nov3mb3r / laelaPS

Detect enumeration of security groups in Domain Controller

laelaPS

Like the mythological dog that never failed to catch what it hunted, laelaPS is a tool designed to identify MITRE ATT&CK techniques used in attacks against Active Directory, based on events recorded on the Domain Controller:

  • Permission Groups Discovery (T1069)
  • Account Discovery (T1087)

Common tools that are used to enumerate users and groups inside a domain are:

Usage

Using administrative privileges, run laelaPS on the Domain Controller.

PS >.\laelaPS.ps1

The report will include the enumerated groups, along with the timestamp of the attack and the user that requested the enumeration.
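As an added example (not the laelaPS script itself), the following PowerShell shows one way to build such a report from the Domain Controller's Security log. It assumes the DC logs event 4799 ("A security-enabled local group membership was enumerated", available on Windows Server 2016 and later when the relevant audit subcategory is enabled); the function name `Get-GroupEnumerationReport` and its `-ComputerName`/`-Hours` parameters are this example's own.

```powershell
# Added example, not the laelaPS script: report security group enumeration
# from Security event 4799 on a Domain Controller. Run elevated; pass
# -ComputerName to query a remote DC (hypothetical parameter names).
function Get-GroupEnumerationReport {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4799                      # security-enabled local group membership enumerated
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        $events = @()
    }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time          = $e.TimeCreated
            Group         = "$($d.TargetDomainName)\$($d.TargetUserName)"   # enumerated group
            RequestedBy   = "$($d.SubjectDomainName)\$($d.SubjectUserName)" # account that enumerated it
            CallerProcess = $d.CallerProcessName
            DC            = $ComputerName
        }
    }
}

# Usage: last 24 hours on this DC, grouped by requesting account, noisiest first
Get-GroupEnumerationReport |
    Group-Object RequestedBy |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Groups'; e = { ($_.Group.Group | Sort-Object -Unique) -join ', ' } }
```

This event covers SAM-based membership queries only; LDAP-based lookups (as made by the Active Directory Users and Computers snap-in mentioned in the Note below) do not produce it, so they are invisible to this check.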

Remote usage

Using administrative privileges, specify the remote Domain Controller server.

PS >.\laelaPS.ps1 -server <DC_IP_addr>

Note

Enumeration is not reported when group members are enumerated using the Active Directory Users and Computers snap-in.

About

License: GNU General Public License v2.0


Languages

Language: PowerShell 100.0%