ShadowHound: Stealthy AD Enumeration with PowerShell
ShadowHound
ShadowHound is a set of PowerShell scripts for Active Directory enumeration without the need for introducing known-malicious binaries like SharpHound. It leverages native PowerShell capabilities to minimize detection risks and offers two methods for data collection:
- ADModule Based: This script leverages the Active Directory module (Get-ADObject cmdlet) in PowerShell, which communicates via the Active Directory Web Services (ADWS) protocol over port 9389.
- DirectorySearcher Based: This script uses the DirectorySearcher class, performing LDAP queries directly.
Scripts Overview
ShadowHound-ADM.ps1
- Method: Active Directory module (Get-ADObject via ADWS).
- Usage Scenario: When the AD module is available and ADWS is accessible.
- Features:
- Handles large domains with -SplitSearch, -Recurse, and -LetterSplitSearch options.
- Enumerates certificates with the -Certificates flag.
ShadowHound-DS.ps1
- Method: Direct LDAP queries using DirectorySearcher.
- Usage Scenario: Environments where the AD module isn’t available or LDAP is preferred.
- Features:
- Enumerates certificates with the -Certificates flag.
- Supports alternate credentials with the -Credential parameter.
