hAcKtive-Directory-Forensics

Get-NetSessionEnum
Automates enumeration of network sessions of connected users in the domain, to facilitate AD reconnaissance for adversary simulation & Red Teams

SEC-T_21-One-Liners-Powershell
Code & other materials from the SEC-T 2022 talk "When SysAdmin & Hacker Unite: 21 One-Liners to make you convert from bash to Powershell"

Get-LDAPperformance
Collects LDAP Query Performance Events and analyzes them to CSV & Grid. Helps in identifying large or unusual LDAP queries, either for Threat Hunting or IT optimization

Get-RemotePSSession
Queries PS Sessions (wsman) for their connected users, IPs & hosts, locally & remotely

AD-Replication-Metadata
Track past changes in your AD accounts (users & computers), even if no event logs exist - e.g. not collected, no retention/overwritten, wiped (e.g. during an Incident Response) etc. Uses Replication metadata history parsing

Get-LoggedOnUser
Gets currently logged-on users on domain computers, to see if they are local admins or not.

Get-DomainNLAStatus
Checks the Network Level Authentication settings of domain computers in light of RDP vulns, e.g. BlueKeep, DejaBlue

Get-ADGroupChanges
"Pure" PowerShell command (no dependencies, no special permissions etc.) to retrieve the change history of an AD group's membership. Relies on object metadata rather than event logs. Useful for DF/IR, tracking changes in groups etc.

PowerShell-Hacking-BSidesTLV
Code from my talk @ BSidesTLV 2019 on PowerShell as a Hacking Tool

Misc_Tools
Things that make you go hmm... scripts for fun(ctionality)

ZeroLogon-Exploitation-Check
Quick'n'dirty automated checks for potential exploitation of CVE-2020-1472 (aka ZeroLogon), using leading artifacts to determine an actual exploitation of CVE-2020-1472. Requires admin access to the DCs

PowerShell-Performance-Optimization
From my talk @ Microsoft regarding various tips & best practices on PowerShell/.NET optimization for performance

Get-ChangesInADUser
Checks for changes in AD users. Useful in finding who|when changed what property of an AD user. Requires 'Event Log Readers' or equivalent. No additional modules required.

GoldFinger-Suspicious_TGT_Hunter
GoldFinger - Suspicious TGT detection - collects | analyzes | hunts for potential Golden Tickets & Pass-The-Hash

Get-ADUserAddedToGroup
Simple script to check when a user was added to a group (entry-level forensics)

Get-PSTranscriptReport
PowerShell Transcripts Analysis & Reporting - analyzes the PSTranscriptions folder content, provides insights and some hunting guidance

WeakCipherUsage

SecurityWeekly_Cover-Tracks-Evade-Detection
Code from the Security Weekly session on Covering Tracks & Evading Detection

TimeLineGenerator
AD account timeline generator - parses DC security logs for an activity timeline

Get-ADPrincipalKerberosTokenGroup
A PowerShell implementation of PAC enum (similar to getpac.py). Does not require privileges. Can enumerate the Effective Token (Kerberos group SIDs) for any user

Invoke-AdminSDHolderPermissionCheck
Analyzes AdminSDHolder permissions & compares with a previous run, to detect potential backdoor/excessive persistent permission(s)

Get-DCShadowNTDSdsa
Detecting DCShadow in retrospect from relevant DC demotion/ntdsDSA deletion