• Stars: 7
• Rank: 2,294,772 (Top 46 %)
• Language: PowerShell
• Created: almost 4 years ago
• Updated: about 3 years ago


Repository Details

"Pure" PowerShell command (no dependencies, no special permissions, etc.) to retrieve the change history of an AD group's membership. It relies on object metadata rather than event logs, which makes it useful for DF/IR, tracking changes in groups, etc.

More Repositories

1. Get-UserSession (PowerShell, 86 stars): Query user sessions for the entire domain (Interactive/RDP, etc.), allowing you to query a username and see all of their logged-on sessions, whether Active or Disconnected.
2. hAcKtive-Directory-Forensics (36 stars)
3. Get-NetSessionEnum (PowerShell, 15 stars): Automate network session enumeration of connected users in the domain, to facilitate AD reconnaissance for adversary simulation & Red Teams.
4. SEC-T_21-One-Liners-Powershell (PowerShell, 14 stars): Code & other materials from the SEC-T 2022 talk "When SysAdmin & Hacker Unite: 21 One-Liners to make you convert from bash to Powershell".
5. Get-LDAPperformance (PowerShell, 10 stars): Collects LDAP Query Performance Events and analyzes them to CSV & Grid. Helps in identifying large or unusual LDAP queries, either for Threat Hunting or IT optimization.
6. Get-RemotePSSession (PowerShell, 9 stars): Query PS Sessions (WSMan) for their connected users, IPs & hosts, locally & remotely.
7. AD-Replication-Metadata (PowerShell, 9 stars): Track past changes in your AD accounts (users & computers), even if no event logs exist (e.g. not collected, no retention/overwritten, or wiped during an Incident Response). Uses replication metadata history parsing.
8. Get-LoggedOnUser (PowerShell, 8 stars): Gets currently logged-on users on domain computers, to see whether they are local admins or not.
9. Get-DomainNLAStatus (PowerShell, 7 stars): Checks domain-wide computers' Network Level Authentication settings in light of RDP vulnerabilities, e.g. BlueKeep, DejaBlue.
10. PowerShell-Hacking-BSidesTLV (PowerShell, 6 stars): Code from my talk @ BSidesTLV 2019 on PowerShell as a Hacking Tool.
11. Misc_Tools (PowerShell, 6 stars): Things that make you go hmm... scripts for fun(ctionality).
12. ZeroLogon-Exploitation-Check (PowerShell, 6 stars): Quick-and-dirty automated checks for potential exploitation of CVE-2020-1472 (aka ZeroLogon), using leading artifacts to determine whether actual exploitation of CVE-2020-1472 occurred. Requires admin access to the DCs.
13. PowerShell-Performance-Optimization (PowerShell, 5 stars): From my talk @ Microsoft regarding various tips & best practices on PowerShell/.NET optimization for performance.
14. Get-ChangesInADUser (PowerShell, 3 stars): Checks for changes in AD users. Useful for finding who changed which property of an AD user, and when. Requires 'Event Log Readers' or equivalent. No additional modules required.
15. GoldFinger-Suspicious_TGT_Hunter (PowerShell, 3 stars): GoldFinger - Suspicious TGT detection - collects, analyzes and hunts for potential Golden Tickets & Pass-The-Hash.
16. Get-ADUserAddedToGroup (PowerShell, 3 stars): Simple script to check when a user was added to a group (entry-level forensics).
17. Get-PSTranscriptReport (PowerShell, 3 stars): PowerShell Transcripts Analysis & Reporting - analyzes the PSTranscriptions folder content, provides insights and some hunting guidance.
18. WeakCipherUsage (PowerShell, 2 stars)
19. SecurityWeekly_Cover-Tracks-Evade-Detection (PowerShell, 2 stars): Code from the Security Weekly session on Covering Tracks & Evading Detection.
20. TimeLineGenerator (PowerShell, 2 stars): AD account timeline generator - parses DC security logs into an activity timeline.
21. Get-ADPrincipalKerberosTokenGroup (PowerShell, 1 star): A PowerShell implementation of PAC enumeration (similar to getpac.py). Does not require privileges; can enumerate the effective token (Kerberos group SIDs) for any user.
22. Invoke-AdminSDHolderPermissionCheck (PowerShell, 1 star): Analyzes AdminSDHolder permissions & compares them with a previous run, to detect potential backdoor/excessive persistent permission(s).
23. Get-DCShadowNTDSdsa (PowerShell, 1 star): Detects DCShadow retrospectively from the relevant DC demotion/ntdsDSA deletion.