2.14-Gather AD Structure Information
Task: Gather AD Structure Information
Conditions
Given suspected compromised network segment(s) and access to a system that can gather the structure of the suspected domain.
Standards
- The team member identifies possibly compromised network segment(s).
- The team member accesses a system that can enumerate the domain.
- The team member utilizes various PowerShell cmdlets to enumerate the domain structure and/or users.
- The resulting enumerated data is compared to a known good AD configuration file to determine any anomalies present in the domain.
End State
The structure of the domain is enumerated based on the specific sub-task accomplished, and any anomalies on the domain are identified.
Manual Steps
- Get information of the current domain
- Get structure of domain

    PS C:\Users\btadmin\Desktop> Get-ADObject -Filter { ObjectClass -eq 'organizationalunit' } -Properties CanonicalName | Select-Object -Property CanonicalName

    CanonicalName
    -------------
    team01.tgt/Domain Controllers
    team01.tgt/Microsoft Exchange Security Groups
    team01.tgt/Groups
    team01.tgt/Chula Vista
    --snipped--

Output should be in the format identified in 'output_format_template.csv' and named [mm/dd/yyyy_hhss_AD_Structure_(xx.xx.xx.xx/x)]
Notify mission element lead and intelligence analyst of completion of this battle drill
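
The Standards call for comparing the enumerated data to a known good AD configuration. One way to do that comparison for the OU listing follows, as an added example that is not part of the original battle drill or its script. The function name, the finding labels, the 'Temp Admins' OU and the baseline file name and column are assumptions made for illustration.

```powershell
# Added example: diff enumerated OU canonical names against a known-good list.
function Compare-OUBaseline {
    param(
        [string[]]$Baseline = @(),   # known-good OU canonical names
        [string[]]$Current  = @()    # OU canonical names enumerated now
    )
    # AD names are case-insensitive, so use case-insensitive sets.
    $cmp  = [System.StringComparer]::OrdinalIgnoreCase
    $base = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $live = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($n in $Baseline) { if ($n -and $n.Trim()) { [void]$base.Add($n.Trim()) } }
    foreach ($n in $Current)  { if ($n -and $n.Trim()) { [void]$live.Add($n.Trim()) } }

    # OUs present now but absent from the baseline
    foreach ($n in $live) {
        if (-not $base.Contains($n)) {
            [pscustomobject]@{ CanonicalName = $n; Finding = 'NotInBaseline' }
        }
    }
    # OUs in the baseline that were not enumerated
    foreach ($n in $base) {
        if (-not $live.Contains($n)) {
            [pscustomobject]@{ CanonicalName = $n; Finding = 'MissingFromDomain' }
        }
    }
}

# Constructed sample data. The baseline names come from the output shown in
# the manual step; 'Temp Admins' is invented here to stand in for an anomaly.
$knownGood = @(
    'team01.tgt/Domain Controllers'
    'team01.tgt/Microsoft Exchange Security Groups'
    'team01.tgt/Groups'
    'team01.tgt/Chula Vista'
)
$enumerated = @(
    'team01.tgt/Domain Controllers'
    'team01.tgt/Microsoft Exchange Security Groups'
    'team01.tgt/groups'        # differs only in case: not reported
    'team01.tgt/Temp Admins'   # constructed: not in the baseline
)
Compare-OUBaseline -Baseline $knownGood -Current $enumerated | Format-Table -AutoSize

# On a domain-joined host with the ActiveDirectory module, feed live data instead:
# $enumerated = (Get-ADObject -Filter "ObjectClass -eq 'organizationalUnit'" -Properties CanonicalName).CanonicalName
# $knownGood  = (Import-Csv .\known_good_ou.csv).CanonicalName   # hypothetical file and column
```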
Running Script
- Download script from 2.14_Gather_AD_Structure_Information
- Run scripts
- The logfile will be saved to the CyberSurfers directory for analysis
Dependencies
N/A
Other available tools
N/A
References
N/A