FarsightAD is a PowerShell script that aim to help uncovering (eventual) persistence mechanisms deployed by a threat actor following an Active Directory domain compromise.

The script produces CSV / JSON file exports of various objects and their attributes, enriched with timestamps from replication metadata. Additionally, if executed with replication privileges, the Directory Replication Service (DRS) protocol is leveraged to detect fully or partially hidden objects.

For more information, refer to the

Uncovering the fully and partially hidden users with Export-ADHuntingHiddenObjectsWithDRSRepData


  • The C# code for DRS requests was adapted from:

    • MakeMeEnterpriseAdmin by @vletoux.
    • Mimikatz by @gentilkiwi and @vletoux.
    • SharpKatz by @b4rtik.
  • The functions to parse Key Credentials are from the ADComputerKeys PowerShell module.

  • The AD CS related persistence is based on work from:

    • Certified Pre-Owned by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_)
    • Microsoft ADCS – Abusing PKI in Active Directory Environment by Jean Marsault (@iansus)
  • The function to parse Service Principal Name is based on work from Adam Bertram.


  • Antoine Cauchois (@caucho_a) for the proofreading, testing and ideas.


Thomas DIOT (Qazeer)


CC BY 4.0 licence – https://creativecommons.org/licenses/by/4.0/

Download FarsightAD

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.


Original Source

By admin