Living Off the Land
Overview
"Living Off the Land" refers to using only native Windows tools and commands for Active Directory enumeration and reconnaissance. The approach matters when external tools cannot be uploaded, when operating in restricted environments, or when stealth is the priority. By leveraging built-in Windows utilities, PowerShell cmdlets, and AD-integrated tools, we can perform comprehensive enumeration without introducing foreign binaries whose hashes or signatures a security control may already know.
Strategic Context
When to Use Living Off the Land
Restricted Environments: No internet access or file upload capabilities
Stealth Operations: Minimizing detection by avoiding known tool signatures and hashes
Managed Hosts: Client-provided systems with restrictive policies (application control, no local admin)
EDR Evasion: Built-in, Microsoft-signed binaries are less likely to trigger signature-based alerts; behavioral detection still applies (see below)
Baseline Operations: Understanding what is possible with native capabilities before bringing anything else onto the host
Operational Considerations
Logging Awareness: Many commands generate Security, System, or application-specific log entries; net.exe, whoami and WMI activity are all visible to a well-tuned SIEM
PowerShell Monitoring: Script Block Logging (Event ID 4104) records the content of every script block executed; Module Logging and transcription may also be enabled
EDR Detection: Even native tools can trigger behavioral analysis, for example a burst of net group queries from a workstation or wmic spawned by an Office process
Version Dependencies: Tool availability varies across Windows versions (dsquery, wmic and the PowerShell v2 engine are not guaranteed to be present)
Privilege Requirements: Some commands require elevated privileges
Basic Environmental Reconnaissance
Host Information Gathering
Essential System Commands
Command | Purpose | Output
hostname | Computer name | Host identifier
[System.Environment]::OSVersion.Version | OS version (PowerShell) | Build and revision details
wmic qfe get Caption,Description,HotFixID,InstalledOn | Patch level | Security updates applied
ipconfig /all | Network configuration | Adapter settings and IPs
set | Environment variables | System and user variables
echo %USERDOMAIN% | Domain name | Current domain affiliation
echo %logonserver% | Domain controller | DC that authenticated the current logon
Comprehensive System Information
# Single command for complete system overview
systeminfo
# Key information retrieved:
# - Computer name and domain
# - OS version and build
# - Hardware details
# - Network configuration
# - Hotfix history
# - Time zone and boot time
Example Output Analysis:
C:\htb> systeminfo
Host Name: ACADEMY-EA-MS01
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
Domain: INLANEFREIGHT.LOCAL
Logon Server: \\ACADEMY-EA-DC01
Network Card(s): 2 NIC(s) Installed
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet
DHCP Enabled: No
IP address(es)
[01]: 172.16.5.25
[02]: fe80::f98a:4f63:8384:d1d0
Hotfix(s): 15 Hotfix(s) Installed
[01]: KB4580422
[02]: KB4512577
PowerShell Reconnaissance
PowerShell Environment Analysis
# Check available modules
Get-Module
# Execution policy assessment
Get-ExecutionPolicy -List
# Environment variable enumeration
Get-ChildItem Env: | Format-Table Key,Value
# Command history discovery
Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
# Current user context
whoami
whoami /priv
whoami /groups
Example PowerShell Environment Check:
PS C:\htb> Get-Module
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Manifest 1.0.1.0 ActiveDirectory {Add-ADCentralAccessPolicyMember, Add-ADComputerServiceAcc...}
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script 2.0.0 PSReadline {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PS...}
PS C:\htb> Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine RemoteSigned
PS C:\htb> Get-ChildItem Env: | Format-Table Key,Value
Key Value
--- -----
ALLUSERSPROFILE C:\ProgramData
APPDATA C:\Windows\system32\config\systemprofile\AppData\Roaming
COMPUTERNAME ACADEMY-EA-MS01
USERDOMAIN INLANEFREIGHT
USERNAME ACADEMY-EA-MS01$
USERPROFILE C:\Windows\system32\config\systemprofile
Reading this output: USERNAME is the computer account (ACADEMY-EA-MS01$) and APPDATA points into systemprofile, so this shell runs as SYSTEM rather than as an interactive domain user; the PSReadline history path above will therefore not hold any user's command history.
PowerShell Version Downgrade (Stealth Technique)
# Check current PowerShell version
Get-Host
# Start a PowerShell v2.0 engine (predates Script Block Logging, introduced in 5.0 and back-ported to 4.0)
powershell.exe -version 2
# Verify the downgrade took effect
Get-Host
# Caveats:
# - The v2 engine needs .NET Framework 2.0/3.5; on Windows 10/11 it is an optional feature that is often removed,
#   in which case -version 2 silently runs the current engine and Get-Host still reports 5.x
# - Starting the engine is itself logged: Event ID 400 in the "Windows PowerShell" log records EngineVersion=2.0
#   under a 5.x HostVersion, which is the standard detection for this technique
Example Downgrade Process:
PS C:\htb> Get-Host
Name : ConsoleHost
Version : 5.1.19041.1320
InstanceId : 18ee9fb4-ac42-4dfe-85b2-61687291bbfc
PS C:\htb> powershell.exe -version 2
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.
PS C:\htb> Get-Host
Name : ConsoleHost
Version : 2.0
InstanceId : 121b807c-6daa-4691-85ef-998ac137e469
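Two checks worth running around the downgrade, as an added example that is not part of the original page: whether the v2 engine is actually present on the host, and the Event ID 400 record a defender uses to spot the switch. The mscorlib.dll path test is a heuristic of mine, not an official API; the function names are my own.

```powershell
function Test-PowerShellV2Engine {
    # The v2 engine runs on the .NET 2.0/3.5 CLR. On Windows 10/11 that CLR is an
    # optional feature that is frequently absent, and then "powershell -version 2"
    # silently starts the current engine instead of downgrading. mscorlib.dll under
    # v2.0.50727 is the practical indicator (assumption: heuristic, not an official check).
    $clr2 = Test-Path (Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\mscorlib.dll')
    $engine = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Clr2Present      = $clr2
        LegacyEngineKey  = [bool]$engine                 # registration only; not proof the engine works
        LegacyEngineVer  = $engine.PowerShellVersion
        CurrentEngineVer = $PSVersionTable.PSVersion.ToString()
    }
}

function Get-PowerShellDowngradeEvents {
    param([int]$Days = 7)
    # Event ID 400 ("Engine state is changed from None to Available") is written to the
    # classic "Windows PowerShell" log for every engine start, v2 included. A 2.0
    # EngineVersion under a 5.x HostVersion is what defenders alert on.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            HostVersion   = [regex]::Match($_.Message, 'HostVersion=([\d\.]+)').Groups[1].Value
            EngineVersion = [regex]::Match($_.Message, 'EngineVersion=([\d\.]+)').Groups[1].Value
            HostApp       = [regex]::Match($_.Message, 'HostApplication=([^\r\n]+)').Groups[1].Value
        }
    }
}

Test-PowerShellV2Engine
Get-PowerShellDowngradeEvents | Format-Table -AutoSize
```

Run the first function before attempting the downgrade; if Clr2Present is false the technique is unavailable and attempting it only adds a suspicious 400 event with no benefit. The second function is the same query a blue team would run, so it also tells you whether your own earlier downgrade left a trace.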
# Script Block Logging (4104) no longer applies to this engine; the engine start (Event ID 400) is still recorded
Security Controls Assessment
Windows Firewall Enumeration
# Complete firewall profile analysis
netsh advfirewall show allprofiles
# Specific profile checks
netsh advfirewall show domainprofile
netsh advfirewall show privateprofile
netsh advfirewall show publicprofile
# Firewall rules enumeration
netsh advfirewall firewall show rule name=all
Example Firewall Analysis:
PS C:\htb> netsh advfirewall show allprofiles
Domain Profile Settings:
----------------------------------------------------------------------
State OFF
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Disable
RemoteManagement Disable
Private Profile Settings:
----------------------------------------------------------------------
State OFF
Firewall Policy BlockInbound,AllowOutbound
Public Profile Settings:
----------------------------------------------------------------------
State OFF
Firewall Policy BlockInbound,AllowOutbound
Windows Defender Assessment
# Service status check
sc query windefend
# Detailed configuration analysis (PowerShell)
Get-MpComputerStatus
# Threat detection settings
Get-MpPreference
# Exclusion lists
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess
Example Defender Analysis:
C:\htb> sc query windefend
SERVICE_NAME: windefend
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PS C:\htb> Get-MpComputerStatus
AMEngineVersion : 1.1.19000.8
AMProductVersion : 4.18.2202.4
AMRunningMode : Normal
AMServiceEnabled : True
AntispywareEnabled : True
AntivirusEnabled : True
BehaviorMonitorEnabled : True
IoavProtectionEnabled : True
IsTamperProtected : True
RealTimeProtectionEnabled : True
Session and User Analysis
# Active sessions (console, RDP, disconnected)
qwinsta
# Logged-on users with idle time and logon time
query user
# Same output as qwinsta (query session and qwinsta are the same tool)
query session
# Account that owns the current interactive session
wmic computersystem get username
Example Session Analysis:
PS C:\htb> qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
>console forend 1 Active
rdp-tcp 65536 Listen
Network Intelligence Gathering
Network Configuration Discovery
# ARP table analysis (known hosts)
arp -a
# Routing table enumeration
route print
# Network interfaces
ipconfig /all
# DNS configuration
ipconfig /displaydns
# Network statistics
netstat -an
netstat -rn
Example Network Discovery:
PS C:\htb> arp -a
Interface: 172.16.5.25 --- 0x8
Internet Address Physical Address Type
172.16.5.5 00-50-56-b9-08-26 dynamic
172.16.5.130 00-50-56-b9-f0-e1 dynamic
172.16.5.240 00-50-56-b9-9d-66 dynamic
The ARP cache only says which hosts this machine exchanged frames with recently; roles have to come from elsewhere. Here 172.16.5.5 and 172.16.5.240 are the DomainControllerAddress values that wmic ntdomain returns further down this page, so both are domain controllers; 172.16.5.130 is simply a neighbour that has not been identified yet.
PS C:\htb> route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.5.1 172.16.5.25 261
172.16.4.0 255.255.254.0 On-link 172.16.5.25 261
172.16.5.25 255.255.255.255 On-link 172.16.5.25 261
172.16.5.255 255.255.255.255 On-link 172.16.5.25 261
Network Intelligence Analysis
ARP Entries: Recently contacted hosts (potential targets)
Routing Table: Known network segments (lateral movement opportunities)
DNS Cache: Previously resolved domains and hosts
Active Connections: Current network activity and services
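The same four data sources as objects instead of text, as an added PowerShell example (not from the original page). It uses the built-in NetTCPIP and DnsClient cmdlets, which are just as native as arp and route but need no parsing, and it separates directly attached subnets (where ARP neighbours live) from segments that are only reachable through a gateway. Function names are my own; all cmdlets are standard on Windows 8/Server 2012 and later.

```powershell
function Get-ReachableSegments {
    # Directly attached IPv4 networks: on-link routes (NextHop 0.0.0.0) whose prefix is a
    # real subnet, excluding host routes (/32), loopback, multicast and broadcast.
    $onLink = Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.NextHop -eq '0.0.0.0' -and
                       $_.DestinationPrefix -notmatch '/32$' -and
                       $_.DestinationPrefix -notmatch '^(127\.|224\.|255\.)' }
    foreach ($r in $onLink) {
        # Neighbour cache for that interface = the same data as arp -a, minus noise entries
        $neighbors = Get-NetNeighbor -AddressFamily IPv4 -InterfaceIndex $r.InterfaceIndex -ErrorAction SilentlyContinue |
            Where-Object { $_.State -in 'Reachable', 'Stale', 'Permanent' -and
                           $_.IPAddress -notmatch '^(224\.|255\.)' -and
                           $_.IPAddress -notlike '*.255' }
        [pscustomobject]@{
            Subnet     = $r.DestinationPrefix
            Interface  = $r.InterfaceAlias
            KnownHosts = ($neighbors.IPAddress | Sort-Object -Unique) -join ', '
        }
    }
}

function Get-RoutedSegments {
    # Networks reachable only via a gateway: lateral-movement candidates that ARP cannot see
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.NextHop -ne '0.0.0.0' } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
}

function Get-CachedNames {
    # Names this host resolved recently (same data as ipconfig /displaydns); A records only.
    # Type is exposed as an enum-backed value, so compare it as text to cover both forms.
    Get-DnsClientCache | Where-Object { "$($_.Type)" -in 'A', '1' } |
        Select-Object Entry, Data, TimeToLive
}

Get-ReachableSegments | Format-Table -AutoSize
Get-RoutedSegments    | Format-Table -AutoSize
Get-CachedNames       | Sort-Object Entry -Unique | Format-Table -AutoSize
```

None of this needs elevation. A host route to a single address (for example a VPN concentrator) shows up in Get-RoutedSegments as a /32 with a next hop and is often the most interesting line in the output.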
WMI (Windows Management Instrumentation)
Core WMI Queries
System and Domain Information
# Patch and hotfix information
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Basic host information
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
# Process enumeration
wmic process list /format:list
# Domain and trust information
wmic ntdomain list /format:list
# User account information
wmic useraccount list /format:list
# Local groups
wmic group list /format:list
# Built-in system accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE and similar well-known SIDs); not domain service accounts
wmic sysaccount list /format:list
Example WMI Domain Discovery:
PS C:\htb> wmic ntdomain get Caption,Description,DnsForestName,DomainName,DomainControllerAddress
Caption Description DnsForestName DomainControllerAddress DomainName
ACADEMY-EA-MS01 ACADEMY-EA-MS01
INLANEFREIGHT INLANEFREIGHT INLANEFREIGHT.LOCAL \\172.16.5.5 INLANEFREIGHT
LOGISTICS LOGISTICS INLANEFREIGHT.LOCAL \\172.16.5.240 LOGISTICS
FREIGHTLOGISTIC FREIGHTLOGISTIC FREIGHTLOGISTICS.LOCAL \\172.16.5.238 FREIGHTLOGISTIC
Advanced WMI Techniques
# Remote system information
wmic /node:"TARGETHOST" computersystem get Name,Domain
# Service enumeration
wmic service get name,displayname,pathname,startmode
# Installed software. Use with care: Win32_Product performs a consistency check (and possibly a repair) of every
# MSI package on the host, is slow, and writes an Application log entry (MsiInstaller, Event ID 1035) per product.
# The Uninstall registry keys in the Registry-Based Discovery section below give the same list silently.
wmic product get name,version,vendor
# Startup programs
wmic startup get caption,command,location
# Share enumeration
wmic share list full
Net Commands
Essential Net Command Reference
Command | Purpose | Example Usage
net accounts | Password policy | Local account settings
net accounts /domain | Domain password policy | Domain-wide policies
net group /domain | Domain groups | All domain security groups
net group "Domain Admins" /domain | Group membership | Privileged users
net user /domain | Domain users | All domain user accounts
net user USERNAME /domain | User details | Specific user information
net localgroup | Local groups | Host-specific groups
net localgroup administrators | Admin group | Local administrators
net share | Shared resources | Available network shares
net view | Network hosts | Visible domain computers
net view /domain | Domain computers | Domain-joined systems
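Before running net user or net group in bulk, the one net command whose output should be parsed rather than skimmed is net accounts /domain: the lockout threshold and observation window decide how many password guesses per user are safe. The following is an added PowerShell example (not from the original page) that parses that output into an object and derives a spray budget from it. The sample text is constructed in the format net.exe prints; the function names and the two-attempt safety margin are my own choices.

```powershell
function ConvertFrom-NetAccounts {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Each policy line is "<label>:<spaces><value>"; the label may contain spaces and a '?'
    $map = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<k>[^:]+?):\s+(?<v>\S.*)$') {
            $map[$matches.k.Trim()] = $matches.v.Trim()
        }
    }
    # net.exe prints "Never" for a threshold of 0 (no lockout policy)
    $threshold = if ($map['Lockout threshold'] -eq 'Never') { 0 } else { [int]$map['Lockout threshold'] }
    [pscustomobject]@{
        LockoutThreshold   = $threshold
        LockoutWindowMin   = [int]$map['Lockout observation window (minutes)']
        LockoutDurationMin = [int]$map['Lockout duration (minutes)']
        MinPasswordLength  = [int]$map['Minimum password length']
        PasswordHistory    = [int]$map['Length of password history maintained']
        MaxPasswordAge     = $map['Maximum password age (days)']
    }
}

function Get-SprayBudget {
    param([Parameter(Mandatory)]$Policy, [int]$SafetyMargin = 2)
    if ($Policy.LockoutThreshold -eq 0) {
        return [pscustomobject]@{ AttemptsPerWindow = 'unlimited'; WindowMinutes = 0; Note = 'No lockout policy' }
    }
    # badPwdCount is reset after the observation window; keep a margin for the users' own typos
    [pscustomobject]@{
        AttemptsPerWindow = [math]::Max(1, $Policy.LockoutThreshold - $SafetyMargin)
        WindowMinutes     = $Policy.LockoutWindowMin
        Note              = "Wait the full window between rounds; lockout lasts $($Policy.LockoutDurationMin) min"
    }
}

# Constructed sample of `net accounts /domain` output (format only; values are illustrative)
$raw = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
'@
$policy = ConvertFrom-NetAccounts -Lines ($raw -split "`r?`n")
$policy
Get-SprayBudget -Policy $policy
# Live use on a domain-joined host:
# Get-SprayBudget -Policy (ConvertFrom-NetAccounts -Lines (net accounts /domain))
```

With the sample policy the budget comes out as 3 attempts per 30-minute window. Note that net accounts only shows the default domain policy; fine-grained password policies (PSOs) applied to specific groups are not visible here and can be stricter.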
Domain Enumeration Examples
# Domain groups discovery
net group /domain
# Domain Admins identification
net group "Domain Admins" /domain
# User account details
net user /domain wrouse
# Password policy analysis
net accounts /domain
# Built-in Administrators group of the domain, evaluated on a DC (not this host's local Administrators group)
net localgroup administrators /domain
# Network shares
net view \\HOSTNAME /ALL
# Domain computers
net view /domain
Example Domain Group Enumeration:
PS C:\htb> net group /domain
The request will be processed at a domain controller for domain INLANEFREIGHT.LOCAL.
Group Accounts for \\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
-------------------------------------------------------------------------------
*Accounting
*Backup Operators
*Billing
*CEO
*CFO
*Cloneable Domain Controllers
*Compliance Management
*Domain Admins
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*File Share G Drive
*File Share H Drive
*Help Desk Level 1
*VPN Users
Example User Information:
PS C:\htb> net user /domain wrouse
User name wrouse
Full Name Christopher Davis
Comment
Account active Yes
Account expires Never
Password last set 10/27/2021 10:38:01 AM
Password expires Never
Password changeable 10/28/2021 10:38:01 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *File Share G Drive *File Share H Drive
*Warehouse *Printer Access
*Domain Users *VPN Users
*Shared Calendar Read
Net1 Stealth Technique
# Use net1 instead of net to avoid potential monitoring triggers
net1 group /domain
net1 user /domain
net1 localgroup administrators
# net.exe is only a launcher that hands the command line to net1.exe, so the output is identical. This helps only
# against detections keyed on the literal "net.exe" string; net1.exe is itself a well-known indicator by now
Dsquery (Directory Services Query)
Overview
Dsquery is a native Active Directory command-line tool for LDAP-based queries. dsquery.exe ships with the AD DS role and the RSAT AD DS tools, so it is present on domain controllers and administrative workstations rather than on every domain-joined system; the underlying dsquery.dll does ship in System32 on current Windows builds. It needs a domain context (a domain account, or a SYSTEM shell on a domain-joined host) and provides powerful search capabilities without requiring additional tools.
User and Computer Enumeration
# All domain users
dsquery user
# All domain computers
dsquery computer
# Specific organizational unit
dsquery user "OU=Finance,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
# Wildcard searches
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
# Limited results
dsquery user -limit 10
Example User Discovery:
PS C:\htb> dsquery user
"CN=Administrator,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
"CN=Guest,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
"CN=krbtgt,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
"CN=Htb Student,CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
"CN=Annie Vazquez,OU=Finance,OU=Financial-LON,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
"CN=Paul Falcon,OU=Finance,OU=Financial-LON,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
"CN=Walter Dillard,OU=Finance,OU=Financial-LON,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
Advanced LDAP Filtering
# Users with password not required flag
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl
# Domain Controllers
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName
# Service accounts (SPNs)
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" -attr sAMAccountName servicePrincipalName
# Administrative accounts
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(adminCount=1))" -attr sAMAccountName
# Disabled accounts
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName description
LDAP Filter Components
OID (Object Identifier) Matching Rules
OID | Function | Usage
1.2.840.113556.1.4.803 | LDAP_MATCHING_RULE_BIT_AND | All bits in the given value must be set (exact flag match)
1.2.840.113556.1.4.804 | LDAP_MATCHING_RULE_BIT_OR | Any one of the bits in the given value may be set
1.2.840.113556.1.4.1941 | LDAP_MATCHING_RULE_IN_CHAIN | Transitive chain matching, e.g. nested group membership via memberOf:1.2.840.113556.1.4.1941:=<group DN>
UserAccountControl Values
Value | Flag | Description
1 | SCRIPT | Logon script executed
2 | ACCOUNTDISABLE | Account disabled
8 | HOMEDIR_REQUIRED | Home directory required
16 | LOCKOUT | Account locked out
32 | PASSWD_NOTREQD | Password not required
64 | PASSWD_CANT_CHANGE | Password cannot change
128 | ENCRYPTED_TEXT_PWD_ALLOWED | Encrypted text password allowed
512 | NORMAL_ACCOUNT | Normal user account
8192 | SERVER_TRUST_ACCOUNT | Domain controller
65536 | DONT_EXPIRE_PASSWORD | Password never expires
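The matching-rule OIDs and flag values in the two tables above, as an added PowerShell example (not from the original page): a decoder that turns a raw userAccountControl integer into flag names, and a helper that builds the bitwise filters for dsquery. The dsquery output it parses is constructed, and the account names and values in it are illustrative; the function names are my own. TRUSTED_FOR_DELEGATION is included in the flag map although it is not in the table above, because it appears on every domain controller object.

```powershell
$UacFlags = [ordered]@{
    SCRIPT                     = 0x0001
    ACCOUNTDISABLE             = 0x0002
    HOMEDIR_REQUIRED           = 0x0008
    LOCKOUT                    = 0x0010
    PASSWD_NOTREQD             = 0x0020
    PASSWD_CANT_CHANGE         = 0x0040   # never set in AD's attribute (enforced via an ACE); listed for completeness
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    NORMAL_ACCOUNT             = 0x0200
    SERVER_TRUST_ACCOUNT       = 0x2000
    DONT_EXPIRE_PASSWORD       = 0x10000
    TRUSTED_FOR_DELEGATION     = 0x80000  # not in the table above; set on DCs (unconstrained delegation)
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Bitwise AND per flag, exactly what the 1.2.840.113556.1.4.803 rule does server-side
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function New-UacLdapFilter {
    param(
        [Parameter(Mandatory)][string[]]$Flag,
        [ValidateSet('All', 'Any', 'None')][string]$Match = 'All'
    )
    $bits = 0
    foreach ($f in $Flag) { $bits = $bits -bor $UacFlags[$f] }
    $clause = switch ($Match) {
        'All'  { "(userAccountControl:1.2.840.113556.1.4.803:=$bits)" }      # every listed bit set
        'Any'  { "(userAccountControl:1.2.840.113556.1.4.804:=$bits)" }      # at least one listed bit set
        'None' { "(!(userAccountControl:1.2.840.113556.1.4.804:=$bits))" }   # none of the listed bits set
    }
    "(&(objectCategory=person)(objectClass=user)$clause)"
}

# Constructed sample of `dsquery * -filter ... -attr sAMAccountName userAccountControl` output
$raw = @'
  sAMAccountName    userAccountControl
  Administrator     66048
  Guest             66082
  krbtgt            514
  backup_svc        66050
  ACADEMY-EA-DC01$  532480
'@
$raw -split "`r?`n" | Select-Object -Skip 1 | ForEach-Object {
    $name, $uac = ($_.Trim() -split '\s+', 2)
    [pscustomobject]@{
        Account = $name
        UAC     = [int]$uac
        Flags   = (ConvertFrom-UserAccountControl -Value ([int]$uac)) -join ','
    }
} | Format-Table -AutoSize

# Filters ready to paste after `dsquery * -filter`:
New-UacLdapFilter -Flag ACCOUNTDISABLE                                   # disabled users
New-UacLdapFilter -Flag PASSWD_NOTREQD, DONT_EXPIRE_PASSWORD -Match Any  # weak-password candidates
New-UacLdapFilter -Flag ACCOUNTDISABLE -Match None                       # enabled users only
```

In the sample, Guest decodes to ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD (66082), and the DC object to SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION (532480). The "None" form uses the OR rule inside a NOT, which is the correct way to express "has none of these bits"; negating an AND filter would only exclude accounts that have all of them.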
Logical Operators
# AND operator - all conditions must match (here: user objects whose password never expires)
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
# OR operator - any condition matches
(|(objectClass=user)(objectClass=computer))
# NOT operator - condition must not match; the negated filter needs its own parentheses (here: enabled accounts)
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# Caveat: PASSWD_CANT_CHANGE (64) is not stored in userAccountControl in AD (it is enforced through an ACE on the
# user object), so a filter on bit 64 matches nothing; filter on 2, 32 or 65536 instead
HTB Academy Lab Solutions
Lab Questions & Solutions
Question 1: "Enumerate the host's security configuration information and provide its AMProductVersion."
Solution Process:
# Method 1: PowerShell Get-MpComputerStatus
Get-MpComputerStatus | Select-Object AMProductVersion
# Method 2: WMI query against the Defender namespace (same data; useful when the Defender module is blocked)
wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpComputerStatus get AMProductVersion
# Method 3: Full status dump for the rest of the security posture (tamper protection, real-time protection, signature age)
Get-MpComputerStatus | Format-List
Expected Output:
PS C:\htb> Get-MpComputerStatus | Select-Object AMProductVersion
AMProductVersion
----------------
4.18.2202.4
Expected Answer: 4.18.2202.4
Question 2: "What domain user is explicitly listed as a member of the local Administrators group on the target host?"
Solution Process:
# Method 1: Net command
net localgroup administrators
# Method 2: PowerShell (ObjectClass separates the user from nested groups such as Domain Admins)
Get-LocalGroupMember -Group "Administrators"
# Method 3: WMI group-to-member associations
wmic path win32_groupuser get groupcomponent,partcomponent | findstr /i Administrators
# Note: net localgroup administrators /domain does not answer this question; it lists the domain's built-in
# Administrators group as held on the DC, not the membership of this host's local group
Expected Output:
PS C:\htb> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
INLANEFREIGHT\damundsen
INLANEFREIGHT\Domain Admins
The command completed successfully.
Expected Answer: damundsen
Question 3: "Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer."
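The question asks for a domain user explicitly in the local group, which means filtering out both local accounts (Administrator) and nested domain groups (Domain Admins). The following is an added PowerShell example (not from the original page) that applies that filter with Get-LocalGroupMember and falls back to net.exe for the case where the cmdlet fails. The fallback matters in practice: Get-LocalGroupMember throws when the group contains an orphaned SID (a deleted domain principal), which is common on long-lived servers. The function name is my own.

```powershell
function Get-DomainUserLocalAdmins {
    param([string]$Group = 'Administrators')
    try {
        # PrincipalSource tells local from domain principals; ObjectClass tells users from groups
        Get-LocalGroupMember -Group $Group -ErrorAction Stop |
            Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'User' } |
            Select-Object Name, SID
    }
    catch {
        # Get-LocalGroupMember fails on groups holding an unresolvable SID. Parse net.exe instead
        # and test each DOMAIN\name with `net user`, which exits 0 only for user accounts.
        $members = net localgroup $Group | Where-Object { $_ -match '^\S+\\\S+' }
        foreach ($m in $members) {
            $null, $name = $m -split '\\', 2
            net user "$name" /domain *> $null
            if ($LASTEXITCODE -eq 0) {
                [pscustomobject]@{ Name = $m; SID = 'n/a (net.exe fallback)' }
            }
        }
    }
}

Get-DomainUserLocalAdmins
```

Against the output shown above this returns only INLANEFREIGHT\damundsen: Administrator is local and INLANEFREIGHT\Domain Admins is a group. The fallback path issues one net user query per member against the DC, so on a group with many direct members it is noisier than the cmdlet.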
Solution Process:
# Step 1: Disabled users that carry adminCount=1 (AdminSDHolder-protected), with their description. adminCount stays
# set after an account leaves a protected group, so treat it as a hint about past privilege, not proof of current membership
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(adminCount=1))" -attr sAMAccountName description
# Step 2: Alternative - all disabled users, then search the description column for the flag prefix
# (findstr has no \| alternation; /C: searches one literal string, /I makes it case-insensitive)
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName description | findstr /I /C:"HTB{"
# Step 3: PowerShell approach (needs the ActiveDirectory module, i.e. RSAT)
Get-ADUser -Filter {(Enabled -eq $false) -and (adminCount -eq 1)} -Properties Description | Select-Object Name, Description
# Step 4: Net command verification once a candidate is found
net user [DISABLED_ADMIN_USER] /domain
# Step 5: WMI approach (walks every domain account through the DC; slow in large domains)
wmic useraccount where "disabled=true" get name,description
Expected Output:
PS C:\htb> dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(adminCount=1))" -attr sAMAccountName description
sAMAccountName description
backup_svc HTB{...}
Expected Answer: HTB{...}
Advanced Native Techniques
PowerShell One-Liners (require the ActiveDirectory module, which ships with RSAT and is not present on every host)
# Domain user enumeration with details
Get-ADUser -Filter * -Properties * | Select-Object Name, SamAccountName, Enabled, LastLogonDate, AdminCount | Format-Table
# Group membership analysis
Get-ADGroupMember -Identity "Domain Admins" | ForEach-Object {Get-ADUser $_ -Properties LastLogonDate | Select-Object Name, LastLogonDate}
# Computer enumeration
Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate | Sort-Object LastLogonDate
# Service Principal Name discovery
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select-Object Name, ServicePrincipalName
# Find user accounts with interesting flags
Get-ADUser -Filter * -Properties UserAccountControl | Where-Object {$_.UserAccountControl -band 0x10000} | Select-Object Name, UserAccountControl
WMI Remote Enumeration
# Remote system information. A password passed on the command line is captured by process-creation logging
# (Security 4688 with command-line auditing, Sysmon Event 1) and is visible to anyone listing processes on the host;
# prefer the current logon token, or omit /password so that wmic prompts for it
wmic /node:"TARGET_HOST" /user:"DOMAIN\USER" /password:"PASSWORD" computersystem get Name,Domain
# Remote process enumeration (uses the current token when /user is omitted)
wmic /node:"TARGET_HOST" process list brief
# Remote service enumeration
wmic /node:"TARGET_HOST" service get name,state,startmode
# Remote group enumeration
wmic /node:"TARGET_HOST" group get name,description
Registry-Based Discovery
# Domain information from registry (which DC served Group Policy, and the computer's domain)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /s
# Cached domain logons (number of credentials cached for offline logon; default 10)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount
# Auto-logon credentials. DefaultPassword is frequently absent even when AutoAdminLogon is 1: tools such as
# Sysinternals Autologon store it in the LSA secret of the same name instead, which needs SYSTEM to read
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
# Installed software. This key holds 64-bit entries only; 32-bit software on 64-bit Windows is under
# HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall and per-user installs under HKCU
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr "DisplayName"
Quick Reference Commands
Essential Command Matrix
Category | Command | Purpose
System Info | systeminfo | Complete system overview
Network | ipconfig /all | Network configuration
Network | arp -a | Known hosts discovery
Network | route print | Network topology
Security | netsh advfirewall show allprofiles | Firewall status
Security | Get-MpComputerStatus | Defender configuration
Sessions | qwinsta | Active sessions
Domain | net group /domain | Domain groups
Domain | net user /domain | Domain users
Domain | dsquery user | LDAP user query
Domain | dsquery computer | LDAP computer query
WMI | wmic ntdomain list /format:list | Domain information
Rapid Enumeration Script
@echo off
echo === Basic Host Information ===
hostname
echo %USERDOMAIN%
echo %LOGONSERVER%
echo === Network Configuration ===
rem findstr treats each space-separated word as its own search string; "IP Address" contains a space and \| is not alternation
ipconfig /all | findstr /i "IPv4 Subnet Gateway DNS"
echo === Domain Groups ===
net group /domain
echo === Local Administrators ===
net localgroup administrators
echo === Security Configuration ===
sc query windefend
echo === Active Sessions ===
qwinsta
echo === ARP Table ===
arp -a
echo === Domain Controllers ===
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -attr sAMAccountName
Key Takeaways
Native Tool Advantages
No File Transfer: Built-in tools eliminate upload requirements
Reduced Detection: Lower probability of triggering security controls
Legitimate Activity: Commands blend with normal administrative tasks
Universal Availability: Tools exist on all Windows domain systems
Strategic Enumeration Priorities
System Context: Understand host role and privilege level
Security Posture: Assess defensive capabilities and monitoring
Network Topology: Map accessible systems and network segments
Domain Structure: Identify users, groups, and trust relationships
Attack Vectors: Locate privilege escalation and lateral movement opportunities
Operational Security Considerations
PowerShell Logging: Script Block Logging (Event ID 4104) records script content; Module Logging and transcription may capture more
Event Generation: Net commands and WMI queries create Event Log entries on the host and on the DC that serves them
Behavioral Analysis: Unusual command patterns may trigger EDR alerts even when every binary is Microsoft-signed
Version Downgrade: PowerShell v2.0 predates Script Block Logging, but the engine start is logged (Event ID 400) and the engine is often not installed
Alternative Syntax: Use net1 instead of net to sidestep detections keyed on the literal net.exe string
Escalation Pathways
After native enumeration, typical next steps include:
Credential Harvesting: Memory dumps, registry extraction, file hunting
Privilege Escalation: Service misconfigurations, scheduled tasks, permissions
Lateral Movement: PSRemoting, WMI execution, service account abuse
Persistence: Registry modifications, service creation, scheduled tasks
Living off the land demonstrates that comprehensive Active Directory enumeration is possible with nothing but native Windows tools. Blocking tool uploads is therefore not a defense on its own; least-privilege access controls, LDAP and PowerShell logging, and behavioral monitoring of the built-in binaries are what actually protect the domain.