30.Additional AD Auditing Techniques

I. Creating an AD Snapshot with Active Directory Explorer

  • AD Explorer (Sysinternals):

    • Advanced AD viewer and editor.

    • Allows easy navigation, object property viewing, permission editing, schema viewing, and sophisticated searches.

    • Can save snapshots of AD databases for offline viewing and comparison.

    • Useful for before-and-after comparisons to detect changes.

  • Usage:

    • Login with any valid domain user.

    • Browse AD objects.

    • Create snapshots (File -> Create Snapshot).

    • Analyze snapshots offline.

II. PingCastle

  • Purpose:

    • Evaluates AD security posture.

    • Provides results in maps and graphs.

    • Generates detailed security reports based on CMMI.

    • Helps gather host inventories.

  • Key Features:

    • Health checks, consolidated reports, domain maps, workstation scans, and data exports.

    • Reports on misconfigurations, vulnerabilities, shares, trusts, permissions, and user/computer states.

    • Reports on recent vulnerability susceptibility.

  • Usage:

    • Run PingCastle.exe in CMD or PowerShell.

    • Use interactive mode or command-line switches (e.g., --help).

    • Generate health check reports.

    • Utilize scanner options for specific checks.

    • Analyze generated reports and maps.

  • Important Note:

    • If you have issues running the tool, change the system date to before July 31st, 2023.

III. Group3r

  • Purpose:

    • Finds vulnerabilities in AD Group Policy.

    • Requires a domain-joined host or domain user context.

  • Usage:

    • Run group3r.exe -f <filepath-name.log> or group3r.exe -s

    • Use -h for help.

    • Analyze output (indentation indicates levels).

    • Output will show the GPO, policy settings, and findings.

  • Key Feature:

    • Can find issues that other tools might overlook.

IV. ADRecon

  • Purpose:

    • Gathers a large amount of AD data at once.

    • Useful when stealth is not a primary concern.

  • Usage:

    • Run ADRecon.ps1.

    • Analyze generated HTML and CSV reports.

    • Excel needs to be installed for automatic HTML report generation.

    • The GroupPolicy powershell module needs to be installed for Group Policy reporting.

    • Use -GenExcel to generate Excel reports from CSV files.

  • Output:

    • Reports on domains, forests, trusts, sites, subnets, password policies, domain controllers, users, groups, OUs, GPOs, DNS, printers, computers, LAPS, and BitLocker.

V. Reporting

  • Importance:

    • Provides comprehensive information to clients.

    • Aids in problem-solving and security improvements.

    • Helps clients get funding to fix security issues.

  • Key Takeaways:

    • These tools enhance AD auditing and security assessments.

    • They provide detailed data and visualizations for analysis.

    • Proper reporting is essential for effective security improvements.

    • Using multiple tools will provide for a much more complete view of a domains security posture.

Previous29.Hardening-active-directoryNextLinux Privilege Escalation

Last updated