FarsightAD – PowerShell Script That Aims To Help Uncover (Eventual) Persistence Mechanisms Deployed By A Threat Actor Following An Active Directory Domain Compromise

FarsightAD is a PowerShell script that aims to help uncover (eventual) persistence mechanisms deployed by a threat actor following an Active Directory domain compromise.

The script produces CSV / JSON file exports of various objects and their attributes, enriched with timestamps from replication metadata. Additionally, if executed with replication privileges, the Directory Replication Service (DRS) protocol is leveraged to detect fully or partially hidden objects.
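The replication-metadata timestamps described above can also be read directly with the ActiveDirectory module's Get-ADReplicationAttributeMetadata cmdlet. The following is an added example, not FarsightAD's own code; the attribute list, the 90-day window and the output file name are assumptions chosen for illustration.

```powershell
# Added example, not part of FarsightAD. Requires the RSAT ActiveDirectory module
# and an account allowed to read the objects' replication metadata.
Import-Module ActiveDirectory

# Assumptions for illustration: attributes to review, look-back window, output path.
$Attributes = 'sIDHistory', 'servicePrincipalName', 'msDS-AllowedToDelegateTo'
$Since      = (Get-Date).AddDays(-90)
$OutFile    = '.\user-attribute-changes.csv'

# Query a single DC so every timestamp comes from the same replica.
$Server = (Get-ADDomain).PDCEmulator

$findings = foreach ($user in Get-ADUser -Filter * -Server $Server) {
    try {
        $metadata = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
            -Server $Server -Properties $Attributes -ErrorAction Stop
    }
    catch {
        Write-Warning "No metadata for $($user.DistinguishedName): $($_.Exception.Message)"
        continue
    }

    # Keep only attributes whose last originating write falls inside the window.
    foreach ($entry in $metadata) {
        if ($entry.LastOriginatingChangeTime -ge $Since) {
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                Attribute         = $entry.AttributeName
                LastChangeTime    = $entry.LastOriginatingChangeTime
                OriginatingDC     = $entry.LastOriginatingChangeDirectoryServerIdentity
                Version           = $entry.Version   # incremented on each originating write
                DistinguishedName = $user.DistinguishedName
            }
        }
    }
}

# @() keeps the pipeline valid when nothing matched.
@($findings) | Sort-Object LastChangeTime -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

This query goes through the regular directory read path, so objects or attributes hidden from it will not appear in the result; that is the gap the DRS-based detection described above is meant to cover.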

If the module is correctly updated, Get-Command Get-ADObject should return:

More information on each cmdlet usage can be retrieved using Get-Help -Full <CMDLET>.

Adding a fully hidden user

Hiding the SID History attribute of a user

Uncovering the fully and partially hidden users with Export-ADHuntingHiddenObjectsWithDRSRepData

The C# code for DRS requests was adapted from:

The AD CS related persistence is based on work from:


