runas.exe /netonly is the key trick for using domain credentials from a non-domain-joined Windows host.
SYSVOL is a good low-noise place to verify that the credentials work.
MMC/RSAT is strong for visual enumeration; net user, net group, and net accounts /domain are strong for quick command-line checks.
BloodHound and PowerShell AD cmdlets are essential when you need broader attack-path mapping and scripted enumeration.