Five commands attackers use to find Domain Administrators in Active Directory

Vlado Vajdic (AttivoTechBlogs), published Jul 16, 2021, 3 min read

The purpose of this blog is to provide examples of commands that attackers would use to retrieve privileged group members in Active Directory Domain Services.

A common way attackers start an attack is to get control over a domain-joined PC. Then they look for more credentials and use these new accounts to query the domain for more information and continue the attack until they achieve their goals.

The domain administrator accounts are the accounts with the highest privileges in a domain and therefore of the most value to attackers. Knowing the queries to find these accounts helps defenders detect this kind of discovery activity in their networks.

It helps that these queries are not commonly observed in the day-to-day operation of enterprise networks. Therefore, detecting them is a strong indicator of malicious behaviour that security teams should investigate further.

Targeting Domain Administrators

Domain administrator accounts have full access to all domain-joined computers, servers, and file shares. For example, they can change domain policies, change user permissions and add new users.

These accounts get their privileges by being members of the built-in Domain Admins security group.

Once attackers have compromised a domain administrator account, they can encrypt and ransom or exfiltrate data from domain-joined computers and servers.

The attackers could then gain persistence in the domain by capturing credentials and other information, allowing them to continue their campaign even if the initial intrusion is detected.

If attackers have compromised a domain administrator account, recovery would require taking the domain offline and resetting the passwords of every account, which would cause a significant business impact.

Commands to find Domain Administrators

Objects in Active Directory are accessed using Lightweight Directory Access Protocol (LDAP) or Active Directory Service Interfaces (ADSI) in Windows.

LDAP is a standard protocol to query for information stored in a directory service. It is vendor-agnostic, supported by Active Directory and by other directory services products. Any authenticated user in an AD domain can run LDAP queries. ADSI is a set of Windows interfaces that enable common directory administrative tasks, such as adding new users, managing printers, and locating resources.

Here are examples of five Windows CLI commands to retrieve members of the Domain Admins security group.

net.exe

net.exe is a native Windows binary used to manage network resources, and one of the commands adversary groups execute most often. The "net group" command adds, displays, or modifies groups in domains.

net group "domain admins" /domain

dsquery

Dsquery is included in the Windows Remote Server Administration Tools (RSAT) package.

RSAT is a set of tools used for managing roles and features that run on a Windows Server. In Windows 10, RSAT can be installed as a "Features on Demand" package.

dsquery * -filter "(&(objectclass=group)(samaccountname=Domain Admins))" -attr name samaccountname member

adfind

Adfind is a popular free Active Directory query tool that is also used by adversary groups. This command shows the members of the Domain Admins group.

adfind -f "&(objectcategory=group)(cn=Domain Admins)" member

PowerShell

The [ADSISearcher] type accelerator exposes the .NET ADSI namespace (the System.DirectoryServices.DirectorySearcher class) in PowerShell. It searches for objects using LDAP filters.

([ADSISearcher]"(distinguishedname=CN=domain admins,CN=Users,DC=<yourdomain>)").FindOne().Properties.member

WMIC

Windows Management Instrumentation (WMI) manages data and operations in Windows operating systems. WMIC is a command-line interface for WMI and comes pre-installed on Windows. The WMI Directory Services Provider mirrors classes and instances from Active Directory into the WMI Lightweight Directory Access Protocol (LDAP) namespace.

wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value
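Since the post's point is that these queries are rare in normal operation and therefore worth alerting on, here is an added example (not code from the post or from Attivo) of the detection side: a small rule set run over process-creation records. The records are constructed for this example and use a simplified shape (id, image, cmdline) standing in for the CommandLine field of a Sysmon Event ID 1 or Windows Security 4688 event; the field names and sample paths are this example's own assumptions. Each rule requires both the tool and the "Domain Admins" group name, so everyday uses of the same binaries (net use, dsquery for a computer object) do not fire.

```python
"""Flag process-creation events whose command line matches one of the five
Domain Admins discovery commands from the post.

Added example. The input records are constructed here, not captured from a
real host; the id/image/cmdline shape is an assumed simplification of a
Sysmon Event ID 1 / Security 4688 process-creation record.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Detection:
    event_id: int   # identifier of the matching record
    rule: str       # which discovery technique the command line matched
    image: str      # executable that ran, kept for analyst triage


# Group name may appear quoted or unquoted depending on the tool.
_GROUP = r'["\']?domain admins["\']?'

# One rule per tool from the post; every rule needs the tool name plus the
# group name, so ordinary uses of the same binaries stay silent.
RULES = {
    # net.exe hands "net group" off to net1.exe, so both image names must match.
    "net group":     re.compile(r"\bnet1?(\.exe)?\b.*\bgroup\b.*" + _GROUP, re.I),
    "dsquery":       re.compile(r"\bdsquery(\.exe)?\b.*objectclass=group.*" + _GROUP, re.I),
    "adfind":        re.compile(r"\badfind(\.exe)?\b.*objectcategory=group.*" + _GROUP, re.I),
    "ADSISearcher":  re.compile(r"ADSISearcher.*" + _GROUP, re.I),
    "wmic ds_group": re.compile(r"\bwmic(\.exe)?\b.*ds_group.*" + _GROUP, re.I),
}

# Constructed sample records: the five commands from the post (with an
# invented domain DC=corp,DC=example) plus two benign uses of the same binaries.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"id": 2, "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r'C:\Windows\system32\net1 group "Domain Admins" /domain'},
    {"id": 3, "image": r"C:\Windows\System32\dsquery.exe",
     "cmdline": 'dsquery * -filter "(&(objectclass=group)(samaccountname=Domain Admins))" '
                '-attr name samaccountname member'},
    {"id": 4, "image": r"C:\Users\alice\Downloads\AdFind.exe",
     "cmdline": 'adfind -f "&(objectcategory=group)(cn=Domain Admins)" member'},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "([ADSISearcher]\'(distinguishedname=CN=domain admins,'
                'CN=Users,DC=corp,DC=example)\').FindOne().Properties.member"'},
    {"id": 6, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /NAMESPACE:\\\\root\\directory\\ldap PATH ds_group '
                'where "ds_samaccountname=\'Domain Admins\'" Get ds_member /Value'},
    # Benign: same binaries, no privileged-group lookup.
    {"id": 7, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileserver\share"},
    {"id": 8, "image": r"C:\Windows\System32\dsquery.exe",
     "cmdline": "dsquery computer -name DC01"},
]


def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first rule the command line matches, else None."""
    for name, pattern in RULES.items():
        if pattern.search(cmdline):
            return name
    return None


def detect(events) -> list:
    """Run every rule over a list of process-creation records and collect hits."""
    hits = []
    for ev in events:
        rule = classify(ev["cmdline"])
        if rule is not None:
            hits.append(Detection(ev["id"], rule, ev["image"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit.event_id}: {hit.rule} via {hit.image}")
```

The regexes are intentionally tolerant of quoting and of the net1.exe child process, but strict about requiring the group name, which is what keeps the false-positive rate low enough for an alert rather than a hunting query.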

There are many other ways to perform domain reconnaissance. For example, post-exploitation tools like Cobalt Strike or Metasploit include Active Directory enumeration features.

Attivo Networks' ADSecure solution intercepts these and other queries attempting AD discovery. It hides the real responses and inserts decoy information such as account names, which provides an opportunity for early detection and misdirects malicious activity to decoy accounts.

In future blogs we plan to explore methods and tools that attackers use to exploit Active Directory. Your feedback is always welcome.

Vlado Vajdic, Solution Engineer, Attivo Networks