Uncovering the fully and partially hidden users with Export-ADHuntingHiddenObjectsWithDRSRepData

Acknowledgements

• The C# code for DRS requests was adapted from:

  • MakeMeEnterpriseAdmin by @vletoux.
  • Mimikatz by @gentilkiwi and @vletoux.
  • SharpKatz by @b4rtik.

• The functions to parse Key Credentials are from the ADComputerKeys PowerShell module.

• The AD CS related persistence is based on work from:

  • Certified Pre-Owned by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_)
  • Microsoft ADCS – Abusing PKI in Active Directory Environment by Jean Marsault (@iansus)

• The function to parse Service Principal Name is based on work from Adam Bertram.

Thanks

• Antoine Cauchois (@caucho_a) for the proofreading, testing and ideas.

Author

Thomas DIOT (Qazeer)

Licence

CC BY 4.0 licence – https://creativecommons.org/licenses/by/4.0/