FarsightAD is a PowerShell script that aims to help uncover (potential) persistence mechanisms deployed by a threat actor following an Active Directory domain compromise.
The script produces CSV / JSON file exports of various objects and their attributes, enriched with timestamps from replication metadata. Additionally, if executed with replication privileges, the
Directory Replication Service (DRS) protocol is leveraged to detect fully or partially hidden objects.
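The replication-metadata enrichment described above can be illustrated with the ActiveDirectory module's Get-ADReplicationAttributeMetadata cmdlet. This is an added example, not FarsightAD's own code; the attribute list, the choice of the PDC emulator as the queried server, and the output file name are assumptions.

```powershell
# Added example: attach replication-metadata timestamps to selected user attributes.
# Requires the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

# Assumption: attributes commonly reviewed when hunting for persistence.
$Attributes = 'sIDHistory', 'servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo'

# Assumption: query the PDC emulator so all rows come from one DC's view.
$Server  = (Get-ADDomain).PDCEmulator
$OutFile = Join-Path $PWD 'user_attribute_metadata.csv'   # hypothetical output path

Get-ADUser -Filter * -Server $Server -Properties whenCreated | ForEach-Object {
    $user = $_
    # One metadata entry is returned per replicated attribute of the object.
    Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $Server |
        Where-Object { $_.AttributeName -in $Attributes } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName            = $user.SamAccountName
                DistinguishedName         = $user.DistinguishedName
                WhenCreated               = $user.whenCreated
                Attribute                 = $_.AttributeName
                # Version counts originating writes; a high value on a rarely
                # changed attribute is worth a closer look.
                Version                   = $_.Version
                LastOriginatingChangeTime = $_.LastOriginatingChangeTime
                LastOriginatingChangeDC   = $_.LastOriginatingChangeDirectoryServerIdentity
            }
        }
} |
    Sort-Object LastOriginatingChangeTime -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Objects or attributes the querying account cannot read do not appear in this output. The script issues one metadata query per user, so it is slow on large domains.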
If the module is correctly updated, Get-Command Get-ADObject should return:
More information on each cmdlet usage can be retrieved using Get-Help -Full <CMDLET>.
Adding a fully hidden user
Hiding the SID History attribute of a user
Uncovering the fully and partially hidden users with Export-ADHuntingHiddenObjectsWithDRSRepData
C# code for DRS requests was adapted from:
The AD CS related persistence is based on work from: