
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-06-24



The Powershell Diaries - Finding Problem User Accounts in AD

Published: 2015-06-24
Last Updated: 2015-06-24 18:20:52 UTC
by Rob VandenBrink (Version: 1)
10 comment(s)

Powershell has gotten a lot of attention lately as a pentester's tool of choice, since it has access to pretty much every low-level system function in the Microsoft ecosystem, and the AV industry isn't dealing well with that yet (aside from ignoring Powershell completely, that is).

But what about day-to-day system administration? Really, the possibilities for admins are just as limitless as for pentesters - that's what Powershell was invented for, after all!

A simple call like "get-aduser -filter * -properties *" can get you everything you want on domain user accounts. However, most sysadmins will look at this and give me the TLDR response - it's just too much information to process effectively.

But how about filtering that? Let's find all users who aren't required to reset their passwords.

Or who don't have passwords at all?

How about users who have never reset their passwords (i.e., who haven't changed the initial password set at creation)?
get-aduser -filter * -properties * | select samaccountname,passwordlastset

Operationally - let's add to the list - say, folks who've had their accounts locked. This might be a "reset password on Friday, can't remember on Monday" symptom, but it might also be someone brute-forcing that account on the corporate website or VPN (hint - 2-factor authentication does wonders for those!).

get-aduser -filter * -properties * | select samaccountname,passwordlastset,lockedout

You can use the above to also find out who's left the organization. If you're like lots of IT groups, maybe HR isn't so timely in letting you know about departures! Let's dig to see who hasn't logged in for 4 weeks. 8 weeks? 12 weeks? Best call HR with this list in hand to see if these folks are on longer-term leave, or if they've moved on, or maybe just stopped showing up for work.

get-aduser -filter * -properties * | select samaccountname,lastlogondate

At this point it becomes obvious that you want to sort these lists. You can go directly to a GUI view, where you can sort and play with the data as needed:

get-aduser -filter * -properties * | select samaccountname,passwordlastset | out-gridview

I find the CSV output, which can then be imported into Excel, to be the most useful. If, for regulatory (or other) reasons, you need to keep those files to demonstrate that you do audit yourself, and that you compare each audit against previous data, this can be a real help.

The list that I use most often is below (change the field order as needed):

get-aduser -filter * -properties * | select samaccountname, name, enabled, scriptpath, passwordlastset, passwordexpired, passwordneverexpires, passwordnotrequired, lockedout, lastlogondate, cannotchangepassword, accountexpirationdate | export-csv -notypeinformation "c:\pathspec\account-problems-yy-mm-dd.csv"

This imports directly into Excel (or any other spreadsheet), where you can slice and dice to your heart's content.
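The checks walked through above, turned into actual filters and written to the same date-stamped CSV, as an added example that is not the diary's own script. It assumes the ActiveDirectory module is loaded, the caller can read the domain, $OutDir is a placeholder folder, and the 5-minute creation-to-pwdLastSet window is a heuristic for "initial password never changed".

```powershell
# Added example (not the diary's script). Assumes the ActiveDirectory module,
# read access to the domain, and a placeholder output folder in $OutDir.
Import-Module ActiveDirectory

$OutDir      = 'C:\pathspec'                  # placeholder path
$StaleWeeks  = 8                              # "hasn't logged in in N weeks"
$StaleBefore = (Get-Date).AddDays(-7 * $StaleWeeks)

# Ask only for the attributes used below instead of -Properties *
$Props = 'Enabled','whenCreated','PasswordLastSet','PasswordNeverExpires',
         'PasswordNotRequired','LockedOut','LastLogonDate','AccountExpirationDate'

$Report = foreach ($u in (Get-ADUser -Filter * -Properties $Props)) {
    $Problems = @()
    if ($u.PasswordNotRequired)  { $Problems += 'PasswordNotRequired' }
    if ($u.PasswordNeverExpires) { $Problems += 'PasswordNeverExpires' }
    if ($u.LockedOut)            { $Problems += 'LockedOut' }
    # Heuristic: pwdLastSet still within minutes of creation means the initial
    # password was never changed. PasswordLastSet is $null when the account is
    # flagged "must change password at next logon", so that case is skipped.
    if ($u.PasswordLastSet -and
        ($u.PasswordLastSet - $u.whenCreated).TotalMinutes -lt 5) {
        $Problems += 'InitialPasswordNeverChanged'
    }
    # LastLogonDate comes from lastLogonTimestamp, which replicates lazily
    # (up to ~14 days behind), so treat this as a starting point for the
    # HR conversation rather than a precise last-logon time.
    if ($u.Enabled -and (-not $u.LastLogonDate -or $u.LastLogonDate -lt $StaleBefore)) {
        $Problems += "NoLogonIn${StaleWeeks}Weeks"
    }
    if ($Problems.Count -gt 0) {
        [PSCustomObject]@{
            SamAccountName        = $u.SamAccountName
            Name                  = $u.Name
            Enabled               = $u.Enabled
            PasswordLastSet       = $u.PasswordLastSet
            LastLogonDate         = $u.LastLogonDate
            LockedOut             = $u.LockedOut
            AccountExpirationDate = $u.AccountExpirationDate
            Problems              = $Problems -join ';'
        }
    }
}

# Same yy-mm-dd naming as the diary's export, so runs can be compared over time
$Stamp = Get-Date -Format 'yy-MM-dd'
$Report | Sort-Object Problems, SamAccountName |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "account-problems-$Stamp.csv")
```

The Problems column lists every check an account tripped, so sorting or filtering on it in Excel gives the "why is this account on the list" view directly.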

In closing, let me acknowledge Jason Fossen and SANS SEC 505 for re-kindling my enthusiasm for Powershell! If you want to dig deeper into Powershell with a security slant, I'll be posting on this topic for a while, so stay tuned. But if you want 6 solid days of concentrated Powershell+Windows goodness, take a look at SEC 505!


===============
Rob VandenBrink
Metafore
