Attackers leverage standard tools and legitimate privileges to conduct reconnaissance in Active Directory (AD). If undetected, this phase enables lateral movement and privilege escalation. This article dissects advanced commands used in real-world attacks and provides defensive countermeasures.
1. Attack Phase Breakdown: Key Reconnaissance Commands
1-1. Initial Information Gathering (Low-Privilege Context)
```powershell
# Domain Structure Discovery
nltest /dsgetdc:(DomainName)  # Identify Domain Controllers
Get-ADDomain | Format-List DNSRoot,DistinguishedName  # Extract DNS Data
# User/Group Enumeration
net group "Domain Admins" /domain  # List Privileged Group Members
Get-ADUser -Filter * -Properties MemberOf | Where-Object { $_.MemberOf -match "Admin" }  # Extract Admin Accounts
```
Attacker Objectives:
Identify admin/service accounts, outdated password policies, and legacy systems.
1-2. Detailed Mapping (Domain User Privileges Required)
```powershell
# Group Policy Object (GPO) Analysis
Get-GPO -All | ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Xml }  # Dump GPO Settings
# Trust Relationship Enumeration
nltest /domain_trusts  # List Domain Trusts
Get-ADTrust -Filter * | Format-Table Name,TrustDirection,TrustType
# Service Principal Name (SPN) Scanning
setspn -T (DomainName) -Q */*  # Kerberoasting Preparation
```
Attacker Objectives:
- Identify GPO misconfigurations for privilege escalation
- Map cross-domain attack paths
- Harvest Kerberos tickets for offline cracking
1-3. Privilege Escalation Recon (Targeting Admin Rights)
```cmd
:: Service Discovery
:: List all services (running and stopped); "#" is not a comment in cmd.exe, so notes sit on their own lines
sc query state= all | findstr "SERVICE_NAME"
:: Map processes to the services they host
tasklist /SVC
:: Vulnerable ACL Identification (Sysinternals accesschk)
:: Find objects writable by Authenticated Users
accesschk.exe -uwcqv "Authenticated Users" *
```
```powershell
# PowerShell ACL analysis of one directory object (uses the AD: drive from the ActiveDirectory module)
Import-Module ActiveDirectory
Get-Acl -Path "AD:\(ObjectDN)" | Select-Object -ExpandProperty Access
```
Attacker Objectives:
- Identify service accounts for takeover
- Exploit misconfigured access controls
2. Advanced Stealth Techniques (Log Evasion)
2-1. Memory-Based PowerShell Execution
```powershell
# Log-Free AD Recon
$sess = New-PSSession -ComputerName DC01
Invoke-Command -Session $sess -ScriptBlock {
    Get-ADComputer -Filter * | Export-Clixml C:\Windows\Temp\report.xml
}
# Exfiltrate via DNS Tunneling
```
2-2. WMI-Based Reconnaissance
```powershell
$query = "SELECT * FROM Win32_UserAccount WHERE Domain='(DomainName)'"
Get-WmiObject -Query $query -Namespace root\cimv2 -ComputerName DC01 |
    Where-Object { $_.SID -like '*-500' }  # Filter Admin Accounts (RID 500 is the built-in Administrator)
```
2-3. LDAP Anonymous Binding
```bash
# Direct LDAP Queries (-x without -D is an anonymous simple bind)
ldapsearch -x -H ldap://dc01:389 -b "DC=domain,DC=com" "(objectClass=user)" sAMAccountName memberOf
```
3. Defensive Detection & Mitigation
3-1. Critical Windows Event IDs
| Activity | Event ID | Key Fields |
|---|---|---|
| Account Enumeration | 4661 | ObjectType=SAM_USER |
| GPO Access | 5136 | ObjectClass=groupPolicyContainer |
| SPN Query | 4769 | Spike in ServiceName requests |
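The 4769 row above ("spike in ServiceName requests") is the signal behind Kerberoasting detection. As an added example that is not part of the original article, the Python below applies that rule to a constructed sample of 4769 records: it groups ticket requests per account, counts distinct service names inside a look-back window, and reports how many of those requests used RC4 (TicketEncryptionType 0x17) as a secondary signal. The window, threshold, field names and every sample value are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs (assumed values for this example; calibrate against your own baseline).
WINDOW = timedelta(minutes=5)   # look-back window per account
THRESHOLD = 5                   # distinct service accounts requested within the window
RC4_HMAC = "0x17"               # TicketEncryptionType value for RC4-HMAC, a secondary Kerberoasting signal

# Constructed sample of Event ID 4769 records (field names follow the event's XML data;
# all accounts, hosts and addresses here are made up).
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "CORP-FS01$",   "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
    {"time": "2024-05-01T09:31:10", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",      "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
    {"time": "2024-05-01T10:00:00", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "krbtgt",       "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.77"},
    {"time": "2024-05-01T10:00:05", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_sql",      "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.77"},
    {"time": "2024-05-01T10:00:06", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_web",      "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.77"},
    {"time": "2024-05-01T10:00:07", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_backup",   "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.77"},
    {"time": "2024-05-01T10:00:08", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_sccm",     "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.77"},
    {"time": "2024-05-01T10:00:09", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_exchange", "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.77"},
    {"time": "2024-05-01T10:00:10", "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_report",   "TicketEncryptionType": "0x17", "IpAddress": "10.0.1.77"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_spn_spikes(events, window=WINDOW, threshold=THRESHOLD):
    """Flag accounts that request service tickets for many distinct SPNs in a short window.

    Returns one alert per flagged account, raised at the first event that crosses the threshold.
    """
    by_account = defaultdict(list)
    for e in events:
        # Tickets for krbtgt are TGT renewals/referrals, not service ticket harvesting.
        if e["ServiceName"].lower().startswith("krbtgt"):
            continue
        by_account[e["TargetUserName"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=_ts)
        for i, e in enumerate(evs):
            start = _ts(e) - window
            in_window = [x for x in evs[: i + 1] if _ts(x) >= start]
            services = {x["ServiceName"] for x in in_window}
            if len(services) >= threshold:
                alerts.append({
                    "account": account,
                    "window_end": e["time"],
                    "distinct_spns": len(services),
                    "rc4_requests": sum(1 for x in in_window if x["TicketEncryptionType"] == RC4_HMAC),
                    "source": e["IpAddress"],
                })
                break  # one alert per account is enough to start triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spn_spikes(SAMPLE_4769):
        print(alert)
```

Run against the sample, only bob is flagged: five distinct service accounts in five seconds, all with RC4, from one source address. Alice's two requests half an hour apart stay under the window. Service accounts that legitimately touch many SPNs (monitoring, backup) will need an allow-list before this goes into production.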
3-2. PowerShell Logging Configuration
```powershell
# Enable Module Logging (Admin Required); the policy keys do not exist until created
$mod = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
New-Item -Path $mod -Force | Out-Null
New-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force
New-Item -Path "$mod\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$mod\ModuleNames" -Name "*" -Value "*" -PropertyType String -Force  # log all modules
# Script Block Logging (v5+): there is no built-in Enable-ScriptBlockLogging cmdlet, so set the policy value directly
$sbl = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $sbl -Force | Out-Null
New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force
```
3-3. Attack Simulation Tools
```powershell
# BloodHound Analysis (SharpHound collector)
Invoke-BloodHound -CollectionMethod All -Domain (DomainName) -ZipFilename recon.zip
```
```cypher
// Identify Dangerous Paths (BloodHound Neo4j query)
MATCH p=(u:User)-[:AdminTo]->(c:Computer) RETURN p
```
4. Proactive Defense Strategies
4-1. Micro-Segmentation Implementation
```powershell
# Restrict DC Access (Example: Block PowerShell Remoting)
Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP" -Action Block -Profile Domain
```
4-2. Privileged Access Workstation (PAW) Model
- Dedicated admin workstations for DC management
- Physical separation from general-purpose devices
4-3. Credential Guard Deployment
```cmd
:: Enable VBS launch for Credential Guard from an elevated prompt (the same setting is available via the Device Guard Group Policy)
bcdedit /set {0cb3b530-2bc8-11e7-8f78-8b1a4a2e6d7b} vsmlaunchtype auto
```
5. Hunting Attacker Traces: SIEM Query Examples
Splunk Search
```spl
index=windows EventCode=4688
| search ProcessName="C:\\Windows\\System32\\net.exe" CommandLine="*group*"
| stats count by user, CommandLine
```
Microsoft Sentinel KQL
```kql
SecurityEvent
| where EventID == 4662
| where ObjectType == "SAM_USER"
| project TimeGenerated, AccountName, ClientAddress, ObjectName
```
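The Splunk and KQL searches above each match one command. As an added example that is not code from the article, the Python below carries the same idea into the baseline-deviation detection the conclusion asks for: it classifies 4688 command lines against patterns for the section 1 reconnaissance commands and flags a user who runs several distinct techniques within one hour, which separates a help-desk `net group` from a recon burst. The patterns, field names and sample events are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Regular expressions for the reconnaissance command lines covered in section 1.
# These patterns are assumptions written for this example; extend them for your estate.
RECON_PATTERNS = {
    "group_enumeration": re.compile(r"\bnet1?(?:\.exe)?\s+group\b.*\s/domain\b", re.I),
    "dc_discovery":      re.compile(r"\bnltest(?:\.exe)?\s+/dsgetdc:", re.I),
    "trust_enumeration": re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts\b", re.I),
    "spn_scan":          re.compile(r"\bsetspn(?:\.exe)?\b.*\s-q\s", re.I),
    "acl_scan":          re.compile(r"\baccesschk(?:\.exe)?\b.*\s-u\w*\s", re.I),
}

# Constructed sample of Event ID 4688 records (process creation with command-line auditing enabled).
SAMPLE_4688 = [
    {"TimeCreated": "2024-05-01T09:05:12", "SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\net.exe",      "CommandLine": r"net use Z: \\CORP-FS01\share"},
    {"TimeCreated": "2024-05-01T09:06:40", "SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\nltest.exe",   "CommandLine": "nltest /dsgetdc:corp.local"},
    {"TimeCreated": "2024-05-01T13:40:02", "SubjectUserName": "bob",   "NewProcessName": r"C:\Windows\System32\net.exe",      "CommandLine": 'net group "Domain Admins" /domain'},
    {"TimeCreated": "2024-05-01T13:40:15", "SubjectUserName": "bob",   "NewProcessName": r"C:\Windows\System32\nltest.exe",   "CommandLine": "nltest /domain_trusts"},
    {"TimeCreated": "2024-05-01T13:41:03", "SubjectUserName": "bob",   "NewProcessName": r"C:\Windows\System32\setspn.exe",   "CommandLine": "setspn -T corp.local -Q */*"},
    {"TimeCreated": "2024-05-01T13:42:30", "SubjectUserName": "bob",   "NewProcessName": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /SVC"},
]


def classify(command_line):
    """Return the set of reconnaissance technique labels that a command line matches."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(command_line)}


def flag_recon_bursts(events, min_techniques=2):
    """Group matching 4688 events per user and hour; flag buckets with several distinct techniques.

    One 'net group' from a help-desk user is noise; three different recon techniques
    from one user inside an hour is the pattern worth a ticket.
    """
    buckets = defaultdict(lambda: {"techniques": set(), "commands": []})
    for e in events:
        techniques = classify(e["CommandLine"])
        if not techniques:
            continue
        key = (e["SubjectUserName"], e["TimeCreated"][:13])  # ISO timestamp truncated to the hour
        buckets[key]["techniques"] |= techniques
        buckets[key]["commands"].append(e["CommandLine"])
    return [
        {"user": user, "hour": hour, "techniques": sorted(b["techniques"]), "commands": b["commands"]}
        for (user, hour), b in sorted(buckets.items())
        if len(b["techniques"]) >= min_techniques
    ]


if __name__ == "__main__":
    for alert in flag_recon_bursts(SAMPLE_4688):
        print(alert)
```

On the sample, alice's `net use` plus a single DC lookup stays quiet, while bob's group, trust and SPN enumeration inside three minutes produces one alert carrying all three command lines for the analyst. In production the events come from the SIEM query output rather than an inline list, and both the patterns and `min_techniques` should be tuned against a week of baseline before alerting.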
Conclusion: Think Like an Attacker
AD reconnaissance thrives on blending legitimacy with exploitation. Key defenses:
- Baseline Deviation Detection: Monitor for anomalous command patterns
- Layered Defense: Combine command restrictions, logging, and access controls
- Continuous Testing: Regular simulations with BloodHound/ADAttackPathAnalyzer
Leverage Microsoft’s Active Directory Security Assessment Guide and MITRE ATT&CK TA0007 for ongoing improvements.
Technical References
- Microsoft: Securing Privileged Access
- AD Security: Top 10 AD Vulnerabilities
- SANS: Detecting AD Attacks
Remember: “Normal” commands often pose the greatest risk!