T1087.002.md

T1087.002 - Domain Account

Description from ATT&CK

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.

Atomic Tests

• Atomic Test #1 - Enumerate all accounts (Domain)

• Atomic Test #2 - Enumerate all accounts via PowerShell (Domain)

• Atomic Test #3 - Enumerate logged on users via CMD (Domain)

• Atomic Test #4 - Automated AD Recon (ADRecon)

• Atomic Test #5 - Adfind -Listing password policy

Atomic Test #1 - Enumerate all accounts (Domain)

Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net user /domain
net group /domain

Atomic Test #2 - Enumerate all accounts via PowerShell (Domain)

Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.

Supported Platforms: Windows

Attack Commands: Run with powershell!

net user /domain
get-localgroupmember -group Users
get-aduser -filter *

Atomic Test #3 - Enumerate logged on users via CMD (Domain)

Enumerate logged on users. Upon exeuction, logged on users will be displayed.

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
computer_name	Name of remote system to query	String	$env:COMPUTERNAME

Attack Commands: Run with command_prompt!

query user /SERVER:#{computer_name}

Atomic Test #4 - Automated AD Recon (ADRecon)

ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
adrecon_path	Path of ADRecon.ps1 file	Path	$env:TEMP\ADRecon.ps1

Attack Commands: Run with powershell!

Invoke-Expression #{adrecon_path}

Cleanup Commands:

Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null
Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse

Dependencies: Run with powershell!

Description: ADRecon must exist on disk at specified location (#{adrecon_path})

Check Prereq Commands:

if (Test-Path #{adrecon_path}) {exit 0} else {exit 1} 

Get Prereq Commands:

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path}

Atomic Test #5 - Adfind -Listing password policy

Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx

Supported Platforms: Windows

Attack Commands: Run with powershell!

PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties