Password Spraying Finding the source of Windows password spraying attacks can be daunting as the Event log does not provide the source IP of the machine making the calls. Windows Event Logs Ideally all of your Windows Event logs from your domain controllers should be going in to some type of SIEM. I will be... » read more
Extracting hashes from Active Directory To extract hashes from Active Directory you must first obtain a copy of the underlying Active Directory database; ntds.dit For more information on the Data Store Architecture please refer to this Microsoft Technet article Prerequisites You must be logged on to a domain controller. Extracting the Database To extract the... » read more
To find out the password expiration date for an Active Directory user you must first determine your domain’s password expiration policy and then when the password was last set. Find your Domain Password Expiration Policy import-module activedirectory Get-ADDefaultDomainPasswordPolicy Property MaxPasswordAge will tell you the default password expiration policy Determine Date User Password Was Last Set... » read more
Script Details This is example will show you how to disable folks that have a password older than x number of days AND / OR have not logged in for X number of days Requirements ActiveRoles Management Shell (free) Powershell Server 2003 or Higher Domain Controller Example Script Filename: C:\1audit\scripts\disable_accounts_password_age_greater_91_days.ps1 Description: (Disable users that have... » read more
Scripts to manage Active Directory Users Appending a Multi-Valued Attribute Appending a Phone Number Adding a Route to the Dial-In Properties of a User Account Adding a User to Two Security Groups Appending Address Page Information for a User Account Appending a Home Phone Number to a User Account Assigning a Published Certificate to a... » read more