PowEnum
Penetration testers commonly enumerate AD data – providing domain situational awareness and helping to identify soft targets. PowEnum helps automate the cartological view of your target domain.
PowEnum executes common PowerSploit Powerview functions and combines the output into a spreadsheet for easy analysis. All network traffic is only sent to the DC(s). PowEnum also leverages PowerSploit Get-GPPPassword and Harmj0y's ASREPRoast.
Syntax Examples:
- Invoke-PowEnum
- Invoke-PowEnum -FQDN test.domain.com
- Invoke-PowEnum -Mode SYSVOL
- Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com -Mode Special
Running PowEnum From Non-Domain Joined System
There are two choices. The first uses the runas command (this must be executed prior to using PowEnum). The second leverages the Invoke-UserImpersonation function in Powerview.
- runas /netonly /user:test.domain.com\username powershell.exe
- Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com
Modes
| Mode | Enumerates |
|---|---|
| Basic | Domain Admins Enterprise Admins Built-In Admins DC Local Admins Domain Users Domain Groups Schema Admin Account Operators Backup Operators Print Operators Server Operators Group Policy Creators Owners Cryptographic Operators AD Group Managers AdminCount=1 All [DC Aware] Net Sessions Domain Controllers Domain Computer IPs Domain Computers Subnets DNSRecords WinRM Enabled Hosts Potential Fileservers |
| Roasting | Kerberoast Service Accounts (Accounts w/ SPN) ASREPRoast User Accounts (No Preauth Req) |
| Special | Disabled Accounts Password Not Required Password Doesn't Expire Password Doesn't Expire & Not Required Smartcard Required |
| SYSVOL | Group Policy Passwords SYSVOL Script Files (potential hardcoded credentials) All Local Group Membership Modifications (GPO or GPP) |
| Forest | Domain Trusts Foreign [Domain] Users Foreign [Domain] Group Members |
| LargeEnv | Basic Enumeration without: Get-DomainUser Get-DomainGroup Get-DomainComputer |
*DC Local Admins might be different from built-in Administrators when an RODC is in use or there are replication issues.
Detection
- This enumeration will generate suspicious traffic between the PowEnum system and the target DC(s). If there are security products watching traffic to the DC(s) (i.e. Microsoft ATA) PowEnum will likely get flagged. For more reading about what ATA is detecting and not detecting:
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Chris-Thompson-MS-Just-Gave-The-Blue-Teams-Tactical-Nukes-UPDATED.pdf - Kerberoasting detection techniques are highlighted in these articles:
Detecting Kerberoasting Activity - https://adsecurity.org/?p=3458
Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot- https://adsecurity.org/?p=3513
Mitigations
| Mode | Mitigations |
|---|---|
| Basic | Net Cease - Hardening Net Session Enumeration https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5 SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016 https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b Active Directory: Controlling Object Visibility https://social.technet.microsoft.com/wiki/contents/articles/29558.active-directory-controlling-object-visibility-list-object-mode.aspx http://windowsitpro.com/active-directory/hiding-active-directory-objects-and-attributes |
| Roasting | Kerberoasst mitigations revolve around using strong passwords or GMSA for affected accounts https://adsecurity.org/?p=2293 ASREPRoast mitigations revolve around using strong passwords or not checking "‘Do Not Require Kerberos Preauthentication" |
| Special | See Basic |
| SYSVOL | GPP Password Files - Install KB2962486 and remove affected xml files (https://adsecurity.org/?p=2288) SYSVOL Scripts - Monitor for changes to SYSVOL and remove affected files |
| Forest | See Basic |
| LargeEnv | See Basic |