ADExplorer - how to enumerate a domain when the antivirus disagrees

Celia Catalán




In today's installment we are going to talk about how to enumerate a domain when the antivirus does not cooperate.

During a security audit, enumerating the domain is a crucial task to obtain a complete view of the corporate domain infrastructure, for which collection tools such as SharpHound or PowerView are used. However, these tools are often detected and blocked by antivirus and other security measures in place. Furthermore, given the time constraints typical of an audit, it is not always possible to successfully evade these defenses to perform the desired enumeration.

In these cases, the need arises to look for alternatives that are not only effective, but also discreet. An excellent alternative is ADExplorer.exe, a tool provided by Sysinternals and signed by Microsoft. Because it is signed by a recognized entity such as Microsoft, ADExplorer is generally considered non-malicious and is therefore less likely to be blocked by antivirus products.

However, when an attacker relies on tools like ADExplorer, there may be occasions where the LDAP query contains objectClass=* or objectGuid=*. This is not necessarily ideal because, depending on the size of the organization, such a query can return a large amount of data and could disrupt communications between a C2 and the workstation the agent is running on.

Starting from a domain user account, ADExplorer allows you to inspect the domain and take a snapshot of the Active Directory in a .dat file. Although this snapshot does not contain as much detailed information as a full extraction performed by SharpHound (no sessions are enumerated, no attack paths are provided, etc.), it is still a very useful starting point for domain enumeration.


One of the significant advantages of using ADExplorer is the ability to convert the generated .dat file into a more usable format for further analysis. Using the ADExplorerSnapshot.py tool, the .dat file can be converted to .json format. This conversion allows the data to be imported into the BloodHound GUI, a widely used platform for the analysis and visualization of Active Directory information. In this way, you can make the most of the information collected, facilitating a better understanding of the network infrastructure and potential vulnerabilities.



Additionally, ADExplorer generates traffic that many network monitoring systems do not consider malicious. This feature can be very interesting for red team exercises, where the objective is to collect the necessary information without being detected. By not raising suspicions with its traffic, ADExplorer becomes a strategic tool for security professionals looking to perform a comprehensive audit without alerting the network's defense systems.
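The two points above (the objectClass=* / objectGuid=* queries that pull back a large part of the directory, and the fact that this traffic is rarely treated as malicious) also describe what a defender can look for. The following is an added example, not code from the original post or from Sysinternals: it parses constructed LDAP search records in a compact key=value form (the field names, the 1000-entry threshold and the sample data are all assumptions, not a real Windows event format; on a domain controller the filter, base and scope of expensive searches are exposed through Directory Service diagnostics such as Event ID 1644) and flags subtree searches against the domain root whose filter is nothing more than a presence test and whose result set is large.

```python
"""Flag broad LDAP searches that look like a full directory dump.

Added example (not from the original post). The log format is a constructed
key=value form chosen for readability; adapt RECORD_RE to whatever your
directory server or SIEM actually emits.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records, not real logs.
SAMPLE_LOG = """\
client=10.0.5.23 base=DC=corp,DC=local scope=subtree filter=(objectGuid=*) entries=48210
client=10.0.5.23 base=DC=corp,DC=local scope=subtree filter=(objectClass=*) entries=48210
client=10.0.9.8 base=CN=Users,DC=corp,DC=local scope=onelevel filter=(sAMAccountName=jdoe) entries=1
client=10.0.9.8 base=DC=corp,DC=local scope=subtree filter=(&(objectClass=computer)(operatingSystem=*Server*)) entries=112
client=10.0.1.2 base=DC=corp,DC=local scope=subtree filter=(objectClass=*) entries=30
"""

# One search record per line; every field is whitespace-free in this constructed format.
RECORD_RE = re.compile(
    r"^client=(?P<client>\S+) base=(?P<base>\S+) scope=(?P<scope>\S+) "
    r"filter=(?P<filter>\S+) entries=(?P<entries>\d+)$"
)

# A filter that is only a presence test on a single attribute, e.g. (objectClass=*).
# Such a filter matches every object under the search base.
PRESENCE_ONLY_RE = re.compile(r"^\([A-Za-z][A-Za-z0-9-]*=\*\)$")


@dataclass(frozen=True)
class SearchRecord:
    client: str
    base: str
    scope: str
    filter: str
    entries: int


def parse_records(text: str) -> list[SearchRecord]:
    """Parse the key=value log into records, skipping lines that do not match."""
    records: list[SearchRecord] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue
        records.append(SearchRecord(
            client=m["client"],
            base=m["base"],
            scope=m["scope"].lower(),
            filter=m["filter"],
            entries=int(m["entries"]),
        ))
    return records


def is_presence_only(ldap_filter: str) -> bool:
    """True for filters such as (objectClass=*) or (objectGuid=*)."""
    return PRESENCE_ONLY_RE.match(ldap_filter) is not None


def is_root_base(base_dn: str) -> bool:
    """True when the search base is the naming context itself (first RDN is DC=)."""
    return base_dn.upper().startswith("DC=")


def flag_broad_searches(records: list[SearchRecord],
                        entry_threshold: int = 1000) -> list[SearchRecord]:
    """Return searches that walk the whole tree with a match-everything filter
    and return at least entry_threshold objects (threshold is an assumption)."""
    return [
        r for r in records
        if r.scope == "subtree"
        and is_root_base(r.base)
        and is_presence_only(r.filter)
        and r.entries >= entry_threshold
    ]


def count_by_client(findings: list[SearchRecord]) -> dict[str, int]:
    """How many broad searches each client issued; repeated dumps from one
    host are a stronger signal than a single one."""
    return dict(Counter(r.client for r in findings))


if __name__ == "__main__":
    found = flag_broad_searches(parse_records(SAMPLE_LOG))
    for r in found:
        print(f"{r.client} pulled {r.entries} entries from {r.base} with {r.filter}")
    print(count_by_client(found))
```

The fourth sample line shows why the check is restricted to presence-only filters: a compound filter that happens to include a wildcard is ordinary administrative traffic and should not trip the rule. The last line shows why a size threshold is needed as well, since a (objectClass=*) search that returns a handful of objects is routine.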


That wraps up this installment on ADExplorer. Thank you for joining us on another Monday; see you next time.

Ignacio Sánchez, Cybersecurity Analyst at Zerolynx.