FarsightAD – PowerShell Script That Aims To Help Uncover (Eventual) Persistence Mechanisms Deployed By A Threat Actor Following An Active Directory Domain Compromise
FarsightAD is a PowerShell script that aims to help uncover (eventual) persistence mechanisms deployed by a threat actor following an Active Directory domain compromise.
The script produces CSV / JSON file exports of various objects and their attributes, enriched with timestamps from replication metadata. Additionally, if executed with replication privileges, the Directory Replication Service (DRS) protocol is leveraged to detect fully or partially hidden objects.
For more information, refer to: Uncovering the fully and partially hidden users with Export-ADHuntingHiddenObjectsWithDRSRepData
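As an added example of the enrichment described above (not FarsightAD's own code), the following snippet exports the key attributes of every object with adminCount=1 together with the replication-metadata timestamp, version and originating DC of each attribute's last write, so a responder can sort changes against the suspected compromise date. It assumes the RSAT ActiveDirectory module and domain read access; the attribute list and output path are assumptions chosen for illustration.

```powershell
# Added example, not part of FarsightAD. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Query a single DC so that all metadata comes from one replica's view.
$Server = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

# Attributes a persistence hunt commonly cares about (assumed list for illustration).
$Attributes = @('adminCount', 'servicePrincipalName', 'userAccountControl',
                'primaryGroupID', 'msDS-AllowedToActOnBehalfOfOtherIdentity')

# adminCount=1 marks objects that AdminSDHolder protected at some point, i.e. privileged
# accounts, including ones that were later removed from privileged groups.
$Objects = Get-ADObject -LDAPFilter '(adminCount=1)' -Server $Server -Properties $Attributes

$Rows = foreach ($Obj in $Objects) {
    # Replication metadata records, per attribute, when and on which DC the last originating
    # write happened. It is kept even when the attribute was later cleared, which is what
    # makes it useful for dating a change the actor tried to tidy up.
    $Meta = Get-ADReplicationAttributeMetadata -Object $Obj.DistinguishedName -Server $Server |
            Where-Object { $Attributes -contains $_.AttributeName }
    foreach ($M in $Meta) {
        [PSCustomObject]@{
            DistinguishedName     = $Obj.DistinguishedName
            Attribute             = $M.AttributeName
            CurrentValue          = (@($Obj.($M.AttributeName)) -join ';')
            LastOriginatingChange = $M.LastOriginatingChangeTime
            Version               = $M.Version
            OriginatingDC         = $M.LastOriginatingChangeDirectoryServerIdentity
        }
    }
}

# Newest changes first: an attribute rewritten shortly after the suspected compromise date
# is the kind of entry to triage first. Output path is an assumption.
$Rows | Sort-Object LastOriginatingChange -Descending |
        Export-Csv -Path '.\adminCount_replmeta.csv' -NoTypeInformation -Encoding UTF8
```

A high Version with a recent LastOriginatingChange on an attribute such as servicePrincipalName or userAccountControl is worth cross-checking against the Directory Service event logs of the OriginatingDC.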
Acknowledgements
- The C# code for DRS requests was adapted from: MakeMeEnterpriseAdmin by @vletoux, Mimikatz by @gentilkiwi and @vletoux, and SharpKatz by @b4rtik.
- The functions to parse Key Credentials are from the ADComputerKeys PowerShell module.
- The AD CS related persistence is based on work from:
  - Certified Pre-Owned by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_)
  - Microsoft ADCS – Abusing PKI in Active Directory Environment by Jean Marsault (@iansus)
- The function to parse Service Principal Names is based on work from Adam Bertram.
Thanks
- Antoine Cauchois (@caucho_a) for the proofreading, testing and ideas.
Author
Thomas DIOT (Qazeer)
Licence
CC BY 4.0 licence – https://creativecommons.org/licenses/by/4.0/