PowerShell Security Toolkit for AD
PowerShell is both the defender's best friend and the attacker's favorite tool. Master the essential scripts for assessing AD security posture, hardening configurations, and detecting compromise -- from finding Kerberoastable accounts to rotating the KRBTGT password.
PowerShell is the scripting shell built into Windows that administrators use to manage Active Directory. The ActiveDirectory module (installed with RSAT) provides cmdlets such as Get-ADUser, Get-ADComputer, and Get-ADGroup for querying the directory. For security work, these queries surface problems that are invisible in the GUI: accounts whose passwords never expire, users with Kerberos pre-authentication disabled (AS-REP Roasting targets), computers with unconstrained delegation enabled, and accounts with Service Principal Names set (Kerberoasting targets). Beyond assessment, PowerShell can harden AD by rotating the KRBTGT password (two resets, spaced apart, invalidate Golden Tickets forged with the old key), disabling weak encryption types such as RC4, and setting ms-DS-MachineAccountQuota to zero (removing the computer-account creation step that the common resource-based constrained delegation, RBCD, attack path depends on). Well-known assessment tools take the same approach: PowerView and ADRecon are PowerShell scripts, while BloodHound's SharpHound collector and PingCastle are .NET executables that issue the same kinds of LDAP queries.
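The assessment queries listed above, collected into one script as an added example (this is not code from the original page). It assumes the RSAT ActiveDirectory module is installed and that the caller has ordinary read access to the domain; every query here runs as an unprivileged domain user, which is exactly why an attacker can run them too. The severity labels and the function name Get-ADSecurityFindings are my own choices.

```powershell
# Added assessment example, not code from the original page. Assumes the RSAT
# ActiveDirectory module and plain domain-user read access. Severity labels are
# assumptions; adjust them to your own risk model.
Import-Module ActiveDirectory

function Get-ADSecurityFindings {
    [CmdletBinding()]
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    function New-Finding($Severity, $Category, $Object, $Detail) {
        [pscustomobject]@{ Severity = $Severity; Category = $Category; Object = $Object; Detail = $Detail }
    }

    # Kerberoasting: any enabled user with an SPN hands out a TGS encrypted under
    # its own password-derived key. krbtgt is excluded (its SPN is expected and its
    # key is rotated separately).
    Get-ADUser -Server $Server -Properties ServicePrincipalName, PasswordLastSet, msDS-SupportedEncryptionTypes `
        -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true -and SamAccountName -ne "krbtgt" } |
        ForEach-Object {
            # Bits 0x08/0x10 of msDS-SupportedEncryptionTypes = AES128/AES256.
            # Unset usually means the ticket is RC4-encrypted with the NT hash (fast to crack).
            $aes = ($_.'msDS-SupportedEncryptionTypes' -band 0x18) -ne 0
            $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { 'never' }
            New-Finding -Severity $(if ($aes) { 'Medium' } else { 'High' }) -Category 'Kerberoastable' `
                -Object $_.SamAccountName `
                -Detail ("SPN={0}; AES={1}; password age={2} days" -f ($_.ServicePrincipalName -join ' '), $aes, $age)
        }

    # AS-REP Roasting: no pre-auth means anyone can request an AS-REP encrypted
    # with the user's key and crack it offline.
    Get-ADUser -Server $Server -Filter { DoesNotRequirePreAuth -eq $true -and Enabled -eq $true } |
        ForEach-Object { New-Finding 'High' 'AS-REP Roastable' $_.SamAccountName 'Kerberos pre-authentication disabled' }

    # Passwords that never expire: old, often weak, and never rotated after a leak.
    Get-ADUser -Server $Server -Properties PasswordLastSet -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } |
        ForEach-Object { New-Finding 'Low' 'PasswordNeverExpires' $_.SamAccountName "last set $($_.PasswordLastSet)" }

    # Unconstrained delegation: a compromised host caches the TGT of every user
    # that connects to it. Domain controllers (primaryGroupID 516) legitimately
    # have the flag; anything else is a finding.
    Get-ADComputer -Server $Server -Properties PrimaryGroupID -Filter { TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516 } |
        ForEach-Object { New-Finding 'High' 'UnconstrainedDelegation' $_.Name 'TrustedForDelegation set on a non-DC computer' }
    Get-ADUser -Server $Server -Filter { TrustedForDelegation -eq $true } |
        ForEach-Object { New-Finding 'High' 'UnconstrainedDelegation' $_.SamAccountName 'User account trusted for delegation' }

    # MachineAccountQuota: the default of 10 lets any user create computer
    # accounts, the precondition for the usual RBCD abuse path.
    $domain = Get-ADDomain -Server $Server
    $maq = (Get-ADObject -Server $Server -Identity $domain.DistinguishedName -Properties ms-DS-MachineAccountQuota).'ms-DS-MachineAccountQuota'
    if ($maq -gt 0) {
        New-Finding 'Medium' 'MachineAccountQuota' $domain.DNSRoot "ms-DS-MachineAccountQuota=$maq; any user may add $maq computers (RBCD precondition)"
    }
}

# Usage: table on screen, CSV for the report.
$findings = Get-ADSecurityFindings
$findings | Sort-Object Category, Object | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\ad-findings.csv
```

Each finding is an object rather than a printed line so that the same run can feed Format-Table, Export-Csv, or a comparison against last month's CSV to spot regressions.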
A security guard has three toolkits: an inspection kit (flashlight, checklist, clipboard) for finding vulnerabilities during rounds, a reinforcement kit (locks, chains, cameras) for hardening weak points, and a monitoring kit (walkie-talkie, alert system) for detecting incidents in real time. PowerShell scripts for AD security work the same way: assessment scripts find weaknesses (stale accounts, excessive privileges, weak configurations), hardening scripts fix them (rotate KRBTGT, disable RC4, enforce AES), and monitoring scripts watch for attacks (privileged group changes, DCSync attempts, honeytoken access).
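The monitoring kit from the analogy above, as an added example that is not code from the original page: it pulls the privileged-group events and the DCSync signature from a domain controller's Security log and flags access to a honeytoken account. It assumes the Security log is readable remotely (Event Log Readers membership or admin rights) and that the audit subcategories "Security Group Management" and "Directory Service Access" are enabled; without them, 4728/4732/4756 and 4662 are never written. The group list, time window, and function names are my assumptions.

```powershell
# Added monitoring example, not code from the original page. Assumes remote
# read access to each DC's Security log and the audit subcategories named in
# the lead-in. Group list and 24-hour window are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators',
    'Group Policy Creator Owners', 'DnsAdmins'
)

# Control-access rights that together grant directory replication (DCSync).
$ReplicationRightGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function ConvertFrom-EventData {
    # Flatten the <EventData> of a Security event into a name -> value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    $data
}

function Get-PrivilegedGroupChanges {
    # 4728/4732/4756 = member added to a global / domain-local / universal
    # security group. Each DC logs only the changes it processed itself.
    param([string]$ComputerName = (Get-ADDomain).PDCEmulator, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($PrivilegedGroups -contains $d['TargetUserName']) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Group   = $d['TargetUserName']
                    Member  = $d['MemberName']
                    Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    DC      = $ComputerName
                }
            }
        }
}

function Get-DcsyncAttempts {
    # 4662 carrying replication rights, requested by anything other than a DC
    # machine account (name ending in $), is the classic DCSync signature.
    param([string]$ComputerName = (Get-ADDomain).PDCEmulator, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            $rights = $ReplicationRightGuids | Where-Object { $d['Properties'] -match $_ }
            if ($rights -and $d['SubjectUserName'] -notmatch '\$$') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Object = $d['ObjectName']
                    Rights = $rights -join ','
                    DC     = $ComputerName
                }
            }
        }
}

function Get-HoneytokenActivity {
    # A decoy account should never be used: 4768 (TGT) means someone logged on
    # as it, 4769 (TGS) means someone requested a ticket for its SPN (Kerberoast).
    param([Parameter(Mandatory)][string]$HoneytokenSam,
          [string]$ComputerName = (Get-ADDomain).PDCEmulator, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            $named = if ($_.Id -eq 4768) { $d['TargetUserName'] } else { $d['ServiceName'] }
            if ($named -eq $HoneytokenSam) {
                [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Account = $named; Client = $d['IpAddress']; DC = $ComputerName }
            }
        }
}

# Query every DC, since each one logs only what it handled.
$alerts = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-PrivilegedGroupChanges -ComputerName $dc
    Get-DcsyncAttempts -ComputerName $dc
    Get-HoneytokenActivity -HoneytokenSam 'svc-backup-legacy' -ComputerName $dc   # assumed decoy name
}
$alerts | Sort-Object Time | Format-Table -AutoSize
```

Pulling events on a schedule is the minimum; in practice the same filters belong in a SIEM rule fed by forwarded logs so that an attacker who clears the local log on one DC does not also erase the evidence.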
Key Takeaways
- Get-ADUser with ServicePrincipalName and DoesNotRequirePreAuth filters identifies Kerberoasting and AS-REP Roasting targets instantly.
- KRBTGT password rotation requires two resets: reset once, confirm the new password has replicated to every writable DC, wait at least the maximum TGT lifetime (10 hours by default), then reset again. The KDC accepts tickets under the current and the previous key, so only the second reset invalidates a Golden Ticket, and two back-to-back resets break every legitimate TGT in the domain.
- Setting ms-DS-MachineAccountQuota to 0 stops any authenticated user from creating computer accounts, which removes the foothold the common RBCD attack path depends on.
- Monitoring Event IDs 4728/4732/4756 (member added to a global, domain-local, or universal security group) detects changes to privileged groups like Domain Admins; collect them from every DC, since each logs only the changes it processed, and pair them with 4662 for DCSync detection.
- Tools like BloodHound, PingCastle, and ADRecon automate comprehensive AD security assessment.
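The hardening steps from the takeaways above (MachineAccountQuota to zero, AES-only Kerberos for service accounts, and the two-stage KRBTGT reset with a replication check between stages), as an added example that is not code from the original page. It assumes Domain Admin rights, the ActiveDirectory module, and RPC reachability to every writable DC; the 10-hour spacing is the default "Maximum lifetime for user ticket" Kerberos policy, so read your own policy if it has been changed. Function names and the replication timeout are my assumptions.

```powershell
# Added hardening example, not code from the original page. Assumes Domain
# Admin rights and reachability of every writable DC. Function names and the
# 30-minute replication timeout are assumptions.
Import-Module ActiveDirectory

function Set-MachineAccountQuotaZero {
    # Removes the "any user may join 10 computers" default that RBCD abuse
    # relies on to obtain a computer account it controls.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $domain = Get-ADDomain
    if ($PSCmdlet.ShouldProcess($domain.DNSRoot, 'Set ms-DS-MachineAccountQuota to 0')) {
        Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    }
}

function Set-AesOnlyKerberos {
    # Restricts an account's Kerberos keys to AES128/AES256 so RC4 tickets for it
    # are no longer issued; Kerberoast output then has to be cracked against AES.
    # If the password was last set before the domain supported AES, reset it
    # afterwards so the AES keys actually exist.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Restrict Kerberos to AES128/AES256')) {
        Set-ADUser -Identity $SamAccountName -KerberosEncryptionType AES128, AES256
    }
}

function Test-KrbtgtReplicated {
    # True once every writable DC reports the same PasswordLastSet for krbtgt.
    # RODCs are skipped: they use their own krbtgt_<id> accounts.
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }
    $stamps = foreach ($dc in $dcs) {
        (Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet).PasswordLastSet.ToFileTimeUtc()
    }
    @($stamps | Sort-Object -Unique).Count -eq 1
}

function Reset-KrbtgtPassword {
    # One reset. Run it twice, at least the maximum TGT lifetime (10 h default)
    # apart: the KDC honours tickets under the current and previous key, so only
    # the second reset invalidates a Golden Ticket, while two back-to-back resets
    # break every legitimate TGT in the domain.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$ReplicationTimeoutMinutes = 30)

    # krbtgt's password is never typed by a human, so use 48 random bytes.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $pdc = (Get-ADDomain).PDCEmulator
    if (-not $PSCmdlet.ShouldProcess("krbtgt via $pdc", 'Reset password')) { return }

    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $newPassword

    # Do not leave this function until every writable DC has the new key; a DC
    # still on the old key after the second reset would reject valid tickets.
    $deadline = (Get-Date).AddMinutes($ReplicationTimeoutMinutes)
    while (-not (Test-KrbtgtReplicated)) {
        if ((Get-Date) -gt $deadline) {
            throw "krbtgt password not replicated to all DCs within $ReplicationTimeoutMinutes min; fix replication before the second reset."
        }
        Start-Sleep -Seconds 30
    }
    Write-Host "krbtgt reset at $((Get-Date).ToString('u')) and replicated; second reset no sooner than $((Get-Date).AddHours(10).ToString('u'))."
}

# Usage (every step supports -WhatIf):
#   Set-MachineAccountQuotaZero
#   Set-AesOnlyKerberos -SamAccountName svc-sql     # assumed service account name
#   Reset-KrbtgtPassword                            # first reset
#   ... wait at least 10 hours ...
#   Reset-KrbtgtPassword                            # second reset; Golden Tickets forged under the old key now fail
```

The replication check compares PasswordLastSet as seen by each DC rather than trusting the write to the PDC emulator, because the dangerous failure is a lagging DC that still holds the old key when the second reset lands.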
Attackers use PowerShell to enumerate and exploit AD. Defenders who master the same tools can find and fix vulnerabilities before they are exploited. Every security assessment starts with "what does Get-ADUser tell us?" -- knowing the right queries is foundational.