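---
# Default query catalogue for the ldap_query gather module.
#
# Every entry under `queries` is one selectable ACTION:
#   action         - ACTION name exposed to the operator
#   description    - one-line summary of what the query returns
#   filter         - LDAP search filter (RFC 4515 syntax)
#   base_dn_prefix - optional; RDN sequence that scopes the search below the
#                    base DN (how it is combined with the base DN is decided by
#                    the consuming module, not by this file)
#   attributes     - attribute names requested from the server
#   references     - optional background reading
#
# Filters of the form (userAccountControl:1.2.840.113556.1.4.803:=N) use the
# LDAP_MATCHING_RULE_BIT_AND extensible match: an entry matches when every bit
# of N is set in its userAccountControl value. The bit meanings are annotated
# inline below.
#
# AD matches attribute names case-insensitively, so the mixed casing that
# appears below (memberof / memberOf, objectcategory / objectCategory) is
# harmless. Attribute names the schema does not know are silently ignored by
# the server, which makes such entries easy to miss — see the notes on
# ENUM_ACCOUNTS.
queries:
  - action: ENUM_ACCOUNTS
    description: 'Dump info about all known user accounts in the domain.'
    # sAMAccountType 805306368 = SAM_NORMAL_USER_ACCOUNT
    filter: '(|(objectClass=organizationalPerson)(sAMAccountType=805306368)(objectcategory=user)(objectClass=user))'
    attributes:
      - dn
      - name
      - description
      - displayName
      - sAMAccountName
      - objectSID
      - userPrincipalName
      - userAccountControl
      - homeDirectory
      - homeDrive
      - profilePath
      - memberof
      - lastLogoff
      - lastLogon
      # NOTE(review): lastLogonDate and the last four names in this list look
      # like PowerShell AD-cmdlet property names rather than AD LDAP schema
      # attributes, so a DC most likely returns nothing for them. The LDAP
      # equivalents are already requested (lastLogon, pwdLastSet,
      # userAccountControl, badPwdCount) — confirm and prune if so.
      - lastLogonDate
      - logonCount
      - badPwdCount
      - pwdLastSet
      - SmartcardLogonRequired
      - LastBadPasswordAttempt
      - PasswordLastSet
      # spelling corrected from 'PaswordNeverExpires'
      - PasswordNeverExpires
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf

  - action: ENUM_AD_CS_CAS
    description: 'Enumerate AD Certificate Service certificate authorities.'
    # Enrollment services live in the forest-wide Configuration partition,
    # hence the prefix below rather than the default domain base.
    base_dn_prefix: 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
    filter: '(objectClass=pKIEnrollmentService)'
    attributes:
      - cn
      - name
      - cACertificateDN
      - dNSHostname
      - certificateTemplates
      - objectGUID
      - caCertificate
    references:
      - https://aaroneg.com/post/2018-05-15-enterprise-ca/

  - action: ENUM_AD_CS_CERT_TEMPLATES
    description: 'Enumerate AD Certificate Service certificate templates.'
    base_dn_prefix: 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
    filter: '(objectClass=pkicertificatetemplate)'
    # The msPKI-* flags and the EKU list are the fields reviewed when auditing
    # template hardening (see the reference).
    attributes:
      - cn
      - name
      - displayName
      - msPKI-Cert-Template-OID
      - msPKI-Template-Schema-Version
      - msPKI-Enrollment-Flag
      - msPKI-Certificate-Name-Flag
      - msPKI-Private-Key-Flag
      - msPKI-RA-Signature
      - pKIExtendedKeyUsage
    references:
      - https://web.archive.org/web/20220818094600if_/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf

  - action: ENUM_ADMIN_OBJECTS
    description: 'Dump info about all objects with protected ACLs (i.e. highly privileged objects).'
    # adminCount=1 is stamped by AdminSDHolder propagation and is not cleared
    # when an object leaves a protected group, so stale hits are expected.
    filter: '(adminCount=1)'
    attributes:
      - dn
      - description
      - distinguishedName
      - name
      - samAccountName
      - objectSID
      - objectGUID
      - objectCategory
      - member
      - memberof
    references:
      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf

  # The two ENUM_ALL_* queries match every object in the search base; expect
  # large result sets and paged responses on real directories.
  - action: ENUM_ALL_OBJECT_CATEGORY
    description: 'Dump all objects containing any objectCategory field.'
    filter: '(objectCategory=*)'
    attributes:
      - dn
      - objectCategory

  - action: ENUM_ALL_OBJECT_CLASS
    description: 'Dump all objects containing any objectClass field.'
    filter: '(objectClass=*)'
    attributes:
      - dn
      - objectClass

  - action: ENUM_COMPUTERS
    description: 'Dump all objects containing an objectCategory or objectClass of Computer.'
    filter: '(|(objectCategory=computer)(objectClass=computer))'
    attributes:
      - dn
      - name
      - description
      - displayName
      - sAMAccountName
      - objectSID
      - distinguishedName
      - dNSHostName
      - givenName
      - operatingSystem
      - operatingSystemVersion
      - operatingSystemServicePack
      - lastLogonTimestamp
      - servicePrincipalName
      - primaryGroupId
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf

  - action: ENUM_CONSTRAINED_DELEGATION
    description: 'Dump info about all known objects that allow constrained delegation.'
    # 16777216 = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition). Accounts
    # configured for Kerberos-only constrained delegation carry
    # msDS-AllowedToDelegateTo without this bit and are NOT matched here.
    filter: '(userAccountControl:1.2.840.113556.1.4.803:=16777216)'
    attributes:
      - cn
      - sAMAccountName
      - objectCategory
      - msds-allowedtodelegateto
      - servicePrincipalName
    references:
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
      - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation

  - action: ENUM_DNS_RECORDS
    description: 'Dump info about DNS records the server knows about using the dnsNode object class.'
    filter: '(objectClass=dnsNode)'
    attributes:
      - dc
      - cn
      # dnsRecord is a binary blob; tombstoned nodes are flagged separately.
      - dnsRecord
      - dnsTombstoned
      - name
    references:
      - https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
      - https://github.com/dirkjanm/krbrelayx/blob/master/dnstool.py

  - action: ENUM_DNS_ZONES
    description: 'Dump all known DNS zones using the dnsZone object class under the DC DomainDnsZones. Without a base DN prefix you can miss certain entries.'
    filter: '(objectClass=dnsZone)'
    # Zones are stored in the DomainDnsZones application partition, which is
    # not under the default domain naming context.
    base_dn_prefix: 'DC=DomainDnsZones'
    attributes:
      - name
      - distinguishedName
    references:
      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

  - action: ENUM_DOMAIN
    description: 'Dump info about the Active Directory domain.'
    filter: '(objectClass=domain)'
    # Domain-wide lockout and password policy values from the domain head.
    attributes:
      - ms-DS-MachineAccountQuota
      - objectSID
      - name
      - lockoutduration
      - lockoutthreshold
      - minpwdage
      - maxpwdage
      - minpwdlength

  - action: ENUM_DOMAIN_CONTROLLERS
    description: 'Dump all known domain controllers.'
    # 8192 = SERVER_TRUST_ACCOUNT, set on domain controller computer accounts.
    filter: '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    attributes:
      - dn
      - displayName
      - distinguishedName
      - dNSHostName
      - description
      - givenName
      - name
      - operatingSystem
      - operatingSystemVersion
      - operatingSystemServicePack
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf

  - action: ENUM_EXCHANGE_RECIPIENTS
    description: 'Dump info about all known Exchange recipients.'
    filter: '(|(mailNickname=*)(proxyAddresses=FAX:*))'
    attributes:
      - dn
      - mailNickname
      - proxyAddresses
      - name
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm

  - action: ENUM_EXCHANGE_SERVERS
    description: 'Dump info about all known Exchange servers.'
    filter: '(&(objectClass=msExchExchangeServer)(!(objectClass=msExchExchangeServerPolicy)))'
    attributes:
      - dn
      - displayName
      - distinguishedName
      - dNSHostName
      - description
      - givenName
      - name
      - operatingSystem
      - operatingSystemVersion
      - operatingSystemServicePack
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf

  - action: ENUM_GMSA_HASHES
    description: 'Dump info about GMSAs and their password hashes if available.'
    filter: '(objectClass=msDS-GroupManagedServiceAccount)'
    # msDS-ManagedPassword is only returned to principals listed in the
    # account's msDS-GroupMSAMembership and only over a sealed (encrypted)
    # session; otherwise the attribute is simply absent from the result.
    # Reads of it are auditable via Directory Service Access auditing.
    attributes:
      - cn
      - displayName
      - msDS-ManagedPassword
    references:
      - https://stealthbits.com/blog/securing-gmsa-passwords/
      - https://o365blog.com/post/gmsa/
      - https://adsecurity.org/?p=4367

  - action: ENUM_GROUPS
    description: 'Dump info about all known groups in the LDAP environment.'
    # groupType bit 2147483648 (0x80000000) = security-enabled group.
    filter: '(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup)(objectcategory=group))'
    attributes:
      - cn
      - name
      - description
      - groupType
      - memberof
      - member
      - owner
      - adminCount
      - managedBy
      - groupAttributes
      - objectSID
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm

  - action: ENUM_GROUP_POLICY_OBJECTS
    description: 'Dump info about all known Group Policy Objects (GPOs) in the LDAP environment.'
    filter: '(objectClass=groupPolicyContainer)'
    attributes:
      - displayName
      # SYSVOL path holding the policy files for this GPO
      - gPCFileSysPath
      - objectCategory
      - objectGUID
    references:
      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf

  - action: ENUM_HOSTNAMES
    description: 'Dump info about all known hostnames in the LDAP environment.'
    filter: '(dnsHostName=*)'
    attributes:
      - dn
      - name
      - dnsHostName
      - serverName
    references:
      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

  - action: ENUM_LAPS_PASSWORDS
    description: 'Dump info about computers that have LAPS enabled, and passwords for them if available.'
    # ms-MCS-AdmPwd is the legacy (Microsoft LAPS) attribute. Windows LAPS
    # stores its secret in msLAPS-Password / msLAPS-EncryptedPassword, which
    # this query does not cover. The attribute is confidential: it is only
    # returned to principals explicitly granted read access, and such reads
    # can be audited.
    filter: '(ms-MCS-AdmPwd=*)'
    attributes:
      - cn
      - displayName
      - ms-MCS-AdmPwd
    references:
      - https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ldap-ldaps

  - action: ENUM_LDAP_SERVER_METADATA
    description: 'Dump metadata about the setup of the domain.'
    # NOTE(review): the requested attributes are rootDSE attributes, so this
    # presumably runs with base scope against the rootDSE; against a normal
    # subtree base, (objectClass=*) is a full directory walk. Confirm with the
    # consuming module.
    filter: '(objectClass=*)'
    attributes:
      - dn
      - defaultNamingContext
      - domainFunctionality
      - forestFunctionality
      - domainControllerFunctionality
      - dnsHostName
    references:
      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf

  - action: ENUM_MACHINE_ACCOUNT_QUOTA
    description: 'Dump the number of computer accounts a user is allowed to create in a domain.'
    filter: '(objectClass=domain)'
    attributes:
      - ms-DS-MachineAccountQuota
    references:
      - https://learn.microsoft.com/en-us/windows/win32/adschema/a-ms-ds-machineaccountquota

  - action: ENUM_ORGROLES
    description: 'Dump info about all known organization roles in the LDAP environment.'
    filter: '(objectClass=organizationalRole)'
    attributes:
      - displayName
      - name
      - description

  - action: ENUM_ORGUNITS
    description: 'Dump info about all known organizational units in the LDAP environment.'
    filter: '(objectClass=organizationalUnit)'
    attributes:
      - displayName
      - name
      - description
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm

  - action: ENUM_UNCONSTRAINED_DELEGATION
    description: 'Dump info about all known objects that allow unconstrained delegation.'
    # 524288 = TRUSTED_FOR_DELEGATION. Domain controllers carry this bit by
    # design, so they appear in the results alongside any other accounts.
    filter: '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    attributes:
      - cn
      - sAMAccountName
      - objectCategory
      - memberof
      - member
    references:
      - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

  - action: ENUM_USER_ACCOUNT_DISABLED
    description: 'Dump info about disabled user accounts.'
    # 2 = ACCOUNTDISABLE
    filter: '(userAccountControl:1.2.840.113556.1.4.803:=2)'
    attributes:
      - cn
      - displayName
      - description
      - sAMAccountName
      - userPrincipalName
      - userAccountControl

  - action: ENUM_USER_ACCOUNT_LOCKED_OUT
    description: 'Dump info about locked out user accounts.'
    # 16 = LOCKOUT. NOTE(review): AD does not reliably persist this bit in the
    # stored userAccountControl value; lockoutTime is normally the
    # authoritative source, so this query may under-report — confirm.
    filter: '(userAccountControl:1.2.840.113556.1.4.803:=16)'
    attributes:
      - cn
      - displayName
      - sAMAccountName
      - userPrincipalName
      - userAccountControl
    references:
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

  - action: ENUM_USER_ASREP_ROASTABLE
    description: 'Dump all users who are configured not to require kerberos pre-authentication, i.e. AS-REP roastable.'
    # 4194304 = DONT_REQ_PREAUTH; samAccountType 805306368 restricts to
    # normal user accounts.
    filter: '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
    attributes:
      - cn
      - displayName
      - description
      - sAMAccountName
      - userPrincipalName
      - userAccountControl
    references:
      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
      - https://burmat.gitbook.io/security/hacking/domain-exploitation

  - action: ENUM_USER_PASSWORD_NEVER_EXPIRES
    description: 'Dump info about all users whose password never expires.'
    # 65536 = DONT_EXPIRE_PASSWORD
    filter: '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
    attributes:
      - cn
      - displayName
      - description
      - sAMAccountName
      - userPrincipalName
      - userAccountControl
    references:
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

  - action: ENUM_USER_PASSWORD_NOT_REQUIRED
    # Description corrected: the filter selects PASSWD_NOTREQD accounts, not
    # non-expiring passwords (that is ENUM_USER_PASSWORD_NEVER_EXPIRES).
    description: 'Dump info about all users whose password is not required (PASSWD_NOTREQD) and whose account is still enabled.'
    # 32 = PASSWD_NOTREQD, excluding 2 = ACCOUNTDISABLE
    filter: '(&(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    attributes:
      - cn
      - displayName
      - description
      - sAMAccountName
      - userPrincipalName
      - userAccountControl
    references:
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

  - action: ENUM_USER_SPNS_KERBEROAST
    description: 'Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.'
    # 512 = NORMAL_ACCOUNT (excludes computer and trust accounts), excluding
    # 2 = ACCOUNTDISABLE. The inner (&(...)) is redundant but harmless.
    filter: '(&(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=512))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    attributes:
      - cn
      - sAMAccountName
      - servicePrincipalName
    references:
      - https://malicious.link/post/2022/ldapsearch-reference/
      - https://burmat.gitbook.io/security/hacking/domain-exploitation
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties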