Running script in offline mode #17
The script doesn't support running on the NTDS.dit file directly. And adding that functionality will require a rewrite of the majority of the code. There are also other tools which provide this functionality.
Can you suggest a tool that provides this functionality? I haven't seen anything that represents the same data.
I remember seeing one on GitHub... lemme search my notes and see if I can find it
Any luck finding it?
To parse the .dit without needing admin creds you can use ADTimeline on GitHub or the Hacktive Directory PowerShell scripts. Using the PowerShell "Hacktive Directory" scripts can provide great info. However, I would suggest using the ADTimeline tool with the Splunk App. The Splunk app can take the report info and display a really nice dashboard showing just about everything you'd want to know.
The PowerShell scripts that I'd mentioned before allow you to perform direct queries of the DB. BOTH toolsets require the .dit file to be mounted using dsamain.exe.
https://github.com/ANSSI-FR/ADTimeline
https://github.com/YossiSassi/hAcKtive-Directory-Forensics
On Wed, Oct 19, 2022 at 9:08 PM Prashant Mahajan wrote:
> I remember seeing one on GitHub... lemme search my notes and see if I can find it
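The mount-then-query step described in the reply above (dsamain.exe first, then direct LDAP queries against the mounted copy), written out as an added example that is not part of this thread, of ADRecon, or of either linked project. The paths, the port, and the analysis-host setup (Windows with the RSAT AD DS Tools, which ship dsamain.exe) are assumptions.

```powershell
# Added example (not ADRecon code): mount an NTDS.dit copied out of a disk image with
# dsamain.exe and query it over LDAP. Paths and port are placeholders. Assumes a Windows
# analysis host with the AD DS Tools (RSAT) installed, which provides dsamain.exe.
$DitPath  = 'C:\IR\case01\ntds\ntds.dit'   # placeholder: copy taken from the image
$LdapPort = 10389                           # any free port; must not clash with a live DC

# The copy must be in "Clean Shutdown" state; a dirty copy carved from a live image needs
# "esentutl /r edb /d <dir>" (with its matching log files) before it can be mounted.
& esentutl.exe /mh $DitPath | Select-String 'State:'

# Mount as a standalone LDAP instance. -allowNonAdminAccess lets a non-admin local user
# query it (the point raised in the thread); -allowUpgrade handles an older schema version.
$dsamain = Start-Process -FilePath 'dsamain.exe' -PassThru -ArgumentList @(
    '-dbpath', "`"$DitPath`"", '-ldapport', $LdapPort, '-allowNonAdminAccess', '-allowUpgrade'
)
Start-Sleep -Seconds 15   # give the instance time to come up

# The ActiveDirectory module talks ADWS, which a mounted .dit does not offer, so query it
# with plain LDAP through System.DirectoryServices instead.
$rootDse  = [ADSI]"LDAP://localhost:$LdapPort/RootDSE"
$baseDn   = $rootDse.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://localhost:$LdapPort/$baseDn")
$searcher.PageSize = 1000
# Enabled user accounts only: UAC bit 2 = ACCOUNTDISABLE, tested with the LDAP bitwise-AND rule OID
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
foreach ($attr in 'sAMAccountName','pwdLastSet','lastLogonTimestamp','adminCount','memberOf') {
    $null = $searcher.PropertiesToLoad.Add($attr)
}

# Attributes that were never set come back as an empty value collection, not as 0.
function Convert-FileTime([object]$v) {
    if ($null -eq $v -or $v.Count -eq 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$v[0])
}

$accounts = $searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    [pscustomobject]@{
        Account    = $p['samaccountname'][0]
        PwdLastSet = Convert-FileTime $p['pwdlastset']
        LastLogon  = Convert-FileTime $p['lastlogontimestamp']   # replicated value, ~14-day precision
        AdminCount = if ($p['admincount'].Count) { $p['admincount'][0] } else { 0 }
        Groups     = ($p['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
    }
}
$accounts | Sort-Object LastLogon -Descending | Export-Csv 'C:\IR\case01\users.csv' -NoTypeInformation
Stop-Process -Id $dsamain.Id   # unmount when finished
```

The same searcher, with a different filter, serves for the group, computer and GPO queries the thread's tools report on; only the attribute list and the filter change.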
Is there a way to run the script in "offline" mode without admin creds? I'm thinking of the situation where I have a disk image for analysis during an IR. I can get a copy of the NTDS folder from the image and run the script against it without the server being running. @prashant3535