https://github.com/phillips321/adaudit

Powershell script to do domain auditing automation
https://github.com/phillips321/adaudit

Last synced: 3 months ago
JSON representation

Powershell script to do domain auditing automation

• Host: GitHub
• URL: https://github.com/phillips321/adaudit
• Owner: phillips321
• Created: 2018-04-20T11:29:06.000Z (over 7 years ago)
• Default Branch: master
• Last Pushed: 2024-11-15T10:37:29.000Z (12 months ago)
• Last Synced: 2024-11-15T11:30:32.452Z (12 months ago)
• Language: PowerShell
• Homepage: https://www.phillips321.co.uk
• Size: 203 KB
• Stars: 374
• Watchers: 30
• Forks: 100
• Open Issues: 7
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - phillips321/adaudit - Powershell script to do domain auditing automation (PowerShell)

README

          
# adaudit

This PowerShell script is designed to conduct a comprehensive audit of Microsoft Active Directory, focusing on identifying common security vulnerabilities and weaknesses. Its execution facilitates the pinpointing of critical areas that require reinforcement, thereby fortifying your infrastructure against prevalent tactics used in lateral movement or privilege escalation attacks targeting Active Directory.

```

_____ ____     _____       _ _ _

|  _  |    \   |  _  |_ _ _| |_| |_

|     |  |  |  |     | | | . | |  _|

|__|__|____/   |__|__|___|___|_|_|

                 by phillips321

```

If you have any decent powershell one liners that could be used in the script please let me know. I'm trying to keep this script as a single file with no requirements on external tools (other than ntdsutil and cmd.exe)

Run directly on a DC using a DA. If you don't trust the code I suggest reading it first and you'll see it's all harmless! (But shouldn't you be doing that anyway with code you download off the net and then run as DA??)

## What this does

* Device Information

  * Get-HostDetails

* Domain Audit

  * Get-LastWUDate

  * Get-DCEval

  * Get-TimeSource

  * Get-PrivilegedGroupMembership

  * Get-MachineAccountQuota

  * Get-DefaultDomainControllersPolicy

  * Get-SMB1Support

  * Get-FunctionalLevel

  * Get-DCsNotOwnedByDA

  * Get-ReplicationType

  * Get-RecycleBinState

  * Get-CriticalServicesStatus

  * Get-RODC

* Domain Trust Audit

  * Get-DomainTrusts

* User Accounts Audit

  * Get-InactiveAccounts

  * Get-DisabledAccounts

  * Get-LockedAccounts

  * Get-AdminAccountChecks

  * Get-NULLSessions

  * Get-PrivilegedGroupAccounts

  * Get-ProtectedUsers

* Password Information Audit

  * Get-AccountPassDontExpire

  * Get-UserPasswordNotChangedRecently

  * Get-PasswordPolicy

  * Get-PasswordQuality

* Dumps NTDS.dit

  * Get-NTDSdit

* Computer Objects Audit

  * Get-OldBoxes

* GPO audit (and checking SYSVOL for passwords)

  * Get-GPOtoFile

  * Get-GPOsPerOU

  * Get-SYSVOLXMLS

  * Get-GPOEnum

* Check Generic Group AD Permissions

  * Get-OUPerms

* Check For Existence of LAPS in domain

  * Get-LAPSStatus

* Check For Existence of Authentication Polices and Silos

  * Get-AuthenticationPoliciesAndSilos

* Check for insecure DNS zones

  * Get-DNSZoneInsecure

* Check for newly created users and groups

  * Get-RecentChanges

* Check for ADCS vulnerabilties, ESC1,2,3,4 and 8. 

* Check for high value kerberoastable accounts 

* Check for ASREPRoastable accounts

* Check for dangerous ACL permissions on Users, Groups and Computers. 

* Check LDAP and LDAPs settings (Signing, null sessions etc )

## Runtime Args

The following switches can be used in combination

* `-installdeps` installs optional features (DSInternals)

* `-hostdetails` retrieves hostname and other useful audit info

* `-domainaudit` retrieves information about the AD such as functional level

* `-trusts` retrieves information about any domain trusts

* `-accounts` identifies account issues such as expired, disabled, etc...

* `-passwordpolicy` retrieves password policy information

* `-ntds` dumps the NTDS.dit file using `ntdsutil`

* `-oldboxes` identified outdated OSs like XP/2003 joined to the domain

* `-gpo` dumps the GPOs in XML and HTML for later analysis

* `-ouperms` checks generic OU permission issues

* `-laps` checks if LAPS is installed

* `-authpolsilos` checks for existence of authentication policies and silos

* `-insecurednszone` checks for insecure DNS zones

* `-recentchanges` checks for newly created users and groups (last 30 days)

* `-adcs` checks for ADCS vulnerabilties, ESC1,2,3,4 and 8.

* `-acl` checks for dangerous ACL permissions on Users, Groups and Computers. 

* `-spn` checks for high value kerberoastable accounts 

* `-asrep` checks for ASREPRoastable accounts

* `-ldapsecurity` checks for multiple LDAP issues

* `-exclude` allows you to exclude specific checks when using `adaudit.ps1 -all -exclude ouperms,ntds,adcs"`

* `-select` allows you to exclude specific checks when using `adaudit.ps1 -all "gpo,ntds,acl"`

* `-all` runs all checks, e.g. `AdAudit.ps1 -all`