30.Additional AD Auditing Techniques

I. Creating an AD Snapshot with Active Directory Explorer

AD Explorer (Sysinternals):
- Advanced AD viewer and editor.
- Allows easy navigation, object property viewing, permission editing, schema viewing, and sophisticated searches.
- Can save snapshots of AD databases for offline viewing and comparison.
- Useful for before-and-after comparisons to detect changes.
Usage:
- Login with any valid domain user.
- Browse AD objects.
- Create snapshots (File -> Create Snapshot).
- Analyze snapshots offline.

II. PingCastle

Purpose:
- Evaluates AD security posture.
- Provides results in maps and graphs.
- Generates detailed security reports based on CMMI.
- Helps gather host inventories.
Key Features:
- Health checks, consolidated reports, domain maps, workstation scans, and data exports.
- Reports on misconfigurations, vulnerabilities, shares, trusts, permissions, and user/computer states.
- Reports on recent vulnerability susceptibility.
Usage:
- Run PingCastle.exe in CMD or PowerShell.
- Use interactive mode or command-line switches (e.g., --help).
- Generate health check reports.
- Utilize scanner options for specific checks.
- Analyze generated reports and maps.
Important Note:
- If you have issues running the tool, change the system date to before July 31st, 2023.

III. Group3r

Purpose:
- Finds vulnerabilities in AD Group Policy.
- Requires a domain-joined host or domain user context.
Usage:
- Run group3r.exe -f <filepath-name.log> or group3r.exe -s
- Use -h for help.
- Analyze output (indentation indicates levels).
- Output will show the GPO, policy settings, and findings.
Key Feature:
- Can find issues that other tools might overlook.

IV. ADRecon

Purpose:
- Gathers a large amount of AD data at once.
- Useful when stealth is not a primary concern.
Usage:
- Run ADRecon.ps1.
- Analyze generated HTML and CSV reports.
- Excel needs to be installed for automatic HTML report generation.
- The GroupPolicy powershell module needs to be installed for Group Policy reporting.
- Use -GenExcel to generate Excel reports from CSV files.
Output:
- Reports on domains, forests, trusts, sites, subnets, password policies, domain controllers, users, groups, OUs, GPOs, DNS, printers, computers, LAPS, and BitLocker.

V. Reporting

Importance:
- Provides comprehensive information to clients.
- Aids in problem-solving and security improvements.
- Helps clients get funding to fix security issues.
Key Takeaways:
- These tools enhance AD auditing and security assessments.
- They provide detailed data and visualizations for analysis.
- Proper reporting is essential for effective security improvements.
- Using multiple tools will provide for a much more complete view of a domains security posture.

Last updated 12 days ago

I. Creating an AD Snapshot with Active Directory Explorer

AD Explorer (Sysinternals):
- Advanced AD viewer and editor.
- Allows easy navigation, object property viewing, permission editing, schema viewing, and sophisticated searches.
- Can save snapshots of AD databases for offline viewing and comparison.
- Useful for before-and-after comparisons to detect changes.
Usage:
- Login with any valid domain user.
- Browse AD objects.
- Create snapshots (File -> Create Snapshot).
- Analyze snapshots offline.

II. PingCastle

Purpose:
- Evaluates AD security posture.
- Provides results in maps and graphs.
- Generates detailed security reports based on CMMI.
- Helps gather host inventories.
Key Features:
- Health checks, consolidated reports, domain maps, workstation scans, and data exports.
- Reports on misconfigurations, vulnerabilities, shares, trusts, permissions, and user/computer states.
- Reports on recent vulnerability susceptibility.
Usage:
- Run PingCastle.exe in CMD or PowerShell.
- Use interactive mode or command-line switches (e.g., --help).
- Generate health check reports.
- Utilize scanner options for specific checks.
- Analyze generated reports and maps.
Important Note:
- If you have issues running the tool, change the system date to before July 31st, 2023.

III. Group3r

Purpose:
- Finds vulnerabilities in AD Group Policy.
- Requires a domain-joined host or domain user context.
Usage:
- Run group3r.exe -f <filepath-name.log> or group3r.exe -s
- Use -h for help.
- Analyze output (indentation indicates levels).
- Output will show the GPO, policy settings, and findings.
Key Feature:
- Can find issues that other tools might overlook.

IV. ADRecon

Purpose:
- Gathers a large amount of AD data at once.
- Useful when stealth is not a primary concern.
Usage:
- Run ADRecon.ps1.
- Analyze generated HTML and CSV reports.
- Excel needs to be installed for automatic HTML report generation.
- The GroupPolicy powershell module needs to be installed for Group Policy reporting.
- Use -GenExcel to generate Excel reports from CSV files.
Output:
- Reports on domains, forests, trusts, sites, subnets, password policies, domain controllers, users, groups, OUs, GPOs, DNS, printers, computers, LAPS, and BitLocker.

V. Reporting

Importance:
- Provides comprehensive information to clients.
- Aids in problem-solving and security improvements.
- Helps clients get funding to fix security issues.
Key Takeaways:
- These tools enhance AD auditing and security assessments.
- They provide detailed data and visualizations for analysis.
- Proper reporting is essential for effective security improvements.
- Using multiple tools will provide for a much more complete view of a domains security posture.

Last updated 12 days ago