Module 12

Question 1

What is the primary goal of the ‘Discovery’ tactic [TA0007] in an adversarial attack?

Answer 1

An adversary attempts to enumerate information about the environment they are operating in.

Question 2

Why is ‘Discovery’ often considered a prerequisite step to Lateral Movement?

Answer 2

Adversaries need to know what systems and resources an impersonated user can access before they can move to other systems.

Question 3

What protocol do most domain enumeration tools leverage to query Active Directory?

Answer 3

LDAP (Lightweight Directory Access Protocol) or LDAPS (LDAP over SSL).

Question 4

What is ADWS, and how does it relate to LDAP?

Answer 4

Active Directory Web Services (ADWS) is a protocol that wraps LDAP queries in HTTP requests.

Question 5

Why is running a default BloodHound collector like SharpHound considered risky when emulating an advanced threat?

Answer 5

Many security vendors have signatured the hardcoded queries, session enumeration traffic, and inefficient data retrieval methods used by default collectors.

Question 6

What is a stealthier alternative to using default BloodHound collectors for data gathering?

Answer 6

Perform data collection using custom LDAP queries with a tool like ldapsearch and then parse the output for BloodHound.

Question 7

The Python script _____ is used to parse the output of tools like ldapsearch into BloodHound-compatible JSON files.

Answer 7

BOFHound

Question 8

What is the standard TCP port for unencrypted LDAP communication?

Answer 8

TCP port 389.

Question 9

What is the standard TCP port for LDAPS (LDAP over SSL)?

Answer 9

TCP port 636.

Question 10

In LDAP, what does the ‘objectClass’ attribute define for an object?

Answer 10

It defines the types of attributes the object can have.

Question 11

What is a potential issue when searching for LDAP objects with an objectClass of ‘user’ or ‘person’?

Answer 11

The search will also return computer accounts, as they share these object classes.

Question 12

What is the purpose of an LDAP filter?

Answer 12

An LDAP filter defines the criteria for a search to find specific objects in the directory.

Question 13

What sAMAccountType value corresponds to a standard user account in Active Directory?

Answer 13

The decimal value 805306368.

Question 14

In an LDAP filter, what character represents the logical ‘AND’ operator?

Answer 14

The ampersand character (&).

Question 15

In an LDAP filter, what character represents the logical ‘OR’ operator?

Answer 15

The pipe character (|).

Question 16

In an LDAP filter, what character represents the logical ‘NOT’ operator?

Answer 16

The exclamation mark (!).

Question 17

What is the correct syntax placement for logical operators (&, |, !) within an LDAP filter group?

Answer 17

The logical operator must always appear at the beginning of the grouping (prefix notation).

Question 18

What LDAP filter would find all user accounts (sAMAccountType=805306368) that also have their adminCount attribute set to 1?

Answer 18

(&(samAccountType=805306368)(adminCount=1))

Question 19

How can you limit the attributes returned by an ldapsearch query?

Answer 19

Use the --attributes parameter followed by a comma-separated list of attribute names.

Question 20

Which attribute must be included in an ldapsearch query to identify ACL-based attack paths in BloodHound?

Answer 20

ntsecuritydescriptor

Question 21

What is the LDAP OID for the bitwise AND matching rule (LDAP_MATCHING_RULE_BIT_AND)?

Answer 21

1.2.840.113556.1.4.803

Question 22

The bitwise AND filter is particularly useful for querying which specific Active Directory attribute that consists of bitwise flags?

Answer 22

userAccountControl

Question 23

What LDAP filter would find computer accounts (sAMAccountType=805306369) configured for unconstrained delegation (a userAccountControl flag of 524288)?

Answer 23

(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))

Question 24

What is the LDAP OID for the matching rule LDAP_MATCHING_RULE_IN_CHAIN?

Answer 24

1.2.840.113556.1.4.1941

Question 25

What is the primary use case for the `LDAP_MATCHING_RULE_IN_CHAIN` OID in Active Directory enumeration?

