HackTool.PS1.ADRecon.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Fügt die folgenden Ordner hinzu:

• {string used in -GenExcel parameter} → if folder does not exist
• {string used in -OutputDir parameter} → if folder does not exist
• {Current Working Location}\ADRecon-Report-{Date in YYMMDDhhmmss} → if -OutputDir parameter was not triggered

Einschleusungsroutine

Schleust die folgenden Dateien ein:

• {Current Working Location}\ADRecon-Console-Log.txt → if -Log parameter is enabled
• {Directory}\CSV-Files\{module name}.csv
• {Directory}\XML-Files\{module name}.xml
• {Directory}\JSON-Files\{module name}.json
• {Directory}\HTML-Files\{module name}.html
• {Directory}\GPO-Report.html
• {Directory}\GPO-Report.xml
• {Directory}\{domain name}-ADRecon-Report.xlsx
  • Where {Directory} can be either:
    • {String used in -OutputDir parameter}
    • {Current Working Location}\ADRecon-Report-{Date in YYMMDDhhmmss}

Datendiebstahl

Folgende Daten werden gesammelt:

• Forest
• Domain
• Trusts
• Sites
• Subnets
• Schema History
• Default and Fine Grained Password Policy (if implemented)
• Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles
• Users and their attributes
• Service Principal Names (SPNs)
• Groups, memberships and changes
• Organizational Units (OUs)
• GroupPolicy objects and gPLink details
• DNS Zones and Records
• Printers
• Computers and their attributes
• PasswordAttributes (Experimental)
• LAPS passwords (if implemented)
• BitLocker Recovery Keys (if implemented)
• ACLs (DACLs and SACLs) for the Domain, OUs, Root Containers, GPO, Users, Computers and Groups objects (not included in the default collection method)
• GPOReport (requires RSAT)
• Kerberoast (not included in the default collection method)
• Domain accounts used for service accounts (requires privileged account and not included in the default collection method)

Andere Details

Es macht Folgendes:

• Reads the following files if -GenExcel {path} is provided in parameter:
  • {string used in -GenExcel parameter}\CSV-Files\AboutADRecon.csv
  • {string used in -GenExcel parameter}\CSV-Files\Forest.csv
  • {string used in -GenExcel parameter}\CSV-Files\Domain.csv
  • {string used in -GenExcel parameter}\CSV-Files\Subnets.csv
  • {string used in -GenExcel parameter}\CSV-Files\Sites.csv
  • {string used in -GenExcel parameter}\CSV-Files\SchemaHistory.csv
  • {string used in -GenExcel parameter}\CSV-Files\FineGrainedPasswordPolicy.csv
  • {string used in -GenExcel parameter}\CSV-Files\DefaultPasswordPolicy.csv
  • {string used in -GenExcel parameter}\CSV-Files\DomainControllers.csv
  • {string used in -GenExcel parameter}\CSV-Files\GroupChanges.csv
  • {string used in -GenExcel parameter}\CSV-Files\DACLs.csv
  • {string used in -GenExcel parameter}\CSV-Files\SACLs.csv
  • {string used in -GenExcel parameter}\CSV-Files\GPOs.csv
  • {string used in -GenExcel parameter}\CSV-Files\gPLinks.csv
  • {string used in -GenExcel parameter}\CSV-Files\DNSNodes.csv
  • {string used in -GenExcel parameter}\CSV-Files\DNSZones.csv
  • {string used in -GenExcel parameter}\CSV-Files\Printers.csv
  • {string used in -GenExcel parameter}\CSV-Files\BitLockerRecoveryKeys.csv
  • {string used in -GenExcel parameter}\CSV-Files\LAPS.csv
  • {string used in -GenExcel parameter}\CSV-Files\ComputerSPNs.csv
  • {string used in -GenExcel parameter}\CSV-Files\Computers.csv
  • {string used in -GenExcel parameter}\CSV-Files\OUs.csv
  • {string used in -GenExcel parameter}\CSV-Files\Groups.csv
  • {string used in -GenExcel parameter}\CSV-Files\GroupMembers.csv
  • {string used in -GenExcel parameter}\CSV-Files\UserSPNs.csv
  • {string used in -GenExcel parameter}\CSV-Files\Users.csv