ADTimeline: PowerShell script creating a timeline with Active Directory replication metadata

The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.
Replication metadata gives you the time at which each replicated attribute for a given object was last changed. As a result, the timeline of modifications is partial. For each modification of a replicated attribute, a version number is incremented. ADTimeline was presented at the CoRI&IN 2019.

Slides of the presentation, in the French language, are available here.

Objects considered of interest retrieved by the script include:

• Schema and configuration partition root objects.
• Domain root and objects located directly under the root.
• Objects having an ACE on the domain root.
• Domain roots located in the AD forest.
• Domain trusts.
• Deleted users (i.e. tombstoned).
• Objects protected by the SDProp process (i.e. AdminCount equals 1).
• The AdminSDHolder object.
• Class Schema objects.
• Existing and deleted Group Policy objects.
• DPAPI secrets.
• Domain controllers (Computer objects, ntdsdsa and server objects).
• DNS zones and admins.
• Accounts with suspicious SIDHistory (scope is forest wide).
• Sites.
• Organizational Units.
• Objects with Kerberos delegation enabled.
• Extended rights.
• Schema attributes with particular SearchFlags (Do not audit or confidential).
• Kerberoastable user accounts (SPN value).
• AS-REP roastable accounts (UserAccountControl value).
• CertificationAuthority objects.
• Cross Reference containers.
• Exchange RBAC roles and accounts assigned to a role.
• Exchange mail flow configuration objects.
• Deleted objects under the configuration partition.
• Dynamic objects.
• The directory service and RID manager objects.
• The Pre Windows 2000 compatible access, Cert publishers, GPO creator owners and DNS Admins groups.
• Custom groups which have to be manually defined.

Files generated

Output files are generated in the current directory:

• timeline.csv: The timeline generated with the AD replication metadata of objects retrieved.
• log-adexport.log: Script log file. You will also find various information on the domain.
• ADobjects.xml: Objects of interest retrieved via LDAP.
• gcADobjects.xml: Objects of interest retrieved via the Global Catalog.

Download

git clone https://github.com/ANSSI-FR/ADTimeline

Use

Copyright (C) 2019 ANSSI-FR

Source: https://github.com/ANSSI-FR/