dsquery
⚠️ Overview
dsquery is not a standalone malware family but a legitimate Microsoft Windows command-line utility for querying Active Directory that multiple threat actors have weaponized for post-exploitation reconnaissance. First publicly documented as a malicious tool by Red Canary in 2020, it is used by groups including APT29 (Cozy Bear), FIN6, and the Carbanak gang to enumerate domain users, computers, groups, and trust relationships. It is classified as a Living-Off-the-Land (LotL) binary and reconnaissance tool rather than a traditional malware strain.
🔧 Technical Capabilities
Attackers run dsquery with command-line arguments after gaining initial access through phishing, credential theft, or remote exploitation. Common commands include dsquery user -name * to list all domain users, dsquery computer to list domain-joined machines, and dsquery * -filter "(objectClass=group)" to enumerate security group membership. The utility issues standard LDAP queries over TCP port 389 (or 636 for LDAPS) to Active Directory domain controllers, so its traffic blends in with normal administrative activity. dsquery provides no persistence of its own, but it is often bundled with attacker scripts or invoked from scheduled tasks. Evasion comes from relying on a Microsoft-signed binary, which avoids custom malware signatures, and from operating in memory within legitimate system processes. The utility is frequently chained with net.exe, whoami, and nltest for comprehensive domain mapping.
📜 History & Notable Incidents
First observed in criminal campaigns around 2015, dsquery gained prominence in 2020 when the SolarWinds supply-chain attack (attributed to APT29) used it extensively for lateral movement and discovery. In 2022, the LockBit ransomware group incorporated dsquery into its encryption scripts to target domain controllers before deployment. No CVE is associated with dsquery itself, but it has been used alongside vulnerabilities such as CVE-2021-42287 and CVE-2021-42278 (Kerberos privilege escalation) to escalate from domain user to domain admin. No law enforcement action has targeted dsquery, since it is a legitimate tool.
🔍 Detection Indicators
Behavioral detection focuses on anomalous outbound LDAP queries from non-admin workstations: dsquery.exe spawned by cmd.exe, powershell.exe, or wscript.exe with user, computer, and group arguments in rapid succession. Network indicators include LDAP traffic to multiple domain controllers from a single source IP in short bursts, or Base64-encoded LDAP filters in Event ID 4662 (An operation was performed on an object). There are no malicious file hashes to match on, because dsquery.exe is a legitimate component of the Windows RSAT (Remote Server Administration Tools) package whose SHA-1 varies by OS version. The utility itself creates no registry keys or mutexes.
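A defender-side detection sketch for the process-creation pattern just described (dsquery.exe launched by a scripting parent, hitting several object types in quick succession). This is an added example, not code from the original page or from any vendor; the log records, their field names and the thresholds are constructed or assumed and should be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe"}  # parents named in the text
RECON_OBJECTS = {"user", "computer", "group", "*"}             # dsquery object types of interest
WINDOW = timedelta(seconds=60)   # assumed burst window
MIN_DISTINCT = 3                 # assumed: >=3 distinct object types inside one window

# Constructed process-creation records in key=value|key=value form. Field names
# mirror Sysmon Event ID 1; the hosts, times and paths are made up for this example.
SAMPLE_EVENTS = [
    "UtcTime=2024-03-01T09:00:01|Computer=WS-042|Image=C:\\Windows\\System32\\dsquery.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=dsquery user -name *",
    "UtcTime=2024-03-01T09:00:04|Computer=WS-042|Image=C:\\Windows\\System32\\dsquery.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=dsquery computer -limit 0",
    'UtcTime=2024-03-01T09:00:09|Computer=WS-042|Image=C:\\Windows\\System32\\dsquery.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=dsquery * -filter "(objectClass=group)"',
    "UtcTime=2024-03-01T14:12:00|Computer=ADMIN-01|Image=C:\\Windows\\System32\\dsquery.exe|ParentImage=C:\\Windows\\System32\\mmc.exe|CommandLine=dsquery user -name jdoe",
]

def parse_event(line):
    """Split one record into the fields the detection needs; paths reduced to basenames."""
    f = dict(part.split("=", 1) for part in line.split("|"))
    return {
        "time": datetime.fromisoformat(f["UtcTime"]),
        "host": f["Computer"],
        "image": f["Image"].rsplit("\\", 1)[-1].lower(),
        "parent": f["ParentImage"].rsplit("\\", 1)[-1].lower(),
        "cmdline": f["CommandLine"],
    }

def dsquery_object(cmdline):
    """Return the dsquery object type (user, computer, group or *) from a command line, else None."""
    parts = cmdline.split()
    if len(parts) >= 2 and parts[1].lower() in RECON_OBJECTS:
        return parts[1].lower()
    return None

def find_recon_bursts(lines):
    """Return (host, object types) for hosts where a scripting parent ran dsquery
    against at least MIN_DISTINCT object types inside one WINDOW."""
    per_host = defaultdict(list)
    for ev in map(parse_event, lines):
        obj = dsquery_object(ev["cmdline"])
        if ev["image"] == "dsquery.exe" and ev["parent"] in SCRIPT_PARENTS and obj:
            per_host[ev["host"]].append((ev["time"], obj))
    alerts = []
    for host, events in sorted(per_host.items()):
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window from each event
            seen = {o for t, o in events[i:] if t - start <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                alerts.append((host, sorted(seen)))
                break  # one alert per host is enough for triage
    return alerts
```

On the constructed sample, WS-042 is flagged (three object types in eight seconds from cmd.exe) while the single mmc.exe-launched lookup on ADMIN-01 is not.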
☠️ Risk & Impact
The primary damage is information disclosure: attackers harvest Active Directory user lists, group memberships, and trust relationships to map attack paths for privilege escalation and lateral movement. This reconnaissance directly enables ransomware deployment (e.g., Ryuk, Conti), data exfiltration from domain controllers, and credential theft via Kerberoasting (using extracted service principal names). Financial losses from downstream attacks have totaled hundreds of millions of dollars across healthcare, finance, and energy sectors, particularly after the 2020-2021 wave of human-operated ransomware.
🛡️ Mitigation
Mitigation involves restricting execution of dsquery to authorized administrative workstations via AppLocker or Windows Defender Application Control (WDAC), monitoring Event ID 4662 for suspicious LDAP queries, and deploying Sigma rules (e.g., proc_creation_win_dsquery_usage) available from the Sigma repository. Microsoft’s Security Compliance Toolkit provides baselines to disable unnecessary RSAT components on endpoints.