StandIn
StandIn is a .NET-based Active Directory post-compromise toolkit built to support operations like resource-based constrained delegation (RBCD) from within C2 environments using execute-assembly. Originally developed to meet the need for a native, in-memory-compatible solution during internal red team engagements, it has since grown to include additional features that streamline AD post-exploitation tasks.
AD Enumeration
The key distinction between the --ldap and --object flags is the former's capability to query multiple directory objects simultaneously. In contrast, the latter is specifically designed for targeting and querying individual objects. Thus, --ldap is better suited for broader enumeration, while --object is optimal for focused, single-entity inspection.
# User enumeration
StandIn.exe '--ldap "(&(objectCategory=person)(objectClass=user))" --limit 10'
# User-specific enumeration with --object
StandIn.exe '--object samaccountname=administrator --filter lastlogon,description'
# Multiple user-specific enumeration with --ldap
StandIn.exe '--ldap "(|(samaccountname=administrator)(samaccountname=guest))" --filter lastlogon,description'
# Query for multiple users
StandIn.exe '--ldap (samaccountname=*admin*) --filter name'
# Enumerate computer objects
StandIn.exe '--ldap "(objectCategory=computer)" --filter samaccountname'
Enumerate memberships on the current domain:
# Enumerate Domain Admins
StandIn.exe '--group "domain admins"'
StandIn.exe '--object "(samaccountname=domain admins)" --filter member'If a bidirectional trust exist, cross-domain enumeration can be perfomed with the use of credentials to avoid the Kerberos Double Hop issue:
# Enumerate Enterprise Admins
StandIn.exe '--group "enterprise admins" --domain moneycorp.local --user "x7331" --pass "P@ass123!"'# Enumerate Organizational Units
StandIn.exe '--ldap "(objectCategory=organizationalunit)" --filter name'
# Enumerate a specific OU
StandIn.exe '--ldap "(OU=DevOps)" --filter name'# Enumerate Group Policy Objects
StandIn.exe '--ldap "(objectCategory=groupPolicyContainer)" --filter displayname'
StandIn.exe --gpo
To enumerate the GPOs applied to a specific OU, the gplink attribute must first be retrieved. This attribute holds references to the GPOs linked to the OU and is not returned by default in a standard LDAP query:
# Enumerate the gplink attribute
StandIn.exe '--ldap "(ou=devops)" --filter gplink'
# List the GPO that corresponds to the target gplink
StandIn.exe '--ldap "(&(objectCategory=groupPolicyContainer)(|(name={0BF8D01C-1F62-4BDC-958C-57140B67D147})))" --filter displayname'Last updated