@jsecurity101
Created October 25, 2023 15:05
List of known LDAP queries used by attackers

List was compiled by Jonathan Johnson (@jsecurity101) and Carlos Perez (@Carlos_Perez)

The queries are not complete and are meant to be a reference. If you use them for hunting, match them with a contains operator in your query language rather than an exact match.

  • Kerberoasting
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
  • Attributes with passwords
    • (userpassword=*)
    • (ms-mcs-admpwd=*)
    • (unicodePwd=*)
    • (unixUserPassword=*)
    • (msSFU30Password=*)
    • (os400Password=*)
  • TrustedDomains
    • (objectclass=trusteddomain)
  • User & Groups
    • Basic users
      • (objectclass=user)
        • Can have objectCategory=person
        • "(&(objectCategory=Person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" from SharpSpray
    • Service Accounts with passwords last set under a certain time
      • (objectclass=user)(pwdlastset)
    • Domain Admins
      • (objectclass=group)(samaccountname=domain admins)
    • Any Admin group
      • (objectclass=group)(samaccountname=admins)
  • Computers
    • Domain Controllers:
      • (objectclass=computer)(name=DC)
  • PKI - look at Certify by Will and Lee
  • LAPS passwords
    • ms-MCS-AdmPwd=*
      • From SharpLAPS "(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=" + target + "))"
  • All GPOs
    • (objectClass=groupPolicyContainer)
  • All OUs
    • (objectCategory=organizationalUnit)
  • All Trusts
    • (objectClass=trustedDomain)
  • All Security Groups
    • (groupType:1.2.840.113556.1.4.803:=2147483648)
  • All users
    • (&(objectCategory=person)(objectClass=user))
  • All groups
    • (objectClass=group)
  • All users (more effective)
    • (sAMAccountType=805306368)
  • All users with the account configuration 'Password never expires'
    • (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
  • All domain controllers
    • (&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
  • Accounts Trusted for Delegation
    • (userAccountControl:1.2.840.113556.1.4.803:=524288)
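
A sketch of the "contains" hunting approach, added here as an example and not part of the original gist: it normalizes case and whitespace in logged LDAP filters, then labels a filter when every fragment of a signature from the list above is contained in it. The event field names `client` and `filter` and the sample events are constructed assumptions; map them to whatever your LDAP telemetry actually exposes.

```python
import re

def normalize(ldap_filter):
    """Lowercase and drop whitespace so tool-specific casing/spacing does not break matching."""
    return re.sub(r"\s+", "", ldap_filter).lower()

# (label, fragments that must ALL be contained). Fragments are copied from the list above.
SIGNATURES = [
    ("Kerberoasting", ["(samAccountType=805306368)", "(servicePrincipalName=*)"]),
    ("LAPS passwords", ["ms-MCS-AdmPwd=*"]),
    ("Attributes with passwords", ["(unicodePwd=*)"]),
    ("Attributes with passwords", ["(userpassword=*)"]),
    ("Trusts", ["(objectClass=trustedDomain)"]),
    ("Accounts trusted for delegation", ["(userAccountControl:1.2.840.113556.1.4.803:=524288)"]),
    ("Password never expires", ["(userAccountControl:1.2.840.113556.1.4.803:=65536)"]),
    ("Domain Admins", ["(objectclass=group)", "(samaccountname=domain admins)"]),
]
# Signatures go through the same normalization as the logged filters.
COMPILED = [(label, [normalize(f) for f in frags]) for label, frags in SIGNATURES]

def classify(ldap_filter):
    """Return the labels whose fragments are all contained in the logged filter."""
    seen = normalize(ldap_filter)
    hits = []
    for label, frags in COMPILED:
        if all(f in seen for f in frags) and label not in hits:
            hits.append(label)
    return hits

# Constructed sample events; field names and values are hypothetical.
SAMPLE_EVENTS = [
    {"client": "10.0.0.5", "filter": "(&(samAccountType=805306368)(servicePrincipalName=*)"
                                     "(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"},
    {"client": "10.0.0.5", "filter": "( & (objectCategory=computer) (MS-MCS-ADMPWD=*) (sAMAccountName=WS01$) )"},
    {"client": "10.0.0.9", "filter": "(&(objectClass=user)(sAMAccountName=alice))"},
    {"client": "10.0.0.7", "filter": "(&(objectClass=group)(samAccountName=Domain Admins))"},
]

def hunt(events):
    """Return (client, labels) for every event that matches at least one signature."""
    results = [(e["client"], classify(e["filter"])) for e in events]
    return [(client, labels) for client, labels in results if labels]

if __name__ == "__main__":
    for client, labels in hunt(SAMPLE_EVENTS):
        print(client, labels)
```

Requiring all fragments of a signature keeps broad single terms such as `(objectclass=group)` from firing on their own, which matters because many of these filters are also issued by legitimate administration tools.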