ADRecon
ADRecon is an open-source PowerShell-based Active Directory reconnaissance tool that collects extensive information from AD environments. The sources collected here state it can gather data including ACLs, DNS zones, BitLocker recovery keys, LAPS passwords, domain accounts, and SPN credential hashes. It is executed as a script, typically ADRecon.ps1, and has also been observed renamed as dra.ps1 or recovered as an obfuscated script such as C:\osit\r.ps1. The reported use cases are post-compromise enterprise reconnaissance and privilege-escalation support: enumerating the AD environment to help intruders progress toward Domain Admin access. The sources associate the tool with several threat actors and intrusion sets, including VOID MANTICORE, BlackCat/ALPHV intrusions or affiliates, UNC3944, and Octo Tempest, and describe it being used alongside other reconnaissance or credential-access tooling such as PingCastle, ADFind, and Mimikatz. Its use is specifically noted in intrusions affecting Windows enterprise environments with Active Directory, including destructive and extortion-focused operations. No unique malware-style network indicators or file hashes for ADRecon itself are provided in the sources.
Groups observed using it
3 distinct threat actors attributed by public researchers.
The file was identified as ‘ADRecon’, an open-source PowerShell tool specifically designed to gather extensive information about Active Directory (AD) environments, including ACLs, DNS zones, BitLocker recovery keys, LAPS passwords, Domain accounts, and SPN credential hashes.
VOID MANTICORE has utilized ADRecon to enumerate the active directory environment.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
These included executing PowerShell commands... The threat actor created the ‘C:\Intel\45.ps1’ file... and executed it using PowerShell... Day 5: The threat actor used PowerShell to download and execute a script named ‘vic64.ps1’.
Stealth
1 technique
...the threat actor uploaded the ‘netscan.exe’ file to the same folder, used it to scan the domain, and deleted it after the scan activity was completed... the file no longer existed after execution – presumably it was deleted by the threat actor.
Discovery
5 techniques
...the threat actor utilized ‘nslookup’ and ‘dir’ commands to carry out reconnaissance of a server in a different domain... scan the domain... enumeration of the Admins group in the new domain.
Later, the threat actor utilized a user account to remotely deploy Cobalt Strike Beacon on a server in a third domain, followed by network scans and enumeration of the Admins group in the new domain.
The threat actor leveraged the SoftPerfect tool to perform several manual reconnaissance activities, which included searching for passwords in Group Policy xml files, accessing remote folders via Windows Explorer...
T1087.002 - Domain Account. Description from ATT&CK: Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
...running ADRecon (e.g., dra.ps1) to reach Domain Admin and enable broad destructive action.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Active Directory reconnaissance tool used to enumerate the victim AD environment.
Active Directory reconnaissance tool used to enumerate AD environments and support privilege escalation and destructive operations.
PowerShell-based Active Directory reconnaissance framework used to enumerate domain information to support privilege escalation and follow-on destructive actions.
Active Directory reconnaissance framework used to enumerate sensitive AD configuration and credential-related data at scale.