Hello fellow hackers and enthusiasts! DSQuery is a powerful command-line tool that enables querying Active Directory (AD) for information about objects within a domain. While primarily designed for system administrators, red teamers can leverage DSQuery to enumerate AD environments and identify potential misconfigurations, privilege relationships, and attack paths.
In this guide, we’ll explore how to use DSQuery for Active Directory reconnaissance, providing practical command examples and real-world scenarios that red teamers encounter during engagements.
What is DSQuery?
DSQuery is a command-line tool included in the Active Directory Domain Services (AD DS) Tools feature of the Remote Server Administration Tools (RSAT) package. It can search for and retrieve information about the objects within the Active Directory environment. Some of the objects that can be queried with DSQuery include:
- User accounts
- Computer accounts
- Security groups
- Organizational Units (OU)
- Domain controllers
DSQuery can query information about these objects based on specific criteria, such as the object’s name, description, or attributes. It can also perform more complex searches using LDAP filters.
Red Team Applications
DSQuery provides red teamers with critical reconnaissance capabilities for Active Directory environments. The information gathered can reveal:
- User enumeration: Usernames, email addresses, group memberships, and account status
- Computer discovery: Hostnames, IP addresses, operating systems, and service accounts
- Group analysis: Security group memberships, nested groups, and permission inheritance
- Infrastructure mapping: Domain controllers, organizational units, and trust relationships
- Policy assessment: Group Policy Objects (GPOs) and their applied settings
This intelligence enables red teamers to identify attack paths, privilege escalation opportunities, and lateral movement vectors within the target environment.
Practical DSQuery Commands for Red Teaming
Here are essential DSQuery commands organized by reconnaissance objectives:
Querying user accounts
DSQuery can be used to query information about user accounts in Active Directory. The following command can be used to retrieve a list of all user accounts in the domain:
dsquery user domainroot -limit 0
This command returns every user account in the domain. Red teamers can use this list to identify candidates for social engineering or to spot accounts that are likely to be privileged.
To retrieve specific information about a particular user account, the following command can be used:
dsquery user domainroot -samid username
Replace “username” with the name of the user account you wish to query. This command will return information about the user account, including group memberships and attributes.
Querying computer accounts
DSQuery can also query information about Active Directory’s computer accounts. The following command can be used to retrieve a list of all computer accounts in the domain:
dsquery computer domainroot -limit 0
This command returns every computer account in the domain. Red teamers can use this list to identify targets for network-based attacks or to gather details that are useful for social engineering.
To retrieve specific information about a particular computer account, the following command can be used:
dsquery computer domainroot -samid computername$
Replace “computername” with the name of the computer account you wish to query. This command will return information about the specified computer account, including its hostname, IP address, and operating system.
Querying security groups
DSQuery can also query information about security groups in Active Directory. The following command can be used to retrieve a list of all security groups in the domain:
dsquery group domainroot -limit 0
This command returns every security group in the domain. Red teamers can use this list to identify groups worth examining for privilege escalation or to gather details that are useful for social engineering.
To retrieve specific information about a particular security group, the following command can be used:
dsquery group domainroot -samid groupname
Replace “groupname” with the name of the security group you wish to query. This command will return information about the specified security group, including its members and permissions.
Querying domain controllers
DSQuery can also query information about domain controllers in Active Directory. The following command can be used to retrieve a list of all domain controllers in the domain:
dsquery server
This command will return a list of all domain controllers in the domain. Red teamers can use this information to identify potential targets for privilege escalation attacks or to gather information about the domain infrastructure.
To retrieve specific information about a particular domain controller, the following command can be used:
dsquery server -name domaincontrollername
Replace “domaincontrollername” with the domain controller name you wish to query. This command will return information about the specified domain controller, including its IP address, operating system, and service pack level.
Querying organizational units (OU)
DSQuery can also query information about organizational units (OU) in Active Directory. The following command can be used to retrieve a list of all organizational units in the domain:
dsquery ou domainroot -limit 0
This command will return a list of all organizational units in the domain. Red teamers can use this information to identify potential targets for privilege escalation attacks or to gather information about the domain structure.
To retrieve specific information about a particular organizational unit, the following command can be used:
dsquery ou -name "ou name"
Replace “ou name” with the name of the organizational unit you wish to query. This command will return information about the specified organizational unit, including its distinguished name and the names of its child objects.
Querying group policy objects (GPO)
DSQuery can also query information about group policy objects (GPO) in Active Directory. There is no dedicated gpo object type, so GPOs are retrieved through the generic dsquery * form with an LDAP filter on the groupPolicyContainer class. The following command can be used to retrieve a list of all GPOs in the domain:
dsquery * domainroot -filter "(objectClass=groupPolicyContainer)" -attr displayName distinguishedName -limit 0
This command will return a list of all GPOs in the domain. Red teamers can use this information to identify potential targets for privilege escalation attacks or to gather information about the domain policy settings.
To retrieve specific information about a particular GPO, the following command can be used (the GPO's display name goes inside the LDAP filter):
dsquery * domainroot -filter "(&(objectClass=groupPolicyContainer)(displayName=gpo name))" -attr *
Replace “gpo name” with the name of the GPO you wish to query. This command will return information about the specified GPO, including its distinguished name and the policy settings that it contains.
Real-World Red Teaming Scenario
Consider this typical engagement scenario: You’ve gained initial access to a workstation and need to understand the Active Directory environment for lateral movement.
Phase 1: Initial Reconnaissance
# Discover domain structure
dsquery ou domainroot -limit 0
# Identify domain controllers
dsquery server
# Find all users for potential targets
dsquery user domainroot -limit 0
Phase 2: Privilege Analysis
# Find administrative groups
dsquery group domainroot -name "*admin*"
# Identify members of Domain Admins
dsquery group domainroot -samid "Domain Admins" | dsget group -members -expand
# Find service accounts
dsquery user domainroot -name "*svc*"
Phase 3: Infrastructure Mapping
# Discover servers
dsquery computer domainroot -name "*server*"
# Find computers in IT department OU
dsquery computer "OU=IT,DC=domain,DC=com" -name *
# Analyze GPOs for security misconfigurations
dsquery * domainroot -filter "(objectClass=groupPolicyContainer)" -attr displayName distinguishedName -limit 0
This systematic approach helps red teamers build a comprehensive picture of the target environment and identify the most promising attack vectors.
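Every command in the three phases above prints one double-quoted distinguished name per line, so the practical next step, whether you are organising results during an engagement or reviewing what a query returned during an investigation, is to parse that output correctly. The Python below is an added example, not code from the original post or from the dsquery tool: it splits each DN into RDNs following RFC 4514 escaping (so a name such as "Smith, John" does not break the parse) and counts objects per OU path. SAMPLE_OUTPUT is constructed for the example, not captured from a real domain.

```python
"""Parse the quoted distinguished names that dsquery prints, one per line, and
summarise them by OU path. Added example; SAMPLE_OUTPUT is constructed, not
captured from a real domain."""
from __future__ import annotations
import re
from collections import Counter

# Constructed stand-in for what `dsquery user domainroot -limit 0` prints.
# Note the escaped comma in the second entry, which a naive split would break.
SAMPLE_OUTPUT = '''"CN=Alice Adams,OU=IT,DC=domain,DC=com"
"CN=Smith\\, John,OU=Finance,DC=domain,DC=com"
"CN=svc-backup,OU=Service Accounts,OU=IT,DC=domain,DC=com"
"CN=Bob Brown,OU=Finance,DC=domain,DC=com"
'''

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, most specific first.
    Handles RFC 4514 escapes: backslash-char (e.g. an escaped comma) and
    single-byte hex pairs such as \\2C."""
    rdns: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if HEX_PAIR.fullmatch(pair):
                buf.append(chr(int(pair, 16)))  # single-byte hex escape
                i += 3
            else:
                buf.append(dn[i + 1])  # escaped literal character
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))  # unescaped comma ends the RDN
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def parse_dsquery_output(text: str) -> list[list[tuple[str, str]]]:
    """dsquery wraps each DN in double quotes; strip them and parse each line."""
    parsed = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]
        parsed.append(split_dn(line))
    return parsed


def ou_path(rdns: list[tuple[str, str]]) -> str:
    """Container path from the domain downward, e.g. 'IT/Service Accounts'.
    Objects in a CN container such as CN=Users have no OU and return ''."""
    ous = [value for attr, value in rdns if attr == "OU"]
    return "/".join(reversed(ous))


def summarise_by_ou(text: str) -> dict[str, int]:
    """Count objects per OU path; shows where accounts cluster in the tree."""
    return dict(Counter(ou_path(rdns) for rdns in parse_dsquery_output(text)))


if __name__ == "__main__":
    for path, count in sorted(summarise_by_ou(SAMPLE_OUTPUT).items()):
        print(f"{count:4d}  {path or '(domain root / CN container)'}")
```

The same parser works on the output of dsquery computer, group or ou, since all of them print DNs in the same quoted form; only the attribute you group by changes.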
Security Considerations and Best Practices
When using DSQuery for red teaming engagements, consider these important factors:
Detection and Logging:
- DSQuery operations generate Windows Security Event Log entries (Event ID 4661)
- Domain controllers log all LDAP queries by default
- Consider using alternative tools like PowerView or BloodHound for stealthier enumeration
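The LDAP filters mentioned in the introduction and the logging points above come down to one question: what does the domain controller actually receive when dsquery runs? Each dsquery object type is a thin wrapper over a single LDAP search, and a detection rule has to reason about that search (base, scope, filter, size limit) rather than the command name. The Python below is an added example, not code from the original post or from the dsquery tool: it rebuilds the search for the dsquery forms used in this guide and scores how enumeration-like it is. The object-class clauses, the mapping of -name/-samid/-desc to the name/sAMAccountName/description attributes, and the scoring thresholds are assumptions for illustration; the exact filter text dsquery emits may differ.

```python
"""Reconstruct the LDAP search behind a dsquery invocation and score how much
it looks like bulk enumeration. Added example, not part of the original post.
Object-class clauses, option-to-attribute mapping and thresholds are assumed."""
from __future__ import annotations
import shlex

# Clauses each dsquery object type applies before any narrowing (assumed).
OBJECT_CLASS_CLAUSES = {
    "user": ["(objectCategory=person)", "(objectClass=user)"],
    "computer": ["(objectCategory=computer)"],
    "group": ["(objectCategory=group)"],
    "ou": ["(objectCategory=organizationalUnit)"],
}

# dsquery option -> LDAP attribute it matches against (assumed mapping).
ATTR_FOR_OPTION = {"-name": "name", "-samid": "sAMAccountName", "-desc": "description"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value inside a filter. '*' is left alone
    because dsquery passes it through as the LDAP wildcard."""
    return "".join("\\%02x" % ord(ch) if ch in "\\()\x00" else ch for ch in value)


def dsquery_to_ldap(cmdline: str) -> dict:
    """Return base, scope, filter, limit and the narrowing (attr, value) pairs.
    Options not modelled here (-s, -u, -o, -inactive, ...) are skipped."""
    argv = shlex.split(cmdline)
    if len(argv) < 2 or argv[0].lower() != "dsquery":
        raise ValueError("not a dsquery command line")
    obj = argv[1].lower()
    if obj not in OBJECT_CLASS_CLAUSES:
        raise ValueError(f"object type {obj!r} not modelled here")
    base, scope, limit = "domainroot", "subtree", 100  # dsquery defaults
    rest = argv[2:]
    if rest and not rest[0].startswith("-"):
        base = rest.pop(0)  # explicit start node: a DN, domainroot or forestroot
    narrowing: list[tuple[str, str]] = []
    i = 0
    while i < len(rest):
        opt = rest[i].lower()
        has_arg = i + 1 < len(rest)
        if opt in ATTR_FOR_OPTION and has_arg:
            narrowing.append((ATTR_FOR_OPTION[opt], rest[i + 1]))
            i += 2
        elif opt == "-limit" and has_arg:
            limit = int(rest[i + 1])  # 0 means "no limit"
            i += 2
        elif opt == "-scope" and has_arg:
            scope = rest[i + 1].lower()
            i += 2
        else:
            i += 1
    clauses = OBJECT_CLASS_CLAUSES[obj] + [
        f"({attr}={escape_filter_value(val)})" for attr, val in narrowing
    ]
    ldap_filter = clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
    return {"base": base, "scope": scope, "filter": ldap_filter,
            "limit": limit, "narrowing": narrowing}


def enumeration_score(search: dict) -> tuple[int, list[str]]:
    """Heuristic score (higher = more enumeration-like) plus the reasons.
    Weights are illustrative assumptions, not vendor guidance."""
    score, reasons = 0, []
    if search["base"] in ("domainroot", "forestroot"):
        score += 1
        reasons.append("rooted at the whole domain or forest")
    if search["scope"] == "subtree":
        score += 1
        reasons.append("subtree scope")
    if not search["narrowing"]:
        score += 2
        reasons.append("no narrowing beyond object class")
    elif any(value.startswith("*") for _, value in search["narrowing"]):
        score += 1
        reasons.append("leading wildcard in a narrowing clause")
    if search["limit"] == 0:
        score += 2
        reasons.append("unbounded result size (-limit 0)")
    return score, reasons


def is_bulk_enumeration(cmdline: str, threshold: int = 5) -> bool:
    """True when the reconstructed search scores at or above the threshold."""
    score, _ = enumeration_score(dsquery_to_ldap(cmdline))
    return score >= threshold


if __name__ == "__main__":
    for cmd in ("dsquery user domainroot -limit 0",
                "dsquery user domainroot -samid jdoe",
                'dsquery group domainroot -name "*admin*"'):
        search = dsquery_to_ldap(cmd)
        score, why = enumeration_score(search)
        print(f"{score}  {cmd}\n     {search['filter']}\n     {'; '.join(why)}")
```

Run over the Phase 1 commands, the full-domain listings score at the top of the scale while the single-object lookups (-samid with a literal value) score low; the same shape test can be applied to whatever LDAP search telemetry the domain controllers produce, since it keys on the search itself rather than on the client tool.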
Authorization and Scope:
- Ensure proper authorization before conducting Active Directory enumeration
- Limit queries to authorized scope and timeframe
- Document all activities for engagement reporting
Tool Limitations:
- DSQuery requires domain credentials or local admin access
- Some queries may be restricted by Group Policy settings
- Large domains may require query optimization to avoid timeouts
- Commands may fail if RSAT tools are not installed or if user lacks sufficient permissions
- Network connectivity issues can cause query failures in distributed environments
Conclusion
DSQuery remains a fundamental tool for Active Directory reconnaissance, providing red teamers with essential intelligence about domain structure, user accounts, and security configurations. While newer tools offer enhanced capabilities, DSQuery’s native Windows integration and comprehensive query options make it valuable for both initial reconnaissance and detailed analysis.
Remember that successful red teaming requires not just technical proficiency with tools like DSQuery, but also strategic thinking about how the gathered intelligence can be leveraged for privilege escalation, lateral movement, and ultimately, achieving engagement objectives.