Error.log

All the errors are attached in log

In some environments where the Active Directory Recycle Bin is enabled, it is reported as disabled in the CSV and Excel reports when using the LDAP method from a Stand Alone workstation. There are two primary possible reasons why this occurs:

1. AD Recycle Bin is available via Server 2008 R2 and later forest levels (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-). According to the scripts own FLAD variable, the forest functional level integer value for 2008R2 is 4, but in both the ADWS and LDAP Recycle Bin Feature Status Enumeration code, there is a check to see if Forest Mode is 6 or greater (Windows 2012R2 or later) before it will even enumerate the feature. This should be 4 to include Windows Server 2008R2 and later - correct?

2. For the LDAP method from a standalone workstation, some AD environments have been observed returning the "msDS-EnabledFeatureBL" property in all lower case. While powershell is mostly case indifferent, it appears that this Active Directory property is case sensitive.

• https://social.technet.microsoft.com/Forums/windowsserver/en-US/b95eb187-16fe-41d0-bd8e-2f22b1e5f140/query-userprincipalname-usign-powershell?forum=winserverpowershell
• https://social.technet.microsoft.com/Forums/windowsserver/en-US/78e10a25-deca-4378-bc45-5c5d2ee5734c/powershell-case-sensitivity

For environments where the property is returned in all lower case "msds-enabledfeaturebl" (see example below on a manual step through of the ADRecon script)

the check "$ADRecycleBin.Properties.'msDS-EnabledFeatureBL'.Count -gt 0" fails (even when Recycle Bin is enabled) and the report shows the Recycle Bin Feature as disabled. This is all despite the script enumerating the $ADRecycleBin variable correctly on a manual step through; the output of the variable shows the Recycle Bin Feature option is enabled and the proper applied scope when the affected property is called using all lower case, I am not certain that this property is always returned in lower case - but have found two different AD environments where it is.

Hey Prashant,

Just wanted to let you know the latest update has broken excel document generation.
The scripts saves the ISM control column name as 'ISM Controls 10Mar2022' on line 5519, but line 7691 expects it to be 'ISM Controls 16Jun2022'.

This causes excel to repair the document on startup, with no way to save the repaired file:

Should be a simple fix, change the name parameter on line 5519 to 'ISM Controls 16Jun2022'.

Thanks & love the tool!

Windows Defender detects ps1 as HackTool:PowerShell/ADRecon!MSR.

Can we use something like Get-ADFineGrainedPasswordPolicy and Get-ADDomainDefaultPasswordPolicy and merge it with the GPO pull for password policy so we can see all the password policies on the domain not just want is in the GPO?

This issue is for situations that you run adrecon collect, create a folder with csv files, then try to merge

Command:
Invoke-ADRecon -GenExcel .\ADRecon-Report-20200326214743\

Output:

cmdlet Invoke-ADRecon at command pipeline position 1
Supply values for the following parameters:
Collect[0]:

For Example:
I'm trying to generate a report by overriding the DormantTimeSpan parameter in the adrecon.ps1 script. I'm using the following command:
./adrecon.ps1 -DormantTimeSpan 180 -GenExcel "..path\to\report"

The script executes without any errors, but the generated report still contains the default results. I have tried various combinations, but I have been unsuccessful in getting the desired output.

Operating System: Windows 10 Ver 22H2
PowerShell Version: 5.1.19041.3

Hi,

Is it possible to create the temp files in the working directory opposed to TEMP. During testing i dont always have access to the "C:\windows\temp" directory.

[*] ADRecon v1.27 by Prashant Mahajan (@prashant3535)
WARNING: [Invoke-ADRecon] ActiveDirectory Module from RSAT (Remote Server Administration Tools) is not installed ...
Continuing with LDAP
Add-Type : (0) : Source file 'C:\windows\temp\kf2y4vmy.0.cs' could not be found

Anyway around this?

• ADRecon v1.24
• .NET 5.0.204
• PowerShell 7.1.3
• ArchLinux

it seems that despite the fact I'm running the tool from linux, the prerequisites are satisfied.

PS /tmp/ADRecon> .\ADRecon.ps1 -DomainController 10.x.x.x -Credential domain.xxx\user
...
[*] ADRecon v1.24 by Prashant Mahajan (@prashant3535)
[Invoke-ADRecon] The term 'Get-CimInstance' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Computer Role could not be identified.
Remove-Variable: /tmp/ADRecon/ADRecon.ps1:11814
 Line |
11814 |      Remove-Variable computer
      |      ~~~~~~~~~~~~~~~~~~~~~~~~
      | Cannot find a variable with the name 'computer'.

Remove-Variable: /tmp/ADRecon/ADRecon.ps1:11815
 Line |
11815 |      Remove-Variable computerdomainrole
      |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      | Cannot find a variable with the name 'computerdomainrole'.

Remove-Variable: /tmp/ADRecon/ADRecon.ps1:11816
 Line |
11816 |      Remove-Variable computerrole
      |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      | Cannot find a variable with the name 'computerrole'.

