S0105 dsquery

dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. ¹ It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

Item	Value
ID	S0105
Associated Names
Type	TOOL
Version	1.4
Created	31 May 2017
Last Modified	04 January 2023
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1087	Account Discovery	-
enterprise	T1087.002	Domain Account	dsquery can be used to gather information on user accounts within a domain.¹³
enterprise	T1482	Domain Trust Discovery	dsquery can be used to gather information on domain trusts with `dsquery * -filter “(objectClass=trustedDomain)” -attr *`.²
enterprise	T1069	Permission Groups Discovery	-
enterprise	T1069.002	Domain Groups	dsquery can be used to gather information on permission groups within a domain.¹³
enterprise	T1082	System Information Discovery	dsquery has the ability to enumerate various information, such as the operating system and host name, for systems within a domain.³

Groups That Use This Software

ID	Name	References
G0096	APT41	³
G0061	FIN8	⁶

References

Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016. ↩↩↩
Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019. ↩
Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. ↩↩↩↩
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. ↩
Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. ↩
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. ↩