StandIn

StandIn is a .NET-based Active Directory post-compromise toolkit built to support operations like resource-based constrained delegation (RBCD) from within C2 environments using execute-assembly. Originally developed to meet the need for a native, in-memory-compatible solution during internal red team engagements, it has since grown to include additional features that streamline AD post-exploitation tasks.

AD Enumeration

Users

The key distinction between the --ldap and --object flags is the former's capability to query multiple directory objects simultaneously. In contrast, the latter is specifically designed for targeting and querying individual objects. Thus, --ldap is better suited for broader enumeration, while --object is optimal for focused, single-entity inspection.

# User enumeration
StandIn.exe '--ldap "(&(objectCategory=person)(objectClass=user))" --limit 10'

# User-specific enumeration with --object
StandIn.exe '--object samaccountname=administrator --filter lastlogon,description'

# Mutliple user-specific enumeration with --ldap
StandIn.exe '--ldap "(|(samaccountname=administrator)(samaccountname=guest))" --filter lastlogon,description'

# Query for multiple users
StandIn.exe '--ldap (samaccountname=*admin*) --filter name'

Computers

Groups

OUs

GPOs