Queries are not complete and are meant to be a reference. If you are using them for hunting, use a contains
match within the query language.
- Kerberoasting
- (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
- (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
- (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))
- Attributes with passwords
- (userpassword=*)
- (ms-mcs-admpwd=*)
- (unicodePwd=*)
- (unixUserPassword=*)
- (msSFU30Password=*)
- (os400Password=*)
- TrustedDomains
- (objectclass=trusteddomain)
- Users & Groups
- Basic users
- (objectclass=user)
- Can have objectCategory=person
- "(&(objectCategory=Person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" from SharpSpray
- Service Accounts with passwords last set under a certain time
- (objectclass=user)(pwdlastset)
- Domain Admins
- (objectclass=group)(samaccountname=domain admins)
- Any Admin group
- (objectclass=group)(samaccountname=admins)
- Computers
- Domain Controllers:
- (objectclass=computer)(name=DC)
- PKI - look at Certify by Will and Lee
- LAPS passwords
- ms-MCS-AdmPwd=*
- From SharpLAPS
- "(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=" + target + "))"
- All GPOs
- (objectClass=groupPolicyContainer)
- All OUs
- (objectCategory=organizationalUnit)
- All Trusts
- (objectClass=trustedDomain)
- All Security Groups
- (groupType:1.2.840.113556.1.4.803:=2147483648)
- All users
- (&(objectCategory=person)(objectClass=user))
- All groups
- (objectClass=group)
- All users (more effective)
- (sAMAccountType=805306368)
- All users with the account configuration 'Password never expires'
- (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
- All domain controllers
- (&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
- Accounts Trusted for Delegation
- (userAccountControl:1.2.840.113556.1.4.803:=524288)
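
The contains-style matching recommended at the top of this page, as an added example (not code from the original page): a small Python hunter that checks logged LDAP search filters for fragments of the queries listed above. The event records are constructed samples, and the `client`/`filter` field names and the choice of which fragments to include are assumptions.

```python
import re

# Fragments copied from the filters on this page, grouped under its headings.
# Very broad ones such as (objectclass=user) are left out of this example
# because they would match most ordinary directory lookups.
HUNT_FRAGMENTS = {
    "Kerberoasting": ["(samAccountType=805306368)(servicePrincipalName=*)"],
    "LAPS passwords": ["ms-MCS-AdmPwd=*"],
    "Attributes with passwords": [
        "(userpassword=*)", "(unicodePwd=*)", "(unixUserPassword=*)",
        "(msSFU30Password=*)", "(os400Password=*)",
    ],
    "All Trusts": ["(objectClass=trustedDomain)"],
    "All GPOs": ["(objectClass=groupPolicyContainer)"],
    "Accounts Trusted for Delegation": [
        "(userAccountControl:1.2.840.113556.1.4.803:=524288)",
    ],
}

def normalize(ldap_filter):
    """Lowercase and strip whitespace: attribute names are case-insensitive
    and a logged filter may be spaced differently from what was typed."""
    return re.sub(r"\s+", "", ldap_filter).lower()

# Normalize the fragments once so both sides compare in the same form.
_NORMALIZED = {label: [normalize(f) for f in frags]
               for label, frags in HUNT_FRAGMENTS.items()}

def classify(ldap_filter):
    """Return the sorted page headings whose fragments occur in the filter."""
    norm = normalize(ldap_filter)
    return sorted(label for label, frags in _NORMALIZED.items()
                  if any(f in norm for f in frags))

def hunt(events):
    """Return (client, labels, filter) for every event with a match."""
    hits = []
    for event in events:
        labels = classify(event["filter"])
        if labels:
            hits.append((event["client"], labels, event["filter"]))
    return hits

# Constructed sample records (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = [
    {"client": "10.0.0.15", "filter": "(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"},
    {"client": "10.0.0.22", "filter": " ( & (objectCategory=computer) (ms-MCS-AdmPwd=*) (sAMAccountName=WS01$) ) "},
    {"client": "10.0.0.30", "filter": "(&(objectClass=user)(sAMAccountName=jsmith))"},
]
```

Calling `hunt(SAMPLE_EVENTS)` returns the first two records with their headings and skips the ordinary single-user lookup.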