HackTool.PS1.ADRecon.A

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Hacking Tool adds the following folders:

• {string used in -GenExcel parameter} → if folder does not exist
• {string used in -OutputDir parameter} → if folder does not exist
• {Current Working Location}\ADRecon-Report-{Date in YYMMDDhhmmss} → if -OutputDir parameter was not triggered

Dropping Routine

This Hacking Tool drops the following files:

• {Current Working Location}\ADRecon-Console-Log.txt → if -Log parameter is enabled
• {Directory}\CSV-Files\{module name}.csv
• {Directory}\XML-Files\{module name}.xml
• {Directory}\JSON-Files\{module name}.json
• {Directory}\HTML-Files\{module name}.html
• {Directory}\GPO-Report.html
• {Directory}\GPO-Report.xml
• {Directory}\{domain name}-ADRecon-Report.xlsx
  • Where {Directory} can be either:
    • {String used in -OutputDir parameter}
    • {Current Working Location}\ADRecon-Report-{Date in YYMMDDhhmmss}

Information Theft

This Hacking Tool gathers the following data:

• Forest
• Domain
• Trusts
• Sites
• Subnets
• Schema History
• Default and Fine Grained Password Policy (if implemented)
• Domain Controllers, SMB versions, whether SMB Signing is supported and FSMO roles
• Users and their attributes
• Service Principal Names (SPNs)
• Groups, memberships and changes
• Organizational Units (OUs)
• GroupPolicy objects and gPLink details
• DNS Zones and Records
• Printers
• Computers and their attributes
• PasswordAttributes (Experimental)
• LAPS passwords (if implemented)
• BitLocker Recovery Keys (if implemented)
• ACLs (DACLs and SACLs) for the Domain, OUs, Root Containers, GPO, Users, Computers and Groups objects (not included in the default collection method)
• GPOReport (requires RSAT)
• Kerberoast (not included in the default collection method)
• Domain accounts used for service accounts (requires privileged account and not included in the default collection method)

Other Details

This Hacking Tool does the following:

• Reads the following files if -GenExcel {path} is provided in parameter:
  • {string used in -GenExcel parameter}\CSV-Files\AboutADRecon.csv
  • {string used in -GenExcel parameter}\CSV-Files\Forest.csv
  • {string used in -GenExcel parameter}\CSV-Files\Domain.csv
  • {string used in -GenExcel parameter}\CSV-Files\Subnets.csv
  • {string used in -GenExcel parameter}\CSV-Files\Sites.csv
  • {string used in -GenExcel parameter}\CSV-Files\SchemaHistory.csv
  • {string used in -GenExcel parameter}\CSV-Files\FineGrainedPasswordPolicy.csv
  • {string used in -GenExcel parameter}\CSV-Files\DefaultPasswordPolicy.csv
  • {string used in -GenExcel parameter}\CSV-Files\DomainControllers.csv
  • {string used in -GenExcel parameter}\CSV-Files\GroupChanges.csv
  • {string used in -GenExcel parameter}\CSV-Files\DACLs.csv
  • {string used in -GenExcel parameter}\CSV-Files\SACLs.csv
  • {string used in -GenExcel parameter}\CSV-Files\GPOs.csv
  • {string used in -GenExcel parameter}\CSV-Files\gPLinks.csv
  • {string used in -GenExcel parameter}\CSV-Files\DNSNodes.csv
  • {string used in -GenExcel parameter}\CSV-Files\DNSZones.csv
  • {string used in -GenExcel parameter}\CSV-Files\Printers.csv
  • {string used in -GenExcel parameter}\CSV-Files\BitLockerRecoveryKeys.csv
  • {string used in -GenExcel parameter}\CSV-Files\LAPS.csv
  • {string used in -GenExcel parameter}\CSV-Files\ComputerSPNs.csv
  • {string used in -GenExcel parameter}\CSV-Files\Computers.csv
  • {string used in -GenExcel parameter}\CSV-Files\OUs.csv
  • {string used in -GenExcel parameter}\CSV-Files\Groups.csv
  • {string used in -GenExcel parameter}\CSV-Files\GroupMembers.csv
  • {string used in -GenExcel parameter}\CSV-Files\UserSPNs.csv
  • {string used in -GenExcel parameter}\CSV-Files\Users.csv

It accepts the following parameters:

• -Method → Which method to use; ADWS (default), LDAP
• -DomainController → Domain Controller IP Address or Domain FQDN.
• -Credential → Domain Credentials.
• -GenExcel → Path for ADRecon output folder containing the CSV files to generate the ADRecon-Report.xlsx.
• -OutputDir → Path for ADRecon output folder to save the files and the ADRecon-Report.xlsx
• -Collect → Which modules to run; Comma separated; e.g Forest,Domain (Default all except Kerberoast, DomainAccountsusedforServiceLogon)
• Valid values include: Forest, Domain, Trusts, Sites, Subnets, SchemaHistory, PasswordPolicy, FineGrainedPasswordPolicy, DomainControllers, Users, UserSPNs, PasswordAttributes, Groups, GroupChanges, GroupMembers, OUs, GPOs, gPLinks, DNSZones, DNSRecords, Printers, Computers, ComputerSPNs, LAPS, BitLocker, ACLs, GPOReport, Kerberoast, DomainAccountsusedforServiceLogon.
• -OutputType → e.g STDOUT,CSV,XML,JSON,HTML,Excel (Default STDOUT with -Collect parameter, else CSV and Excel).
• Valid values include: STDOUT, CSV, XML, JSON, HTML, Excel, All (excludes STDOUT).
• -DormantTimeSpan → Timespan for Dormant accounts. (Default 90 days)
• -PassMaxAge → Maximum machine account password age. (Default 30 days)
• -PageSize → The PageSize to set for the LDAP searcher object.
• -Threads → The number of threads to use during processing objects. (Default 10)
• -Log → Create ADRecon Log using Start-Transcript