# AD Recycle Bin

## Theory

its members have permissions to read deleted AD object. Juicy information can be found in there.

## Practice

{% tabs %}
{% tab title="UNIX-like" %}
ldapsearch can be use to enumerate deleted AD objects

```bash
ldapsearch -x -H ldap://$IP -D "Ad_Recyle_Bin_User@contoso.local" -w 'Password!' -b "CN=Deleted Objects,DC=contoso,DC=local" -E '!1.2.840.113556.1.4.417' '(&(objectClass=*)(isDeleted=TRUE))'
```

{% endtab %}

{% tab title="Windows" %}
Using the [ActiveDirectory powerhsell module](https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps), we can enumerate deleted AD objects

```powershell
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
```

{% endtab %}
{% endtabs %}