
Account Discovery: Domain Account

Description from ATT&CK

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups.

Atomic Tests

Atomic Test #1 - Enumerate all accounts (Domain)

Enumerate all accounts. Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session.

Supported Platforms: windows

auto_generated_guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e

Inputs:

None

Attack Commands: Run with command_prompt!

net user /domain
net group /domain

Atomic Test #2 - Enumerate all accounts via PowerShell (Domain)

Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.

Supported Platforms: windows

auto_generated_guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2

Inputs:

None

Attack Commands: Run with powershell!

net user /domain
get-localgroupmember -group Users
get-aduser -filter *

Atomic Test #3 - Enumerate logged on users via CMD (Domain)

Enumerate logged on users. Upon execution, logged on users will be displayed.

Supported Platforms: windows

auto_generated_guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7

Inputs:

Name | Description | Type | Default Value
computer_name | Name of remote system to query | String | $env:COMPUTERNAME

Attack Commands: Run with command_prompt!

query user /SERVER:#{computer_name}

Atomic Test #4 - Automated AD Recon (ADRecon)

ADRecon extracts and combines information about an AD environment into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.

Supported Platforms: windows

auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59

Inputs:

Name | Description | Type | Default Value
adrecon_path | Path of ADRecon.ps1 file | Path | $env:TEMP\ADRecon.ps1

Attack Commands: Run with powershell!

Invoke-Expression #{adrecon_path}

Cleanup Commands:

Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null
Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse

Dependencies: Run with powershell!

Description: ADRecon must exist on disk at specified location (#{adrecon_path})

Check Prereq Commands:

if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}

Get Prereq Commands:

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path}

Atomic Test #5 - Adfind -Listing password policy

The AdFind tool can be used for reconnaissance in an Active Directory environment. The example chosen illustrates AdFind used to query the local password policy. References: http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx

Supported Platforms: windows

auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600

Inputs:

Name | Description | Type | Default Value
adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})

Check Prereq Commands:

if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

Get Prereq Commands:

Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}

Atomic Test #6 - Adfind - Enumerate Active Directory Admins

The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented in use by ransomware actors enumerating Active Directory admin accounts. References: http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/

Supported Platforms: windows

auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a

Inputs:

Name | Description | Type | Default Value
adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -sc admincountdmp

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})

Check Prereq Commands:

if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

Get Prereq Commands:

Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}

Atomic Test #7 - Adfind - Enumerate Active Directory User Objects

The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented in use by ransomware actors enumerating Active Directory user objects. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Supported Platforms: windows

auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7

Inputs:

Name | Description | Type | Default Value
adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -f (objectcategory=person)

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})

Check Prereq Commands:

if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

Get Prereq Commands:

Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}

Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects

The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented in use by ransomware actors enumerating Active Directory Exchange objects. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Supported Platforms: windows

auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99

Inputs:

Name | Description | Type | Default Value
adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -sc exchaddresses

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})

Check Prereq Commands:

if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

Get Prereq Commands:

Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}

Atomic Test #9 - Enumerate Default Domain Admin Details (Domain)

This test will enumerate the details of the built-in domain admin account.

Supported Platforms: windows

auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef

Inputs:

None

Attack Commands: Run with command_prompt!

net user administrator /domain
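As an added example (not part of the Atomic Red Team page or project), a small Python detection sketch that tags process-creation command lines matching the commands used by the tests above, so a defender can confirm the atomics produce visible telemetry. The 4688-style log lines are constructed, and the signature names and the CommandLine="..." field layout are assumptions; adapt the extraction to your own SIEM schema.

```python
import re

# Each signature corresponds to one or more atomic tests on this page.
# Names are hypothetical labels chosen for this example.
SIGNATURES = {
    "atomic1_2_net_domain": re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*\s/domain\b", re.I),
    "atomic9_builtin_admin": re.compile(r"\bnet1?(?:\.exe)?\s+user\s+administrator\s+/domain\b", re.I),
    "atomic2_get_aduser_all": re.compile(r"\bget-aduser\s+-filter\s+\*", re.I),
    "atomic3_query_user_remote": re.compile(r"\bquery(?:\.exe)?\s+user\s+/server:", re.I),
    "atomic5_adfind_pwd_policy": re.compile(
        r"\badfind(?:\.exe)?\b.*-default\s+-s\s+base\b.*\b(?:maxpwdage|lockoutthreshold)\b", re.I),
    "atomic6_adfind_admincount": re.compile(r"\badfind(?:\.exe)?\b.*-sc\s+admincountdmp\b", re.I),
    "atomic7_adfind_person": re.compile(r"\badfind(?:\.exe)?\b.*-f\s+\(?objectcategory=person\)?", re.I),
    "atomic8_adfind_exchange": re.compile(r"\badfind(?:\.exe)?\b.*-sc\s+exchaddresses\b", re.I),
}

# Assumed flattened 4688 field: CommandLine="<full command line>"
CMDLINE = re.compile(r'CommandLine="([^"]*)"')


def classify(cmdline):
    """Return the name of every signature the command line matches (may be several)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(cmdline)]


def scan(events):
    """Return (command line, matched signatures) for each event that matched at least one signature."""
    hits = []
    for line in events:
        m = CMDLINE.search(line)
        if not m:
            continue  # not a process-creation record in the expected layout
        labels = classify(m.group(1))
        if labels:
            hits.append((m.group(1), labels))
    return hits


# Constructed sample events, one per interesting command plus one benign "net use".
SAMPLE_EVENTS = [
    'EventID=4688 Account=CORP\\jdoe CommandLine="net  user /domain"',
    'EventID=4688 Account=CORP\\jdoe CommandLine="net user administrator /domain"',
    'EventID=4688 Account=CORP\\svc  CommandLine="C:\\Temp\\AdFind.exe -sc admincountdmp"',
    'EventID=4688 Account=CORP\\ops  CommandLine="query user /SERVER:FS01"',
    'EventID=4688 Account=CORP\\ops  CommandLine="net use Z: \\\\fs01\\share"',
    'EventID=4688 Account=CORP\\svc  CommandLine="AdFind.exe -default -s base maxpwdage minpwdlength"',
]

if __name__ == "__main__":
    for cmd, labels in scan(SAMPLE_EVENTS):
        print(f"{cmd!r}: {', '.join(labels)}")
```

Note that a single command line can carry more than one label: the test #9 command also satisfies the generic net user /domain signature, which is why classify returns a list.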
