official report for the AdHuntTool. C# Script used for Red Team. It can be used by Cobalt Strike execute-assembly or as standalone executable.
Note that DumpCertificateTemplates
and DumpPasswordPolicy
need the full base
Ex: domain name is ringzer0.local
you need to specify the domain as ringzer0,DC=local
This will generate the following query under the hood
beacon> execute-assembly C:\users\dev\Desktop\ADHuntTool.exe dumpcertificatetemplates ringzer0,DC=local -verbose
CA Name is:
Connecting to: LDAP://CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ringzer0,DC=local
Querying: (&(!name=AIA))
name : RINGZER0-RZDC-CA
Connecting to: LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ringzer0,DC=local
Querying: (&(name=*))
name : User
displayName : User
distinguishedName : CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=RINGZER0,DC=local
msPKI-Cert-Template-OID : 1.3.6.1.4.1.311.21.8.7352012.6162934.10046593.3535065.1065136.82.1.1
msPKI-Enrollment-Flag : 41
List of supported features
You can specify the -acl
switch to dump access control for each item
ADHuntTool.exe DumpCertificateTemplates RINGZER0,DC=CA -acl
CA Name is:
Connecting to: LDAP://CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=RINGZER0,DC=CA
Querying: (&(!name=AIA))
ntSecurityDescriptor : Group: RINGZER0\Enterprise Admins
DACL
------------
Type: Access Allowed
Permissions: Create All Child Objects|Delete All Child Objects|List Contents|All Validated Writes|Read All Properties|Write All Properties|Delete Subtree|List Object|All Extended Rights|Delete|Read Permissions|Modify Permissions|Modify Owner
Trustee: Domain Administrators
------------
Type: Access Allowed
Permissions: Create All Child Objects|Delete All Child Objects|List Contents|All Validated Writes|Read All Properties|Write All Properties|Delete Subtree|List Object|All Extended Rights|Delete|Read Permissions|Modify Permissions|Modify Owner
Trustee: RINGZER0\Enterprise Admins
------------
...
The command output can be redirected to a file using the -tofile
. Filename is the unixtimestamp
Standard commands
Usage: ADHuntTool.exe options domain [arguments]
ADHuntTool.exe Set
ADHuntTool.exe DumpLocalAdmin RingZer0 *optional*computername
ADHuntTool.exe DumpLocalGroup RingZer0 *optional*computername
ADHuntTool.exe DumpRemoteSession RingZer0 *optional*computername
ADHuntTool.exe DumpWkstaSession RingZer0 *optional*computername
ADHuntTool.exe CheckAdmin RingZer0 *optional*computername
ADHuntTool.exe DumpTrust RingZer0
ADHuntTool.exe DumpSamAccount RingZer0
ADHuntTool.exe DumpAllUsers RingZer0
ADHuntTool.exe DumpUser RingZer0 mr.un1k0d3r
ADHuntTool.exe DumpUsersEmail RingZer0
ADHuntTool.exe DumpAllComputers RingZer0
ADHuntTool.exe DumpComputer RingZer0 DC01
ADHuntTool.exe DumpAllGroups RingZer0
ADHuntTool.exe DumpGroup RingZer0 "Domain Admins"
ADHuntTool.exe DumpPasswordPolicy Ringzer0,DC=local
ADHuntTool.exe DumpCertificateTemplates Ringzer0,DC=local
ADHuntTool.exe DumpPwdLastSet RingZer0
ADHuntTool.exe DumpLastLogon RingZer0
ADHuntTool.exe CheckManaged RingZer0
ADHuntTool.exe DumpLapsPassword RingZer0 *optional*computername
ADHuntTool.exe DumpUserPassword RingZer0
ADHuntTool.exe DumpRemoteSession RingZer0 *optional*computername
ADHuntTool.exe PasswordBruteForce RingZer0 *optional*username (samaccountname)
ADHuntTool.exe GetShare target *optional*Domain\Username Password
ADHuntTool.exe GetService target *optional*Domain\Username Password
The -verbose
switch can be added to get verbose output.
Search through DC event log user using domain name, username or ip.
ADHuntUser.exe username mrun1k0d3r
ADHuntUser.exe domain RINGZER0
ADHuntUser.exe ip 192.168.1.10
Mr.Un1k0d3r RingZer0 Team
Tazz0 RingZer0 Team