Coeus is an ADSI based Situational Awareness toolkit for domain environments with modularity in mind. Allows for the enumeration of users/groups/computers as well as some common misconfigurations including roasting (AS-REP, kerber) and delegation (Constrained, Unconstrained, RCBD) attacks.
Catch my talk featuring Coeus here! (add link pls)
Coeus is an interactive console app, meaning executing the binary drops users into a prompt. Use commands to view all available commands like so:
To get help for any command, use the help util:
- Enumerate users, groups (and group memberships), and computers on a domain
- Returns information on the domain and forest including domain
- Returns information on the RootDSE
- Searches for accounts with descriptions
- Returns "interesting accounts" (based ona string array in Models/Data.cs)
- Query object properties
- Return domain password policies
- Returns machine accounts with SPNs assigned and their respective SPNs
- Searches for potentially AS-REP/Kerberoastable accounts
- Searcher for machines potentially vulnerable to delegation attacks (constrained, unconstrained,
resource based, coming soon) - Query GPOs
- Query object ACL
Open .sln in Visual Studio and build
- Give option to set/change SearchScope
Usersno passwd req'd
ObjProperyparse SID/GUID
- LAPSSweep
- RoastHunter
- if machine w/ SPN is found, attempt to determine enc type (msDS-SupportedEncryptionTypes) and return that
- use Coeus to locate potentially kerberoastable machines and fetch neccesary info to pass to SnipeRoast AtlasUtil
- ACL Enum
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
takes obj as param- allow for the specifying of Identity Reference
GPO Enumfetch allall propertiesspecific propertiesreturn namescorrectly return byte[] entries (objGUID)
- DCSync
- search for DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set
Misccreate method to convert and return SID/GIUD entries in extensions
- Authenticate
- Allow for operator to authenticate into a domain as to not drop Coeus to disk
I am not responsible for actions taken by users of Coeus. Coeus was released solely for educational and ethical purposes.