dsquery

dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [1] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

ID: S0105
Associated Software: dsquery.exe
Type: TOOL
Platforms: Windows
Version: 1.4
Created: 31 May 2017
Last Modified: 04 January 2023

Techniques Used

Domain ID Name Use
Enterprise T1087.002 Account Discovery: Domain Account

dsquery can be used to gather information on user accounts within a domain.[1][2]

Enterprise T1482 Domain Trust Discovery

dsquery can be used to gather information on domain trusts with dsquery * -filter "(objectClass=trustedDomain)" -attr *.[3]

Enterprise T1069.002 Permission Groups Discovery: Domain Groups

dsquery can be used to gather information on permission groups within a domain.[1][2]

Enterprise T1082 System Information Discovery

dsquery has the ability to enumerate various information, such as the operating system and host name, for systems within a domain.[2]
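As an added example that is not part of the ATT&CK page, the following Python maps dsquery process-creation events to the technique IDs listed above so that a hunting query can enrich rather than merely flag them. The sample events, the Image/CommandLine field names (Sysmon Event ID 1 style) and the subcommand-to-technique mapping are assumptions chosen for illustration.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dsquery.exe",
     "CommandLine": 'dsquery * -filter "(objectClass=trustedDomain)" -attr *'},
    {"Image": r"C:\Windows\System32\dsquery.exe", "CommandLine": "dsquery user -limit 0"},
    {"Image": r"C:\Windows\System32\dsquery.exe", "CommandLine": 'dsquery group -name "Domain Admins"'},
    {"Image": r"C:\Windows\System32\dsquery.exe", "CommandLine": "dsquery computer -limit 0"},
    {"Image": r"C:\Windows\System32\dsquery.exe", "CommandLine": "dsquery subnet -limit 0"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe trustedDomain.txt"},
]

# Assumed mapping from the dsquery object type to the ATT&CK techniques on this page.
# "subnet" covers the Operation Wocao behaviour, which the page lists without a technique ID.
OBJECT_TYPE_TECHNIQUE = {
    "user": "T1087.002",      # Account Discovery: Domain Account
    "group": "T1069.002",     # Permission Groups Discovery: Domain Groups
    "computer": "T1082",      # System Information Discovery
    "subnet": "subnet enumeration",
}
TRUST_FILTER = re.compile(r"objectClass=trustedDomain", re.IGNORECASE)


def classify_dsquery(event):
    """Return the technique label for a dsquery execution, or None if the image is not dsquery.exe."""
    if not event["Image"].lower().endswith("\\dsquery.exe"):
        return None
    args = event["CommandLine"].split()[1:]  # drop the program name token
    if not args:
        return "unknown"
    obj = args[0].lower()
    # The wildcard form with a trustedDomain filter is the Domain Trust Discovery (T1482) pattern.
    if obj == "*":
        return "T1482" if TRUST_FILTER.search(event["CommandLine"]) else "generic LDAP query"
    return OBJECT_TYPE_TECHNIQUE.get(obj, "unknown")


def detect(events):
    """Return (event index, technique) pairs for every dsquery execution in the list.

    Classification is by command line only; dsquery is also a routine admin tool, so these
    hits are enrichment for a hunt, not alerts on their own.
    """
    return [(i, tech) for i, ev in enumerate(events) if (tech := classify_dsquery(ev)) is not None]


if __name__ == "__main__":
    for idx, tech in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {tech} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```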

Groups That Use This Software

ID Name References
G0061 FIN8 [4]

G0096 APT41 [2]

Campaigns

ID Name Description
C0017 C0017

During C0017, APT41 used multiple dsquery commands to enumerate various Active Directory objects within a compromised environment.[2]

C0012 Operation CuckooBees [5]

C0014 Operation Wocao

During Operation Wocao, threat actors used dsquery to retrieve all subnets in the Active Directory.[6]

References