{"id":1412,"date":"2018-04-19T19:17:33","date_gmt":"2018-04-19T18:17:33","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=1412"},"modified":"2018-04-19T19:32:55","modified_gmt":"2018-04-19T18:32:55","slug":"automating-an-active-directory-audit-in-powershell","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2018\/04\/19\/automating-an-active-directory-audit-in-powershell\/","title":{"rendered":"Automating an Active Directory Audit in PowerShell"},"content":{"rendered":"<p><img loading=\"lazy\" src=\"https:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2018\/04\/powershell-1030x770-150x150.png\" alt=\"\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-1413\" \/>So I&#8217;ve started doing a few Active Directory audits recently and noticed that I&#8217;m repeating myself over and over again.<\/p>\n<p>As such I&#8217;ve decided to write as much of this up as possible in a PowerShell script to make my life easier. I chose PowerShell for two reasons: 1. I need to learn PowerShell, 2. 
I don&#8217;t want to drop an exe on a remote box.<\/p>\n<p>This script doesn&#8217;t do everything, there&#8217;s still stuff to add, so recommend me things!<\/p>\n<p>It currently does the following:<\/p>\n<ul>\n<li>Password Policy Findings<\/li>\n<li>Looking for accounts that don&#8217;t expire<\/li>\n<li>Looking for inactive\/disabled accounts<\/li>\n<li>Looking for Server 2003\/XP machines connected to domain<\/li>\n<li>AD Findings<\/li>\n<li>Domain Trust Findings<\/li>\n<li>GPO Findings<\/li>\n<li>Trying to find SysVOL xml files containing cpassword<\/li>\n<li>Trying to save NTDS.dit<\/li>\n<\/ul>\n<div class=\"codecolorer-container powershell vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td><div class=\"powershell codecolorer\"><span class=\"kw2\">PS<\/span> Microsoft.PowerShell.Core\\FileSystem::\\\\tsclient\\Desktop<span class=\"sy0\">&gt;<\/span> \\\\tsclient\\Desktop\\AdAudit.ps1<br \/>\n&nbsp;_____ ____ &nbsp; &nbsp; _____ &nbsp; &nbsp; &nbsp; _ _ _<br \/>\n<span class=\"sy0\">|<\/span> &nbsp;_ &nbsp;<span class=\"sy0\">|<\/span> &nbsp; &nbsp;\\ &nbsp; <span class=\"sy0\">|<\/span> &nbsp;_ &nbsp;<span class=\"sy0\">|<\/span>_ _ _<span class=\"sy0\">|<\/span> <span class=\"sy0\">|<\/span>_<span class=\"sy0\">|<\/span> <span class=\"sy0\">|<\/span>_<br \/>\n<span class=\"sy0\">|<\/span> &nbsp; &nbsp; <span class=\"sy0\">|<\/span> &nbsp;<span class=\"sy0\">|<\/span> &nbsp;<span class=\"sy0\">|<\/span> &nbsp;<span class=\"sy0\">|<\/span> &nbsp; &nbsp; <span 
class=\"sy0\">|<\/span> <span class=\"sy0\">|<\/span> <span class=\"sy0\">|<\/span> . <span class=\"sy0\">|<\/span> <span class=\"sy0\">|<\/span> &nbsp;_<span class=\"sy0\">|<\/span><br \/>\n<span class=\"sy0\">|<\/span>__<span class=\"sy0\">|<\/span>__<span class=\"sy0\">|<\/span>____<span class=\"sy0\">\/<\/span> &nbsp; <span class=\"sy0\">|<\/span>__<span class=\"sy0\">|<\/span>__<span class=\"sy0\">|<\/span>___<span class=\"sy0\">|<\/span>___<span class=\"sy0\">|<\/span>_<span class=\"sy0\">|<\/span>_<span class=\"sy0\">|<\/span><br \/>\nv1.0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;by phillips321<br \/>\n<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> Script start time 04<span class=\"sy0\">\/<\/span><span class=\"nu0\">19<\/span><span class=\"sy0\">\/<\/span><span class=\"nu0\">2018<\/span> <span class=\"nu0\">19<\/span>:<span class=\"nu0\">29<\/span>:01<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">+<\/span><span class=\"br0\">&#93;<\/span> Outputting to \\\\tsclient\\Desktop\\2008R2X64SP1<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> Password Policy Findings<br \/>\n&nbsp; &nbsp; <span class=\"br0\">&#91;<\/span><span class=\"sy0\">!