ADSearch

ADSearch is a C# tool designed to work seamlessly with C2 frameworks like Cobalt Strike and Sliver using execute-assembly, enabling efficient and stealthy in-memory Active Directory enumeration. Unlike PowerShell-based tools like PowerView, which often rely on disk or process creation, ADSearch can be loaded directly into memory through the C2's implant. It supports custom LDAP queries, LDAPS connections, and JSON output for structured data collection.

AD Enumeration

Users

# User enumeration
ADSearch.exe --users

# Same with LDAP query
ADSearch.exe '--search "(&(objectCategory=person)(objectClass=user))"'

# Filter attributes
ADSearch.exe '--search "(samaccountname=administrator)" --attributes cn,logoncount,description'

Computers

Groups

OUs

GPOs

Trusts

The (objectClass=trustedDomain) query returns all objects representing trusted domains. To focus only on relevant trust-related data, the --attributes argument can be used to extract specific properties such as trust direction, type, and attributes (trustAttributes, trustDirection):

# Enumerate all trusts
ADSearch.exe '-d dollarcorp.moneycorp.local --search "(objectClass=trustedDomain)" --attributes cn,flatName,objectClass,trustAttributes,trustDirection,trustPartner --json'

# Enumerate external cross-forest trusts (trustAttributes=0x00000004)
ADSearch.exe '-d moneycorp.local --search "(trustAttributes=4)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

# Enumerate external domain-specific trusts
ADSearch.exe '-d dollarcorp.moneycorp.local --search "(trustAttributes=4)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

If an external trust is found, then information can be extracted from the trusted domain:

ADSearch.exe '-d eurocorp.local --search "(objectClass=trustedDomain)" --attributes cn,flatName,name,objectClass,trustAttributes,trustDirection,trustPartner --json'

Second Tab