ShadowHound : Leveraging PowerShell For Stealthy Active Directory Enumeration

ShadowHound is a set of PowerShell scripts for Active Directory enumeration without the need for introducing known-malicious binaries like SharpHound.

It leverages native PowerShell capabilities to minimize detection risks and offers two methods for data collection:

• ShadowHound-ADM.ps1: Uses the Active Directory module (ADWS).
• ShadowHound-DS.ps1: Utilizes direct LDAP queries via DirectorySearcher.

Blog Post

For more details and context, check out the blog post.

Scripts Overview

ShadowHound-ADM.ps1

• Method: Active Directory module (Get-ADObject via ADWS).
• Usage Scenario: When the AD module is available and ADWS is accessible.
• Features:
  • Handles large domains with -SplitSearch, -Recurse, and -LetterSplitSearch options.
  • Enumerates certificates with the -Certificates flag.

ShadowHound-DS.ps1

• Method: Direct LDAP queries using DirectorySearcher.
• Usage Scenario: Environments where the AD module isn’t available or LDAP is preferred.
• Features:
  • Enumerates certificates with the -Certificates flag.
  • Supports alternate credentials with the -Credential parameter.

Usage Examples

Basic Enumeration

ShadowHound-ADM.ps1

# Basic usage
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt"

# Specify a domain controller and custom LDAP filter
ShadowHound-ADM -Server "dc.domain.local" -OutputFilePath "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=user)"

# Use alternate credentials
$cred = Get-Credential
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt" -Credential $cred -SearchBase "DC=domain,DC=local"

ShadowHound-DS.ps1

# Basic usage
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt"

# Specify a domain controller
ShadowHound-DS -Server "dc.domain.local" -OutputFile "C:\Results\ldap_output.txt"

# Use a custom LDAP filter
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=computer)"

For more information click here.