The post Powershell for Hackers, Part 2: LDAP Filters for Active Directory Reconnaissance first appeared on Hackers Arise.

Welcome back to our PowerShell for Hackers series!
Today, we’ll explore a more advanced topic: PowerShell and LDAP filters. These tools allow precise searches within Active Directory (AD). LDAP is a protocol used for querying directory services to retrieve details about user accounts, computers, groups, or policies. By using LDAP filters in PowerShell scripts, you can quietly gather detailed information from a domain without immediately alerting defenders. These filters use a structured syntax with logical operators to refine searches based on attributes such as group membership, administrative privileges, or account status.
Since LDAP filtering is read-only and uses legitimate protocols, it often goes unnoticed, providing a discreet way to map the environment, uncover trust relationships, and plan further actions within the network.
In this guide, we’ll work with a complex domain featuring multiple trusts and thousands of computers to demonstrate these concepts clearly. Don’t worry about older Windows versions; skilled operators should feel confident navigating any Windows terminal.
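The claim above that read-only LDAP queries go unnoticed holds only while a domain controller is not logging them. As an added defender's check (not part of the original post), the script below enables the Directory Service 1644 "expensive/inefficient search" event on a DC and pulls the client address and filter text out of those events, flagging the filter patterns this post uses; it assumes an elevated session on a domain controller, and the threshold values are example choices.

```powershell
# Added example: make reconnaissance-style LDAP searches visible on a DC.
# Event 1644 (Directory Service log) records the client, starting node, filter,
# scope and result counts of searches that cross the configured thresholds.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# 1. Enable Field Engineering logging and lower the default thresholds
#    (10000 / 1000 / 30000 ms) so that subtree-wide recon searches are recorded.
Set-ItemProperty -Path "$ntds\Diagnostics" -Name '15 Field Engineering' -Value 5
Set-ItemProperty -Path "$ntds\Parameters" -Name 'Expensive Search Results Threshold'   -Value 1000
Set-ItemProperty -Path "$ntds\Parameters" -Name 'Inefficient Search Results Threshold' -Value 100
Set-ItemProperty -Path "$ntds\Parameters" -Name 'Search Time Threshold (msecs)'        -Value 1000

# 2. Filter patterns that appear in this post's queries: userAccountControl
#    bitwise matches, adminCount=1, description=*, operatingSystem sweeps.
$suspect = '1\.2\.840\.113556\.1\.4\.803|adminCount=1|description=\*|operatingSystem='

# 3. Parse the last 500 events and summarise suspicious filters per client.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } -MaxEvents 500 |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Client = $(if ($m -match 'Client:\s*([^\r\n]+)') { $matches[1] } else { '' })
            Filter = $(if ($m -match 'Filter:\s*([^\r\n]+)') { $matches[1] } else { '' })
        }
    } |
    Where-Object { $_.Filter -match $suspect } |
    Group-Object Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Filters'; e = { ($_.Group.Filter | Select-Object -Unique) -join ' ; ' } }
```

A client that issues several of these filters in a short window is worth correlating with logon events from the same address.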
PowerShell Filters
Here are some useful PowerShell filters to help you enumerate systems efficiently.
Listing Installed Software
This command reveals installed software on a computer, helping identify its purpose and potential misconfigurations that could allow privilege escalation. We’ll exclude Microsoft software to focus the output. Note that querying Win32_Product triggers a consistency check (and possible repair) of every installed MSI package and writes MsiInstaller events to the Application log, so it is neither fast nor quiet.
PS > Get-CimInstance Win32_Product -Filter "NOT Vendor LIKE '%Microsoft%'" | fl

Filtering Users
Older domains often retain inactive accounts, such as those of former employees. To narrow the search, let’s target usernames starting with “adm” for potential administrative accounts.
PS > Get-ADUser -Filter {Name -like "adm*"}

Filtering Computers
In a domain with thousands of computers, you can locate specific types, like SQL servers, to focus your efforts.
PS > Get-ADComputer -Filter "DNSHostName -like '*SQL*'"

Servers with cameras are also helpful, as you know.

Filtering Administrative Groups
This command finds groups whose adminCount attribute is 1. The SDProp process sets this value on protected groups and their members and stamps them with the AdminSDHolder ACL, and these groups are typically controlled by Domain Admins. They have significant permissions in Active Directory. Because adminCount is not cleared when an object leaves a protected group, the output can also include stale entries that are no longer privileged.
PS > Get-ADGroup -Filter "adminCount -eq 1" | Select-Object Name

Filtering AS-REP Roastable Admins
An AS-REP roastable user is an account in Active Directory that has Kerberos pre‑authentication turned off. An attacker can request a ticket for that account, receive an encrypted response (the AS‑REP) without needing valid credentials, and then crack that encrypted blob offline to recover the user’s password. Because it requires no interaction with the live network beyond the initial request, it’s a low‑noise way to steal weak or reused passwords.
PS > Get-ADUser -Filter {adminCount -eq 1 -and DoesNotRequirePreAuth -eq $true}
Filtering Kerberoastable Admins
Kerberoastable users are accounts in Active Directory that have one or more Service Principal Names (SPNs) registered to them. An SPN is a unique identifier that maps a service instance to a service logon account, for example a SQL Server service account or a web application pool identity. Because Kerberos uses these SPNs to issue service tickets (TGS) automatically when a client wants to connect, any account with an SPN becomes a target, as the domain controller will encrypt the ticket with that account’s password hash.
In a Kerberoasting attack, we discover all accounts with SPNs by querying Active Directory, then request service tickets for each SPN; no special privileges are needed beyond a normal domain user. The domain controller hands back the TGS ticket, which contains a payload encrypted under the service account’s hash. We capture those tickets and crack them offline using tools like Hashcat or John the Ripper. If the account’s password is weak or poorly chosen, it will be recovered, giving us legitimate credentials we can use to escalate privileges or move laterally within the network.
PS > Get-ADUser -Filter "adminCount -eq 1" -Properties servicePrincipalName, memberOf | Where-Object servicePrincipalName -ne $null | Select-Object SamAccountName, MemberOf, ServicePrincipalName | fl

Filtering a User
After we have found a vulnerable user, let’s pull some more information about the account.
PS > Get-ADUser -Identity sql_service -Properties * | Format-List

Filtering PasswordNotRequired Accounts
Accounts with the “PasswordNotRequired” flag in Active Directory can have blank passwords, allowing authentication without credentials. Though rare, such misconfigurations exist and are important to identify.
PS > Get-ADUser -Filter * -Properties PasswordNotRequired | Where-Object { $_.PasswordNotRequired } | Select-Object SamAccountName, Name

Filtering User Descriptions
User description fields sometimes contain sensitive information, like credentials, due to misconfigurations. This command helps uncover them.
PS > Get-ADUser -Filter * -Properties Description | Select-Object SamAccountName, Name, Description

Filtering Domain Admins
Domain Admins and Enterprise Admins are considered the most prized “gems” in Active Directory, because they have virtually unlimited power over the environment. A member of the Domain Admins group has full control of every domain‑joined computer and of the domain itself, allowing you to create or delete accounts, push out malware via Group Policy, read or change any data stored in the domain, or even issue your own Kerberos tickets. Gaining DA or EA rights is essentially equivalent to owning every machine and user account in the domain.
Here is how you list the domain admins:
PS > Get-ADGroupMember -Identity "Domain Admins" -Recursive | Where-Object { $_.objectClass -eq 'user' } | Select-Object Name, SamAccountName

Filtering PasswordLastChanged
The PasswordLastSet attribute (pwdLastSet in LDAP, shown as PasswordLastChanged in the command below) records the exact time a user’s password was last updated. A hacker who knows when the defender has rotated or reset credentials can find a vulnerable account even after an incident response. This helped us regain valid access quickly after the blue team forced a password reset.
PS > Get-ADUser -Identity username -Properties PasswordLastSet | Select-Object SamAccountName, Name, @{Name='PasswordLastChanged';Expression={$_.PasswordLastSet}}

To find admin accounts with passwords unchanged for over a month:
PS > Get-ADUser -Filter "samAccountName -like 'Adm*'" -Properties PasswordLastSet | Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt (Get-Date).AddMonths(-1) } | Select-Object samAccountName, @{Name='PasswordLastChanged';Expression={$_.PasswordLastSet}}

Counting Users
Counting users in a domain provides insight into its size and potential for misconfigurations, even in smaller environments.
PS > (Get-ADUser -SearchBase "OU=Employees,DC=DOMAIN,DC=RU" -Filter *).Count
Note that you might have to replace “Employees” with the OU name used in your domain.
LDAP Filters
LDAP filters are text-based expressions in parentheses that specify which Active Directory objects to retrieve. Because the filter is evaluated on the domain controller and only matching objects are returned, queries are faster and more precise than fetching every object and filtering it client-side.
Filtering User Descriptions
This LDAP filter retrieves users with any description, which may reveal sensitive details.
PS > Get-ADUser -Properties * -LDAPFilter '(&(objectCategory=user)(description=*))' | select samaccountname, description

Filtering Trusted Accounts
These filters identify accounts with the TRUSTED_FOR_DELEGATION flag (bit 524288 of userAccountControl, i.e. unconstrained delegation), which can be exploited to impersonate high-privilege users in delegation attacks without needing their passwords. The matching rule 1.2.840.113556.1.4.803 performs a bitwise AND, so the filter matches any object whose userAccountControl has that bit set. Domain controllers carry this flag by design, so expect them in the computer results.
For trusted users:
PS > Get-ADUser -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' | select Name, memberof, servicePrincipalName, TrustedForDelegation | fl
For trusted computers:
PS > Get-ADComputer -Properties * -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' | select DistinguishedName, servicePrincipalName, TrustedForDelegation | fl
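The description filter above and the two delegation filters can be composed into one audit script that shows the LDAP syntax the section describes: parenthesised clauses, the `(&...)` AND operator, negation with `(!...)`, and the bitwise matching rule with named userAccountControl flags. This is an added example rather than code from the original post; the flag values are the documented UF_* constants, and the script assumes the ActiveDirectory module in a domain-joined session.

```powershell
# Added example: the post's userAccountControl checks as explicit LDAP filters.
Import-Module ActiveDirectory

# userAccountControl bit values (documented UF_* constants)
$UAC = @{
    PASSWD_NOTREQD         = 0x0020     # 32       password not required
    TRUSTED_FOR_DELEGATION = 0x80000    # 524288   unconstrained delegation
    DONT_REQ_PREAUTH       = 0x400000   # 4194304  AS-REP roastable
}

# "(userAccountControl:1.2.840.113556.1.4.803:=<flag>)": bitwise-AND match
function New-UacFilter([string]$Flag) {
    "(userAccountControl:1.2.840.113556.1.4.803:=$($UAC[$Flag]))"
}

# AND clauses together; every clause must already be parenthesised
function Join-LdapAnd([string[]]$Clauses) { "(&$(-join $Clauses))" }

# Audit queries. primaryGroupId=516 is Domain Controllers, which hold
# TRUSTED_FOR_DELEGATION by design and would otherwise flood the output.
$checks = @{
    'PreauthDisabledAdmins' = Join-LdapAnd @(
        '(objectCategory=person)', '(adminCount=1)', (New-UacFilter 'DONT_REQ_PREAUTH'))
    'PasswordNotRequired' = Join-LdapAnd @(
        '(objectCategory=person)', (New-UacFilter 'PASSWD_NOTREQD'))
    'UnconstrainedDelegationNonDC' = Join-LdapAnd @(
        '(objectCategory=computer)', '(!(primaryGroupId=516))',
        (New-UacFilter 'TRUSTED_FOR_DELEGATION'))
    'DescriptionPopulated' = Join-LdapAnd @(
        '(objectCategory=person)', '(description=*)')
}

foreach ($name in $checks.Keys) {
    $filter = $checks[$name]
    Write-Host "== $name : $filter"
    # Get-ADObject takes any object class, so one call serves users and computers
    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, userAccountControl |
        Select-Object sAMAccountName, DistinguishedName, userAccountControl
}
```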

Filtering Windows Distributions
These filters help identify specific Windows versions, such as servers, to tailor attack strategies. Servers are prioritized since they allow multiple sessions without closing active ones.
For Windows Server 2012:
PS > Get-ADComputer -LDAPFilter '(&(samAccountType=805306369)(!(primaryGroupId=516))(objectCategory=computer)(operatingSystem=Windows Server 2012*))' -Properties OperatingSystem | Select Name, OperatingSystem

For Windows Server 2008:
PS > Get-ADComputer -LDAPFilter '(&(samAccountType=805306369)(!(primaryGroupId=516))(objectCategory=computer)(operatingSystem=Windows Server 2008*))' -Properties OperatingSystem | Select Name, OperatingSystem

For Windows Server 2003:
PS > Get-ADComputer -LDAPFilter '(&(samAccountType=805306369)(!(primaryGroupId=516))(objectCategory=computer)(operatingSystem=Windows Server 2003*))' -Properties OperatingSystem | Select Name, OperatingSystem

The domain we used for this class was first created in the early 2000s. The company behind it is one of Russia’s largest, and as you have already discovered, this legacy infrastructure presents a multitude of potential attack vectors.
Conclusion
By mastering PowerShell LDAP filters, you gain the ability to perform precise, low‑noise queries against Active Directory to uncover users, groups, delegation settings and more without overwhelming the network or raising alarms. In our next article, we will introduce PowerView, a script that wraps these complex LDAP operations into simple, reliable commands so you can speed up your enumeration and focus on the most valuable targets with ease.
Look for our new Powershell for Hackers training March 10-12, 2026. Part of our Subscriber training package.
Source: HackersArise
Source Link: https://hackers-arise.com/powershell-for-hackers-part-2-filters/