Using ActiveDirectory module for Domain Enumeration from PowerShell Constrained Language Mode

This is a quick post to make notes of something which I have been using and teaching for sometime.

We can use Micorosft's PowerShell ActiveDirectory module without RSAT and administrative privileges. I came to know about this from this blog post.

So, if you have access to a Server which has the module installed (like a DC), copy the Microsoft.ActiveDirectory.Management.dll from C:WindowsMicrosoft.NETassemblyGAC_64Microsoft.ActiveDirectory.Management to your own machine and then use the Import-Module cmdlet to import the DLL:

PS C:> Import-Module C:ADModuleMicrosoft.ActiveDirectory.Management.dll -Verbose

Please note that if you run Get-Command -Module ActiveDirectory, it would not return anything. To get that, copy the module directory as well from the server from following location: C:WindowsSystem32WindowsPowerShellv1.0ModulesActiveDirectory. Then, use Import-Module, first the DLL and then the module:

PS C:> Import-Module C:ADModuleMicrosoft.ActiveDirectory.Management.dll -Verbose
PS C:> Import-Module C:ADToolsADModuleActiveDirectoryActiveDirectory.psd1
PS C:> Get-Command -Module ActiveDirectory

UPDATE (16-Nov-2018) - It is now possible to load the module from memory by using Import-ActiveDirectory.ps1. Thanks to a PR by @D1iv3:

There are many benefits like very low chances of detection by AV, very wide coverage by cmdlets (I leave the usage of cmdlets for a later post :P), good filters for cmdlets, signed by Microsoft etc.

I have uploaded a copy of module from Server 2016 on Github: https://github.com/samratashok/ADModule

The biggest benefit is that this module works flawlessly in PowerShell Constrained Language Mode (CLM) 🙂

That is all!