-
Notifications
You must be signed in to change notification settings - Fork 13.9k
/
ldap_queries_default.yaml
375 lines (375 loc) · 13.6 KB
/
ldap_queries_default.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
---
queries:
- action: ENUM_ACCOUNTS
description: 'Dump info about all known user accounts in the domain.'
filter: '(|(objectClass=organizationalPerson)(sAMAccountType=805306368)(objectcategory=user)(objectClass=user))'
attributes:
- dn
- name
- description
- displayName
- sAMAccountName
- objectSID
- userPrincipalName
- userAccountControl
- homeDirectory
- homeDrive
- profilePath
- memberof
- lastLogoff
- lastLogon
- lastLogonDate
- logonCount
- badPwdCount
- pwdLastSet
- SmartcardLogonRequired
- LastBadPasswordAttempt
- PasswordLastSet
- PaswordNeverExpires
references:
- http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
- https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
- action: ENUM_AD_CS_CAS
description: 'Enumerate AD Certificate Service certificate authorities.'
base_dn_prefix: 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
filter: '(objectClass=pKIEnrollmentService)'
attributes:
- cn
- name
- cACertificateDN
- dNSHostname
- certificateTemplates
- objectGUID
- caCertificate
references:
- https://aaroneg.com/post/2018-05-15-enterprise-ca/
- action: ENUM_AD_CS_CERT_TEMPLATES
description: 'Enumerate AD Certificate Service certificate templates.'
base_dn_prefix: 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
filter: '(objectClass=pkicertificatetemplate)'
attributes:
- cn
- name
- displayName
- msPKI-Cert-Template-OID
- msPKI-Template-Schema-Version
- msPKI-Enrollment-Flag
- msPKI-Certificate-Name-Flag
- msPKI-Private-Key-Flag
- msPKI-RA-Signature
- pKIExtendedKeyUsage
references:
- https://web.archive.org/web/20220818094600if_/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf
- action: ENUM_ADMIN_OBJECTS
description: 'Dump info about all objects with protected ACLs (i.e highly privileged objects).'
filter: '(adminCount=1)'
attributes:
- dn
- description
- distinguishedName
- name
- samAccountName
- objectSID
- objectGUID
- objectCategory
- member
- memberof
references:
- https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
- action: ENUM_ALL_OBJECT_CATEGORY
description: 'Dump all objects containing any objectCategory field.'
filter: '(objectCategory=*)'
attributes:
- dn
- objectCategory
- action: ENUM_ALL_OBJECT_CLASS
description: 'Dump all objects containing any objectClass field.'
filter: '(objectClass=*)'
attributes:
- dn
- objectClass
- action: ENUM_COMPUTERS
description: 'Dump all objects containing an objectCategory or objectClass of Computer.'
filter: '(|(objectCategory=computer)(objectClass=computer))'
attributes:
- dn
- name
- description
- displayName
- sAMAccountName
- objectSID
- distinguishedName
- dNSHostName
- givenName
- operatingSystem
- operatingSystemVersion
- operatingSystemServicePack
- lastLogonTimestamp
- servicePrincipalName
- primaryGroupId
references:
- http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
- https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
- action: ENUM_CONSTRAINED_DELEGATION
description: 'Dump info about all known objects that allow contrained delegation.'
filter: '(userAccountControl:1.2.840.113556.1.4.803:=16777216)'
attributes:
- cn
- sAMAccountName
- objectCategory
- msds-allowedtodelegateto
- servicePrincipalName
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation
- action: ENUM_DNS_RECORDS
description: 'Dump info about DNS records the server knows about using the dnsNode object class.'
filter: '(objectClass=dnsNode)'
attributes:
- dc
- cn
- dnsRecord
- dnsTombstoned
- name
references:
- https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
- https://github.com/dirkjanm/krbrelayx/blob/master/dnstool.py
- action: ENUM_DNS_ZONES
description: 'Dump all known DNS zones using the dnsZone object class under the DC DomainDnsZones. Without A BASEDN prefix you can miss certain entries.'
filter: '(objectClass=dnsZone)'
base_dn_prefix: 'DC=DomainDnsZones'
attributes:
- name
- distinguishedName
references:
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
- action: ENUM_DOMAIN
description: 'Dump info about the Active Directory domain.'
filter: '(objectClass=domain)'
attributes:
- ms-DS-MachineAccountQuota
- objectSID
- name
- lockoutduration
- lockoutthreshold
- minpwdage
- maxpwdage
- minpwdlength
- action: ENUM_DOMAIN_CONTROLLERS
description: 'Dump all known domain controllers.'
filter: '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
attributes:
- dn
- displayName
- distinguishedName
- dNSHostName
- description
- givenName
- name
- operatingSystem
- operatingSystemVersion
- operatingSystemServicePack
references:
- http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
- https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
- action: ENUM_EXCHANGE_RECIPIENTS
description: 'Dump info about all known Exchange recipients.'
filter: '(|(mailNickname=*)(proxyAddresses=FAX:*))'
attributes:
- dn
- mailNickname
- proxyAddresses
- name
references:
- http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
- action: ENUM_EXCHANGE_SERVERS
description: 'Dump info about all known Exchange servers.'
