ADSearch

ADSearch is a C# tool designed to work seamlessly with C2 frameworks like Cobalt Strike and Sliver using execute-assembly, enabling efficient and stealthy in-memory Active Directory enumeration. Unlike PowerShell-based tools like PowerView, which often rely on disk or process creation, ADSearch can be loaded directly into memory through the C2's implant. It supports custom LDAP queries, LDAPS connections, and JSON output for structured data collection.

AD Enumeration

Users

# User enumeration
ADSearch.exe --users

# Same with LDAP query
ADSearch.exe '--search "(&(objectCategory=person)(objectClass=user))"'

# Filter attributes
ADSearch.exe '--search "(samaccountname=administrator)" --attributes cn,logoncount,description'

Computers

# Enumerate computer objects
ADSearch.exe --computers

Groups

Enumerate memberships on the current domain:

# Enumerate Domain Admins
ADSearch.exe --domain-admins

If a bidirectional trust exist, cross-domain enumeration can be perfomed with the use of credentials to avoid the Kerberos Double Hop issue:

# Enumerate Enterprise Admins
ADSearch.exe '--search "(&(objectCategory=group)(cn=enterprise admins))" --attributes cn,member --domain moneycorp.local --username "x7331" --password "P@ss123!"'

OUs

# Enumerate Organizational Units
ADSearch.exe '--search "(objectCategory=organizationalunit)" --attributes name'

GPOs

# Enumerate Group Policy Objects
ADSearch.exe '--search "(objectCategory=groupPolicyContainer)" --attributes displayname'

To enumerate the GPOs applied to the a specific OU, the gplink attribute must first be retrieved. This attribute holds references to GPOs linked to the OU and is not returned by default in a standard LDAP query:

# Enumerate the gplink attribute
ADSearch.exe '--search "(ou=devops)" --attributes gplink'

# List the GPO that corresponds to the target gplink
ADSearch.exe '--search "(&(objectCategory=groupPolicyContainer)(|(name={0BF8D01C-1F62-4BDC-958C-57140B67D147})))" --attributes displayname'