StandIn

StandIn is a .NET-based Active Directory post-compromise toolkit built to support operations like resource-based constrained delegation (RBCD) from within C2 environments using execute-assembly. Originally developed to meet the need for a native, in-memory-compatible solution during internal red team engagements, it has since grown to include additional features that streamline AD post-exploitation tasks.

AD Enumeration

Users

The key distinction between the --ldap and --object flags is the former's capability to query multiple directory objects simultaneously. In contrast, the latter is specifically designed for targeting and querying individual objects. Thus, --ldap is better suited for broader enumeration, while --object is optimal for focused, single-entity inspection.

# User enumeration
StandIn.exe '--ldap "(&(objectCategory=person)(objectClass=user))" --limit 10'

# User-specific enumeration with --object
StandIn.exe '--object samaccountname=administrator --filter lastlogon,description'

# Mutliple user-specific enumeration with --ldap
StandIn.exe '--ldap "(|(samaccountname=administrator)(samaccountname=guest))" --filter lastlogon,description'

# Query for multiple users
StandIn.exe '--ldap (samaccountname=*admin*) --filter name'

Computers

# Enumerate computer objects
StandIn.exe '--ldap "(objectCategory=computer)" --filter samaccountname'

Groups

Enumerate memberships on the current domain:

# Enumerate Domain Admins
StandIn.exe '--group "domain admins"'
StandIn.exe '--object "(samaccountname=domain admins)" --filter member'

If a bidirectional trust exist, cross-domain enumeration can be perfomed with the use of credentials to avoid the Kerberos Double Hop issue:

# Enumerate Enterprise Admins
StandIn.exe '--group "enterprise admins" --domain moneycorp.local --user "x7331" --pass "P@ass123!"'

OUs

# Enumerate Organizational Units
StandIn.exe '--ldap "(objectCategory=organizationalunit)" --filter name'

# Enumerate a specific OU
StandIn.exe '--ldap "(OU=DevOps)" --filter name'

GPOs

# Enumerate Group Policy Objects
StandIn.exe '--ldap "(objectCategory=groupPolicyContainer)" --filter displayname'
StandIn.exe --gpo

To enumerate the GPOs applied to the a specific OU, the gplink attribute must first be retrieved. This attribute holds references to GPOs linked to the OU and is not returned by default in a standard LDAP query:

# Enumerate the gplink attribute
StandIn.exe '--ldap "(ou=devops)" --filter gplink'

# List the GPO that corresponds to the target gplink
StandIn.exe '--ldap "(&(objectCategory=groupPolicyContainer)(|(name={0BF8D01C-1F62-4BDC-958C-57140B67D147})))" --filter displayname'