WARNING: [Invoke-ADRecon] ActiveDirectory Module from RSAT (Remote Server Administration Tools) is not installed ... Continuing with LDAP
...

Does ADRecon absolutely requires to run on a Windows host?

Hi,

Is it possible to pass arguments when Running directly from memory, such as:

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/adrecon/ADRecon/master/ADRecon.ps1')

With something like:

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/adrecon/ADRecon/master/ADRecon.ps1' -Domain X )

Is there a way to run the script in "offline" mode without admin creds? I'm thinking of the situation where I have a disk image for analysis during an IR. I can get a copy of the NTDS folder from the image and run the script against it without the server being running. @prashant3535

WARNING: [*] LAPS is not implemented.

While processing excel file, the errors accur.

Another question, Messy Chinese character

I noticed on certain operating systems, when the output format date is '%m/%d/%Y %H:%M:%S %p', there is a time difference about 2 hours between the lastPasswordSet and the whenCreated field.

However, this information is wrong because the user has never changed his password. Both values should be the same.

We check on our Active Directory and the LastPasswordSet value is 6/14/2016 1:25:44 PM.

It could be problematic when we want to detect users have not changed their initial password by comparing lastPasswordSet and whenCreated.

Thanks in advance

Hello,
thanks for your effort in this project.
On recent windows systems ADRecon.ps1 raise the error “This script contains malicious content and has been blocked by your antivirus software”, this should be related to the AMSI component.
Do you know which section of the code is detected as malicious and how to fix/bypass it?

Hello,

when generating a report, I get tons of PowerShell errors. The Excel file is generated and usable, but I don't know what these errors mean, and if they are preventing something from being generated in the report. I also think they should be eliminated for the sake of not having erros when running the tool 😊

Here are a few of these errors. My system is in French, so I did my best to translate them.

Value doesn't belong in the expected range.
At D:\tools\adrecon\ADRecon.ps1:5509 : 17
+ ...             $worksheet.Range($ObjValues[$i]).FormatConditions.Add([Mi ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException

Invalid index. (HRESULT exception: 0x8002000B (DISP_E_BADINDEX))
At D:\tools\adrecon\ADRecon.ps1:5514 : 17
+ ...             $worksheet.Range($_).FormatConditions.Item(1).StopIfTrue  ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException

Cannot find an overload for « Style » and the number of arguments: « 1 »
At D:\tools\adrecon\ADRecon.ps1:4960 : 5
+     $worksheet.Cells.Item($row,$column).Style = "Heading 2"
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], SetValueInvocationException
    + FullyQualifiedErrorId : RuntimeException

HRESULT exception: 0x800A03EC
At D:\tools\adrecon\ADRecon.ps1:5914 : 17
+ ...             Get-ADRExcelChart -ChartType "xlPie" -ChartLayout 3 -Char ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException

You can get here a ZIP file containing the full error log, the CSV files, and the generated Excel file: ADRecon.zip

This was run on a testing environment, but the same errors happen on real environments.

Could you look into it and tell me why these errors occur, or what can I do to help you fix them?

It would be great if I could have the script run daily/weekly and do a diff from my original run and compare it to the current settings and email it to me.

This way I can do see what changes and when to detect compromise

Hello

I am not capable anymore to download and install the tool : Trojan has been detected and the tools remove by the antivirus.

Can you please update the tool ?

Regards

There looks to be some invalid characters in the script body, smart quotes and longer hyphens. Script errors out unless you replace these.

Smart quotes on these lines:
10297
10311
10322
10325
10326

Long hyphens on these lines:
11285
11293

BTW - This script is awesome

Im getting the following error (we have > 10,000 groups)

[-] Group Memberships - May take some time
Exception caught: System.ArgumentException: Destination array was not long enough. Check destIndex and length, and the array's lower bounds.
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at System.Collections.Generic.Dictionary2.Resize(Int32 newSize, Boolean forceNewHashCodes) at System.Collections.Generic.Dictionary2.Insert(TKey key, TValue value, Boolean add)
at ADRecon.ADWSClass.GroupRecordDictionaryProcessor.processRecord(Object record)

im unable to run the script as it pose serious virus threat, i scan the PS script and it shows trojan detected, advise anyone plz.
plz have look at below link.

https://www.virustotal.com/gui/file/5cb950d97db0bfb3f5f8a7833515b34fa980f6d3fb3114cf9282367d5f7fb745

Enumerating ACLs in large environments can cause system resource exhaustion in large environments.

I have been able to update the Function Get-ADRACL to include -SearchBase $DnBase and $objSearcherPath.SearchRoot = "LDAP://$DnBase" using an additional property, but that isn't ideal.

The property could be brought into the helper Function Invoke-ADRecon or could be used to iterate through the subtrees as smaller chunks.

Let me know if you want me to merge the -SearchBase and SearchRoot as an example to test with.