Hacker enumeration AD Scripts

Author: botesjuan

README.md

@@ -2,11 +2,31 @@
 
 >Purpose of these PowerShell Scripts, is to get Notable Active Directory Accounts or high value objects:  
   
-1. Extract a list of notable AD User Accounts that have not change their passwords and did not logon since given date. - Dormant  
-2. List all possible accounts with SPN values kerberoastable from Active Directory.  
-3. High value AD Computers  
-4. Get the current user running permissions for all objects ACL  
-5. Password Spray single password against list of usernames.  
+1. Potential weak accounts target by malicious actors with weak passwords
+2. Notable AD User Accounts that have not change their passwords and did not logon since given date. - Dormant  
+3. List all possible accounts with SPN values kerberoastable from Active Directory.  
+4. High value AD Computers  
+5. Get the current user running permissions for all objects ACL  
+6. Password Spray single password against list of usernames.  
+
+----  
+
+## Potential Weak Targets  
+
+>PowerShell active directory script to Identify accounts targeted by malicious actors that gain internal network access:
+* Enabled accounts  
+* Account created over 2 years ago  
+* password last set older than 1 year  
+* password never expires flag enabled  
+
+>Remediation:  
+* change to use strong complex passwords
+* AD user Account with no recent logon history for last 6 months must be disabled
+* Cleanup by removing all group membership and permissions  
+
+```
+Potential-weak-target-accounts.ps1
+```  
 
 ----  
 

powershell-scripts/Potential-weak-target-accounts.ps1

@@ -0,0 +1,66 @@
+# Load Active Directory Module
+Import-Module ActiveDirectory
+
+# Define timeframes
+$twoYearsAgo = (Get-Date).AddYears(-2)
+$oneYearAgo = (Get-Date).AddYears(-1)
+$sixMonthsAgo = (Get-Date).AddMonths(-6)
+
+# Output file paths
+$legacyAccountsFile = "C:\Temp\Reports_LegacyAccounts.csv"
+$inactiveAccountsFile = "C:\Temp\Reports_InactiveAccounts.csv"
+
+# Create arrays to store results
+$legacyAccountsResults = @()
+$inactiveAccountsResults = @()
+
+# Get legacy accounts
+Write-Output "Identifying legacy accounts..."
+$legacyAccounts = Get-ADUser -Filter * -Property WhenCreated, PasswordLastSet, PasswordNeverExpires, Enabled | Where-Object {
+    $_.WhenCreated -lt $twoYearsAgo -and
+    $_.PasswordLastSet -lt $oneYearAgo -and
+    $_.PasswordNeverExpires -eq $true
+}
+
+# Collect legacy accounts into the results array
+foreach ($account in $legacyAccounts) {
+    Write-Output "Legacy account found: $($account.SamAccountName)"
+    $legacyAccountsResults += [PSCustomObject]@{
+        UserName             = $account.SamAccountName
+        DisplayName          = $account.Name
+        WhenCreated          = $account.WhenCreated
+        PasswordLastSet      = $account.PasswordLastSet
+        PasswordNeverExpires = $account.PasswordNeverExpires
+        Enabled              = $account.Enabled
+    }
+}
+
+# Get inactive accounts
+Write-Output "Identifying inactive accounts..."
+$inactiveAccounts = Get-ADUser -Filter * -Property LastLogonDate, Enabled | Where-Object {
+    $_.LastLogonDate -lt $sixMonthsAgo -or
+    $_.LastLogonDate -eq $null
+}
+
+# Collect inactive accounts into the results array
+foreach ($inactiveAccount in $inactiveAccounts) {
+    Write-Output "Inactive account found: $($inactiveAccount.SamAccountName)"
+    $inactiveAccountsResults += [PSCustomObject]@{
+        UserName    = $inactiveAccount.SamAccountName
+        DisplayName = $inactiveAccount.Name
+        LastLogon   = $inactiveAccount.LastLogonDate
+        Enabled     = $inactiveAccount.Enabled
+        Status      = "Inactive"
+    }
+}
+
+# Export results to CSV
+Write-Output "Exporting results to CSV files..."
+$legacyAccountsResults | Export-Csv -Path $legacyAccountsFile -NoTypeInformation -Encoding UTF8
+$inactiveAccountsResults | Export-Csv -Path $inactiveAccountsFile -NoTypeInformation -Encoding UTF8
+
+Write-Output "Reports generated:"
+Write-Output "Legacy Accounts Report: $legacyAccountsFile"
+Write-Output "Inactive Accounts Report: $inactiveAccountsFile"
+
+Write-Output "Script completed successfully."