dsquery

- Tool Overview

Category: Information Collection
Description: Acquires information, such as users and groups, from Active Directory.
Example of Presumed Tool Use During an Attack: This tool is used to collect information on Active Directory and to select users and hosts that can be attack targets.

- Tool Operation Overview

OS: Windows Server
Belonging to Domain: Not required
Rights: Standard user (however, some information cannot be acquired depending on the user's privileges)
Communication Protocol: 389/tcp
Service: Active Directory Domain Services

- Information Acquired from Log

Standard Settings
  • Host
    • Execution history (Prefetch)
Additional Settings
  • Host
    • Execution history (Sysmon, audit policy)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Domain Controller

Event log

1. Log: Microsoft-Windows-Sysmon/Operational; Event ID: 1; Task Category: Process Create (rule: ProcessCreate); Event Details: Process Create.
  • CommandLine: Command line of the executed command (path to the tool; the query filter conditions can be identified)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
  • User: User who executed the process
2. Log: Security; Event ID: 4689; Task Category: Process Termination; Event Details: A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value (0x0 if successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file (path to the tool)
3. Log: Microsoft-Windows-Sysmon/Operational; Event ID: 3; Task Category: Network connection detected (rule: NetworkConnect); Event Details: Network connection detected.
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (port: 389)
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number

- Details: Domain Controller

- Event Log

1. Event Log: Microsoft-Windows-Sysmon/Operational; Event ID: 1; Task Category: Process Create (rule: ProcessCreate); Event Details: Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • Image: Path to the executable file (path to the tool)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: User who executed the process
  • Hashes: Hash value of the executable file
  • CommandLine: Command line of the executed command (path to the tool; the query filter conditions can be identified)
1. Event Log: Security; Event ID: 4688; Task Category: Process Create; Event Details: A new process has been created.
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (path to the tool)
  • Process Information > Token Elevation Type: Whether the process token was elevated
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2. Event Log: Microsoft-Windows-Sysmon/Operational; Event ID: 3; Task Category: Network connection detected (rule: NetworkConnect); Event Details: Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • User: User who executed the process
  • DestinationPort: Destination port number (389)
  • SourcePort: Source port number (high port)
2. Event Log: Security; Event ID: 5158; Task Category: Filtering Platform Connection; Event Details: The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\[Path to Tool])
2. Event Log: Security; Event ID: 5156; Task Category: Filtering Platform Connection; Event Details: The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (389)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\[Path to Tool])
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
3. Event Log: Microsoft-Windows-Sysmon/Operational; Event ID: 3; Task Category: Network connection detected (rule: NetworkConnect); Event Details: Network connection detected.
  • Protocol: Protocol
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • ProcessGuid/ProcessId: Process ID
  • User: User who executed the process
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (389)
3. Event Log: Security; Event ID: 5156; Task Category: Filtering Platform Connection; Event Details: The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (389)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (Domain Controller)
  • Application Information > Process ID: Process ID
4. Event Log: Microsoft-Windows-Sysmon/Operational; Event ID: 5; Task Category: Process terminated (rule: ProcessTerminate); Event Details: Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)
4. Event Log: Security; Event ID: 4689; Task Category: Process Termination; Event Details: A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0 if successful)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the tool)
  • Subject > Logon ID: Session ID of the user who executed the process
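Correlating the Sysmon events listed in the two tables above, as an added example that is not part of the original page: the events below are constructed samples, and the function joins each NetworkConnect (Event ID 3) to port 389 with the ProcessCreate (Event ID 1) and ProcessTerminate (Event ID 5) of the same ProcessGuid, so that a single finding carries the user, the command line (including the query filter conditions), the parent process and the queried Domain Controller.

```python
from pathlib import PureWindowsPath

LDAP_PORT = 389

# Constructed sample Sysmon events (not real log data). Field names follow the
# tables above: Event ID 1 (ProcessCreate), 3 (NetworkConnect), 5 (ProcessTerminate).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-10 09:12:01.001", "ProcessGuid": "{G-0001}",
     "ProcessId": 4120, "Image": r"C:\Windows\System32\dsquery.exe",
     "CommandLine": "dsquery user -name a*", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "UtcTime": "2024-01-10 09:12:01.220", "ProcessGuid": "{G-0001}",
     "ProcessId": 4120, "Image": r"C:\Windows\System32\dsquery.exe", "Protocol": "tcp",
     "DestinationIp": "10.0.0.5", "DestinationPort": 389, "SourcePort": 51322},
    {"EventID": 5, "UtcTime": "2024-01-10 09:12:02.004", "ProcessGuid": "{G-0001}",
     "ProcessId": 4120, "Image": r"C:\Windows\System32\dsquery.exe"},
    # Unrelated browser traffic to 443 from the same user: must not be flagged.
    {"EventID": 1, "UtcTime": "2024-01-10 09:13:00.000", "ProcessGuid": "{G-0002}",
     "ProcessId": 5222, "Image": r"C:\Program Files\Browser\browser.exe",
     "CommandLine": "browser.exe", "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2024-01-10 09:13:00.500", "ProcessGuid": "{G-0002}",
     "ProcessId": 5222, "Image": r"C:\Program Files\Browser\browser.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "SourcePort": 51330},
]


def correlate_ldap_queries(events, ldap_port=LDAP_PORT):
    """Return one finding per TCP connection to the LDAP port (Event ID 3), enriched
    with the ProcessCreate (ID 1) and ProcessTerminate (ID 5) sharing its ProcessGuid."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    ends = {e["ProcessGuid"]: e["UtcTime"] for e in events if e["EventID"] == 5}
    findings = []
    for e in events:
        if e["EventID"] != 3 or e.get("Protocol") != "tcp" or e.get("DestinationPort") != ldap_port:
            continue
        # A connect with no matching create (e.g. Sysmon started late) is still reported.
        create = creates.get(e["ProcessGuid"], {})
        findings.append({
            "ProcessGuid": e["ProcessGuid"],
            "User": create.get("User"),
            "Image": e["Image"],
            "CommandLine": create.get("CommandLine"),
            "ParentImage": create.get("ParentImage"),
            "DomainController": e["DestinationIp"],
            "Started": create.get("UtcTime"),
            "Ended": ends.get(e["ProcessGuid"]),
            # Image basename check distinguishes the known AD tool from other LDAP clients.
            "KnownADTool": PureWindowsPath(e["Image"]).name.lower() == "dsquery.exe",
        })
    return findings
```

Any process reaching port 389 is reported so that renamed copies of the tool are not missed; the KnownADTool flag only says whether the image name matches dsquery.exe.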

- Remarks