# AD Snapshot with AD Explorer

- [AD Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) is part of the Sysinternals Suite and can also be used to save snapshots of an AD database for offline viewing and comparison
- Log into AD Explorer
  ![[images/Pasted image 20251107202810.png]]
- Browse AD with AD Explorer
  ![[images/Pasted image 20251107202828.png]]
- Create a snapshot of AD with AD Explorer
  ![[images/Pasted image 20251107202849.png]]

# PingCastle

- [PingCastle](https://www.pingcastle.com/documentation/) is a powerful tool that evaluates the security posture of an AD environment and presents the results in several different maps and graphs
- PingCastle is different from tools such as PowerView and BloodHound because, aside from providing us with enumeration data that can inform our attacks, it also provides a detailed report of the target domain's security level using a methodology based on a risk assessment/maturity framework
- The scoring shown in the report is based on the [Capability Maturity Model Integration](https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration) (CMMI)
- PingCastle has a TUI (interactive text menu) that starts when it is run without arguments

```cmd
.\pingcastle.exe

  |:.      PingCastle (Version 2.10.1.0     1/19/2022 8:12:02 AM)
  |  #:.   Get Active Directory Security at 80% in 20% of the time
  # @@  >  End of support: 7/31/2023
  | @@@:
  : .#                                 Vincent LE TOUX ([email protected])
  .:       twitter: @mysmartlogon                    https://www.pingcastle.com
What do you want to do?
=======================
Using interactive mode.
Do not forget that there are other command line switches like --help that you can use
  1-healthcheck-Score the risk of a domain
  2-conso      -Aggregate multiple reports into a single one
  3-carto      -Build a map of all interconnected domains
  4-scanner    -Perform specific security checks on workstations
  5-export     -Export users or computers
  6-advanced   -Open the advanced menu
  0-Exit
==============================
This is the main functionnality of PingCastle. In a matter of minutes, it produces a report which will give you an overview of your Active Directory security. This report can be generated on other domains by using the existing trust links.
```

# Group3r

- [Group3r](https://github.com/Group3r/Group3r) is a tool purpose-built to find vulnerabilities in Active Directory associated Group Policy. Group3r must be run from a domain-joined host with a domain user (it does not need to be an administrator), or in the context of a domain user (i.e., using `runas /netonly`)

```
C:\htb> group3r.exe -f <filepath-name.log>
```

- When reading the output from Group3r, each indentation is a different level: no indent is the GPO, one indent is the policy settings, and another indent is the findings in those settings

# ADRecon

- In an assessment where stealth is not required, it is also worth running a tool like [ADRecon](https://github.com/adrecon/ADRecon) and analyzing the results, just in case all of our enumeration missed something minor that may be useful to us or worth pointing out to our client

```powershell
PS C:\htb> .\ADRecon.ps1

[*] ADRecon v1.1 by Prashant Mahajan (@prashant3535)
[*] Running on INLANEFREIGHT.LOCAL\MS01 - Member Server
[*] Commencing - 03/28/2022 09:24:58
[-] Domain
[-] Forest
[-] Trusts
[-] Sites
[-] Subnets
[-] SchemaHistory - May take some time
[-] Default Password Policy
[-] Fine Grained Password Policy - May need a Privileged Account
[-] Domain Controllers
[-] Users and SPNs - May take some time
[-] PasswordAttributes - Experimental
[-] Groups and Membership Changes - May take some time
[-] Group Memberships - May take some time
[-] OrganizationalUnits (OUs)
[-] GPOs
[-] gPLinks - Scope of Management (SOM)
[-] DNS Zones and Records
[-] Printers
[-] Computers and SPNs - May take some time
[-] LAPS - Needs Privileged Account
[-] BitLocker Recovery Keys - Needs Privileged Account
[-] GPOReport - May take some time
[*] Total Execution Time (mins): 11.05
[*] Output Directory: C:\Tools\ADRecon-Report-20220328092458
```

- `ADRecon` writes its report files to the output directory

```powershell
PS C:\htb> ls

    Directory: C:\Tools\ADRecon-Report-20220328092458

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/28/2022  12:42 PM                CSV-Files
-a----         3/28/2022  12:42 PM        2758736 GPO-Report.html
-a----         3/28/2022  12:42 PM         392780 GPO-Report.xml
```
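
Returning to the Group3r output levels described above (no indent is the GPO, one indent a policy setting, a further indent a finding): the following is an added example, not part of the original notes or of Group3r itself, that groups such a log by level so findings can be counted per GPO when writing up the review. It assumes a plain whitespace-indented layout; the sample text and the names `parse_levels` and `findings_per_gpo` are constructed for illustration.

```python
# Added example: group an indentation-structured log into GPO -> settings -> findings.
# ASSUMPTION: levels are expressed purely by leading whitespace, as the note describes.
# SAMPLE is constructed placeholder text, not captured Group3r output.

SAMPLE = """\
GPO: Example Workstation Policy
    Setting: example setting A
        Finding: example finding 1
        Finding: example finding 2
    Setting: example setting B

GPO: Example Server Policy
\tSetting: example setting C
\t\tFinding: example finding 3
"""

def parse_levels(text, tab_width=4):
    """Return [{'gpo': str, 'settings': [{'setting': str, 'findings': [str]}]}]."""
    gpos, widths = [], []              # widths: stack of indent widths currently open
    for raw in text.splitlines():
        line = raw.expandtabs(tab_width)   # treat tabs and spaces uniformly
        if not line.strip():
            continue                   # blank lines carry no level information
        indent = len(line) - len(line.lstrip(" "))
        while widths and indent < widths[-1]:
            widths.pop()               # dedent closes the deeper levels
        if not widths or indent > widths[-1]:
            widths.append(indent)      # first line, or a new deeper level
        depth, body = len(widths) - 1, line.strip()
        if depth == 0:
            gpos.append({"gpo": body, "settings": []})
        elif depth == 1:
            gpos[-1]["settings"].append({"setting": body, "findings": []})
        else:
            # anything indented further than a finding stays with that setting
            gpos[-1]["settings"][-1]["findings"].append(body)
    return gpos

def findings_per_gpo(gpos):
    """Map each GPO line to its total finding count, for ordering the review."""
    return {g["gpo"]: sum(len(s["findings"]) for s in g["settings"]) for g in gpos}

if __name__ == "__main__":
    for name, count in findings_per_gpo(parse_levels(SAMPLE)).items():
        print(f"{count:3d}  {name}")
```

The parser tracks relative indent widths rather than a fixed number of spaces, so mixed tab and space indentation in the same file still maps to the same three levels.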