hAcKtive Directory Forensics


Compiled by 1nTh35h311 (#yossi_sassi)

Page last updated on September 18th 2023 (tools in links may update routinely)

Comments and improvements are welcome


Talks, slides & videos:

'HackCon' 2023 talk: Hacktive Directory Forensics - a toolkit for understanding who|what|when in your domain

Slides - Presentation slides


'Hack In Paris' 2022 talk: Hacktive Directory Forensics (announcing 'GoldFinger' - Suspicious TGT Detector)

Video - Talk video on YouTube


SecurityFest 2022 talk: "I know what your 'Microsoft Mainframe' did last summer!"

Video - Talk video on YouTube


OSDFCon 2021 talk: "I know what your AD did last summer!.."

Slides - Presentation slides in PDF

Video - Talk video on YouTube


Open source tools & Scripts:

Invoke-TgsMonitor - Monitor TGS requests (all, or just failed ones). Useful during a live IR when no central log/threat hunting solution is available, or in general to monitor service access & failure reasons. Requires 'Event Log Readers' permission or equivalent.


Invoke-PostKrbtgtResetMonitor - Centralized detection of Golden Tickets after resetting the krbtgt password TWICE, via event ID 4769 (TGS request) with failure code 0x1F (integrity check on decrypted field failed, i.e. the presented TGT was encrypted with a krbtgt key the KDC no longer holds) & TGT anomalies. Useful when arriving at a site shortly after a krbtgt double-reset. No dependencies/modules. Requires 'Event Log Readers' permission or equivalent.


GoldFinger - Suspicious Kerberos TGT detector- Collects | analyzes | hunts for potential Golden Tickets & Pass-The-Hash in domain-joined Endpoints. No Agent, uses WinRM or SMB


Get-ADGroupChanges - "pure" PowerShell cmdlet (no module dependencies or special AD permissions needed) to retrieve the change history of an AD group's membership, of all groups, or per user, since the creation of the domain. Relies on object replication metadata rather than event logs. Useful for DF/IR, tracking changes in groups, etc. Supports querying AD metadata either from an online Domain Controller, or from an offline system state backup/snapshot.


Get-ADUserAddedToGroup - Simple & quick script to check when a user was added to a group (basic/entry-level forensics; requires the ActiveDirectory module).


AD Replication Metadata History - Quickly tracks changes to your AD objects, even if event logs were wiped or recycled (e.g. during an Incident Response), using replication metadata history. For both online & offline scenarios. No special permissions needed for a live AD query (local admin is only required when using an offline DB, to bind the LDAP port).
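
The following is an added example, not one of the tools listed on this page, showing the replication-metadata approach that Get-ADGroupChanges and AD Replication Metadata History rely on: the DC's constructed attribute msDS-ReplValueMetaData holds per-value (linked value) metadata for the 'member' attribute, including when each member was added and, if so, removed, so group membership history can be rebuilt over plain LDAP with no AD module and no Security event logs. Assumptions: the group is identified by sAMAccountName (parameter), and the query runs against the logged-on domain.

```powershell
# Added example (not one of the page's tools): rebuild add/remove history of a group's
# 'member' attribute from the constructed attribute msDS-ReplValueMetaData, using
# System.DirectoryServices only (no ActiveDirectory module, no event logs).
param([string]$GroupName = 'Domain Admins')   # assumption: group to examine

$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter     = "(&(objectClass=group)(sAMAccountName=$GroupName))"
# Constructed attributes are only returned when explicitly requested.
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'msDS-ReplValueMetaData'))
$group = $searcher.FindOne()
if (-not $group) { throw "Group '$GroupName' not found" }

# Each value of msDS-ReplValueMetaData is an XML document describing one linked value.
$history = foreach ($xmlText in $group.Properties['msds-replvaluemetadata']) {
    $m = ([xml]$xmlText).DS_REPL_VALUE_META_DATA
    if ($m.pszAttributeName -ne 'member') { continue }
    # ftimeDeleted stays at the epoch (1601-01-01) while the value is present;
    # any later timestamp is the time the member was removed.
    $removed = if ($m.ftimeDeleted -like '1601-*') { $null } else { [datetime]$m.ftimeDeleted }
    [pscustomobject]@{
        Member        = $m.pszObjectDn
        FirstAdded    = [datetime]$m.ftimeCreated
        Removed       = $removed
        LastChange    = [datetime]$m.ftimeLastOriginatingChange
        ChangeCount   = [int]$m.dwVersion            # increments on each add/remove of this value
        OriginatingDC = $m.pszLastOriginatingDsaDN   # NTDS Settings DN of the DC where the change originated
    }
}

$history | Sort-Object LastChange -Descending | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: removed values survive in the metadata only until they are garbage-collected after the tombstone lifetime, so older removals are no longer visible; and the originating DC is reported as its NTDS Settings DN, which is what you correlate with that DC's own logs. For the offline scenario described above, mount the backup's ntds.dit with dsamain on a spare LDAP port (e.g. `dsamain -dbpath <path to ntds.dit> -ldapport 10389`, port assumed) and point SearchRoot at `LDAP://localhost:10389/<domain DN>` instead.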


TimeLineGenerator - AD account timeline generator: parses DC Security logs & displays accounts' activity timeline in a grid/CSV. Can run directly on Domain Controllers (live, through WinRM), or be pointed at a path of Evtx files. Can run a full/longer report, or a more focused/quicker one with a select set of events to filter. Can set the max events to fetch per DC.


ADTimeLine - Generates a timeline based on Active Directory replication metadata for objects considered of interest (by ANSSI-FR, the French national authority for the security and defense of information systems)


Get-LDAPperformance - LDAP Query Performance Analysis for Threat Hunting or IT optimization - Collects LDAP query performance events and analyzes them to CSV & grid. Helps in identifying large or unusual LDAP queries, either for threat hunting or IT optimization. No dependencies. No modules required. Requires 'Event Log Readers' permission or equivalent (i.e. access to the DCs' 'Directory Service' event log).


Get Last Logon of an account (user or computer) - Get the up-to-date last logon of any user or computer by querying all Domain Controllers in the domain (the lastLogon attribute is not replicated, so each DC only knows about logons it handled). No dependencies, no special permissions, just LDAP connectivity.


Get-DCShadowNTDSdsa - Finds potential exploitation of DCShadow, in retrospect, from the traces left by the relevant rogue DC demotion / nTDSDSA object deletion


Search for String in AD Objects - Looks for interesting strings (e.g. password), as well as IP addresses, in all AD objects


Get-ADPrincipalKerberosTokenGroup - A PowerShell implementation of PAC enumeration (similar to getpac.py). Does not require special privileges. Enumerates the effective token (cumulative group SIDs, as carried in the Kerberos PAC) of any user, and can be run by any authenticated user.


LDAPMonitor - My updated ps1 version of @p0dalirius's script. Monitors creation, deletion and changes of LDAP objects during a *live* forensics session or a pentest, and is equally useful to sysadmins|secops who want to watch directory changes while a pentest is running.


Additional topic-related scripts:


Invoke-AdminSDHolderPermissionCheck - Analyzes AdminSDHolder permissions & compares with a previous run, to detect potential backdoor/excessive persistent permission(s). No special privileges required.


Get-ChangesInADUser - Checks for changes in AD users. Useful in finding who changed which property of an AD user, and when. Requires 'Event Log Readers' permission or equivalent, to query the Security event logs on Domain Controllers. No additional modules required.


Get-LogonworkstationsAttributeStatus - Gets the latest change (if any) of the userWorkstations attribute value (logon restrictions by user workstations) using replication attribute metadata. No logging/auditing required. No special permissions required. Sees ANY change since the creation of the user, and can also indicate whether the attribute was cleared deliberately.


Get-UserSession - Queries user sessions across the entire domain (interactive/RDP etc.), allowing you to look up a user and see all their logged-on sessions, whether active or disconnected. Can be correlated during live forensics with active entity sessions


Get-RemotePSSession - Queries PS sessions (WSMan) for their connected users, IPs & hosts, locally & remotely. Can be correlated during live forensics with active entity sessions


WeakCipherUsage - Reports weak cipher usage (RC4 in Kerberos tickets within the domain). Useful for on-prem diagnostics, similar to the MDI (Microsoft Defender for Identity) weak cipher usage report. Helps assess whether you can move to AES only (see which systems still use RC4), and gives a basic indication of potential Kerberoasting (with false positives, naturally, since systems may request RC4-encrypted TGS tickets regardless of this common attack)
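
Both the post-krbtgt-reset Golden Ticket check (Invoke-PostKrbtgtResetMonitor above) and the RC4 usage check (WeakCipherUsage) come down to reading event 4769 on the Domain Controllers and looking at two of its fields. The following is an added example that is not one of the page's tools: it discovers the DCs over LDAP, pulls the matching 4769 events with a server-side XPath filter, and reports 0x1f failures and RC4-encrypted (0x17) service tickets in one pass. Assumptions: the look-back window and CSV path are parameters, DCs are discovered via the SERVER_TRUST_ACCOUNT bit of userAccountControl, and the caller holds 'Event Log Readers' (or equivalent) on each DC.

```powershell
# Added example (not one of the page's tools): collect event 4769 (Kerberos service
# ticket request) from all Domain Controllers and report:
#  (a) failures with status 0x1f (integrity check on decrypted field failed), which
#      after a krbtgt double-reset mean the presented TGT was encrypted with a key the
#      KDC no longer holds (Golden Ticket candidate, or a stale legitimate TGT);
#  (b) tickets issued with RC4-HMAC (TicketEncryptionType 0x17): weak cipher usage
#      and Kerberoasting candidates.
param(
    [int]$Days = 7,                                   # assumption: look-back window
    [string]$CsvPath = "$env:TEMP\tgs-findings.csv"   # assumption: output file
)

# Discover DCs without the AD module: userAccountControl bit 0x2000 marks DC accounts.
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$searcher.PropertiesToLoad.Add('dNSHostName')
$dcs = $searcher.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] }

# Server-side XPath filter: only 4769s in the window that failed with 0x1f or used RC4.
$windowMs = [int64]$Days * 24 * 60 * 60 * 1000
$xpath = "*[System[EventID=4769 and TimeCreated[timediff(@SystemTime) <= $windowMs]]] and " +
         "*[EventData[Data[@Name='Status']='0x1f' or Data[@Name='TicketEncryptionType']='0x17']]"

$findings = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; any other error is worth seeing.
        if ($_.Exception.Message -notlike 'No events were found*') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Flatten <Data Name="..."> elements of the event XML into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['Status'] -eq '0x1f') {
            $finding = 'TGS failed 0x1f: TGT not decryptable with current krbtgt keys (Golden Ticket candidate)'
        } else {
            $finding = 'RC4 (0x17) service ticket: weak cipher / Kerberoasting candidate'
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $dc
            Finding     = $finding
            Account     = $d['TargetUserName']
            Service     = $d['ServiceName']
            ClientIP    = $d['IpAddress'] -replace '^::ffff:', ''
            EncType     = $d['TicketEncryptionType']
            Status      = $d['Status']
        }
    }
}

$findings | Sort-Object TimeCreated -Descending | Export-Csv -NoTypeInformation -Path $CsvPath
$findings | Group-Object Finding | Select-Object Count, Name
```

Triage note: in the hours right after the second krbtgt reset, legitimate clients still holding a TGT issued under the old key also fail once with 0x1f and then renew, so a Golden Ticket shows up as an account/client IP that keeps failing rather than a single burst. RC4 hits for accounts that simply have no AES keys are the AES migration backlog, not an attack; the Kerberoasting signal is RC4 tickets requested for many different service accounts from one client in a short time.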


ZeroLogon Post-Exploitation Check - Script to automate checks for potential exploitation of CVE-2020-1472 (aka ZeroLogon) in the domain. This is a very "quick and dirty" lookup for some of the leading artifacts that indicate actual exploitation of CVE-2020-1472, compiled from multiple blogs. Ideally, the 2nd check (for events from the Security & System event logs) should be done from a SIEM/syslog/event collector that keeps events far enough back to detect such exploits. Note that if Netlogon logging was not enabled in the environment, and DC logs were overwritten by newer events, an exploitation could have happened without being noticed by the remaining artifacts this script checks


Hunt for PrintNightmare Exploitation - Looks for evidence of PrintNightmare exploitation in logs. Requires 'Event Log Readers' or higher permissions. Defaults to Domain Controllers, but can be pointed at any/all domain machines (using the -AllComputers parameter, or by changing the LDAP query). Outputs results of potential PrintNightmare exploitation to console + CSV file


Find renamed users (with current & previous sAMAccountName values) - Useful to detect sAMAccountName spoofing (CVE-2021-42278 and CVE-2021-42287). Finds renamed accounts in DC logs (with their current and previous sAMAccountName values). No dependencies/no AD module required. Requires 'Event Log Readers' permission or higher
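
As an added example (not the script listed above), the rename check itself: event 4781 ("The name of an account was changed") carries OldTargetUserName and NewTargetUserName, and the sAMAccountName spoofing pattern is a computer account whose trailing '$' disappears, typically to a name that collides with a Domain Controller. The function below scores one 4781 event; the sample event is constructed here for an offline dry run, and the optional live query against a DC (parameter, 'Event Log Readers' required) is an assumption about how you would feed it.

```powershell
# Added example (not one of the page's tools): flag 4781 account renames that look like
# sAMAccountName spoofing (CVE-2021-42278/42287).
param(
    [string]$DC = $null,   # assumption: DC to query live; omit to run only on the sample
    [int]$Days = 30        # assumption: look-back window for the live query
)

function Test-RenameSpoofing {
    param([xml]$EventXml, [string[]]$DcNames)   # DcNames: DC sAMAccountNames without '$', lower-case
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $old = $d['OldTargetUserName']; $new = $d['NewTargetUserName']
    $reasons = @()
    if ($old -like '*$' -and $new -notlike '*$') { $reasons += 'computer account lost its trailing $' }
    if ($DcNames -contains $new.TrimEnd('$').ToLower()) { $reasons += 'new name collides with a DC name' }
    [pscustomobject]@{
        Time       = $EventXml.Event.System.TimeCreated.SystemTime
        ChangedBy  = $d['SubjectUserName']
        OldName    = $old
        NewName    = $new
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

# DC names over LDAP (no AD module): userAccountControl bit 0x2000 marks DC accounts.
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
$dcNames = $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0].TrimEnd('$').ToLower() }

# Constructed sample 4781 event (values invented for the dry run): WS01$ renamed to DC01.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4781</EventID><TimeCreated SystemTime="2023-09-18T08:15:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="OldTargetUserName">WS01$</Data>
    <Data Name="NewTargetUserName">DC01</Data>
    <Data Name="TargetDomainName">CORP</Data>
  </EventData>
</Event>
'@
Test-RenameSpoofing -EventXml ([xml]$sample) -DcNames ($dcNames + 'dc01') | Format-List

# Live run: every 4781 from one DC's Security log within the window.
if ($DC) {
    $filter = @{ LogName = 'Security'; Id = 4781; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Test-RenameSpoofing -EventXml ([xml]$_.ToXml()) -DcNames $dcNames } |
        Where-Object Suspicious | Format-Table -AutoSize
}
```

The two reasons are deliberately separate: an admin renaming a workstation normally keeps the '$', and a user-named account that merely matches a DC's short name is rare but possible, so either one alone is worth a look and both together is the CVE-2021-42278 pattern. Pair a hit with the 4742 (computer account changed) and 4768/4769 events for the same account around that time.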


Other useful resources:

ADSecurity.org - Useful articles on AD Security in general, including on AD replication metadata

DC Recovery steps (for DFIR) - Some proposed steps to reinstall DCs after a compromise