• Stars: 9
• Rank 1,939,727 (Top 39 %)
• Language: PowerShell
• Created over 4 years ago
• Updated over 1 year ago


Repository Details

Track past changes in your AD accounts (users and computers), even if no event logs exist, e.g. not collected, no retention/overwritten, wiped (e.g. during an incident response), etc. Uses replication metadata history parsing.

More Repositories

1. Get-UserSession (PowerShell, 86 stars)
   Query user sessions for the entire domain (interactive, RDP, etc.), allowing you to query a username and see all their logged-on sessions, whether active or disconnected.

2. hAcKtive-Directory-Forensics (36 stars)

3. Get-NetSessionEnum (PowerShell, 15 stars)
   Automate network session enumeration of connected users in the domain, to facilitate AD reconnaissance for adversary simulation and red teams.

4. SEC-T_21-One-Liners-Powershell (PowerShell, 14 stars)
   Code and other materials from the SEC-T 2022 talk "When SysAdmin & Hacker Unite: 21 One-Liners to make you convert from bash to Powershell".

5. Get-LDAPperformance (PowerShell, 10 stars)
   Collects LDAP query performance events and analyzes them to CSV and grid view. Helps in identifying large or unusual LDAP queries, either for threat hunting or IT optimization.

6. Get-RemotePSSession (PowerShell, 9 stars)
   Query PS sessions (WSMan) for their connected users, IPs and hosts, locally and remotely.

7. Get-LoggedOnUser (PowerShell, 8 stars)
   Gets currently logged-on users on domain computers, to see whether they are local admins or not.

8. Get-DomainNLAStatus (PowerShell, 7 stars)
   Checks the Network Level Authentication settings of computers domain-wide, in light of RDP vulnerabilities such as BlueKeep and DejaBlue.

9. Get-ADGroupChanges (PowerShell, 7 stars)
   "Pure" PowerShell command (no dependencies, no special permissions, etc.) to retrieve the change history of an AD group's membership. Relies on object metadata rather than event logs. Useful for DF/IR, tracking changes in groups, etc.

10. PowerShell-Hacking-BSidesTLV (PowerShell, 6 stars)
    Code from my talk @ BSidesTLV 2019 on PowerShell as a hacking tool.

11. Misc_Tools (PowerShell, 6 stars)
    Things that make you go hmm... scripts for fun(ctionality).

12. ZeroLogon-Exploitation-Check (PowerShell, 6 stars)
    Quick'n'dirty automated checks for potential exploitation of CVE-2020-1472 (aka ZeroLogon), using leading artifacts to determine whether CVE-2020-1472 was actually exploited. Requires admin access to the DCs.

13. PowerShell-Performance-Optimization (PowerShell, 5 stars)
    From my talk @ Microsoft on various tips and best practices for PowerShell/.NET performance optimization.

14. Get-ChangesInADUser (PowerShell, 3 stars)
    Checks for changes in AD users. Useful for finding who changed which property of an AD user, and when. Requires 'Event Log Readers' or equivalent. No additional modules required.

15. GoldFinger-Suspicious_TGT_Hunter (PowerShell, 3 stars)
    GoldFinger: suspicious TGT detection. Collects, analyzes and hunts for potential Golden Tickets and Pass-the-Hash.

16. Get-ADUserAddedToGroup (PowerShell, 3 stars)
    Simple script to check when a user was added to a group (entry-level forensics).

17. Get-PSTranscriptReport (PowerShell, 3 stars)
    PowerShell transcript analysis and reporting: analyzes the PSTranscriptions folder content, provides insights and some hunting guidance.

18. WeakCipherUsage (PowerShell, 2 stars)

19. SecurityWeekly_Cover-Tracks-Evade-Detection (PowerShell, 2 stars)
    Code from the Security Weekly session on Covering Tracks & Evading Detection.

20. TimeLineGenerator (PowerShell, 2 stars)
    AD account timeline generator: parses DC security logs into an activity timeline.

21. Get-ADPrincipalKerberosTokenGroup (PowerShell, 1 star)
    A PowerShell implementation of PAC enumeration (similar to getpac.py). Does not require privileges. Can enumerate the effective token (Kerberos group SIDs) for any user.

22. Invoke-AdminSDHolderPermissionCheck (PowerShell, 1 star)
    Analyzes AdminSDHolder permissions and compares them with a previous run, to detect potential backdoor/excessive persistent permission(s).

23. Get-DCShadowNTDSdsa (PowerShell, 1 star)
    Detecting DCShadow in retrospect from the relevant DC demotion/ntdsDSA deletion.