Which domain controller




















Additionally, BloodHound can be used to map the Active Directory environment to understand the fastest way to the domain controller. These tools have been used in attacks; however, they have an inherent challenge.

They draw too much attention to themselves as third-party tools that generate traffic. They are chatty and somewhat overt, meaning they could be detected by security systems. Attackers are best served by simply "living-off-the-land" when they have access to a domain-joined endpoint or workload. This way they use tools that are native to the endpoint and don't generate any noise on the network.

Attackers can begin with basic CLI commands many of us are familiar with as an easy, discreet way to understand where they are and what they can do next. On a domain-joined client machine, commands like whoami will allow for the discovery of the system owner or user, and show an output similar to what is shown below.

This lets the attacker build an account profile of the compromised system to see what that account has access to. A quick look at the Active Directory groups that the machine is a part of lets the attacker discern that the user is, for example, on the Finance team. The threat actor can also use a simple yet effective command like net users and associated switches to discover the name of the domain controller their compromised machine is joined to and the list of user accounts that exist on the domain controller.

From here, there is a clear set of important details that can aid their path to the domain controller. They can also see what is reachable given the routing table. This gives the attacker enough information to build out a basic map of network-level connections. They can decipher whether or not their compromised machine is sitting on the same subnet as the domain controller or DNS server. For this reason, it is imperative to take a micro-segmentation approach in which security is workload-dependent rather than network-dependent, even in a flat network architecture.

Security should follow the workload, such as a domain controller, irrespective of subnet or location. Attackers may also be able to decipher additional subnets and routes and their corresponding gateways, and corroborate that routing information with reverse DNS details of, for example, network share server names.

Most organizations use network shares for employees within the same team to share and sometimes archive information. Threat actors can leverage Windows network share details from built-in utilities such as net use to locate file servers or even domain controllers. These can be used to facilitate the spreading of malware to other machines over the local SMB network or through a valid remote access VPN connection connected to an SMB network.
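A defender-side view of the discovery sequence described above, as an added example that is not code from the original article: it flags a host/user pair that runs several distinct native discovery commands within a short window. The log format, host and user names, regex patterns and thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands named on the page; the regex patterns are assumptions for this example.
DISCOVERY = {
    "whoami": re.compile(r"\bwhoami(\.exe)?\b", re.I),
    "net user": re.compile(r"\bnet1?(\.exe)?\s+users?\b", re.I),
    "net use": re.compile(r"\bnet1?(\.exe)?\s+use\b", re.I),
    "nltest": re.compile(r"\bnltest(\.exe)?\b", re.I),
}

# Constructed process-creation events: timestamp|host|user|command line
SAMPLE_LOG = r"""2024-05-01T09:00:05|FIN-WS-07|CORP\jdoe|whoami /all
2024-05-01T09:00:40|FIN-WS-07|CORP\jdoe|net users /domain
2024-05-01T09:01:30|FIN-WS-07|CORP\jdoe|net use
2024-05-01T11:45:00|HR-WS-02|CORP\asmith|net use Z: \\FS01\hr
2024-05-01T10:00:00|IT-WS-01|CORP\admin1|whoami
2024-05-01T10:20:00|IT-WS-01|CORP\admin1|net user
2024-05-01T10:40:00|IT-WS-01|CORP\admin1|nltest /dsgetdc:corp.example
"""

def classify(cmdline):
    """Return the discovery category of a command line, or None."""
    return next((n for n, rx in DISCOVERY.items() if rx.search(cmdline)), None)

def find_bursts(log_text, window=timedelta(minutes=5), min_distinct=3):
    """Alert when one host/user runs >= min_distinct discovery kinds in window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, user, cmd = parts
        kind = classify(cmd)
        if kind:
            hits[(host, user)].append((datetime.fromisoformat(ts), kind))
    alerts = []
    for (host, user), seen in hits.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # slide the window forward
            kinds = sorted({k for _, k in seen[start:end + 1]})
            if len(kinds) >= min_distinct:
                alerts.append((host, user, kinds))
                break  # one alert per host/user is enough
    return alerts
```

A single whoami or net use is routine on its own; the signal here is the variety of discovery commands from one account in a few minutes, so the window and threshold need tuning against normal administrator activity.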

With this information, we can now see what shares and servers we have access to in Windows, below.

Have a look at the output of this command: set.

FYI: PowerShell didn't seem to have that variable set. I had to run it from basic command shell.

This doesn't work when you're logged on as a local user and you're interested in how the computer is authenticated to the domain. For that, see the other answer referencing nltest.

A note, here you get your logged in user's controller. Not the domain controller of the computer.

@ChristianBongiorno It works with PowerShell: it is a simple call on an environment variable.

This only answers your question if you have Outlook: I found an interesting feature in Outlook.

Where I got this info: superuser.

By Kirk Bennet.


