
Active Directory pentesting has evolved significantly over the last few years. Gone are the days when attackers or red teamers could reliably depend on dropping Python tools, importing PowerShell scripts, or executing offensive scripts and tools without resistance. Modern enterprise environments are heavily defended with EDR, Microsoft Defender for Endpoint, AMSI, Attack Surface Reduction (ASR) rules, DLP solutions, and 24×7 SOC monitoring. Although bypasses exist for most of these controls, the protection mechanisms keep evolving alongside them.
In real-world internal red team and assumed breach engagements, you do not get to choose the initial foothold system. The target endpoint may be:
- Fully patched
- Heavily monitored
- PowerShell Constrained or logged
- Python absent
- Execution policies enforced
- Script block logging enabled
- Application whitelisting (WDAC/AppLocker) in place
Despite all types of hardening, one thing remains consistently available: the Windows operating system itself and its native command-line utilities.
Understanding and mastering Windows built-in commands and PowerShell without external modules is no longer optional; it is a core skill for modern Active Directory pentesting.
Why Native Windows Commands Matter in AD Pentesting
1. Tools Blocked
In real enterprise networks:
- Python binaries are often missing or blocked
- PowerShell scripts trigger AMSI or Defender
- Offensive PowerShell frameworks are flagged instantly
- Unsigned binaries are quarantined
However, native Windows binaries (LOLBins) such as net.exe, wmic.exe, sc.exe, certutil.exe, klist.exe, and ADSI-based PowerShell queries are expected to exist and operate.
2. You Don’t Control the Foothold
In assumed breach scenarios, the foothold might be:
- A finance workstation
- A call-center system
- A jump host
- A locked-down VDI
You must work within the restrictions of that system, not against them. Native commands allow enumeration without dropping tools or changing system state.
3. Windows Dominates Enterprise Environments
Based on multiple industry studies, Windows accounts for approximately 70% or more of global enterprise desktop environments. Active Directory is still the backbone of corporate identity and access management. If you are performing internal pentesting or red teaming, Windows command-line proficiency is mandatory.
Level-Based AD Pentesting – Proposed Approach
Level 1: Command Prompt (cmd.exe) – lowest noise, universally available
Level 2: PowerShell (no external scripts or modules) – ADSI-based queries
Level 3: PowerShell AD Module (if available) – still native, no downloads
Level 4: External tools – only when absolutely necessary
Active Directory Enumeration Using Native Windows Commands – Command Prompt (CMD)
Domain Information:
Retrieves the domain name the system is joined to, helping confirm whether the host is part of an Active Directory environment and identifying the current AD context.
systeminfo | findstr /i "Domain"
Domain Controller Enumeration:
Enumerates domain controllers for the specified domain and identifies the DC currently used for authentication, which is critical for understanding authentication flow and potential attack paths.
nltest /dclist:DOMAIN_NAME
echo %LOGONSERVER%
Domain User Enumeration:
Lists all domain user accounts and provides detailed information about a specific user, including password policies, group memberships, and account status.
net user /domain
net user username /domain
Domain Group & Privilege Enumeration:
Enumerates domain groups and reveals membership of highly privileged groups, allowing identification of users with administrative control over the domain or forest.
net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
User Privilege Enumeration (Local Context):
Displays the current user context, group memberships, and token privileges, which helps assess local privilege level and possible escalation opportunities.
whoami
whoami /groups
whoami /priv
Users With No Password / Password Never Expires:
Shows password-related attributes of a domain account, enabling identification of weak configurations such as passwords not required or set to never expire.
net user username /domain
Computer Account Enumeration:
Lists all computer accounts visible in the domain, providing insight into the size of the environment and potential lateral movement targets.
net view /domain
OS & System Information:
Displays detailed operating system, patch, and hardware information, which is useful for vulnerability assessment and exploit compatibility analysis.
systeminfo
ver
SMB Shares & Network Visibility:
Enumerates accessible SMB shares locally and on remote systems, helping identify misconfigured or overly permissive file shares.
net view
net view \\TARGET
RDP:
Initiates a Remote Desktop session to the target host, commonly used for lateral movement when valid credentials are available.
mstsc /v:TARGET
Run Commands as Another User:
Allows execution of commands under a different user context, useful for privilege validation or lateral movement using known credentials.
runas /user:DOMAIN\username cmd
WMIC: A Goldmine in Hardened Systems:
Queries system, user, service, and installed software information using built-in Windows management interfaces, often allowed even in hardened environments.
wmic os get caption,version
wmic useraccount get name,sid
wmic service list brief
wmic product get name,version
Scheduled Tasks Enumeration:
Lists all scheduled tasks with verbose details, helping identify tasks running with elevated privileges or containing hardcoded credentials.
schtasks /query /fo LIST /v
Printer Spooler Service Check:
Checks whether the Print Spooler service is running, which is relevant due to its history of privilege escalation and lateral movement vulnerabilities.
sc query spooler
Firewall Status:
Displays the status of Windows Firewall across all profiles, helping assess network exposure and defensive posture.
netsh advfirewall show allprofiles
LSA Protection Checks:
Determines whether LSA Protection (RunAsPPL) is enabled, which impacts credential dumping resistance and overall system hardening.
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
DPAPI & Credential Artifacts:
Locates DPAPI master key storage directories, which may contain encrypted credential material relevant during post-exploitation.
dir /a %APPDATA%\Microsoft\Protect
dir /a C:\Windows\System32\Microsoft\Protect
Kerberos Tickets:
Displays cached Kerberos tickets for the current session, useful for understanding authentication context and potential ticket abuse scenarios.
klist
ADCS Presence:
Checks for the presence of Active Directory Certificate Services, a common source of privilege escalation when misconfigured.
certutil -config - -ping
Certificate Templates:
Enumerates available certificate templates in the domain, enabling review of enrollment permissions and risky configurations.
certutil -template
Vulnerable Templates:
Filters certificate templates that allow requester-supplied subject names, a common indicator of exploitable ADCS misconfigurations.
certutil -template | findstr /i "ENROLLEE"
File & Permission Enumeration:
Displays file or directory permissions, helping identify weak ACLs that could be abused for privilege escalation.
icacls C:\SensitivePath
Domain Trust Enumeration:
Lists trust relationships with other domains or forests, revealing potential cross-domain or cross-forest attack paths.
nltest /domain_trusts
NetBIOS & Services:
Enumerates NetBIOS names and services locally and on remote hosts, useful for legacy service discovery and network mapping.
nbtstat -n
nbtstat -A TARGET
Registry & Policy Tools Availability:
Checks whether registry and group policy editors are accessible, indicating the level of local system restriction.
where regedit
where gpedit.msc
Windows Defender Active/Inactive:
Checks the status of Windows Defender Antivirus service to determine whether built-in endpoint protection is active.
sc query WinDefend
Check Windows Defender Real-Time Protection:
Identifies whether real-time protection is disabled via registry configuration, which may indicate a weakened security posture.
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"
Identify Local Administrators:
Lists all users and groups with local administrator privileges, highlighting accounts capable of full system compromise.
net localgroup administrators
Saved Credentials in Windows:
Displays stored credentials cached on the system, which may be reused for lateral movement or privilege escalation.
cmdkey /list
Unquoted Service Path Vulnerability:
Identifies auto-starting services with unquoted paths, which can be abused for privilege escalation when writable directories exist in the path.
wmic service get name,displayname,pathname,startmode | findstr /i "auto"
Exploitable Windows Services (Privilege Escalation Paths):
Examines service configuration, permissions, and associated binaries to identify services that can be modified or hijacked for privilege escalation.
sc qc ServiceName
sc sdshow ServiceName
icacls "C:\Path\To\Service.exe"
ACL & Abuse Vector Enumeration:
Reviews file system and registry ACLs to uncover overly permissive permissions that could be leveraged for abuse.
icacls C:\SensitivePath
powershell -Command "(Get-Acl HKLM:\SOFTWARE\SensitiveKey).Access"
icacls C:\ | findstr /i "Everyone Users"
Hardcoded Credentials Search:
Searches common configuration and text files for plaintext credentials or sensitive secrets stored insecurely.
findstr /si /n "password pwd secret key token" C:\*.txt C:\*.ini C:\*.config
Registry Credential Discovery:
Recursively searches the Windows registry for stored plaintext credentials or sensitive configuration values.
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Scheduled Tasks With Credentials:
Identifies scheduled tasks that may run with elevated privileges or contain embedded credentials in task configuration.
schtasks /query /fo LIST /v
Startup Programs (Credential Leakage):
Enumerates startup programs and their execution commands, which may reveal hardcoded credentials or insecure execution paths.
wmic startup get Caption,Command
Active Directory Enumeration Using Native Windows Commands – PowerShell ADSI Based Queries
Domain Name:
Retrieves the Active Directory domain name the current system is joined to, confirming domain context and scope of enumeration.
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
Forest Name:
Identifies the Active Directory forest name, which is important for understanding cross-domain and cross-trust exposure.
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Name
Domain Controller Enumeration:
Enumerates all domain controllers for the current domain along with their IP addresses, aiding in authentication flow analysis and attack path mapping.
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).DomainControllers | Select Name,IPAddress
Domain User Enumeration:
Lists all user objects in Active Directory using LDAP queries, providing a baseline view of identities without requiring the AD PowerShell module.
([adsisearcher]"(objectClass=user)").FindAll() | Select @{n="User";e={$_.Properties.samaccountname[0]}}
Privileged Users (Example:Domain Admins):
Retrieves members of the Domain Admins group, revealing accounts with full administrative control over the domain.
$group = [ADSI]"LDAP://CN=Domain Admins,CN=Users,$(([ADSI]'').distinguishedName)"
$group.member
Users With Password Never Expire:
Identifies user accounts configured with passwords that never expire, a common weakness often associated with service or legacy accounts.
([adsisearcher]"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))").FindAll() | Select @{n="User";e={$_.Properties.samaccountname[0]}}
Users With No Password Required:
Enumerates accounts that do not require a password for authentication, representing a critical misconfiguration if enabled.
([adsisearcher]"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))").FindAll() | Select @{n="User";e={$_.Properties.samaccountname[0]}}
Inactive Users (60+ Days):
Identifies stale user accounts that have not logged in for over 60 days, which are often overlooked and abused during internal attacks.
$days = (Get-Date).AddDays(-60).ToFileTime()
([adsisearcher]"(&(objectClass=user)(lastLogonTimestamp<=$days))").FindAll() | Select @{n="User";e={$_.Properties.samaccountname[0]}}
Computer Enumeration:
Lists all computer objects in the domain, helping identify potential lateral movement targets.
([adsisearcher]"(objectClass=computer)").FindAll() | Select @{n="Computer";e={$_.Properties.name[0]}}
Computers With Password Never Expire:
Detects computer accounts with non-expiring passwords, which may indicate weak machine account hygiene.
([adsisearcher]"(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=65536))").FindAll() | Select @{n="Computer";e={$_.Properties.name[0]}}
Operating System & Version:
Enumerates operating system information for domain-joined computers, useful for vulnerability assessment and prioritization.
([adsisearcher]"(objectClass=computer)").FindAll() | Select @{n="Computer";e={$_.Properties.name[0]}}, @{n="OS";e={$_.Properties.operatingsystem[0]}}
ADCS Presence Detection:
Checks for the presence of Active Directory Certificate Services, which is frequently abused for privilege escalation when misconfigured. Enrollment service and template objects live in the Configuration naming context, so the searcher's root must be pointed there (a default [adsisearcher] searches only the domain naming context and returns nothing).
$cfg = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$s = [adsisearcher]"(objectClass=pKIEnrollmentService)"; $s.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"; $s.FindAll() | Select @{n="CA";e={$_.Properties.name[0]}}
Vulnerable Certificate Templates (Basic Indicator):
Identifies certificate templates that allow requester-controlled subject names, a common prerequisite for ADCS abuse scenarios. The indicator is bit 1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) of msPKI-Certificate-Name-Flag, tested with the LDAP bitwise-AND matching rule.
$s = [adsisearcher]"(&(objectClass=pKICertificateTemplate)(msPKI-Certificate-Name-Flag:1.2.840.113556.1.4.803:=1))"; $s.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"; $s.FindAll() | Select @{n="Template";e={$_.Properties.name[0]}}
Domain Trust Enumeration:
Enumerates trust relationships with other domains or forests, revealing potential cross-domain authentication and attack paths.
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
Kerberos Pre-Authentication Disabled (AS-REP Roasting Candidates):
Identifies user accounts with Kerberos pre-authentication disabled, which can be abused for offline password cracking without valid credentials.
([adsisearcher]"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))").FindAll() | Select @{n="User";e={$_.Properties.samaccountname[0]}}
Kerberoastable Users (SPN-Set Accounts):
Enumerates accounts with Service Principal Names configured, making them potential targets for Kerberoasting attacks.
([adsisearcher]"(&(objectClass=user)(servicePrincipalName=*))").FindAll() | Select @{n="User";e={$_.Properties.samaccountname[0]}}, @{n="SPN";e={$_.Properties.serviceprincipalname}}
Disabled Users (Accounts Not Deleted):
Lists disabled user accounts that still exist in Active Directory, which may retain group memberships and be re-enabled maliciously.
([adsisearcher]"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))").FindAll() | Select @{n="User";e={$_.Properties.samaccountname[0]}}
Constrained Delegation (AD):
Identifies user accounts configured for constrained delegation, which can be abused to impersonate services if misconfigured.
([adsisearcher]"(&(objectClass=user)(msDS-AllowedToDelegateTo=*))").FindAll() | Select @{n="Account";e={$_.Properties.samaccountname}}, @{n="Delegation";e={$_.Properties.'msds-allowedtodelegateto'}}
Computer Accounts:
Enumerates computer accounts allowed to delegate to specific services, a critical check for Kerberos delegation abuse paths.
([adsisearcher]"(&(objectClass=computer)(msDS-AllowedToDelegateTo=*))").FindAll()
Unconstrained Delegation (AD):
Detects computers trusted for unconstrained delegation, which allows attackers to capture Kerberos tickets and escalate privileges.
([adsisearcher]"(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))").FindAll() | Select @{n="Computer";e={$_.Properties.name}}
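The userAccountControl one-liners above (password never expires, no password required, pre-authentication disabled, disabled accounts, unconstrained delegation) each run a separate search with the bitwise-AND matching rule 1.2.840.113556.1.4.803. The following is an added example, not code from the original post or its author's scripts: a single ADSI search that pulls userAccountControl for every user and computer object once and decodes all of those bits locally. It uses (objectCategory=person) to separate real users from computer accounts, since (objectClass=user) alone matches both, and assumes only that the host is domain-joined and the caller can read the domain naming context (the default for any authenticated user). Flag values are the documented ADS_USER_FLAG_ENUM constants.

```powershell
# Added example, not part of the original post. Decodes userAccountControl
# bits for all user and computer objects in one paged ADSI search.

# userAccountControl flag values (ADS_USER_FLAG_ENUM).
$uacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0000002
    PASSWD_NOTREQD                 = 0x0000020
    DONT_EXPIRE_PASSWORD           = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
    DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roasting candidate
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
}

function Get-UacFindings {
    param(
        # objectCategory=person excludes computers, which also carry objectClass=user.
        [string]$Filter = '(&(objectClass=user)(|(objectCategory=person)(objectCategory=computer)))'
    )
    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000      # paged results so domains with >1000 objects are fully returned
    [void]$searcher.PropertiesToLoad.AddRange(@('samaccountname','useraccountcontrol','objectcategory','serviceprincipalname'))

    foreach ($r in $searcher.FindAll()) {
        $uacProp = $r.Properties['useraccountcontrol']
        if ($uacProp.Count -eq 0) { continue }          # contacts etc. have no UAC
        $uac = [int]$uacProp[0]

        # Collect the names of every flag that is set on this object.
        $set = foreach ($name in $uacFlags.Keys) { if ($uac -band $uacFlags[$name]) { $name } }
        if (-not $set) { continue }                      # nothing worth reporting

        [pscustomobject]@{
            Account = [string]$r.Properties['samaccountname'][0]
            Type    = if ($r.Properties['objectcategory'][0] -match '^CN=Computer') { 'Computer' } else { 'User' }
            Flags   = $set -join ','
            HasSPN  = $r.Properties.Contains('serviceprincipalname')   # Kerberoastable if a user
        }
    }
}

Get-UacFindings | Sort-Object Type, Account | Format-Table -AutoSize
```

Because every finding comes from one query, the output lists accounts that combine several weak settings (for example a never-expiring password on an account that also has an SPN), which the separate one-liners cannot show without manual correlation.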
AD Object ACL Enumeration (ADSI):
Retrieves access control entries on the domain object, enabling identification of dangerous permissions such as GenericAll, WriteDACL, or WriteOwner.
$root = [ADSI]"LDAP://RootDSE"
$domain = [ADSI]("LDAP://" + $root.defaultNamingContext)
$domain.psbase.ObjectSecurity.Access
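The raw Access collection above is long, and most entries are inherited defaults. As an added example (not from the original post), the function below keeps only Allow entries that grant GenericAll, WriteDacl or WriteOwner on the domain object and that are held by a principal outside a list of expected administrative groups; $KnownAdmins is an assumption to be adjusted to the environment being reviewed. It uses the same RootDSE and psbase.ObjectSecurity approach as the page's snippet.

```powershell
# Added example, not part of the original post. Filters the domain object's DACL
# down to entries a reviewer needs to look at.

$root   = [ADSI]'LDAP://RootDSE'
$domain = [ADSI]("LDAP://" + $root.Properties['defaultNamingContext'].Value)

# Rights that equate to full control of the domain object.
$riskyRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# Principals expected to hold these rights by design (assumed list; adjust per environment).
$KnownAdmins = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins')

function Get-RiskyDomainAces {
    $acl = $domain.psbase.ObjectSecurity
    # Resolve identities to NTAccount names so the output is readable.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.ActiveDirectoryRights -band $riskyRights) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($KnownAdmins | Where-Object { $who -like "*$_" }) { continue }
        [pscustomobject]@{
            Identity   = $who
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType          # all-zero GUID means the right applies to the whole object
            Inherited  = $ace.IsInherited
        }
    }
}

Get-RiskyDomainAces | Format-Table -AutoSize
```

Any identity that survives the filter has effective control over the domain object and should either be documented as intentional or treated as a finding.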
Active Directory Enumeration Using Native Windows Commands – PowerShell AD Module
Load the Active Directory module, if it is not already loaded, with “Import-Module ActiveDirectory” (the module is part of RSAT and must already be installed on the host).
Domain Information:
Retrieves core domain configuration details such as domain name, SID, functional level, and password policies.
Get-ADDomain
Forest Information:
Enumerates forest-level details including domains, global catalogs, trusts, and forest functional level.
Get-ADForest
Domain Controller Enumeration:
Lists all domain controllers in the domain along with their roles and site placement, useful for authentication flow and attack path analysis.
Get-ADDomainController -Filter *
Domain User Enumeration:
Enumerates all domain user accounts, providing a baseline view of identities present in Active Directory.
Get-ADUser -Filter * | Select SamAccountName
Domain Admins & Privileged Groups:
Identifies members of highly privileged AD groups with full control over the domain or forest.
Get-ADGroupMember "Domain Admins"
Get-ADGroupMember "Enterprise Admins"
Users With Password Never Expire:
Detects accounts configured with non-expiring passwords, a common weakness in service or legacy accounts.
Get-ADUser -Filter {PasswordNeverExpires -eq $true} | Select SamAccountName
Users Requiring No Password:
Identifies accounts that do not require a password for authentication, representing a critical security misconfiguration.
Get-ADUser -Filter {PasswordNotRequired -eq $true} | Select SamAccountName
Inactive Users (60+ Days):
Finds stale user accounts that have not logged in recently and may be forgotten or abused.
Get-ADUser -Filter * -Properties LastLogonDate | Where {$_.LastLogonDate -lt (Get-Date).AddDays(-60)} | Select SamAccountName,LastLogonDate
Computer Enumeration:
Lists all domain-joined computer objects, helping identify lateral movement targets.
Get-ADComputer -Filter * | Select Name
Computers With Password Never Expire:
Identifies computer accounts with weak password rotation policies, indicating poor machine account hygiene.
Get-ADComputer -Filter {PasswordNeverExpires -eq $true} | Select Name
Operating System & Version:
Retrieves OS information for domain computers, useful for vulnerability prioritization and attack planning.
Get-ADComputer -Filter * -Properties OperatingSystem | Select Name,OperatingSystem
ADCS Presence:
Checks whether Active Directory Certificate Services is deployed, a frequent source of privilege escalation when misconfigured.
Get-ADObject -SearchBase (Get-ADRootDSE).configurationNamingContext -Filter 'objectClass -eq "pKIEnrollmentService"' | Select Name
Certificate Templates:
Enumerates certificate templates available in the domain, forming the basis for ADCS abuse analysis.
Get-ADObject -SearchBase (Get-ADRootDSE).configurationNamingContext -Filter 'objectClass -eq "pKICertificateTemplate"' | Select Name
Vulnerable Certificate Templates (Basic):
Identifies templates with risky enrollment settings that may allow certificate-based privilege escalation.
Get-ADObject -SearchBase (Get-ADRootDSE).configurationNamingContext -Filter 'objectClass -eq "pKICertificateTemplate"' -Properties msPKI-Enrollment-Flag,msPKI-Template-Schema-Version | Select Name,msPKI-Enrollment-Flag
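Both the ADSI and the AD module ADCS checks above return raw objects from the Configuration naming context. The following added example (not from the original post) uses plain System.DirectoryServices, so it works at Level 2 without the AD module, and shows the two things a reviewer actually needs side by side: which templates each CA publishes, and for each template whether the requester may supply the subject name (bit 1 of msPKI-Certificate-Name-Flag) together with its extended key usages. The CN=Public Key Services container path and the attribute names are the standard ones; the function names are this example's own.

```powershell
# Added example, not part of the original post. Enumerates enrollment services
# and certificate templates from the Configuration NC and decodes the
# enrollee-supplies-subject flag.

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$pkiBase  = "LDAP://CN=Public Key Services,CN=Services,$configNc"

# msPKI-Certificate-Name-Flag bit CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT.
$EnrolleeSuppliesSubject = 0x1

function Get-PkiObjects {
    param([string]$Filter, [string[]]$Props)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]$pkiBase        # search the PKI container, not the domain NC
    $s.Filter     = $Filter
    $s.PageSize   = 1000
    [void]$s.PropertiesToLoad.AddRange($Props)
    $s.FindAll()
}

function Get-AdcsEnrollmentServices {
    # One pKIEnrollmentService object exists per enterprise CA.
    foreach ($ca in Get-PkiObjects '(objectClass=pKIEnrollmentService)' @('name','dnshostname','certificatetemplates')) {
        [pscustomobject]@{
            CA        = [string]$ca.Properties['name'][0]
            Host      = [string]$ca.Properties['dnshostname'][0]
            Published = @($ca.Properties['certificatetemplates']) -join ','
        }
    }
}

function Get-AdcsTemplates {
    foreach ($t in Get-PkiObjects '(objectClass=pKICertificateTemplate)' @('name','mspki-certificate-name-flag','pkiextendedkeyusage')) {
        $nameFlag = 0
        if ($t.Properties.Contains('mspki-certificate-name-flag')) {
            $nameFlag = [int]$t.Properties['mspki-certificate-name-flag'][0]
        }
        [pscustomobject]@{
            Template                = [string]$t.Properties['name'][0]
            EnrolleeSuppliesSubject = [bool]($nameFlag -band $EnrolleeSuppliesSubject)
            EKU                     = @($t.Properties['pkiextendedkeyusage']) -join ','   # OIDs; empty means any purpose
        }
    }
}

Get-AdcsEnrollmentServices | Format-Table -AutoSize
Get-AdcsTemplates | Sort-Object EnrolleeSuppliesSubject -Descending | Format-Table -AutoSize
```

A template with EnrolleeSuppliesSubject set is only a concern if a CA actually publishes it, so cross-reference the Published column with the template list; unpublished templates cannot be enrolled against.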
Scheduled Tasks:
Lists scheduled tasks with verbose details, helping identify tasks running with elevated privileges or embedded credentials.
schtasks /query /fo LIST /v
WMIC Enumeration:
Uses built-in Windows management interfaces to enumerate OS details, users, and installed software in hardened environments.
wmic os get caption,version
wmic useraccount get name,sid
wmic product get name,version
Printer Spooler Service:
Checks whether the Print Spooler service is running, relevant due to its history of privilege escalation vulnerabilities.
Get-Service spooler
Firewall Status:
Displays the status of Windows Firewall across all profiles, helping assess host-level network exposure.
Get-NetFirewallProfile
AMSI Status:
Checks whether AMSI is enabled, which affects PowerShell and script content inspection.
Get-ItemProperty HKLM:\Software\Microsoft\AMSI
PowerShell Version:
Displays the installed PowerShell version, impacting available features and security controls.
$PSVersionTable
PowerShell Language Mode:
Indicates the current PowerShell language mode, revealing whether script execution is fully allowed or constrained.
$ExecutionContext.SessionState.LanguageMode
LSA Protection:
Determines whether LSA Protection is enabled, which affects credential theft resistance.
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL
DPAPI Master Keys:
Enumerates DPAPI master key locations, which may be relevant during post-exploitation credential access.
Get-ChildItem "$env:APPDATA\Microsoft\Protect" -Recurse -Force
Get-ChildItem "C:\Windows\System32\Microsoft\Protect" -Recurse -Force
Credential Guard:
Checks whether Credential Guard is running, indicating hardened credential protection; a value of 1 in SecurityServicesRunning means Credential Guard is active (2 indicates HVCI).
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
Registry & Group Policy Editors:
Verifies availability of registry and group policy editors, reflecting the level of local system restriction.
Get-Command regedit
Get-Command gpedit.msc
Domain Trust Enumeration:
Enumerates trust relationships with other domains or forests, revealing cross-domain attack opportunities.
Get-ADTrust -Filter *
Ports & Services (Local):
Lists listening network ports and running services, helping identify exposed services and privilege escalation vectors.
Get-NetTCPConnection -State Listen
Get-Service
SMB Sessions:
Enumerates active SMB sessions and shared resources, useful for identifying data exposure and lateral movement paths.
Get-SmbSession
Get-SmbShare
AD Group Policy Enumeration:
Lists all Group Policy Objects, enabling review of security, credential, and session-related policies.
Get-GPO -All
Windows Defender Active/Inactive:
Checks whether Microsoft Defender Antivirus is running on the system.
Get-Service WinDefend
Check Windows Defender Real-Time Protection:
Determines whether Defender real-time protection is enabled or disabled.
Get-MpComputerStatus | Select RealTimeProtectionEnabled
Check Defender Tamper Protection:
Indicates whether Defender settings are protected against unauthorized modification.
Get-MpComputerStatus | Select IsTamperProtected
Check Defender Cloud Protection:
Shows whether cloud-delivered protection (MAPS reporting) is enabled, which affects detection of new or unknown samples.
Get-MpComputerStatus | Select MAPSReporting
Check Defender Exclusion Paths:
Lists paths and file extensions excluded from Defender scanning; broad exclusions weaken coverage.
Get-MpPreference | Select ExclusionPath
Get-MpPreference | Select ExclusionExtension
Check Defender Script Scanning (AMSI):
Checks whether AMSI integration is active for script inspection.
Get-MpComputerStatus | Select AMSIEnabled
Check If PowerShell Is Monitored by Defender:
Indicates whether Defender actively scans PowerShell scripts for malicious content.
Get-MpPreference | Select EnableScriptScanning
Kerberos Pre-Authentication Disabled (AS-REP Roasting Candidates):
Identifies accounts vulnerable to AS-REP roasting, enabling offline password cracking without credentials.
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} | Select SamAccountName,Enabled
Kerberoastable Users (SPN-Set Accounts):
Enumerates SPN-configured accounts that can be targeted for Kerberoasting attacks.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName | Select SamAccountName,ServicePrincipalName
Disabled Users (Accounts Not Deleted):
Lists disabled accounts that still exist in AD and may retain sensitive group memberships.
Get-ADUser -Filter {Enabled -eq $false} | Select SamAccountName,DistinguishedName
Session Timeout Policy Not Configured:
Identifies whether session timeout or idle policies are defined via Group Policy.
Get-GPO -All | Where-Object {$_.DisplayName -match "Idle|Session|Timeout"}
Identify Local Administrators:
Lists users and groups with local administrator privileges on the system.
Get-LocalGroupMember Administrators
Saved Credentials in Windows:
Locates stored credential files that may contain reusable authentication material.
dir $env:APPDATA\Microsoft\Credentials -Force
dir C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials -Force
PowerShell Execution Policy Bypass Check:
Validates whether PowerShell execution policies can be bypassed at runtime.
powershell -ExecutionPolicy Bypass -Command "Get-Date"
Unquoted Service Path Vulnerability:
Identifies auto-starting services with unquoted executable paths, a classic privilege escalation vector.
Get-WmiObject Win32_Service |
Where {
$_.StartMode -eq "Auto" -and
$_.PathName -notmatch '"' -and
$_.PathName -match ' '
} | Select Name,PathName,StartName
Hardcoded Credentials Search (Native Only):
Searches common file types for plaintext credentials or sensitive secrets stored insecurely.
Get-ChildItem C:\ -Include *.txt,*.ini,*.config,*.xml -Recurse -ErrorAction SilentlyContinue |
Select-String "password|pwd|secret|token|apikey"
Services Running as Domain Users:
Identifies services running under domain user accounts, which are frequently abused for lateral movement or privilege escalation.
Get-WmiObject Win32_Service |
Where {$_.StartName -notmatch "LocalSystem|NT AUTHORITY"} |
Select Name,StartName
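The service checks in this post (the wmic unquoted-path filter in the CMD section, and the unquoted-path and non-system-account Win32_Service queries above) each answer one question. The following added example, which is not from the original post, combines them into one CIM query and adds the check the unquoted-path description mentions but the one-liners do not perform: whether the directory holding the service binary grants write rights to broad groups. It assumes Windows PowerShell 3 or later (Get-CimInstance), local read access to the service directories, and that the $BroadPrincipals list fits the environment; the function names are this example's own.

```powershell
# Added example, not part of the original post. Audits Win32_Service for
# unquoted paths, non-system run-as accounts and broadly writable binary directories.

$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# Extract the executable from a service command line: "C:\a b\x.exe" -arg or C:\a b\x.exe -arg.
function Get-ServiceExe([string]$PathName) {
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)\b') { return $Matches[1] }   # -match is case-insensitive
    return $PathName.Split(' ')[0]
}

# True when a broad principal holds write-class rights that apply to the directory itself.
function Test-BroadWrite([string]$Dir) {
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ([int]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if ([int]($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceFindings {
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName) { continue }
        $issues = @()
        # Same test as the page's Where block: auto-start, no quotes, contains a space.
        if ($svc.StartMode -eq 'Auto' -and $svc.PathName -notmatch '"' -and $svc.PathName -match ' ') { $issues += 'UnquotedPath' }
        # Anything outside the built-in service identities (includes domain and local user accounts).
        if ($svc.StartName -and $svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') { $issues += "NonSystemAccount:$($svc.StartName)" }
        $dir = Split-Path -Parent (Get-ServiceExe $svc.PathName)
        if ($dir -and (Test-BroadWrite $dir)) { $issues += 'BroadWriteOnBinaryDir' }
        if ($issues.Count -eq 0) { continue }
        [pscustomobject]@{ Service = $svc.Name; StartMode = $svc.StartMode; Path = $svc.PathName; Issues = ($issues -join ',') }
    }
}

Get-ServiceFindings | Format-Table -AutoSize -Wrap
```

Run it as a local administrator for complete results, since Get-Acl fails on directories the current user cannot read; a service that combines UnquotedPath or BroadWriteOnBinaryDir with a privileged StartName is the one to prioritise for remediation.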
Modern Active Directory pentesting is no longer about who has the best knowledge of tools and scripts; it is about who understands Windows the best. In live enterprise environments with EDR, Defender, DLP, and SOC oversight, Windows native command-line utilities remain one of the most reliable, stealthy, and effective ways to enumerate Active Directory. If you are performing internal VAPT, red team operations, or assumed breach assessments, Windows command-line mastery is a primary weapon.
I have made scripts to automate these things, the same can also be checked from the below link: https://github.com/KhukuriRimal/AD-Enumeration/
Tools may fail and scripts may be blocked, but Windows will always be Windows, and knowing how to use it well makes all the difference.