I was recently asked how to find a user when you have data that may be the SamAccountName or in another attribute. My first thought was leveraging Ambiguous Name Resolution (ANR) Search in Active Directory. ANR enables you to find a user when you have some information about a user, but don’t know exactly to …
Category: PowerShell
Oct 07 2014
PowerShell Code: Find User in Active Directory Forest
PowerShell Code: Find User in Active Directory Forest There are times when you have a userid, but don’t know where in a multi-domain forest a user is located. Here’s some PowerShell code for locating the user’s domain. PowerShell code leverages the Active Directory PowerShell module to query a local Global Catalog (GC) server in …
Oct 02 2014
Using PowerShell to Perform a Reverse DNS Lookup in Active Directory
Typically, one would use ping -a to get the hostname for a specific IP address which performs a DNS reverse lookup. Querying AD for a computer with an IP works great for computers joined to the Active Directory domain since most computers in AD have the IP Address configured on the computer account. When the …
Oct 01 2014
Black Hat USA 2014 Presentation: Investigating PowerShell Attacks
Black Hat USA 2014 Presentation: Investigating PowerShell Attacks This is an excellent presentation and I highly recommend anyone who is an admin or who is responsible for AD security. Investigating PowerShell Attacks Ryan Kazanciyan Technical Director, Mandiant Matt Hastings Consultant, Mandiant Over the past two years, we’ve seen targeted attackers increasingly utilize PowerShell to conduct …
Sep 28 2014
PowerShell: ADSI and Case Sensitivity
In developing a custom PowerShell script which leveraged ADSI, I noticed that the script wasn’t working properly. Here’s a sample block of the script which uses ADSI to get changes made to ExtensionAttribute11 as part of an Active Directory Convergence test script: 1 2 3 4 $ADSITarget = [ADSI]”LDAP://$DC” $Searcher = New-Object DirectoryServices.DirectorySearcher($ADSITarget,”(sAMAccountName=$ConvergenceObject)”) $ConvergenceObjectData = …
Sep 27 2014
Powershell Remote Use of Module Commandlets (Remoting Import-Module)
Practically all of my Powershell scripts use an Active Directory commandlet. Ok, so they use several. I like to query AD to get environmental information so when I run the script, I know what I am working with from an AD perspective. I can’t help it, I’m an AD Guy. In order to run the …
Sep 25 2014
PowerShell Code: Find Active Directory Site Containing AD Subnet
Here’s a quick script that returns the site in the Active Directory forest given a subnet (ex. 10.20.30.0). Match-Subnet2Site.ps1 Param ( [string]$Subnet ) $IPSubnetRegEx = ‘\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|0)\b’ # $IPRegEx = ‘\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b’ IF ($Subnet -match $IPSubnetRegEx) { Write-Output “Searching the AD forest for subnet: $Subnet ” } ELSE { Write-Error “The provided subnet ($Subnet) is not …
Sep 23 2014
PowerShell Code: Active Directory Domain Controller Discovery
There are several different ways to find AD Domain Controllers (DCs). Here are a few: AD PowerShell Module: Discover the closest Domain Controller running the AD web services (support PowerShell AD cmdlets): import-module activedirectory Get-ADDomainController -discover -forcediscover -nextclosestsite -service ADWS discover – find a DC forcediscover – re-discover a DC and not use a cached …
Sep 22 2014
Powershell Filter Operators
Once you get used to Powershell, you will want to do more and more with it. One of the keys to leveraging the power of PowerShell is filters. PowerShell commandlets all support filters (well, most of them anyway). This means you can drill down to resulting data subsets. If you run into commandlets that don’t …
Sep 21 2014
PowerShell: Parse a Large Multi-Line Text Field Based on String Value & Extract Text
Parsing a large multi-line text field (variable) for a specific string and extract text from it: $EventMessage = @” An account was successfully logged on. Subject: Security ID: SYSTEM Account Name: METCORPWKS201$ Account Domain: METCORP Logon ID: 0x2b5 Logon Type:10 New Logon: Security ID: METCORP\Administrator Account Name: Administrator Account Domain: METCORPWKS201 Logon ID: 0bc123d Logon …
Recent Comments