# Emulating FIN6 - Active Directory Enumeration Made EASY

## Metadata

- **Channel:** HackerSploit
- **YouTube:** https://www.youtube.com/watch?v=Iwxmscx3XXc
- **Date:** 17.02.2025
- **Duration:** 20:22
- **Views:** 10,786

## Description

In this episode of the FIN6 Adversary Emulation series, we focus on Active Directory (AD) enumeration—a critical phase in FIN6’s discovery techniques. Understanding how adversaries enumerate Active Directory environments will help you refine your tradecraft or improve your detection and mitigation capabilities if you are a Blue Teamer.

In this video, you will learn how FIN6 performs Active Directory enumeration, and how to use native Windows commands like "net" and PowerShell's "Get-AD*" cmdlets for AD Enumeration. You will also learn how to utilize "AdFind.exe" to extract information from an Active Directory Environment. 
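As a defender's counterpart to the enumeration the video walks through, here is an added example (not code from the video, HackerSploit or CYBER RANGES) that scans constructed process-creation records for the AdFind, net, nltest and Get-AD* procedures named above, plus the redirection of their output into C:\Users\Public, and alerts on hosts that chain several of them. The `host|user|commandline` record format, host and user names, and the technique-to-ATT&CK mapping are assumptions made for the example.

```python
"""Flag FIN6-style Active Directory enumeration in process-creation telemetry.
Added example, not code from the video. Lines are constructed 'host|user|commandline'
records standing in for Sysmon Event ID 1 / Windows 4688 events."""
import re
from collections import defaultdict

# (ATT&CK technique, regex over the lowercased command line): the AdFind filters,
# the net/nltest alternatives and the Get-AD* cmdlets shown in the video.
RULES = [
    ("T1087.002 Domain Account Discovery",
     re.compile(r'adfind(\.exe)?\b.*objectcategory=person|\bnet1?(\.exe)?\s+user\b.*/domain')),
    ("T1018 Remote System Discovery",
     re.compile(r'adfind(\.exe)?\b.*objectcategory=computer|\bnet1?(\.exe)?\s+group\s+"?domain computers"?.*/domain')),
    ("T1482 Domain Trust Discovery",
     re.compile(r'adfind(\.exe)?\b.*(objectcategory=organizationalunit|trustdmp)|\bnltest(\.exe)?\s+/domain_trusts|get-adorganizationalunit')),
    ("T1016 System Network Configuration Discovery",
     re.compile(r'adfind(\.exe)?\b.*objectcategory=subnet|get-adreplicationsubnet')),
    ("T1069.002 Domain Group Discovery",
     re.compile(r'adfind(\.exe)?\b.*objectcategory=group|\bnet1?(\.exe)?\s+group\s+/domain')),
]
# Output redirected into C:\Users\Public, the staging directory used in the video.
STAGING = re.compile(r'>\s*"?[a-z]:\\users\\public\\', re.I)

def classify(cmdline):
    """Return the set of discovery techniques one command line matches."""
    return {name for name, rx in RULES if rx.search(cmdline.lower())}

def staged_to_public(cmdline):
    """True when the command redirects its output under C:\\Users\\Public."""
    return STAGING.search(cmdline) is not None

def analyze(lines, threshold=3):
    """Aggregate per host. A single 'net user /domain' is everyday noise; a host
    that chains >= threshold distinct techniques, or stages output to Public at
    least twice, matches the FIN6 discovery pattern and is returned as an alert."""
    per_host = defaultdict(lambda: {"user": None, "techniques": set(), "staged": 0})
    for line in lines:
        host, user, cmd = (p.strip() for p in line.split("|", 2))
        hits = classify(cmd)
        if not hits:
            continue
        rec = per_host[host]
        rec["user"], rec["techniques"] = user, rec["techniques"] | hits
        rec["staged"] += staged_to_public(cmd)
    return {h: {"user": r["user"], "techniques": sorted(r["techniques"]), "staged": r["staged"]}
            for h, r in per_host.items()
            if len(r["techniques"]) >= threshold or r["staged"] >= 2}

# Constructed sample telemetry: DC01 runs the video's sequence, WS07 is benign.
SAMPLE_LOGS = [
    r"DC01|CORP\svc_backup|adfind.exe -f objectcategory=person > C:\Users\Public\ad_users.txt",
    r"DC01|CORP\svc_backup|net user /domain > C:\Users\Public\ad_users_net.txt",
    r"DC01|CORP\svc_backup|adfind.exe -f objectcategory=computer > C:\Users\Public\ad_computers.txt",
    r"DC01|CORP\svc_backup|nltest /domain_trusts > C:\Users\Public\ad_trustdump_nltest.txt",
    r"DC01|CORP\svc_backup|powershell Get-ADReplicationSubnet -Filter * > C:\Users\Public\ad_subnets_powershell.txt",
    r"WS07|CORP\jdoe|net user jdoe /domain",
    r"WS07|CORP\jdoe|notepad.exe C:\Users\jdoe\notes.txt",
]
```

Running `analyze(SAMPLE_LOGS)` returns only DC01, with four distinct techniques and five commands staged to Public, while the single lookup on WS07 stays below the threshold.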

The lab environment used in this demonstration is available for free on CYBER RANGES, allowing you to follow along and practice these techniques in a safe and controlled setting.

// CYBER RANGES Adversary Emulation Labs
► New to CYBER RANGES? Register for a free account here: https://bit.ly/42VxDu5
► Access the FIN6 AD Enumeration Lab: https://bit.ly/3XsXFRZ
► Adversary Emulation Fundamentals Labs (Free): https://bit.ly/4gQd8SB

🔗 Video Resources & References
CTID Adversary Emulation Library: https://github.com/center-for-threat-informed-defense/adversary_emulation_library

## Contents

### [0:00](https://www.youtube.com/watch?v=Iwxmscx3XXc) Segment 1 (00:00 - 05:00)

Hey guys, HackerSploit here, back again with another video. Welcome back to the Adversary Emulation series, where we explore the process of emulating and/or simulating the tradecraft and TTPs of real-world threat actors and APT groups. In this video we will be resuming our FIN6 adversary emulation campaign that we started a few videos back, and our objective in this video is to emulate FIN6's Active Directory enumeration techniques.

Before we actually proceed, I'm just going to give you a refresher as to what type of group FIN6 is and what their objectives are, but more so to contextualize what we'll be covering in this video. As the title suggests, we're going to be emulating FIN6's Active Directory enumeration techniques. FIN6 is known to perform extensive enumeration and/or discovery in Active Directory environments, and they typically utilize native Windows and PowerShell commands, or cmdlets if you will, to facilitate this enumeration. In addition to this, they're also known to rely heavily on tools like AdFind to simplify the enumeration. So our objective in this video is to emulate FIN6's Active Directory-specific enumeration techniques, or TTPs if you will. Instead of just getting this data or enumerating blindly, we're going to follow their tradecraft by collecting and aggregating the information that we're enumerating in a format that is suitable for exfiltration. So we're going to be enumerating and then staging this information for exfiltration and further analysis, and that's one of the things that FIN6 does when they gain access to an Active Directory environment: they enumerate pretty much all the key info from the Active Directory environment and then exfiltrate it out for analysis before they begin phase two of their attack.

Before we get started, I just want to point out that this video assumes that you have watched the previous or the first video, or the first section of the FIN6 emulation series, where we obtained initial access. So I'm going to assume you have already obtained initial access, either via a Meterpreter session or PowerShell, and as I mentioned, we've covered the initial access phase in the FIN6 initial access video. You should see a card pop up on your screen that will take you to that video if this is your first time watching this series; alternatively, I've also added the previous relevant videos in the description section.

Again, if you're new to this series, in order to demonstrate these techniques we're going to be utilizing the Adversary Emulation Fundamentals labs on the CYBER RANGES platform, and this particular set of labs is accessible freely on the CYBER RANGES platform. So if you're new to the CYBER RANGES platform, just navigate to app.cyberranges.com. You can register for an account, it's 100% free, and the labs in question are 100% free. A link to the CYBER RANGES platform will be in the description section. Once you've registered for an account, just head over to the Community / Free section and you'll see the playlist of labs that I'm referring to: it's the MITRE ATT&CK Defender adversary emulation series, or Adversary Emulation Fundamentals playlist. So for the FIN6 emulation plan we have been using Lab 1.3, and we're going to be continuing off from where we left off in the initial access video. So once you've registered for an account, just click on this lab and it'll provide you with access to the pre-configured environment, where you have access to a Kali Linux system and the target Active Directory environment has already been set up. Again, if you're new to this series, please watch the first video where I go over the lab and how it works, but I'll sort of be walking through this. So this is the lab we're going to be using, 1.3, and you can just click on Start and you should be good to go. Again, a link to this particular playlist and the specific lab will be in the description section, 100% free. You can also check out some of my other labs that I've built on the CYBER RANGES platform, like the HackerSploit Red Team Tradecraft labs right over here. But with that being said, let's get started. Just fire up Lab 1.3, which I've already done, and I have access to it here, so let's get started. All right, now before we get started I think it's important to revisit the emulation plan. A link

### [5:00](https://www.youtube.com/watch?v=Iwxmscx3XXc&t=300s) Segment 2 (05:00 - 10:00)

to this will be in the description section, but we pretty much went over it in the first video when we were exploring the initial access phase. As you can see, the emulation plan is broken down into two phases, each comprising their own sub-phases if you will. We've done initial access, and we're now doing discovery, which is pretty much going to encompass Active Directory enumeration. You can see the discovery phase is explained here: after gaining access to the target network, FIN6 enumerates the network and Active Directory environment. The second objective of phase one is to conduct internal reconnaissance; the intent of this phase is to identify opportunities for escalation, lateral movement, systems for staging, and systems of interest for phase two of the operation. As it says here, FIN6 is believed to have used AdFind for this purpose on at least one occasion. For the purposes of emulation they suggest AdFind, but they've also recommended alternatives in this particular emulation plan. In any case, I set up or designed an ATT&CK Navigator layer to outline the specific TTPs and the other specific techniques and sub-techniques that we'll be emulating, and you can see that right from here: T1087 Account Discovery, where we're focusing on enumerating domain accounts, and then we have the other techniques here like Domain Trust Discovery, Domain Group Discovery, and then Remote System Discovery, which is quite important for lateral movement, and then over here you can see System Network Configuration Discovery. So these are the techniques we'll be emulating.

Once you've started up the MAD Adversary Emulation Lab 1.3 on CYBER RANGES, you would need to gain initial access. You can follow the walkthrough in the overview, and as I said, make sure you go through the previous video, but once you're good to go you can just fire up your Kali Linux system. Again, if you have access via Meterpreter that'll work just fine; if you choose to use your own PowerShell, that's fine as well, although we would require some functionality from Meterpreter that again is in alignment with the emulation plan. So I'll see you in a few seconds once I've gained access to my Meterpreter session.

All right, so I have fired up the Kali Linux system and I've obtained a Meterpreter session on the target domain controller, as we did in the initial access video. I'm just going to move this into full screen, let me just reload it. You can access the Kali Linux system that's provided to you via RDP in your browser, so you don't need a VPN. With that being said, you can see right over here we have the Meterpreter session, and I'll just confirm that we are in fact on the domain controller, like so. There we are. So proceeding on, if you remember again from the previous video, in the emulation plan FIN6 is known to use PowerShell as its command and scripting interpreter, so you need to use or load PowerShell in Meterpreter if you're following along. You can just load that by typing in `load powershell`, and I already have it going, so I can then say `powershell_shell`, like so. What we're going to do now is navigate to the Public user home directory; that's where we're going to be staging all the data that we're enumerating for exfiltration, which we'll cover in the next video. So I'm just going to navigate to `C:\Users\Public`. This is a very well-known directory that's commonly used for staging of both files and tools, but also files for exfiltration. So if I list out the files in this particular directory, you can disregard the PowerShell scripts here; these were used to set up this particular domain controller. But this is the directory where we're going to be saving all the data we enumerate, and we're then going to be preparing the archive for exfiltration.

So first things first, what's the first technique that we want to emulate? Well, that is Account Discovery: Domain Accounts, right? And again, in this particular case FIN6 is known to use AdFind, which is already loaded on the target system and is not a malicious program. So we would say `adfind`, and we want to get the object category, and that's going to be equal to `person`, so AD users as it were. Instead of just displaying it on the screen, we're going to save this into files, which is what FIN6 does; they typically name their files quite well, or have quite descriptive file names, and in this case we will just call

### [10:00](https://www.youtube.com/watch?v=Iwxmscx3XXc&t=600s) Segment 3 (10:00 - 15:00)

ours `ad_users.txt`, so `adfind -f objectcategory=person > ad_users.txt`. We can just hit enter and that's going to enumerate that info. There we are, and then we can say `type ad_users.txt` just to see whether that data was output successfully. There we are, we can see that all the relevant AD user enumeration was performed by AdFind and then saved in that file. Alternatively, they also use the net command, so `net user /domain`, and we'll also save this as ad users, just so that we have some alternate data sources: `ad_users_net.txt`, just so we can distinguish between the two, like so.

Once we have that done, we can move on to the next technique, which is Remote System Discovery. In this case we want to discover computers, or essentially check the AD environment for all objects within the category computer, right? The reason for that is quite important, or self-explanatory, in the context of lateral movement or pivoting. We can again utilize `adfind.exe`, and we just specify the `-f` filter here, that's going to be `objectcategory=computer`, and we're then going to save this as `ad_computers.txt`. All right, and we're going to analyze this info in the next video once we have exfiltrated it, again because we're emulating FIN6, so we want to make sure we follow their techniques exactly how they perform them. So I'll just hit enter now, and there we are. The alternate net command that can be used to do this as well is `net group "Domain Computers" /domain`, where we just query the Active Directory domain group that is called Domain Computers, and then we'll save that as `ad_computers_net.txt`, just to distinguish between the two. So there we are, I'm just going to hit enter now, and we have that done.

The next bit of enumeration is going to be Domain Trust Discovery. So again we can utilize AdFind to query Active Directory for all objects that have the category set to organizational unit. What we're doing here is just enumerating the OUs first, so `adfind.exe`, and then we'll specify the object category, and that's going to be, if I remember correctly, `organizationalUnit` with an uppercase U, like so, and we're then going to save this as `ad_ous.txt`. All right, we should have that there. Let's perform a quick check just to see we have all the files that we're generating. There we are, so we have ad_computers_net, ad_ous, ad_users, etc. Again, this process or this particular technique can also be replicated as they have done; they don't just rely on AdFind. If that tool is unavailable or they can't get it in, then they would rely on net, and in this case we would say `net group`... actually, would that allow us to do this? No, we would need to use nltest. But we can also utilize, because we are on the domain controller, the Get-ADOrganizationalUnit cmdlet. So then we would say `-Filter`, and in this particular case we would say `Name -like` and then we can specify a wildcard there, like so, and then pipe this and format it a little. We want a table format, so `Format-Table`, and we would then say the columns, so `Name` and then `DistinguishedName`. I just zoomed out there a little bit, and now we would redirect that to, let's say, `ad_ous_powershell.txt`.

### [15:00](https://www.youtube.com/watch?v=Iwxmscx3XXc&t=900s) Segment 4 (15:00 - 20:00)

In this particular case we're using the Get-ADOrganizationalUnit cmdlet to pretty much get all OUs, and then it formats the output to include the name and distinguished name, and we're saving it in that particular file, like so. So that's done. We can also utilize the AdFind tool in conjunction with the trust dump feature here to perform a full forest search for trust objects, and then we can save that as well. This is the technique, or the procedure sorry, that FIN6 utilizes for identifying trust objects: `adfind.exe -gcb -sc trustdmp`, and then we can output that to `ad_trustdump.txt`. Let's hit enter, so there we go. Then the alternative procedure that's utilized is nltest, which is again quite powerful if you've ever done AD enumeration. We can then say `nltest /domain_trusts`, and I'll explain what this does in a few seconds, and we then save this as `ad_trustdump_nltest.txt`, and we can hit enter. So in this particular case we're using the nltest utility to enumerate the trusts, and this is another procedure that FIN6 uses, so we're sort of encompassing all the procedures used for every technique or sub-technique, if that makes sense.

Then they also perform System Network Configuration Discovery, or enumeration if you will, where they essentially query the Active Directory environment or domain for all objects with the category subnet. In this case we can utilize or follow their primary procedure, which is AdFind, and then we specify `-subnets`, and then over here we need to specify the filter, so object category, and that's going to be equal to just `subnet`, like so, and we'll save this as `ad_subnets.txt`. All right, cool, now that should do it. Yeah, and then the alternative procedure that they utilize for System Network Configuration Discovery is the Get-ADReplicationSubnet cmdlet, so get, sorry, what am I saying, `Get-ADReplicationSubnet`, and the filter we can use in here is just also a wildcard, and then we'll save this as `ad_subnets_powershell.txt`, so we can sort between the different procedures, or the output from different tools or procedures.

Then we have the final enumeration step, which involves Permission Groups Discovery, or enumeration, which pretty much means enumerating domain groups. In this case again they utilize `adfind.exe`, and in this case we just need to set the object category; we're going to set that to, let's see, `group` I believe. Yeah, there shouldn't be anything special to specify there, so we'll just say `ad_group.txt`, save that in there with AdFind, and then we're going to showcase the other procedure, which is just using the net command, so we can say `net group /domain`, and then we're going to say `ad_group_net.txt`. All right, so we'll just save that there, and I think we are done in terms of emulating their AD enumeration techniques and consequently the procedures.

So in the next video we're going to be taking a look at staging all of this information that we've enumerated for exfiltration and then performing the exfiltration, and hopefully that'll be interesting. So that's going to be it for this video. I want to break these videos down into smaller chunks so that they're easily consumable; the next video will also explore privilege escalation in addition to exfiltration. So that's going to be it for this video. Do keep your eyes open for the next video. If you have any questions or suggestions, leave them in the comment section. If you liked this video or found value in it, leave a like down below, and don't forget to check out the lab on CYBER RANGES and play through it. And with that, without wasting too much

### [20:00](https://www.youtube.com/watch?v=Iwxmscx3XXc&t=1200s) Segment 5 (20:00 - 20:00)

time, that's going to be it for me, and I'll be seeing you in the next video.

---
*Source: https://ekstraktznaniy.ru/video/20355*