I was looking at something like this recently called PingCastle, which does a few similar things. I would run PingCastle in your lab and see what you could nab from its report for this.
A security section would be awesome, so something like:
Check for accounts that don't have password expiry set
Get-ADUser -Filter 'useraccountcontrol -band 65536' -Properties useraccountcontrol
Check for accounts that have no password requirement
Get-ADUser -Filter 'useraccountcontrol -band 32' -Properties useraccountcontrol
Accounts that have the password stored in a reversibly encrypted format
Get-ADUser -Filter 'useraccountcontrol -band 128' -Properties useraccountcontrol
List users that are trusted for Kerberos delegation (Accounts can make Kerberos tickets for everyone)
Get-ADUser -Filter 'useraccountcontrol -band 524288' -Properties useraccountcontrol
List accounts that don't require pre-authentication (Attackers can request a TGT without a password/timestamp)
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol
List accounts that have credentials encrypted with DES (Insecure)
Get-ADUser -Filter 'useraccountcontrol -band 2097152' -Properties useraccountcontrol
Check ANONYMOUS LOGON is not a member of Pre-Windows 2000 Compatible Access https://blogs.technet.microsoft.com/poshchap/2015/06/12/security-focus-check-active-directory-for-anonymous-access/
$Pre_Windows_2000_Compatible_Access = "S-1-5-32-554"
$Anonymous_Logon = "S-1-5-7"
Get-ADGroupMember -Identity $Pre_Windows_2000_Compatible_Access | Where-Object {$_.SID -eq $Anonymous_Logon}
List all privileged users for review
Get-ADUser -Filter {AdminCount -eq 1}
Check for stale accounts
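The checks listed in the comment above, pulled together into one script as an added example (this is not code from the commenter or from PingCastle). It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the directory; the 90-day staleness threshold and the function names are assumptions, not anything from the original post.

```powershell
# Added example, not code from the comment above. Runs the listed checks in one pass
# and returns findings as objects for review. Assumes the RSAT ActiveDirectory module
# and a domain-joined session with read access; the 90-day staleness threshold
# ($StaleDays) is an assumed value, adjust it to your policy.
Import-Module ActiveDirectory

$StaleDays = 90

# userAccountControl bits from the checks above, with the reason each one matters.
$UacChecks = @{
    32      = 'PASSWD_NOTREQD: a blank password is allowed'
    128     = 'ENCRYPTED_TEXT_PWD_ALLOWED: password stored reversibly encrypted'
    65536   = 'DONT_EXPIRE_PASSWORD: password never expires'
    524288  = 'TRUSTED_FOR_DELEGATION: unconstrained Kerberos delegation'
    2097152 = 'USE_DES_KEY_ONLY: Kerberos keys restricted to DES'
    4194304 = 'DONT_REQ_PREAUTH: TGT issued without pre-authentication'
}

function Get-UacFindings {
    # -band inside the -Filter string becomes an LDAP bitwise-AND matching rule and is
    # evaluated on the DC, so each check is a single query.
    foreach ($check in $UacChecks.GetEnumerator()) {
        Get-ADUser -Filter "userAccountControl -band $($check.Key)" `
                   -Properties userAccountControl, PasswordLastSet, LastLogonDate |
            ForEach-Object {
                [pscustomobject]@{
                    Check           = $check.Value
                    SamAccountName  = $_.SamAccountName
                    Enabled         = $_.Enabled   # disabled hits matter less but still want cleanup
                    PasswordLastSet = $_.PasswordLastSet
                    LastLogonDate   = $_.LastLogonDate
                }
            }
    }
}

function Test-AnonymousInPreWin2000 {
    # Read the group's member attribute and resolve each DN to its SID, so the
    # ANONYMOUS LOGON foreign security principal is matched by SID, not by display name.
    $group     = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member
    $anonymous = 'S-1-5-7'
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        if ($obj.objectSid -and $obj.objectSid.Value -eq $anonymous) { return $true }
    }
    return $false
}

function Get-StaleUsers {
    # Enabled users with no logon inside the threshold. lastLogonTimestamp replicates
    # with up to about 14 days of slack, so treat the cutoff as approximate.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $StaleDays) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, PasswordNeverExpires
}

function Get-AdminCountUsers {
    # adminCount=1 is set by SDProp on members of protected groups and is NOT cleared
    # when the account leaves the group, so this is a review list, not proof of
    # current privilege. Current group membership is shown alongside for that reason.
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount, MemberOf |
        Select-Object SamAccountName, Enabled,
            @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
}

# Run everything and print it; swap Format-Table for Export-Csv to keep a record.
$findings = Get-UacFindings
$findings | Sort-Object Check, SamAccountName | Format-Table -AutoSize

if (Test-AnonymousInPreWin2000) {
    Write-Warning 'ANONYMOUS LOGON is a member of Pre-Windows 2000 Compatible Access'
}

Get-StaleUsers      | Format-Table -AutoSize
Get-AdminCountUsers | Format-Table -AutoSize
```

Two practical notes: the TRUSTED_FOR_DELEGATION check only covers user objects here because it uses Get-ADUser, so run the same filter through Get-ADComputer if you also want unconstrained-delegation hosts; and since both delegation and DONT_REQ_PREAUTH hits are directly abusable, review the Enabled column first and fix those before the hygiene items like non-expiring passwords.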