PowerShell for Hackers: Finding Modules and Using dsquery for AD Recon
PowerShell is a useful tool for recon. It’s built into Windows. That makes it handy during engagements. In this post I show simple ways to find PowerShell modules, use dsquery, and run targeted AD queries. The focus is stealth and usefulness. Use these techniques responsibly.
Why this matters
- Built-in tools blend in.
- Importing a trusted module looks normal. dsquery is common on admin systems.
- Small, focused queries are less noisy than wide sweeps.
If you run loud scans you’ll get noticed. Keep queries tight and purposeful.
Quick dsquery cheatsheet
dsquery talks LDAP. It ships with the AD DS RSAT tools, so expect it on domain controllers and on admin workstations where RSAT is installed, not on a default workstation.
Basic commands:
List users
dsquery user
List computers
dsquery computer
List groups under the Users container (without the filter, dsquery * returns every object under that DN)
dsquery * "CN=Users,DC=DOMAIN,DC=LOCAL" -filter "(objectClass=group)"
Find accounts flagged “password not required” (userAccountControl bit 0x20 = 32; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule). These accounts may have an empty password.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl
Find domain controllers (SERVER_TRUST_ACCOUNT, bit 0x2000 = 8192; 1.2.840.113556.1.4.804 is bitwise OR, which is equivalent to AND when testing a single bit)
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.804:=8192)" -limit 5 -attr sAMAccountName
Tip: Target OUs or specific filters. dsquery returns at most 100 objects unless -limit is set; avoid -limit 0 (no cap) or domain-wide exports unless you need them.
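The following is an added example of my own, not code from the original post: it runs one scoped dsquery against a single OU and decodes the userAccountControl bits in the output, so the same small query answers several "dangerous account" questions (password not required, no Kerberos pre-authentication, unconstrained delegation) without a second sweep. The OU DN is an assumption; set it to the container you actually need.

```powershell
# Added example, not from the original post. Scoped dsquery plus userAccountControl
# decoding. The OU DN below is an assumption.
$base = 'OU=Service Accounts,DC=DOMAIN,DC=LOCAL'   # assumed OU; keep the scope this narrow

if (-not (Get-Command dsquery.exe -ErrorAction SilentlyContinue)) {
    throw 'dsquery.exe not found; it ships with the AD DS RSAT tools.'
}

# userAccountControl bit values (the documented UF_* flag constants).
$uacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x2
    PASSWD_NOTREQD         = 0x20
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH       = 0x400000
}

function ConvertFrom-UacValue {
    param([int]$Value)
    # Return the name of every flag whose bit is set in $Value.
    foreach ($f in $uacFlags.GetEnumerator()) {
        if (($Value -band $f.Value) -ne 0) { $f.Key }
    }
}

# One query, one OU, two attributes, capped at 200 objects. With -attr, dsquery
# prints a header row first and then one whitespace-separated row per object.
$rows = dsquery * $base -scope subtree -limit 200 `
    -filter '(&(objectCategory=person)(objectClass=user))' `
    -attr sAMAccountName userAccountControl

$rows | Select-Object -Skip 1 | ForEach-Object {
    $cols = ($_ -split '\s+') | Where-Object { $_ }   # drop padding columns
    if ($cols.Count -ge 2) {
        $uac = [int]$cols[1]
        [pscustomobject]@{
            SamAccountName = $cols[0]
            UAC            = $uac
            Flags          = (ConvertFrom-UacValue -Value $uac) -join ','
        }
    }
} | Where-Object { $_.Flags -match 'PASSWD_NOTREQD|DONT_REQ_PREAUTH|TRUSTED_FOR_DELEGATION' } |
    Format-Table -AutoSize
```

Decoding the flags locally means you request userAccountControl once rather than issuing one bitwise-rule query per flag; the LDAP traffic is a single search limited to the OU.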
Finding and using PowerShell modules
PowerShell modules give you trusted commands. The ActiveDirectory module is the most useful for AD recon. It is present on domain controllers and on hosts with the AD DS RSAT tools installed; a default workstation does not have it.
Check available modules
Get-Module -ListAvailable
See if ActiveDirectory is loaded
Get-Module ActiveDirectory
Import it if present (PowerShell 3 and later also auto-load it on first use, but an explicit import fails immediately if RSAT is missing)
Import-Module ActiveDirectory
List commands in a module
Get-Command -Module ActiveDirectory
Show examples / help for a command
Get-Help Get-ADUser -Examples
Get-Help Get-ADUser -Full
Update local help files (needs internet access and, for the built-in modules, an elevated prompt)
Update-Help
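As an added example (my code, not from the original post), here is the scoped query this section recommends, written so it uses the ActiveDirectory module when RSAT is installed and falls back to the .NET DirectorySearcher class ([adsisearcher]) when it is not; the fallback is always available because it is part of the framework, so nothing has to be installed or copied. The OU, the LDAP filter (adminCount=1 marks accounts protected by AdminSDHolder) and the attribute list are assumptions.

```powershell
# Added example, not from the original post. Scoped AD user query with the
# ActiveDirectory module, falling back to System.DirectoryServices when the
# module is absent. OU DN, filter and property list are assumptions.
$base  = 'OU=Admins,DC=DOMAIN,DC=LOCAL'                                   # assumed OU
$ldap  = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'    # assumed filter
$props = 'sAMAccountName', 'userAccountControl', 'lastLogonTimestamp', 'memberOf'

function Get-ScopedUser {
    param([string]$SearchBase, [string]$LdapFilter, [string[]]$Properties)

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory -ErrorAction Stop
        # One-level scope, an explicit attribute list and a result cap keep the
        # LDAP request small.
        Get-ADUser -SearchBase $SearchBase -SearchScope OneLevel -LDAPFilter $LdapFilter `
                   -Properties $Properties -ResultSetSize 50 |
            Select-Object -Property (@('Name') + $Properties)
    }
    else {
        # Fallback: the same query through DirectorySearcher; no RSAT needed.
        $searcher = [adsisearcher]$LdapFilter
        $searcher.SearchRoot  = [adsi]"LDAP://$SearchBase"
        $searcher.SearchScope = 'OneLevel'
        $searcher.SizeLimit   = 50
        $searcher.PropertiesToLoad.AddRange($Properties)
        $searcher.FindAll() | ForEach-Object {
            # SearchResult property names come back lower-cased.
            $o = [ordered]@{}
            foreach ($p in $Properties) { $o[$p] = ($_.Properties[$p.ToLower()] -join ';') }
            [pscustomobject]$o
        }
    }
}

Get-ScopedUser -SearchBase $base -LdapFilter $ldap -Properties $props | Format-Table -AutoSize
```

Both branches send the same LDAP search (same base, scope, filter and attribute list), so the on-wire footprint is identical whichever path runs; the module branch simply returns richer objects.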
Run commands remotely without files
PowerShell remoting lets you run commands on other hosts without dropping tools.
Run a simple remote command
Invoke-Command -ComputerName dc01 -ScriptBlock { hostname }
Import AD module on remote host and list users
Invoke-Command -ComputerName dc01 -ScriptBlock {
Import-Module ActiveDirectory
# -Filter * with no -SearchBase walks the whole domain; add -SearchBase '<OU DN>' to keep this scoped
Get-ADUser -Filter * -Properties mail,whenCreated | Select Name,SamAccountName,mail,whenCreated
}
This moves the activity to the remote host, which reduces artifacts on your own machine; it does not remove them. The remote host still records the WinRM logon, and if script block logging is enabled there, its PowerShell Operational log captures the script block itself (Event ID 4104).
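An added example of my own (not from the original post) showing the remoting pattern with two details the one-liner above leaves out: one PSSession is reused for several queries, because every stand-alone Invoke-Command is a fresh WinRM logon on the target, and the remote side is checked for the module before anything relies on it. The host name and the OU are assumptions.

```powershell
# Added example, not from the original post. Reuse a single PSSession for several
# scoped queries instead of repeated Invoke-Command calls. Host and OU are assumptions.
$dc = 'dc01'                                  # assumed domain controller name
$ou = 'OU=Servers,DC=DOMAIN,DC=LOCAL'         # assumed OU to enumerate

$session = New-PSSession -ComputerName $dc -ErrorAction Stop
try {
    # Confirm the module exists on the remote side before relying on it.
    $hasAd = Invoke-Command -Session $session -ScriptBlock {
        [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    }
    if (-not $hasAd) { throw "ActiveDirectory module not available on $dc" }

    # $using: carries a local variable into the remote script block.
    $computers = Invoke-Command -Session $session -ScriptBlock {
        Import-Module ActiveDirectory
        Get-ADComputer -SearchBase $using:ou -SearchScope OneLevel -Filter * `
                       -Properties operatingSystem, lastLogonTimestamp -ResultSetSize 100 |
            Select-Object Name, DNSHostName, operatingSystem,
                @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } } }
    }

    # Second query on the same session: no additional logon on $dc.
    $dcs = Invoke-Command -Session $session -ScriptBlock {
        Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, IsGlobalCatalog
    }

    $computers | Format-Table -AutoSize
    $dcs       | Format-Table -AutoSize
}
finally {
    # Always tear the session down so it does not linger on the target.
    Remove-PSSession -Session $session
}
```

Running the AD cmdlets on the DC itself also sidesteps the Kerberos double-hop problem you would hit by remoting to a member server and having it query a DC on your behalf.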
How to stay quiet
Use these rules to reduce detection risk:
- Scope queries narrowly. Target specific OUs or attributes.
- Avoid domain-wide dumps. They are loud.
- Run during normal admin hours when possible.
- Use legitimate accounts. Don’t spike failed authentications.
- Prefer remote execution on admin hosts or DCs. It looks normal.
- Randomize timing if you must run repeated queries.
What defenders look for
Defenders will watch for:
- Large, repeated LDAP queries.
- Module imports on non-admin machines.
- Remote commands from odd hosts.
- Unusual service account activity.
If you understand logging, you can shape queries to be less obviously malicious. But no method is guaranteed stealthy.
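To make the defender's side concrete, here is an added example of my own (not from the original post): a filter over PowerShell script block events (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) that flags the enumeration patterns discussed on this page and scores a hit higher when it comes from a host outside an admin allow-list, which is the "module imports on non-admin machines" signal above. The patterns, the allow-list and the sample events are all constructed.

```powershell
# Added example, not from the original post. Flag script block events that look
# like AD enumeration; rate them by host. Patterns, allow-list and sample events
# are constructed for illustration.
$adminHosts    = @('DC01', 'JUMP01')             # assumed hosts where AD cmdlets are expected
$reconPatterns = @(
    'Get-AD(User|Computer|Group|DomainController)\b',
    '\[adsisearcher\]',
    '\bdsquery(\.exe)?\b',
    '-Filter\s+\*',                              # unscoped wildcard filter
    '1\.2\.840\.113556\.1\.4\.80[34]'            # LDAP bitwise matching rules
)

function Find-ReconScriptBlock {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        if ($Event.Id -ne 4104) { return }       # script block logging events only
        $hits = @($reconPatterns | Where-Object { $Event.Message -match $_ })
        if ($hits.Count -eq 0) { return }
        $shortHost = ($Event.MachineName -split '\.')[0].ToUpper()
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Host        = $Event.MachineName
            Severity    = if ($shortHost -in $adminHosts) { 'low' } else { 'high' }
            Matched     = $hits -join ' | '
            # First line of the logged code, skipping the "Creating Scriptblock" banner.
            Snippet     = (($Event.Message -split "`r?`n") |
                           Where-Object { $_ -and $_ -notmatch '^Creating Scriptblock' })[0]
        }
    }
}

# Constructed sample events with the shape of Get-WinEvent output.
$sample = @(
    [pscustomobject]@{ Id = 4104; TimeCreated = [datetime]'2024-05-01 09:12:00'; MachineName = 'ws-finance-07.domain.local'
                       Message = "Creating Scriptblock text (1 of 1):`nImport-Module ActiveDirectory; Get-ADUser -Filter * -Properties *`n`nScriptBlock ID: 1111" }
    [pscustomobject]@{ Id = 4104; TimeCreated = [datetime]'2024-05-01 09:15:00'; MachineName = 'dc01.domain.local'
                       Message = "Creating Scriptblock text (1 of 1):`nGet-ADComputer -SearchBase 'OU=Servers,DC=DOMAIN,DC=LOCAL' -Filter *`n`nScriptBlock ID: 2222" }
    [pscustomobject]@{ Id = 4104; TimeCreated = [datetime]'2024-05-01 09:20:00'; MachineName = 'ws-hr-02.domain.local'
                       Message = "Creating Scriptblock text (1 of 1):`nGet-Process | Sort-Object CPU`n`nScriptBlock ID: 3333" }
)
$sample | Find-ReconScriptBlock | Format-Table -AutoSize

# Live use on a host with script block logging enabled:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-24) } | Find-ReconScriptBlock
```

Read against the "How to stay quiet" list, this is why scoping matters to the attacker: the same Get-ADComputer call is rated low from dc01 and high from a finance workstation, and the unscoped -Filter * is a pattern on its own.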
Summary
- dsquery is a simple, trusted LDAP tool. Use it for fast recon.
- PowerShell modules like ActiveDirectory are powerful and common. Use them when available.
- Use Invoke-Command to run queries remotely and avoid local traces.
- Keep queries small and targeted. Avoid domain-wide sweeps.
- Always act within legal and ethical bounds.