<\/span><span class=\"br0\">&#93;<\/span> Password Complexity not enabled<br \/>\n&nbsp; &nbsp; <span class=\"br0\">&#91;<\/span><span class=\"sy0\">!<\/span><span class=\"br0\">&#93;<\/span> Lockout threshold is less than <span class=\"nu0\">5<\/span><span class=\"sy0\">,<\/span> currently <span class=\"kw2\">set<\/span> to <span class=\"nu0\">0<\/span><br \/>\n&nbsp; &nbsp; <span class=\"br0\">&#91;<\/span><span class=\"sy0\">!<\/span><span class=\"br0\">&#93;<\/span> Minimum password length is less than <span class=\"nu0\">14<\/span><span class=\"sy0\">,<\/span> currently <span class=\"kw2\">set<\/span> to <span class=\"nu0\">7<\/span><br \/>\n&nbsp; &nbsp; <span 
class=\"br0\">&#91;<\/span><span class=\"sy0\">!<\/span><span class=\"br0\">&#93;<\/span> Passwords <span class=\"kw3\">do<\/span> not expire<br \/>\n&nbsp; &nbsp; <span class=\"br0\">&#91;<\/span><span class=\"sy0\">!<\/span><span class=\"br0\">&#93;<\/span> Passwords <span class=\"kw2\">history<\/span> is less than <span class=\"nu0\">12<\/span><span class=\"sy0\">,<\/span> currently <span class=\"kw2\">set<\/span> to <span class=\"nu0\">0<\/span><br \/>\n&nbsp; &nbsp; <span class=\"br0\">&#91;<\/span><span class=\"sy0\">!<\/span><span class=\"br0\">&#93;<\/span> <span class=\"nu0\">4<\/span> accounts with passwords older than 90days<span class=\"sy0\">,<\/span> see accounts_with_old_passwords.txt<br \/>\n<span class=\"br0\">&#91;<\/span><span class=\"sy0\">*<\/span><span class=\"br0\">&#93;<\/span> Looking <span class=\"kw3\">for<\/span> accounts that dont expire<br \/>\n&nbsp; &nbsp; <span class=\"br0\">&#91;<\/span><span class=\"sy0\">!<\/span><span class=\"br0\">&#93;<\/span> There are <span class=\"nu0\">4<\/span> accounts that don<span class=\"st0\">'t expire, see accounts_passdontexpire.txt<br \/>\n[*] Looking for inactive\/disabled accounts<br \/>\n&nbsp; &nbsp; [!] 1 inactive user accounts(180days), see accounts_inactive.txt<br \/>\n&nbsp; &nbsp; [!] 2 disabled user accounts, see accounts_disabled.txt<br \/>\n[*] Looking for server 2003\/XP machines connected to domain<br \/>\n[*] AD Findings<br \/>\n&nbsp; &nbsp; [!] Domain users can add 10 devices to the domain!<br \/>\n&nbsp; &nbsp; [!] SMBv1 is not disabled<br \/>\n[*] Domain Trust Findings<br \/>\n&nbsp; &nbsp; [!] Bidirectyional trust with domain test.local!<br \/>\n[*] GPO Findings<br \/>\n&nbsp; &nbsp; [+] GPO Report saved to GPOReport.html<br \/>\n&nbsp; &nbsp; [+] Inhertied GPOs saved to ous_inheritedGPOs.txt<br \/>\n[*] Trying to find SysVOL xml files containg cpassword...<br \/>\n&nbsp; &nbsp; [!] 
cpassword found in file, copying to output folder<br \/>\n&nbsp; &nbsp; &nbsp; &nbsp; \\\\FRUIT.COM\\SYSVOL\\fruit.com\\Policies\\{039AF941-42BE-4D56-A479-A284E3494670}\\User\\Preferences\\<br \/>\nDrives\\Drives.xml<br \/>\n&nbsp; &nbsp; [!] cpassword found in file, copying to output folder<br \/>\n&nbsp; &nbsp; &nbsp; &nbsp; \\\\FRUIT.COM\\SYSVOL\\fruit.com\\Policies\\{750D5660-5AB3-4A33-A776-6F10657A6662}\\Machine\\Preferenc<br \/>\nes\\ScheduledTasks\\ScheduledTasks.xml<br \/>\n[*] Trying to save NTDS.dit, please wait...<br \/>\n&nbsp; &nbsp; [+] NTDS.dit, SYSTEM &amp; SAM saved to output folder<br \/>\n&nbsp; &nbsp; [+] Use secretsdump.py -system registry\/SYSTEM -ntds Active\\ Directory\/ntds.dit LOCAL -outputfile <br \/>\ncustomer<br \/>\n[*] Script end time 04\/19\/2018 19:29:34<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>And finally the link to the code: <a href=\"https:\/\/github.com\/phillips321\/adaudit\" rel=\"noopener\" target=\"_blank\">github.com\/phillips321\/adaudit<\/a><\/p>\n","protected":false},"author":1,"featured_media":1413,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[482,481,484,483,485,487,486,415]}