Hidden Accounts in Active Directory

While taking a SANS course we went through an exercise to learn how adversary's hide accounts through modifying the access controls.  During the class I created this script to iterate through the access controls placed on the objects in Active Directory and compares it to what is seen with the commands of Get-ADUser, Get-ADComputer and Get-ADGroup.  This script identified the hidden account.

Below is the powershell for the script.  Use with caution, only used in a test environment.

# Script built to detect suspicous entries in AD access control lists
# A paper written by Will Schroeder and Lee Christensen about "An Ace up the Sleeve" highlights hidding objects with denied privileges
# This script analyzes what is in the access control lists and then finds objects that are not listed in Get-ADUsers, Get-ADComputers and Get-ADGroups

# Version 0.2
# Fixes - In the test lab I could go off of the .Name object of an Account, Group or Computer.  In a production environment the SamAccountName is necessary
#       - Removed the compList because the SamAccountName of a computer has a $
#       - The list of computers changed in the evaluation from compList to computerList due to the change above


Import-Module ActiveDirectory

# Pull in the list of user accounts output from Get-ADUser
$userList = (Get-ADUser -Filter *).SamAccountName

# Pull in the list of groups output from Get-ADGroup
$groupList = (Get-ADGroup -Filter *).SamAccountName

# Pull in the list of computers from Get-ADComputer
$computerList = (Get-ADComputer -Filter *).SamAccountName      


$domain = $env:USERDOMAIN

# Capture interesting accounts
$interestingAccounts = @()

# Initial concept was to only look at the Organizational Units - Expanded to All Objects in the Domain
#$OUs = Get-ChildItem -Recurse -LiteralPath "AD:\DC=sec699-32,DC=lab" | Where ObjectClass -eq organizationalUnit

# Pull all of the Objects in the Domain into a Variable
$adObjects = Get-ChildItem -Recurse -LiteralPath "AD:\DC=sec699-32,DC=lab" 
""
"Display Suspicious Access Privileges of an Object that is not Listed by Get-ADUser, Get-ADComputer or Get-ADGroup"
ForEach ($object in $adObjects) {
    # Pull the access of each object
    $accessRights = (Get-ACL -Path $object.PSpath).Access
    # Iterate over each Access Right
    ForEach ($accessRight in $accessRights) {
        # If the IdentityReference in the Access Right contains the domain continue
        If ($accessRight.IdentityReference -like "*$($domain)*") {
            # Split the domain name from the account, group or computername
            $domainName, $identity = $accessRight.IdentityReference.ToString().Split("\")
            # Check to see if the account, group or computername exists in the lists pulled above from Get-ADUser, Get-ADComputer and Get-ADGroup
            If (($identity -notin $userList) -and ($identity -notin $groupList) -and ($identity -notin $computerList)) {
                # If the identity does not exist add it to the interesting accounts array
                If ($identity -notin $interestingAccounts) {
                    $interestingAccounts += $identity
                }
                # Display the AD Object that is Interesting and that contains an identity that does not exist by default viewing

                # Uncomment the below line to see the verbose output of each object
                #
                #"ADObject:$($object.name) ObjectClass:$($object.ObjectClass) DN:$($object.DistinguishedName) Account:$($accessRight.IdentityReference) Access:$($accessRight.AccessControlType) $($accessRight.ActiveDirectoryRights)"
            }
        }
    }
}
"`n`n"
"Interesting Accounts, Groups or Computers Identified"
$interestingAccounts