ShadowHound: Stealthy AD Enumeration with PowerShell

by ·

ShadowHound

ShadowHound is a set of PowerShell scripts for Active Directory enumeration without the need for introducing known-malicious binaries like SharpHound. It leverages native PowerShell capabilities to minimize detection risks and offers two methods for data collection:

  • ADModule Based: This script leverages the Active Directory module (Get-ADObject cmdlet) in PowerShell, which communicates via the Active Directory Web Services (ADWS) protocol over port 9389.
  • DirectorySearcher Based: This script uses the DirectorySearcher class, performing LDAP queries directly.

Scripts Overview

ShadowHound-ADM.ps1

 

  • Method: Active Directory module (Get-ADObject via ADWS).
  • Usage Scenario: When the AD module is available and ADWS is accessible.
  • Features:
    • Handles large domains with -SplitSearch, -Recurse, and -LetterSplitSearch options.
    • Enumerates certificates with the -Certificates flag.

ShadowHound-DS.ps1

 

  • Method: Direct LDAP queries using DirectorySearcher.
  • Usage Scenario: Environments where the AD module isn’t available or LDAP is preferred.
  • Features:
    • Enumerates certificates with the -Certificates flag.
    • Supports alternate credentials with the -Credential parameter.

Download & Use

Tags: