PowerShell AD Auditing

Domain Info

List general info

Get-ADDomain

SMB

SMB Version

(Get-SmbConnection).ServerVersion

Check if NTLMv1 is allowed - True = enabled (LmCompatibilityLevel 0-2 means the client still sends LM/NTLMv1 responses)

(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\' -Name 'LmCompatibilityLevel').LmCompatibilityLevel -in 0, 1, 2

List SMB shares

Get-SmbShare | Select-Object Name, Path

Check what access Everyone has on each share (share-level rights are Read, Change or Full; there is no separate execute right)

Get-SmbShare | ForEach-Object { Get-SmbShareAccess -Name $_.Name } | Where-Object AccountName -eq 'Everyone' | Select-Object Name, AccessControlType, AccessRight

Kerberos

List kerberoastable users

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

List users with SPNs enabled (similar to above; Get-DomainUser is a PowerView function)

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

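Check if RC4 is still enabled - 1 = enabled (this key controls Schannel/TLS ciphers, not Kerberos encryption types; the key name contains a '/', which the PowerShell registry provider treats as a path separator, so it is opened through .NET)

[Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128').GetValue('Enabled')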

Check for AS-REP roastable users (Kerberos pre-authentication not required)

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} | Select-Object SamAccountName

Users

Enumerate password policy

net accounts

Local admins

Get-LocalGroupMember -Group 'Administrators' | Select-Object Name

List Domain Admins

Get-AdGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName

List domain groups

Get-ADGroup -Filter * | select name

Specific group info

Get-ADGroup -Identity "Backup Operators"

Check members of group

Get-ADGroupMember -Identity "Backup Operators"

Recursively check inherited group rights

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Specific user info

Get-DomainUser -Identity <USER> -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

List service accounts & group memberships

💡 This one requires special perms and may trigger alerting

# Get-ADUser has no ServiceAccount property; this lists managed service accounts (MSA/gMSA) instead
Get-ADServiceAccount -Filter * -Properties MemberOf |
    Select-Object SamAccountName, @{Name='GroupMemberships';Expression={$_.MemberOf -join ','}}

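List admins whose accounts can be delegated

💡 This one may require special perms and may trigger alerting

# MemberOf holds DNs and the property is AccountNotDelegated, so resolve group members first
'Administrators','Domain Admins' | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } | Where-Object objectClass -eq 'user' | Get-ADUser -Properties AccountNotDelegated | Where-Object { -not $_.AccountNotDelegated } | Select-Object -Property SamAccountName -Unique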

Auditing ACLs

  • Would need proper tooling, but very important

Credentials

Check for credentials stored in credman

Windows --> Credential Manager --> GUI

Check for wdigest (possible credential caching)

💡 Anything with registry may trigger alerting

(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential').UseLogonCredential -eq 1

Check if CredSSP is being used (possible cached creds)

(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\CredSSP' -Name 'Enabled').Enabled -eq 1

Check if LSA protections are enabled (RunAsPPL is 1, or 2 for enabled without a UEFI lock)

(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL').RunAsPPL -in 1, 2
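
The registry one-liners above raise an error when a value has never been set, which is common on a default install. The following added example (not part of the original notes) reads LmCompatibilityLevel, UseLogonCredential and RunAsPPL, reports a missing value as 'not set', and flags the risky settings. The function names, the injectable reader and the sample values are assumptions made for illustration.

```powershell
# Added example: hypothetical helper names, not from the original notes.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: the OS default applies
}

function Test-CredentialHardening {
    # $Reader is injectable so the logic can be exercised with constructed values.
    param([scriptblock]$Reader = { param($p, $n) Get-RegValueOrNull -Path $p -Name $n })

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wd  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    $checks = @(
        # Levels 0-2 send LM/NTLMv1 responses; a missing value is not flagged.
        @{ Check = 'NTLMv1 responses sent'; Path = $lsa; Name = 'LmCompatibilityLevel'
           Risky = { param($v) $null -ne $v -and $v -lt 3 } },
        # 1 = WDigest keeps logon credentials in memory.
        @{ Check = 'WDigest credential caching'; Path = $wd; Name = 'UseLogonCredential'
           Risky = { param($v) $v -eq 1 } },
        # 1 or 2 = enabled; absent is treated as not enabled (assumption, confirm on the host).
        @{ Check = 'LSA protection (RunAsPPL) off'; Path = $lsa; Name = 'RunAsPPL'
           Risky = { param($v) $v -notin 1, 2 } }
    )

    foreach ($c in $checks) {
        $value = & $Reader $c.Path $c.Name
        [pscustomobject]@{
            Check = $c.Check
            Value = if ($null -eq $value) { 'not set' } else { $value }
            Risky = [bool](& $c.Risky $value)
        }
    }
}

# Live host:
# Test-CredentialHardening | Format-Table -AutoSize

# Constructed sample values (not from a real host); RunAsPPL is deliberately absent.
$sample = @{ LmCompatibilityLevel = 2; UseLogonCredential = 1 }
Test-CredentialHardening -Reader { param($p, $n) $sample[$n] } | Format-Table -AutoSize
```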