filter: '(&(objectClass=msExchExchangeServer)(!(objectClass=msExchExchangeServerPolicy)))'
attributes:
- dn
- displayName
- distinguishedName
- dNSHostName
- description
- givenName
- name
- operatingSystem
- operatingSystemVersion
- operatingSystemServicePack
references:
- http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
- https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
- action: ENUM_GMSA_HASHES
description: 'Dump info about GMSAs and their password hashes if available.'
filter: '(objectClass=msDS-GroupManagedServiceAccount)'
attributes:
- cn
- displayName
- msDS-ManagedPassword
references:
- https://stealthbits.com/blog/securing-gmsa-passwords/
- https://o365blog.com/post/gmsa/
- https://adsecurity.org/?p=4367
- action: ENUM_GROUPS
description: 'Dump info about all known groups in the LDAP environment.'
filter: '(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup)(objectcategory=group))'
attributes:
- cn
- name
- description
- groupType
- memberof
- member
- owner
- adminCount
- managedBy
- groupAttributes
- objectSID
references:
- http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
- action: ENUM_GROUP_POLICY_OBJECTS
description: 'Dump info about all known Group Policy Objects (GPOs) in the LDAP environment.'
filter: '(objectClass=groupPolicyContainer)'
attributes:
- displayName
- gPCFileSysPath
- objectCategory
- objectGUID
references:
- https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
- action: ENUM_HOSTNAMES
description: 'Dump info about all known hostnames in the LDAP environment.'
filter: '(dnsHostName=*)'
attributes:
- dn
- name
- dnsHostName
- serverName
references:
- https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
- action: ENUM_LAPS_PASSWORDS
description: 'Dump info about computers that have LAPS enabled, and passwords for them if available.'
filter: '(ms-MCS-AdmPwd=*)'
attributes:
- cn
- displayName
- ms-MCS-AdmPwd
references:
- https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ldap-ldaps
- action: ENUM_LDAP_SERVER_METADATA
description: 'Dump metadata about the setup of the domain.'
filter: '(objectClass=*)'
attributes:
- dn
- defaultNamingContext
- domainFunctionality
- forestFunctionality
- domainControllerFunctionality
- dnsHostName
references:
- https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
- action: ENUM_MACHINE_ACCOUNT_QUOTA
description: 'Dump the number of computer accounts a user is allowed to create in a domain.'
filter: '(objectClass=domain)'
attributes:
- ms-DS-MachineAccountQuota
references:
- https://learn.microsoft.com/en-us/windows/win32/adschema/a-ms-ds-machineaccountquota
- action: ENUM_ORGROLES
description: 'Dump info about all known organization roles in the LDAP environment.'
filter: '(objectClass=organizationalRole)'
attributes:
- displayName
- name
- description
- action: ENUM_ORGUNITS
description: 'Dump info about all known organizational units in the LDAP environment.'
filter: '(objectClass=organizationalUnit)'
attributes:
- displayName
- name
- description
references:
- http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
- action: ENUM_UNCONSTRAINED_DELEGATION
description: 'Dump info about all known objects that allow unconstrained delegation.'
filter: '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
attributes:
- cn
- sAMAccountName
- objectCategory
- memberof
- member
references:
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
- action: ENUM_USER_ACCOUNT_DISABLED
description: 'Dump info about disabled user accounts.'
filter: '(userAccountControl:1.2.840.113556.1.4.803:=2)'
attributes:
- cn
- displayName
- description
- sAMAccountName
- userPrincipalName
- userAccountControl
- action: ENUM_USER_ACCOUNT_LOCKED_OUT
description: 'Dump info about locked out user accounts.'
filter: '(userAccountControl:1.2.840.113556.1.4.803:=16)'
attributes:
- cn
- displayName
- sAMAccountName
- userPrincipalName
- userAccountControl
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
- action: ENUM_USER_ASREP_ROASTABLE
description: 'Dump all users who are configured not to require kerberos pre-authentication, i.e. AS-REP roastable.'
filter: '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
attributes:
- cn
- displayName
- description
- sAMAccountName
- userPrincipalName
- userAccountControl
references:
- http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
- https://burmat.gitbook.io/security/hacking/domain-exploitation
- action: ENUM_USER_PASSWORD_NEVER_EXPIRES
description: 'Dump info about all users whose password never expires.'
filter: '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
attributes:
- cn
- displayName
- description
- sAMAccountName
- userPrincipalName
- userAccountControl
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
- action: ENUM_USER_PASSWORD_NOT_REQUIRED
description: 'Dump info about all users whose password never expires and whose account is still enabled.'
filter: '(&(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
attributes:
- cn
- displayName
- description
- sAMAccountName
- userPrincipalName
- userAccountControl
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
- action: ENUM_USER_SPNS_KERBEROAST
description: 'Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.'
filter: '(&(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=512))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
attributes:
- cn
- sAMAccountName
- servicePrincipalName
references:
- https://malicious.link/post/2022/ldapsearch-reference/
- https://burmat.gitbook.io/security/hacking/domain-exploitation
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties