# Tool/Technique: InvokeADCheck PowerShell Module
## Overview
InvokeADCheck is a PowerShell module developed to streamline the security assessment process for Active Directory (AD) environments. It automates various checks to identify security misconfigurations, weaknesses, and deviations from best practices within an AD setup, providing actionable insights to security professionals and IT administrators.
## Technical Details
- Type: Tool (PowerShell Module)
- Platform: Windows (Specifically targets Active Directory environments)
- Capabilities: Performs targeted checks on AD objects/attributes, exports results (e.g., to Excel via ImportExcel), highlights insecure settings in red on the CLI.
- First Seen: Not stated in the source; the module is attributed to SensePost researchers.
## MITRE ATT&CK Mapping
Since this tool is used for **assessment** and identifying misconfigurations rather than explicit malicious execution, its primary mapping relates to discovery and information gathering, assuming an adversary might use similar enumeration techniques.
- **TA0007 - Discovery**
- **T1087 - Account Discovery** (*By checking user account health and configurations*)
- **T1049 - System Network Connections Discovery** (*Indirectly, by querying domain controllers and trust relationships*)
- **T1069 - Permission or Group Discovery** (*By checking group memberships and ACLs*)
## Functionality
### Core Capabilities
* **Active Directory Assessment:** Executes numerous predefined functional checks against the configured Active Directory environment.
* **Prerequisite Handling:** Manages dependency installation (e.g., ImportExcel module).
* **Output Formatting:** Displays findings directly in the Command Line Interface (CLI), highlighting critical issues in red.
### Advanced Features
* **Configurable Output:** Supports redirecting findings to various file formats, including Excel (`.xlsx`), utilizing the `ImportExcel` module for detailed reporting on specific checks like user account health.
* **Modular Design:** Constructed using the `ModuleBuild` framework, organizing assessment logic into private functions for maintainability.
* **Comprehensive Checks:** Includes checks for default domain password policies, built-in group membership, GPO permissions, Kerberos settings, ACLs, and tombstone lifetime.
## Indicators of Compromise
As this is a defensive/assessment tool, traditional IoCs for malware are not applicable. Indicators relate to its execution:
- File Hashes: N/A (Source code repository is the primary indicator)
- File Names: `Invoke-ADCheck.ps1` (Public function), Internal private functions (e.g., `Get-IADUserAccountHealth.ps1`)
- Registry Keys: N/A
- Network Indicators: N/A (Operates locally against AD infrastructure)
- Behavioral Indicators: Heavy use of PowerShell cmdlets interacting with the Active Directory module (`Get-ADUser`, `Get-ADGroup`, etc.); Installation/importation of `ImportExcel` module.
## Associated Threat Actors
This tool is developed by security researchers/consultants (SensePost) and is intended for **defensive assessment** and penetration testing purposes, not typically associated with malicious threat actors.
## Detection Methods
Detection focuses on identifying the execution of security assessment scripts:
- Signature-based detection: Signatures for the standard distribution files (`InvokeADCheck-current.zip`).
- Behavioral detection: Monitoring for the extensive enumeration of AD objects and attributes, especially when executed outside of standard administrative scripting environments.
- YARA rules: Not available based on the context.
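The behavioral detection described above can be implemented from PowerShell script block logging. The following is an added example, not code from InvokeADCheck or from the write-up: it reads Event ID 4104 from the `Microsoft-Windows-PowerShell/Operational` log (which assumes script block logging is enabled by policy) and flags any script block that references several distinct ActiveDirectory-module cmdlets in one go. The cmdlet list, the threshold of four, and the sample script block are constructed for illustration, not values from the page.

```powershell
# Added example, not part of InvokeADCheck or the source write-up.
# Flags PowerShell script blocks that call many distinct Active Directory
# module cmdlets, the behavioural indicator described above. Reads Event ID
# 4104 from Microsoft-Windows-PowerShell/Operational, which requires script
# block logging to be enabled (assumption). The cmdlet list and threshold are
# illustrative choices, not values from the page.

$AdCmdlets = @(
    'Get-ADUser', 'Get-ADGroup', 'Get-ADGroupMember', 'Get-ADComputer',
    'Get-ADDomain', 'Get-ADTrust', 'Get-ADObject', 'Get-ADDomainController',
    'Get-ADDefaultDomainPasswordPolicy', 'Get-GPO', 'Get-GPPermission'
)

function Get-AdCmdletHits {
    # Returns the distinct AD cmdlets referenced in one script block's text.
    param([Parameter(Mandatory)][string]$ScriptText)
    $AdCmdlets | Where-Object { $ScriptText -match ('(?i)\b' + [regex]::Escape($_) + '\b') }
}

function Find-AdEnumerationScriptBlocks {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int]$MinDistinct = 4    # assumed threshold; tune to your own baseline
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # In 4104 events, Properties[2] is ScriptBlockText and Properties[4] is Path.
        $text = [string]$e.Properties[2].Value
        $hits = @(Get-AdCmdletHits -ScriptText $text)
        if ($hits.Count -ge $MinDistinct) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                UserSid     = $e.UserId
                Path        = $e.Properties[4].Value
                AdCmdlets   = ($hits -join ', ')
                Preview     = $text.Substring(0, [Math]::Min(100, $text.Length))
            }
        }
    }
}

# Constructed sample: a script block resembling an all-in-one domain assessment run.
$sample = @'
$users  = Get-ADUser -Filter * -Properties PasswordNeverExpires, LastLogonDate
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
$trusts = Get-ADTrust -Filter *
$policy = Get-ADDefaultDomainPasswordPolicy
'@
"Sample block references: $((Get-AdCmdletHits -ScriptText $sample) -join ', ')"

# Live query against the local event log (needs script block logging and read access).
Find-AdEnumerationScriptBlocks | Format-Table -AutoSize
```

Matching on cmdlet names rather than on the module's file names keeps the rule useful when the script is renamed or pasted interactively; the `Path` column distinguishes a saved script from an ad hoc console session, which is the "outside of standard administrative scripting environments" signal the text mentions.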
## Mitigation Strategies
Since this tool is designed for security auditing, mitigation involves controlling who has the right to execute it and who has privileges to perform the queries it runs.
- Prevention measures: Restrict PowerShell execution policies or use Constrained Language Mode where appropriate.
- Hardening recommendations: Implement Just-Enough-Administration (JEA) to limit which users can run extensive domain enumeration scripts. Monitor execution of high-volume AD enumeration commands.
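One concrete form of the JEA recommendation above, as an added example that is not code from InvokeADCheck or the source: a role capability that exposes only identity-scoped, read-only AD cmdlets (no `-Filter` parameter, so wildcard sweeps are refused) and a `RestrictedRemoteServer` session configuration that transcribes every session. The module name `AdReadOnlyJea`, the group `CONTOSO\AD-ReadOnly-Auditors`, the endpoint name and all paths are placeholders.

```powershell
# Added example, not part of InvokeADCheck or the source write-up. Builds a JEA
# endpoint whose connected users can run only a narrow, read-only set of AD
# cmdlets, so broad enumeration scripts cannot be run through it. Paths, the
# group name 'CONTOSO\AD-ReadOnly-Auditors' and the endpoint name are
# placeholders (assumptions). Run elevated on the server that hosts the endpoint.

$ModuleName = 'AdReadOnlyJea'    # placeholder module that carries the role capability
$ModuleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot "$ModuleName.psd1")

# Role capability: a small allow-list instead of the whole ActiveDirectory module.
# -Filter is deliberately absent so 'Get-ADUser -Filter *' style sweeps are rejected.
$RoleParams = @{
    Path            = Join-Path $RoleDir 'AdReadOnly.psrc'
    ModulesToImport = 'ActiveDirectory'
    VisibleCmdlets  = @(
        @{ Name = 'Get-ADUser';        Parameters = @{ Name = 'Identity' }, @{ Name = 'Properties' } },
        @{ Name = 'Get-ADGroup';       Parameters = @{ Name = 'Identity' } },
        @{ Name = 'Get-ADGroupMember'; Parameters = @{ Name = 'Identity' } },
        'Get-ADDefaultDomainPasswordPolicy'
    )
    Description     = 'Read-only AD lookups by identity; no wildcard enumeration.'
}
New-PSRoleCapabilityFile @RoleParams

# Session configuration: RestrictedRemoteServer (NoLanguage mode), virtual account,
# and a transcript for every session so the queries that do run are auditable.
$SessionParams = @{
    Path                = Join-Path $env:ProgramData 'JEAConfiguration\AdReadOnly.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = Join-Path $env:ProgramData 'JEAConfiguration\Transcripts'
    RoleDefinitions     = @{ 'CONTOSO\AD-ReadOnly-Auditors' = @{ RoleCapabilities = 'AdReadOnly' } }
}
New-Item -ItemType Directory -Path (Split-Path $SessionParams.Path) -Force | Out-Null
New-PSSessionConfigurationFile @SessionParams
Test-PSSessionConfigurationFile -Path $SessionParams.Path

Register-PSSessionConfiguration -Name 'AdReadOnly' -Path $SessionParams.Path -Force

# Self-check from a client: Get-Command inside the endpoint should list only the
# four cmdlets above plus the JEA defaults.
# Enter-PSSession -ComputerName <host> -ConfigurationName AdReadOnly
```

Users who need the full assessment run (the InvokeADCheck operator) are deliberately not given this endpoint; the point is that everyone else's AD access is limited to per-object lookups, which makes the high-volume enumeration pattern stand out in the transcripts and in script block logs.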
## Related Tools/Techniques
* **Invoke-TrimarcADChecks:** An inspiration/predecessor mentioned in the article.
* **ImportExcel:** Dependency module for exporting data to XLSX format.
* **ModuleBuild:** Scaffolding framework used for module creation.