JoeDibley JoeDibley
JoeDibley
/ Invoke-PtTCheck.ps1
Last active
May 25, 2023 18:48
Checks the username of logged in users to the Kerberos Tickets. Whilst not the best it is a potential local based detection for things like Pass-the-Ticket, Golden Ticket type attacks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| This is comprised of 3 functions: | |
| 1. Get-Sessions: Get Session information from WMI. | |
| Reused some code from https://github.com/tmmtsmith/Powershell/blob/master/Get-LoggedOnUsers.ps1 for the regex matching | |
| 2. Return-SessionTickets: Retrieves Kerberos Session Tickets. This is a klist wrapper to return PSCustomObjects | |
| This code is mostly all from the GetKerbTix.ps1 script in the Technet Script Center | |
| https://gallery.technet.microsoft.com/scriptcenter/List-All-Cached-Kerberos-5ba41829 |
JoeDibley
/ Get-ADPasswordExpiration.ps1
Last active
August 9, 2018 09:56
Function to retrieve Active Directory Password Expiration Time
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .SYNOPSIS | |
| Get-ADPasswordExpiration is used to easily retrieve active directory password expiration | |
| time using the calculated attribute msDS-UserPasswordExpiryTimeComputed | |
| Requires ActiveDirectory PowerShell module | |
| .PARAMETER Username | |
| Username, Samaccountname or DistinguishedName of the accounts required. | |
JoeDibley
/ Get-GroupMembers.ps1
Last active
August 8, 2018 16:02
Gets AD group members from multiple domains and can also do recursive lookup. Uses string manipulation to get Domain and if fails uses GC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-GroupMembers | |
| { | |
| param ( | |
| [Parameter( | |
| Position = 0, | |
| ValueFromPipeline = $true, | |
| ValueFromPipelineByPropertyName = $true, | |
| ValueFromRemainingArguments = $false | |
| )] | |
| [ValidateNotNullOrEmpty()] |