patroclica / hAcKtive-Directory-Forensics


hAcKtive Directory Forensics


Compiled for OSDFCon 2021 talk "I know what your AD did last summer!.." by 1nth35h311 (#yossi_sassi)

Page last updated on December 1st 2021 (tools in links may update routinely)

Comments and improvements are welcome


Link to presentation & video:

Slides

Video: <Coming soon>

Open source tools & Scripts:

Get-ADGroupChanges - "pure" PowerShell cmdlet (no module dependencies or special AD permissions needed) to retrieve the change history of an AD group's membership, of all groups, or per user, since the creation of the domain. Relies on object metadata rather than event logs. Useful for DF/IR, tracking changes in groups, etc. Supports querying AD metadata either from an online Domain Controller or from an offline system state backup/snapshot.

Get-ADUserAddedToGroup - simple & quick script to check when a user was added to a group (basic/entry-level forensics; requires the ActiveDirectory module).

AD Replication Metadata History - Quickly tracks changes to your AD objects, even if event logs were wiped or recycled (e.g. during an incident response), using replication metadata history. Works for both online & offline scenarios. No special permissions needed for a live AD query (local admin is only required when using an offline DB, for the port bind).

ADTimeLine - Generates a timeline based on Active Directory replication metadata for objects considered of interest (by ANSSI-FR, the French national authority for the security and defense of information systems).

Get-DCShadowNTDSdsa - Finds potential exploitation of DCShadow, in retrospect, from the relevant DC demotion/ntdsDSA deletion traces.

Search for String in AD Objects - Looks for interesting strings (e.g. "password"), as well as IP addresses, in all AD objects.

Get-ADPrincipalKerberosTokenGroup - a PowerShell implementation of PAC enumeration (similar to getpac.py). Does not require special privileges. Enumerates the effective token (cumulative group SIDs from the Kerberos PAC) for any user, by any authenticated user.

LDAPMonitor - My updated .ps1 version of @p0dalirius's script. Monitors creation, deletion and changes of LDAP objects during a *live* forensics session or a pentest, or for sysadmin/secops monitoring.


Additional topic-related scripts:

Get-UserSession - Queries user sessions for the entire domain (interactive/RDP etc.), allowing you to query a user and see all of their logged-on sessions, whether active or disconnected. Can be correlated during live forensics with active entity sessions.

Get-RemotePSSession - Queries PS sessions (WSMan) for their connected users, IPs & hosts, locally & remotely. Can be correlated during live forensics with active entity sessions.

WeakCipherUsage - Gets weak cipher usage (RC4 used in domain environments). Useful for on-prem diagnostics, similar to the MDI (cloud app sec) weak cipher usage report. Can be used to assess whether you can move to AES only (see which systems still use RC4), as well as a basic indication of a potential Kerberoasting attack (with false positives, naturally, since systems may generate downgraded TGS requests regardless of this common attack).

ZeroLogon Post-Exploitation Check - Script to automate checks for potential exploitation of CVE-2020-1472 (aka ZeroLogon) in the domain. This is a very "quick and dirty" lookup for some of the leading artifacts used to determine an actual exploitation of CVE-2020-1472, compiled from multiple blogs. Ideally, the second check (for events from the Security & System event logs) should be done from a SIEM/syslog/event collector, which keeps events far enough back to detect such exploits. Note that if Netlogon logs were not enabled in the environment, and DC logs were overwritten by newer events, an exploitation could have happened and would not be noticed by the remaining artifacts this script checks.

Hunt for PrintNightmare Exploitation - Looks for evidence of PrintNightmare exploitation in logs. Requires 'Event Log Readers' or higher permissions. Defaults to domain controllers, yet can be pointed to any/all domain machines (using the -AllComputers parameter, or by changing the LDAP query). Outputs results of potential PrintNightmare exploitation to the console and a CSV file.

Find renamed users (with current & previous sAMAccountName values) - Finds renamed accounts in AD logs (along with their current and previous sAMAccountName values). No dependencies/no AD module required. Requires 'Event Log Readers' permission or higher.

Some other useful resources:

ADSecurity.org - Useful articles on AD security in general, including on AD replication metadata.

Hunting with AD Replication metadata - article on AD replication metadata, from another cool blog, by harmj0y.
