1nTh35h3ll's Projects
Track past changes in your AD accounts (users & computers), even if no event logs exist - e.g. not collected, no retention/overwritten, wiped (e.g. during an Incident Response) etc. Uses Replication metadata history parsing
Babel-Shellfish deobfuscates and scans PowerShell scripts in real time, right before each line executes.
/dev/קרש
D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects
"Pure" PowerShell command (no dependencies, no special permissions, etc.) to retrieve the change history of an AD group's membership. Relies on object metadata rather than event logs. Useful for DF/IR, tracking changes in groups, etc.
A PowerShell implementation of PAC enumeration (similar to getpac.py). Does not require privileges. Can enumerate the Effective Token (Kerberos group SIDs) for any user.
Simple script to check when a user was added to a group (entry-level forensics).
Checks for changes in AD users. Useful in finding who|when changed what property of an AD user. Requires 'Event Log Readers' or equivalent. No additional modules required.
Detects DCShadow in retrospect, from the relevant DC demotion/ntdsDSA deletion.
Checks the Network Level Authentication settings of computers domain-wide, in light of RDP vulnerabilities such as BlueKeep and DejaBlue.
One-liner that gets the last logon for an account (user or computer) from all DCs. No dependencies, no special permissions, just LDAP connectivity.
Collects LDAP Query Performance Events and analyzes them to CSV & Grid. Helps in identifying large or unusual LDAP queries, either for Threat Hunting or IT optimization
Gets currently logged-on users on domain computers, to see if they are local admins or not.
Gets the latest Change (if ever) in userWorkstations attribute value (Logon restrictions by user workstations) using Replication property MetaData. No logging/auditing required. No special permissions required, just an authenticated domain user.
Automate Network sessions enumeration of connected users in the domain, to facilitate AD Reconnaissance for Adversary simulation & Red Teams
Query PS Sessions (wsman) for their connected users, IPs & hosts, locally & remotely
Query user sessions for the entire domain (Interactive/RDP etc), allowing you to query a Username and see all their logged on sessions, whether Active or Disconnected
Map account sessions for domain Endpoints or specific hosts, both SMB sessions (which accounts are connected via shares) and interactive (RDP, local, RunAs), with No admin permissions needed
GoldFinger - Suspicious TGT detection - collects | analyzes | hunts for potential Golden Tickets & Pass-The-Hash
Presentation from HackCon talk - 'It's just a tool. Not bad nor good. That part is up to YOU.'
Looks for evidence of PrintNightmare exploitation in logs. Requires 'Event Log Readers' or higher permissions. Defaults to domain controllers, yet can be pointed to any/all domain machines (using the -AllComputers parameter, or by changing the LDAP query). Outputs results of potential PrintNightmare exploitation to the console and a CSV file.
Hide your Powershell script in plain sight. Bypass all Powershell security features
Analyzes AdminSDHolder permissions & compares with a previous run, to detect potential backdoor/excessive persistent permission(s)
Centralized detection of Golden Tickets via anomalous Kerberos ticket detection AFTER resetting the krbtgt password TWICE. No dependencies/modules. Requires 'Event Log Readers' or equivalent.
Monitor TGS requests (All, or just Failed ones, with Error Code reasons). Useful during a live IR without other central threat hunting log solution, or in general, to monitor access & failure reasons
Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
Things that make you go hmm... scripts for fun(ctionality)
Code from my talk @ BSidesTLV 2019 on PowerShell as a Hacking Tool