dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [1] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

ID: S0105
Associated Software: dsquery.exe
Type: TOOL
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 13 October 2022

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | dsquery can be used to gather information on user accounts within a domain.[1] |
| Enterprise | T1482 | Domain Trust Discovery | dsquery can be used to gather information on domain trusts with `dsquery * -filter "(objectClass=trustedDomain)" -attr *`.[2] |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | dsquery can be used to gather information on permission groups within a domain.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0061 | FIN8 | |

| ID | Name | Description |
|---|---|---|
| C0012 | Operation CuckooBees | |
| C0014 | Operation Wocao | During Operation Wocao, threat actors used dsquery to retrieve all subnets in the Active Directory.[5] |
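
For triage of process-creation telemetry, the following added example (not part of the original entry or of any vendor tooling) tags dsquery command lines with the three technique IDs listed above. The keyword-to-technique mapping, the function names and the sample records are assumptions constructed for illustration.

```python
import re

# ATT&CK IDs are the three listed on this page; the keyword-to-ID mapping is an assumption.
OBJECT_TYPE_TECHNIQUE = {"user": "T1087.002", "group": "T1069.002"}
LDAP_FILTER_TECHNIQUE = [
    (re.compile(r"objectclass\s*=\s*trusteddomain", re.I), "T1482"),
    (re.compile(r"object(class|category)\s*=\s*(user|person)", re.I), "T1087.002"),
    (re.compile(r"object(class|category)\s*=\s*group", re.I), "T1069.002"),
]

def classify(command_line):
    """Return None if dsquery is not invoked, else an ATT&CK ID or 'unmapped'."""
    # Keep double-quoted arguments together. Any token naming dsquery counts, so
    # cmd.exe /c wrappers are caught (a bare 'dsquery' argument to another tool is too).
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    for i, tok in enumerate(tokens):
        image = re.split(r"[\\/]", tok)[-1].lower()
        if image in ("dsquery", "dsquery.exe"):
            args = tokens[i + 1:]
            break
    else:
        return None
    object_type = args[0].lower() if args else ""
    if object_type == "*":
        # Generic LDAP query form: the technique depends on the -filter value.
        rest = " ".join(args[1:])
        for pattern, technique in LDAP_FILTER_TECHNIQUE:
            if pattern.search(rest):
                return technique
        return "unmapped"
    return OBJECT_TYPE_TECHNIQUE.get(object_type, "unmapped")

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-014", "cmd": r'C:\Windows\System32\dsquery.exe * -filter "(objectClass=trustedDomain)" -attr *'},
    {"host": "WS-014", "cmd": r'cmd.exe /c dsquery user -limit 0'},
    {"host": "SRV-02", "cmd": r'"C:\Windows\System32\dsquery.exe" group -name *admin*'},
    {"host": "SRV-02", "cmd": r'dsquery subnet -limit 0'},
    {"host": "WS-101", "cmd": r'notepad.exe C:\temp\dsquery-notes.txt'},
]

def triage(events):
    """Return (host, technique, command line) for every dsquery execution."""
    classified = ((e["host"], classify(e["cmd"]), e["cmd"]) for e in events)
    return [hit for hit in classified if hit[1] is not None]

if __name__ == "__main__":
    for host, technique, cmd in triage(SAMPLE_EVENTS):
        print(f"{host}\t{technique}\t{cmd}")
```

Executions that return `unmapped`, such as the subnet query in the sample data, are still dsquery runs and are worth reviewing on hosts where the tool is not normally used.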