I am using these LDAP queries to find weak AD accounts since Bloodhound can be noisy.
Anyone have some to add to these?
check for “do not require Kerberos pre-auth” enabled
(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304))
check for “store password with reversible encryption” enabled on user accounts
(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=128))
check for user accounts with SPN set
(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))
check for accounts in Domain Admins/Enterprise Admins groups
(&(objectClass=user)(adminCount=1))
These are great. Thanks for sharing these queries!
one more
check for accounts with unconstrained delegation (Kerberos only)
(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=524288))
You may want to check out some of the great stuff that harmj0y and the PowerShell Mafia came up with for more ideas.
Yeah, I'm currently looking into how to use ICON and PowerView and/or the AD module for PowerShell.
got one more
look for computers with unconstrained delegation
(&(objectCategory=Computer)(useraccountcontrol:1.2.840.113556.1.4.803:=524288))
and to exclude DCs
(&(objectCategory=Computer)(useraccountcontrol:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))
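The filters in this thread all lean on the same matching rule: `1.2.840.113556.1.4.803` is LDAP_MATCHING_RULE_BIT_AND, so `(userAccountControl:1.2.840.113556.1.4.803:=524288)` matches when every bit of the mask is set in the account's `userAccountControl`. The script below is an added example, not from the original thread or any of its posters. It re-implements the user checks from the first post (pre-auth not required, reversible encryption, SPN on a user, adminCount=1, unconstrained delegation) and the computer check from the last post (unconstrained delegation, excluding domain controllers via `primaryGroupID=516`) so you can run them offline against exported search results, and it renders the equivalent filter string for pasting into a directory search. The account records in `SAMPLE_ENTRIES`, the names in them, and the `audit`/`bit_and`/`filter_for` helpers are constructed for the example.

```python
"""Apply the thread's userAccountControl audit checks to LDAP-style records.

Added example (not from the thread). Entries in SAMPLE_ENTRIES are constructed;
the flag values and RID 516 (Domain Controllers) are the ones the filters use.
"""

# userAccountControl bits referenced by the thread's filters
ENCRYPTED_TEXT_PWD_ALLOWED = 0x80      # 128: password stored with reversible encryption
TRUSTED_FOR_DELEGATION = 0x80000       # 524288: unconstrained delegation
DONT_REQ_PREAUTH = 0x400000            # 4194304: Kerberos pre-authentication not required

# Extra bits used only to make the constructed sample records realistic
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000

DOMAIN_CONTROLLERS_RID = 516           # primaryGroupID of writable DCs
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Finding labels returned by audit()
NO_PREAUTH = "Kerberos pre-auth not required"
REVERSIBLE_PWD = "reversible encryption enabled"
USER_WITH_SPN = "user account with SPN"
ADMIN_COUNT = "adminCount=1"
UNCONSTRAINED_USER = "user with unconstrained delegation"
UNCONSTRAINED_COMPUTER = "non-DC computer with unconstrained delegation"


def bit_and(value, mask):
    """Local equivalent of (attr:1.2.840.113556.1.4.803:=mask): all mask bits set."""
    return (value & mask) == mask


def filter_for(mask, object_category="user"):
    """Render the bit-AND filter the thread uses for a given UAC mask."""
    return (f"(&(objectCategory={object_category})"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))")


def audit(entries):
    """Return (sAMAccountName, finding) pairs for every check in the thread."""
    findings = []
    for e in entries:
        name = e["sAMAccountName"]
        uac = e.get("userAccountControl", 0)
        category = e.get("objectCategory")
        if category == "user":
            if bit_and(uac, DONT_REQ_PREAUTH):
                findings.append((name, NO_PREAUTH))
            if bit_and(uac, ENCRYPTED_TEXT_PWD_ALLOWED):
                findings.append((name, REVERSIBLE_PWD))
            if e.get("servicePrincipalName"):
                findings.append((name, USER_WITH_SPN))
            if e.get("adminCount") == 1:
                findings.append((name, ADMIN_COUNT))
            if bit_and(uac, TRUSTED_FOR_DELEGATION):
                findings.append((name, UNCONSTRAINED_USER))
        elif category == "computer":
            # Same as the last filter: (!(primaryGroupID=516)) drops the DCs,
            # which are trusted for delegation by design.
            if (bit_and(uac, TRUSTED_FOR_DELEGATION)
                    and e.get("primaryGroupID") != DOMAIN_CONTROLLERS_RID):
                findings.append((name, UNCONSTRAINED_COMPUTER))
    return findings


# Constructed records shaped like a flattened directory export
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "user",
     "userAccountControl": NORMAL_ACCOUNT, "adminCount": 0},
    {"sAMAccountName": "svc_legacy", "objectCategory": "user",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ENCRYPTED_TEXT_PWD_ALLOWED,
     "servicePrincipalName": ["HTTP/app01.corp.example"]},
    {"sAMAccountName": "da_bob", "objectCategory": "user",
     "userAccountControl": NORMAL_ACCOUNT, "adminCount": 1},
    {"sAMAccountName": "DC01$", "objectCategory": "computer",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": DOMAIN_CONTROLLERS_RID},
    {"sAMAccountName": "APP01$", "objectCategory": "computer",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "primaryGroupID": 515},
]

if __name__ == "__main__":
    print(filter_for(TRUSTED_FOR_DELEGATION, "Computer"))
    for account, finding in audit(SAMPLE_ENTRIES):
        print(f"{account:12} {finding}")
```

Running it lists svc_legacy three times, da_bob once, and APP01$ once; DC01$ is silent because the DC exclusion applies, just as `(!(primaryGroupID=516))` does in the query. If your export comes from a directory with read-only DCs, extend the exclusion to RID 521 as well.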