Event id 8004 – Finding the Source of Windows Password Spraying Attacks

Steve Stonebraker posted this in Active Directory, Uncategorized, Windows on June 13th, 2019

Password Spraying

Finding the source of Windows password spraying attacks can be daunting as the Event log does not provide the source IP of the machine making the calls.

Windows Event Logs

Ideally all of your Windows Event logs from your domain controllers should be going in to some type of SIEM. I will be . . . → Read More: Event id 8004 – Finding the Source of Windows Password Spraying Attacks

One comment   Active Directory, Uncategorized, Windows

Extracting Password Hashes from Active Directory

Steve Stonebraker posted this in Active Directory, Hacking, Windows on July 11th, 2018

Extracting hashes from Active Directory

To extract hashes from Active Directory you must first obtain a copy of the underlying Active Directory database; ntds.dit

For more information on the Data Store Architecture please refer to this Microsoft Technet article

Prerequisites

You must be logged on to a domain controller.

Extracting the Database

To extract . . . → Read More: Extracting Password Hashes from Active Directory

Leave a comment   Active Directory, Hacking, Windows

Active Directory Password Expiration Date

Steve Stonebraker posted this in Active Directory, Windows on January 12th, 2015

To find out the password expiration date for an Active Directory user you must first determine your domain’s password expiration policy and then when the password was last set.

Find your Domain Password Expiration Policy import-module activedirectory Get-ADDefaultDomainPasswordPolicy

Property MaxPasswordAge will tell you the default password expiration policy

Determine Date User Password Was Last Set . . . → Read More: Active Directory Password Expiration Date

Leave a comment   Active Directory, Windows

active directory disable users older than x days

Steve Stonebraker posted this in Active Directory, powershell, Windows on February 29th, 2012

Script Details

This is example will show you how to disable folks that have a password older than x number of days AND / OR have not logged in for X number of days

Requirements ActiveRoles Management Shell (free) Powershell Server 2003 or Higher Domain Controller Example Script

Filename: C:\1audit\scripts\disable_accounts_password_age_greater_91_days.ps1 Description: (Disable users that have . . . → Read More: active directory disable users older than x days

Leave a comment   Active Directory, powershell, Windows