ADSearch

ADSearch is a C# tool designed to work seamlessly with C2 frameworks like Cobalt Strike and Sliver using execute-assembly, enabling efficient and stealthy in-memory Active Directory enumeration. Unlike PowerShell-based tools like PowerView, which often rely on disk or process creation, ADSearch can be loaded directly into memory through the C2's implant. It supports custom LDAP queries, LDAPS connections, and JSON output for structured data collection.

AD Enumeration

Users

# User enumeration
ADSearch.exe --users

# Same with LDAP query
ADSearch.exe '--search "(&(objectCategory=person)(objectClass=user))"'

# Filter attributes
ADSearch.exe '--search "(samaccountname=administrator)" --attributes cn,logoncount,description'

Computers

# Enumerate computer objects
ADSearch.exe --computers

Groups

Enumerate memberships on the current domain:

# Enumerate Domain Admins
ADSearch.exe --domain-admins

If a bidirectional trust exist, cross-domain enumeration can be perfomed with the use of credentials to avoid the Kerberos Double Hop issue:

# Enumerate Enterprise Admins
ADSearch.exe '--search "(&(objectCategory=group)(cn=enterprise admins))" --attributes cn,member --domain moneycorp.local --username "x7331" --password "P@ss123!"'

OUs

# Enumerate Organizational Units
ADSearch.exe '--search "(objectCategory=organizationalunit)" --attributes name'

GPOs

# Enumerate Group Policy Objects
ADSearch.exe '--search "(objectCategory=groupPolicyContainer)" --attributes displayname'

To enumerate the GPOs applied to the a specific OU, the gplink attribute must first be retrieved. This attribute holds references to GPOs linked to the OU and is not returned by default in a standard LDAP query:

# Enumerate the gplink attribute
ADSearch.exe '--search "(ou=devops)" --attributes gplink'

# List the GPO that corresponds to the target gplink
ADSearch.exe '--search "(&(objectCategory=groupPolicyContainer)(|(name={0BF8D01C-1F62-4BDC-958C-57140B67D147})))" --attributes displayname'

Trusts

The (objectClass=trustedDomain) query returns all objects representing trusted domains. To focus only on relevant trust-related data, the --attributes argument can be used to extract specific properties such as trust direction, type, and attributes (trustAttributes, trustDirection):

# Enumerate all trusts
ADSearch.exe '-d dollarcorp.moneycorp.local --search "(objectClass=trustedDomain)" --attributes cn,flatName,objectClass,trustAttributes,trustDirection,trustPartner --json'

# Enumerate external cross-forest trusts (trustAttributes=0x00000004)
ADSearch.exe '-d moneycorp.local --search "(trustAttributes=4)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

# Enumerate external domain-specific trusts
ADSearch.exe '-d dollarcorp.moneycorp.local --search "(trustAttributes=4)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

If an external trust is found, then information can be extracted from the trusted domain:

ADSearch.exe '-d eurocorp.local --search "(objectClass=trustedDomain)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

Second Tab