Answer 25

It is used to query the ancestry of an object, which is useful for unrolling nested group memberships.

Question 26

What LDAP filter would recursively find all members of the 'Domain Admins' group, including members of nested groups?

Answer 26

"(memberof:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=contoso,DC=com)"

Question 27

What OPSEC risk is associated with the 'Expensive Search Results Threshold' for LDAP queries?

Answer 27

This threshold is triggered by queries that return more results than a configured limit, such as a query for `(objectClass=*)`.

Question 28

What are the two main factors that contribute to a long LDAP query time, potentially triggering the 'Search Time Threshold'?

Answer 28

The size of the result set and the number of attributes being returned for each object.

Question 29

Requesting which two attributes together in `ldapsearch` will result in the slowest query time for a given filter?

Answer 29

All attributes and the security descriptor (`*,ntsecuritydescriptor`).

Question 30

When does an LDAP query trigger the 'Inefficient Search Results Threshold'?

Answer 30

When a query visits a large number of directory objects but returns less than 10% of them as results.

Question 31

Why might a targeted query for kerberoastable users be considered 'inefficient' from a detection standpoint?

Answer 31

It visits every user account but may only return a small percentage of them if few have an SPN set.

Question 32

What type of program is BOFHound?

Answer 32

It is a Python script designed to parse the raw output from tools like the `ldapsearch` BOF.

Question 33

What is the recommended query methodology when using `ldapsearch` and BOFHound to avoid detection?

Answer 33

Use small, efficient queries to build up a picture of the environment over several days or weeks.

Question 34

After running `bofhound` on Cobalt Strike logs, what is the next step to visualize the data?

Answer 34

Upload the generated JSON files to the BloodHound UI via the 'Administration > File Ingest' page.

Question 35

In the BloodHound UI, what does an object represented only by a SID or as 'no name or id' indicate?

Answer 35

It means that no data has been collected for that specific object yet.

Question 36

What is a piece of local group membership data that cannot be collected using LDAP alone?

Answer 36

Restricted group data, which is defined and applied via Group Policy Objects (GPOs).

Question 37

In which file, located in a GPO's SYSVOL path, is restricted group membership data defined?

Answer 37

GptTmpl.inf

Question 38

What is the typical path structure to find the `GptTmpl.inf` file for a GPO?

Answer 38

\\\SysVol\\Policies\{GPO_GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

Question 39

In BloodHound, what type of query language is used to manually add relationships, such as those for restricted groups?

Answer 39

Cypher

Question 40

What do WMI filters allow a GPO to do?

Answer 40

They allow for additional criteria to be set on GPO application, restricting it to computers that match a specific WMI query.

Question 41

What is a major limitation of BloodHound (at the time of writing) regarding GPOs and WMI filters?

Answer 41

BloodHound does not collect, display, or evaluate WMI filters when building its graphs.

Question 42

Which attribute of a GPO object indicates that a WMI filter is applied to it?

Answer 42

gPCWQLFilter

Question 43

In Active Directory, WMI filter objects are stored in which container?

Answer 43

The `CN=System,CN=WmiPolicy,CN=SOM` container.

Question 44

What is the `objectClass` of a WMI filter object in Active Directory?

Answer 44

msWMI-Som

Question 45

Which attribute of a `msWMI-Som` object stores the actual WMI query string?

Answer 45

msWMI-Parm2

Question 46

What is the relationship between GPOs and WMI filters?

Answer 46

It is a one-to-many relationship; a GPO can have only one WMI filter, but a WMI filter can be applied to multiple GPOs.

Question 47

What LDAP `objectClass` represents a computer account in the domain?

Answer 47

computer

Question 48

What LDAP `objectClass` is a container for storing users, computers, and other account objects?

Answer 48

organizationalUnit

Question 49

What LDAP `objectClass` is a container for storing Group Policy Objects?

Answer 49

groupPolicyContainer

Question 50

What specific SID represents the built-in Administrators group on a local machine?

Answer 50

S-1-5-32-544