├── .gitignore
├── ADHuntingDemo
│   ├── SANS-DFIR-2022-Demo-HiddenObjects_AddFullyHiddenUser.gif
│   ├── SANS-DFIR-2022-Demo-HiddenObjects_AddHiddenUserSIDHistory.gif
│   ├── SANS-DFIR-2022-Demo-HiddenObjects_Export-HuntingHiddenObjectsWithDRSRepData.gif
│   └── Set-ObjectDenyRightForEveryone.ps1
├── FarsightAD.ps1
├── LICENSE
├── README.md
└── SANS_DFIR_Summit_2022-Hunting_for_Active_Directory_persistence-v1.2.pdf

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
!.vscode/*.code-snippets
.vs/*
*/.vs/*

# Local History for Visual Studio Code
.history/

# Built Visual Studio Code Extensions
*.vsix

_old/*
Temp/*
--------------------------------------------------------------------------------
/ADHuntingDemo/SANS-DFIR-2022-Demo-HiddenObjects_AddFullyHiddenUser.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Qazeer/FarsightAD/3abba21cc660976b63844527c9989a38015d2e73/ADHuntingDemo/SANS-DFIR-2022-Demo-HiddenObjects_AddFullyHiddenUser.gif
--------------------------------------------------------------------------------
/ADHuntingDemo/SANS-DFIR-2022-Demo-HiddenObjects_AddHiddenUserSIDHistory.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Qazeer/FarsightAD/3abba21cc660976b63844527c9989a38015d2e73/ADHuntingDemo/SANS-DFIR-2022-Demo-HiddenObjects_AddHiddenUserSIDHistory.gif
--------------------------------------------------------------------------------
/ADHuntingDemo/SANS-DFIR-2022-Demo-HiddenObjects_Export-HuntingHiddenObjectsWithDRSRepData.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Qazeer/FarsightAD/3abba21cc660976b63844527c9989a38015d2e73/ADHuntingDemo/SANS-DFIR-2022-Demo-HiddenObjects_Export-HuntingHiddenObjectsWithDRSRepData.gif
--------------------------------------------------------------------------------
/ADHuntingDemo/Set-ObjectDenyRightForEveryone.ps1:
--------------------------------------------------------------------------------
#requires -Module ActiveDirectory

# Demo helper: add an explicit Deny ACE for Everyone (S-1-1-0) on an AD object, either on
# the whole object (default) or on a single attribute identified by its schemaIDGUID.
# Denying ReadProperty this way is what hides an object or an attribute (e.g. sIDHistory)
# from direct LDAP queries, while DRS replication still returns it.
function Set-ObjectDenyRightForEveryone {
    Param(
        # Name (CN) of the target object, matched with an LDAP filter on "name".
        [Parameter(Mandatory=$True)][String]$Object,
        # ActiveDirectoryRights value(s) to deny, e.g. "ReadProperty" or "ReadProperty, ListObject".
        [Parameter(Mandatory=$True)][String]$Right,
        # schemaIDGUID of the attribute the ACE applies to; the null GUID means the whole object.
        [Parameter(Mandatory=$False)][String]$AttributeGuid = "00000000-0000-0000-0000-000000000000",
        [Parameter(Mandatory=$False)][String]$Server = $null,
        [Parameter(Mandatory=$False)][System.Management.Automation.PSCredential]$Credential = $null,
        [Parameter(Mandatory=$False)][String]$ADDriveName = "ADHunting"
    )

    # Function-scoped defaults so every AD cmdlet and the PSDrive target the same DC
    # with the same credentials (a change on one DC is what replication metadata will show).
    $PSDefaultParameterValues = @{}

    If (!$Server) {
        $Server = (Get-ADDomain).PDCEmulator
    }
    $PSDefaultParameterValues.Add("*-AD*:Server", $Server)
    $PSDefaultParameterValues.Add("New-PSDrive:Server", $Server)

    If ($Credential) {
        $PSDefaultParameterValues.Add("*-AD*:Credential", $Credential)
        $PSDefaultParameterValues.Add("New-PSDrive:Credential", $Credential)
    }

    New-PSDrive -PSProvider ActiveDirectory -Name "$ADDriveName" -Root "//RootDSE/" | Out-Null

    Try {
        # Fail rather than silently modify the wrong object if the name is ambiguous or unknown.
        $candidates = @(Get-ADObject -LDAPFilter "(Name=$Object)" -ErrorAction Stop)
        If ($candidates.Count -ne 1) {
            Throw "Expected exactly one object named '$Object', found $($candidates.Count)."
        }
        $ObjectDN = $candidates[0].DistinguishedName

        $acl = Get-ACL "${ADDriveName}:$ObjectDN"

        $identity = [System.Security.Principal.IdentityReference] $(New-Object System.Security.Principal.SecurityIdentifier "S-1-1-0")
        $adRights = [System.DirectoryServices.ActiveDirectoryRights] "$Right"
        $type = [System.Security.AccessControl.AccessControlType] "Deny"
        $objectGuid = New-Object Guid $AttributeGuid
        # No inheritance: the ACE is placed on this object only.
        $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"

        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $objectGuid, $inheritanceType
        $acl.AddAccessRule($ace)

        Set-Acl -AclObject $acl "${ADDriveName}:$ObjectDN"
    }
    Finally {
        # Always drop the temporary drive, even when the lookup or Set-Acl failed.
        Remove-PSDrive -Name "$ADDriveName"
    }
}
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.

For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c.
Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# FarsightAD

## Table of Contents

- [FarsightAD](#farsightad)
  - [Table of Contents](#table-of-contents)
  - [Description](#description)
  - [Prerequisite](#prerequisite)
  - [Basic usage](#basic-usage)
  - [AD Hunting cmdlets](#ad-hunting-cmdlets)
  - [Demo](#demo)
    - [Fully / partially hidden objects detection](#fully--partially-hidden-objects-detection)
  - [Acknowledgements](#acknowledgements)
  - [Thanks](#thanks)
  - [Author](#author)
  - [Licence](#licence)

## Description

`FarsightAD` is a PowerShell script that aims to help uncover persistence
mechanisms (if any) deployed by a threat actor following an Active Directory
domain compromise.

The script produces CSV / JSON file exports of various objects and their
attributes, enriched with timestamps from replication metadata. Additionally,
if executed with replication privileges (the `DS-Replication-Get-Changes` and
`DS-Replication-Get-Changes-All` rights on the domain, held by default by
Domain Admins), the `Directory Replication Service (DRS)` protocol is leveraged
to detect fully or partially hidden objects: objects or attributes that a deny
ACE makes unreadable through a direct LDAP query, but that replication still
returns because the DACL is not enforced for replication operations.
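The DRS-based detection above is needed because an attacker can hide an object or a single attribute (the demo below hides a user and a `sIDHistory` value) with an explicit Deny ACE granted to a broad principal such as Everyone, which also blinds the administrators doing the hunt. The DACL itself stays readable, since reading `nTSecurityDescriptor` depends on `READ_CONTROL` rather than `ReadProperty`, so the same technique can be hunted from the LDAP side. The following function is an added example written for this page, not part of FarsightAD (its name and parameters are this example's own); it assumes the `ActiveDirectory` module and a reachable DC, enumerates explicit Deny ACEs on read / list rights granted to Everyone, Authenticated Users, BUILTIN\Users or Domain Users, resolves what each ACE applies to through the schema and extended-rights GUIDs, and timestamps the DACL change with the replication metadata of `nTSecurityDescriptor`, the same enrichment the FarsightAD exports use.

```powershell
#requires -Module ActiveDirectory

# Added example, not FarsightAD code: hunt explicit Deny ACEs that hide objects or
# attributes from direct LDAP queries, and date them with replication metadata.
function Find-ADHuntingBroadDenyACE {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$False)][String]$Server,
        [Parameter(Mandatory=$False)][System.Management.Automation.PSCredential]$Credential,
        # Defaults to the domain head; narrow it down on large domains.
        [Parameter(Mandatory=$False)][String]$SearchBase
    )

    $adArgs = @{}
    If ($Credential) { $adArgs["Credential"] = $Credential }
    If ($Server) { $adArgs["Server"] = $Server }

    $domain = Get-ADDomain @adArgs
    If (!$Server) { $adArgs["Server"] = $domain.PDCEmulator }
    If (!$SearchBase) { $SearchBase = $domain.DistinguishedName }

    # Everyone, Authenticated Users, BUILTIN\Users, Domain Users: a Deny for any of
    # them also applies to the account running the hunt.
    $broadSids = @("S-1-1-0", "S-1-5-11", "S-1-5-32-545", "$($domain.DomainSID.Value)-513")

    # Resolve ACE ObjectType GUIDs: schemaIDGUID of attributes / classes, rightsGuid of
    # property sets and extended rights.
    $rootDse = Get-ADRootDSE @adArgs
    $guidNames = @{}
    Get-ADObject @adArgs -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidNames[[Guid] $_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject @adArgs -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter "(rightsGuid=*)" -Properties displayName, rightsGuid |
        ForEach-Object { $guidNames[[Guid] $_.rightsGuid] = $_.displayName }

    # Rights whose denial hides an object or its attributes from direct LDAP queries.
    $hidingRights = [int] [System.DirectoryServices.ActiveDirectoryRights] "ReadProperty, ListChildren, ListObject, GenericRead, GenericAll"

    Get-ADObject @adArgs -SearchBase $SearchBase -LDAPFilter "(objectClass=*)" -Properties nTSecurityDescriptor -ResultPageSize 500 |
        ForEach-Object {
            $object = $_
            # No READ_CONTROL on the object: the DACL cannot be reviewed, which is itself worth a look.
            If ($null -eq $object.nTSecurityDescriptor) {
                Write-Warning "DACL not readable on $($object.DistinguishedName)"
                Return
            }
            # Explicit ACEs only (inherited ones are reported where they are set), SID identities.
            $rules = $object.nTSecurityDescriptor.GetAccessRules($True, $False, [System.Security.Principal.SecurityIdentifier])
            $daclMetadata = $null

            ForEach ($rule in $rules) {
                If ($rule.AccessControlType -ne "Deny") { Continue }
                If ($broadSids -notcontains $rule.IdentityReference.Value) { Continue }
                If (([int] $rule.ActiveDirectoryRights -band $hidingRights) -eq 0) { Continue }

                # When and on which DC the DACL was last modified, from the replication
                # metadata of nTSecurityDescriptor (no replication privileges needed).
                If ($null -eq $daclMetadata) {
                    $daclMetadata = Get-ADReplicationAttributeMetadata @adArgs -Object $object.DistinguishedName -Properties nTSecurityDescriptor
                }

                $appliesTo = If ($rule.ObjectType -eq [Guid]::Empty) { "<whole object>" }
                             ElseIf ($guidNames.ContainsKey($rule.ObjectType)) { $guidNames[$rule.ObjectType] }
                             Else { $rule.ObjectType.ToString() }
                Try { $deniedTo = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                Catch { $deniedTo = $rule.IdentityReference.Value }

                [PSCustomObject] @{
                    DistinguishedName = $object.DistinguishedName
                    ObjectClass       = $object.ObjectClass
                    DeniedTo          = $deniedTo
                    DeniedRights      = $rule.ActiveDirectoryRights.ToString()
                    AppliesTo         = $appliesTo
                    DaclVersion       = $daclMetadata.Version
                    DaclLastChange    = $daclMetadata.LastOriginatingChangeTime
                    DaclChangedOnDC   = $daclMetadata.LastOriginatingChangeDirectoryServerIdentity
                }
            }
        }
}

# Usage, in the spirit of the FarsightAD exports (server name is a placeholder):
# Find-ADHuntingBroadDenyACE -Server dc01.corp.example | Export-Csv -NoTypeInformation .\BroadDenyACEs.csv
```

A hit with `AppliesTo = sIDHistory` and `DeniedTo = Everyone` is the second demo below; `<whole object>` with `ReadProperty` or `GenericAll` is the first. Two limits are worth keeping in mind: an object that the scanning account cannot even list does not come back from the LDAP search at all, which is exactly the case `Export-ADHuntingHiddenObjectsWithDRSRepData` covers with replication rights, and a Deny ACE can also be placed on a parent OU and inherited, so objects in the `DACL not readable` warnings deserve a look at their parents.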

For more information, refer to the
[SANS DFIR Summit 2022 introductory slides](https://github.com/Qazeer/FarsightAD/blob/main/SANS_DFIR_Summit_2022-Hunting_for_Active_Directory_persistence-v1.2.pdf).

## Prerequisite

`FarsightAD` requires
[`PowerShell 7`](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows)
and the `ActiveDirectory` module updated for `PowerShell 7`.

On Windows 10 / 11, the module can be installed through the `Optional Features`
as
[`RSAT: Active Directory Domain Services and Lightweight Directory Services Tools`](https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools).
An already installed module can be updated, from an elevated prompt, by
(re)adding the Windows capability that corresponds to that feature:

```
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
```

If the module is correctly updated, `Get-Command Get-ADObject` should return:

```
CommandType     Name              Version    Source
-----------     ----              -------    ------
Cmdlet          Get-ADObject      1.0.X.X    ActiveDirectory
```

## Basic usage

```
. .\FarsightAD.ps1

Invoke-ADHunting [-Server <DC FQDN>] [-Credential <PSCredential>] [-ADDriveName <drive name>] [-OutputFolder <path>] [-ExportType <CSV | JSON>]
```

## AD Hunting cmdlets

| Cmdlet | Synopsis |
|--------|----------|
| `Invoke-ADHunting` | Execute all the FarsightAD AD hunting cmdlets (listed below). |
| `Export-ADHuntingACLDangerousAccessRights` | Export dangerous ACEs, i.e. ACEs that allow takeover of the underlying object, on all the domain's objects.<br><br>May take a while on larger domains. |
| `Export-ADHuntingACLDefaultFromSchema` | Export the ACL configured in the defaultSecurityDescriptor attribute of Schema classes.<br><br>Non-default (as defined in the Microsoft documentation) ACLs are identified and potentially dangerous ACEs are highlighted. |
| `Export-ADHuntingACLPrivilegedObjects` | Export the ACL configured on the privileged objects in the domain and highlight potentially dangerous access rights. |
| `Export-ADHuntingADCSCertificateTemplates` | Export information and access rights on certificate templates.<br><br>The following notable parameters are retrieved: certificate template publish status, certificate usage, whether the subject is constructed from user-supplied data, and access control (enrollment / modification). |
| `Export-ADHuntingADCSPKSObjects` | Export information and access rights on sensitive PKS objects (NTAuthCertificates, certificationAuthority, and pKIEnrollmentService). |
| `Export-ADHuntingGPOObjectsAndFilesACL` | Export ACL access rights information on GPO objects and files, highlighting GPOs that are applied to privileged users or computers. |
| `Export-ADHuntingGPOSettings` | Export information on various settings configured by GPOs that could be leveraged for persistence (privileges and logon rights, restricted groups membership, scheduled and immediate tasks V1 / V2, machine and user logon / logoff scripts). |
| `Export-ADHuntingHiddenObjectsWithDRSRepData` | Export the objects' attributes that are accessible through replication (with the Directory Replication Service (DRS) protocol) but not by direct query.<br><br>Access control is not enforced for replication operations, which makes it possible to identify ACEs that block direct access to specific objects or attributes.<br><br>Only a limited set of sensitive attributes is assessed. |
| `Export-ADHuntingKerberosDelegations` | Export the Kerberos delegations that are considered dangerous (unconstrained, constrained to a privileged service, or resource-based constrained on a privileged service). |
| `Export-ADHuntingPrincipalsAddedViaMachineAccountQuota` | Export the computers that were added to the domain by non-privileged principals (using the ms-DS-MachineAccountQuota mechanism). |
| `Export-ADHuntingPrincipalsCertificates` | Export parsed accounts' certificate(s) (for accounts having a non-empty userCertificate attribute).<br><br>The certificates are parsed to retrieve a number of parameters: certificate validity timestamps, certificate purpose, certificate subject and eventual SubjectAltName(s), ... |
| `Export-ADHuntingPrincipalsDontRequirePreAuth` | Export the accounts that do not require Kerberos pre-authentication. |
| `Export-ADHuntingPrincipalsOncePrivileged` | Export the accounts that were once members of privileged groups. |
| `Export-ADHuntingPrincipalsPrimaryGroupID` | Export the accounts that have a non-default primaryGroupID attribute, highlighting RIDs linked to privileged groups. |
| `Export-ADHuntingPrincipalsPrivilegedAccounts` | Export detailed information about members of privileged groups. |
| `Export-ADHuntingPrincipalsPrivilegedGroupsMembership` | Export privileged groups' current and past members, retrieved using replication metadata. |
| `Export-ADHuntingPrincipalsSIDHistory` | Export the accounts that have a non-empty SID History attribute, with resolution of the associated domain and highlighting of privileged SIDs. |
| `Export-ADHuntingPrincipalsShadowCredentials` | Export parsed Key Credentials information (of accounts having a non-empty msDS-KeyCredentialLink attribute). |
| `Export-ADHuntingPrincipalsTechnicalPrivileged` | Export the technical privileged accounts (SERVER_TRUST_ACCOUNT and INTERDOMAIN_TRUST_ACCOUNT). |
| `Export-ADHuntingPrincipalsUPNandAltSecID` | Export the accounts that define a UserPrincipalName or AltSecurityIdentities attribute, highlighting potential anomalies. |
| `Export-ADHuntingTrusts` | Export the trusts of all the domains in the forest.<br><br>A number of parameters are retrieved for each trust: transitivity, SID filtering, TGT delegation. |

More information on each cmdlet usage can be retrieved using `Get-Help -Full <cmdlet>`.

## Demo

#### Fully / partially hidden objects detection

![](ADHuntingDemo/SANS-DFIR-2022-Demo-HiddenObjects_AddFullyHiddenUser.gif)


*Adding a fully hidden user*

![](ADHuntingDemo/SANS-DFIR-2022-Demo-HiddenObjects_AddHiddenUserSIDHistory.gif)

*Hiding the SID History attribute of a user*

![](ADHuntingDemo/SANS-DFIR-2022-Demo-HiddenObjects_Export-HuntingHiddenObjectsWithDRSRepData.gif)

*Uncovering the fully and partially hidden users with `Export-ADHuntingHiddenObjectsWithDRSRepData`*

## Acknowledgements

- The `C#` code for `DRS` requests was adapted from:
  - [`MakeMeEnterpriseAdmin`](https://github.com/vletoux/MakeMeEnterpriseAdmin)
    by @vletoux.
  - [`Mimikatz`](https://github.com/gentilkiwi/mimikatz) by @gentilkiwi and
    @vletoux.
  - [`SharpKatz`](https://github.com/b4rtik/SharpKatz) by @b4rtik.

- The functions to parse Key Credentials are from the
  [`ADComputerKeys PowerShell module`](https://www.powershellgallery.com/packages/ADComputerKeys/1.0.0/Content/ADComputerKeys.psm1).

- The AD CS related persistence is based on work from:
  - [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910965cd2)
    by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_)
  - [Microsoft ADCS – Abusing PKI in Active Directory Environment](https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/)
    by Jean Marsault (@iansus)

- The function to parse Service Principal Names is based
  [on work from Adam Bertram](https://github.com/adbertram/Random-PowerShell-Work/blob/master/ActiveDirectory/ActiveDirectorySPN.psm1).

## Thanks

- Antoine Cauchois (@caucho_a) for the proofreading, testing and ideas.

## Author

[Thomas DIOT (Qazeer)](https://twitter.com/_Qazeer)

## Licence

CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/

--------------------------------------------------------------------------------
/SANS_DFIR_Summit_2022-Hunting_for_Active_Directory_persistence-v1.2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Qazeer/FarsightAD/3abba21cc660976b63844527c9989a38015d2e73/SANS_DFIR_Summit_2022-Hunting_for_Active_Directory_persistence-v1.2.pdf
--------------------------------------------------------------------------------
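The `Export-ADHuntingPrincipalsPrivilegedGroupsMembership` and `Export-ADHuntingPrincipalsOncePrivileged` rows of the cmdlet table above rest on one property of Active Directory replication: the `member` attribute is link-valued, and every link carries its own replication metadata, which a removed link keeps (as a tombstoned link value) until the tombstone lifetime expires. Past members therefore remain visible to anyone who can read the group's `msDS-ReplAttributeMetaData`, without a DRS client. The following is an added example written for this page and not FarsightAD's own code (function names and the placeholder server name are this example's assumptions); it assumes the `ActiveDirectory` module, rebuilds each privileged group's current and removed members with add / change / removal timestamps, and resolves the well-known privileged groups by SID so that Enterprise Admins and Schema Admins, which only exist in the forest root domain, are skipped elsewhere.

```powershell
#requires -Module ActiveDirectory

# Added example, not FarsightAD code: current and past group members rebuilt from the
# replication metadata of the linked "member" attribute.
function Get-ADHuntingGroupMembershipHistory {
    [CmdletBinding()]
    Param(
        # Any identity accepted by Get-ADGroup (DN, SID, sAMAccountName, ...).
        [Parameter(Mandatory=$True)][String]$Group,
        [Parameter(Mandatory=$False)][String]$Server,
        [Parameter(Mandatory=$False)][System.Management.Automation.PSCredential]$Credential
    )

    $adArgs = @{}
    If ($Credential) { $adArgs["Credential"] = $Credential }
    If (!$Server) { $Server = (Get-ADDomain @adArgs).PDCEmulator }
    $adArgs["Server"] = $Server

    $groupObject = Get-ADGroup @adArgs -Identity $Group

    # -ShowAllLinkedValues returns one metadata entry per link value of "member". A removed
    # member is still listed, with LastOriginatingDeleteTime set, until the tombstone
    # lifetime expires; active links carry no deletion time (null or the 1601 epoch).
    Get-ADReplicationAttributeMetadata @adArgs -Object $groupObject.DistinguishedName -Properties member -ShowAllLinkedValues |
        ForEach-Object {
            $deleted = $_.LastOriginatingDeleteTime
            $removed = ($null -ne $deleted) -and ($deleted.Year -gt 1601)
            [PSCustomObject] @{
                Group       = $groupObject.DistinguishedName
                Member      = $_.AttributeValue
                State       = If ($removed) { "Removed" } Else { "Current" }
                FirstAdded  = $_.FirstOriginatingCreateTime
                LastChange  = $_.LastOriginatingChangeTime
                RemovedOn   = If ($removed) { $deleted } Else { $null }
                Version     = $_.Version      # increments on every add / remove of this link
                ChangedOnDC = $_.LastOriginatingChangeDirectoryServerIdentity
            }
        }
}

function Get-ADHuntingPrivilegedGroupsMembershipHistory {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$False)][String]$Server,
        [Parameter(Mandatory=$False)][System.Management.Automation.PSCredential]$Credential
    )

    $adArgs = @{}
    If ($Credential) { $adArgs["Credential"] = $Credential }
    If ($Server) { $adArgs["Server"] = $Server }
    $domainSid = (Get-ADDomain @adArgs).DomainSID.Value

    # Well-known privileged groups, by SID / RID rather than by (localisable) name.
    $privilegedSids = @(
        "S-1-5-32-544",     # Administrators
        "S-1-5-32-548",     # Account Operators
        "S-1-5-32-549",     # Server Operators
        "S-1-5-32-550",     # Print Operators
        "S-1-5-32-551",     # Backup Operators
        "$domainSid-512",   # Domain Admins
        "$domainSid-518",   # Schema Admins (forest root only)
        "$domainSid-519"    # Enterprise Admins (forest root only)
    )

    ForEach ($sid in $privilegedSids) {
        Try {
            $group = Get-ADGroup @adArgs -Identity $sid -ErrorAction Stop
        } Catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            Continue   # RID 518 / 519 do not resolve in a child domain
        }
        Get-ADHuntingGroupMembershipHistory @adArgs -Group $group.DistinguishedName
    }
}

# Usage (server name is a placeholder):
# Get-ADHuntingPrivilegedGroupsMembershipHistory -Server dc01.corp.example |
#     Where-Object State -eq "Removed" | Export-Csv -NoTypeInformation .\OncePrivileged.csv
```

Two gaps a hunt should close separately, both of which the FarsightAD cmdlet table already accounts for: membership granted through `primaryGroupID` never appears in `member` (hence `Export-ADHuntingPrincipalsPrimaryGroupID`), and nested membership is only visible one level at a time, so run the history against the nested groups too. Link metadata also only exists for links created after the forest moved to link-value replication, and a removal older than the tombstone lifetime has been garbage-collected and is gone.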