Similar to the mythological dog that never failed to catch what he was hunting, laelaPS is a tool designed to identify MITRE ATT&CK techniques that are used in attacks against Active Directory, based on events recorded on the Domain Controller.
Common tools that are used to enumerate users and groups inside a domain are:
- BloodHound
- net.exe
Using administrative privileges, run laelaPS on the Domain Controller:
PS >.\laelaPS.ps1
The report will include the enumerated groups, along with the timestamp of the attack and the user that requested the enumeration.
Using administrative privileges, specify the remote Domain Controller with the -server parameter:
PS >.\laelaPS.ps1 -server <DC_IP_addr>
Enumeration is not reported when group members are enumerated using the Active Directory Users and Computers snap-in.