Hacking Tools

ShadowHound : Leveraging PowerShell For Stealthy Active Directory Enumeration

ShadowHound is a set of PowerShell scripts for Active Directory enumeration without the need for introducing known-malicious binaries like SharpHound.

It leverages native PowerShell capabilities to minimize detection risks and offers two methods for data collection:

  • ShadowHound-ADM.ps1: Uses the Active Directory module (ADWS).
  • ShadowHound-DS.ps1: Utilizes direct LDAP queries via DirectorySearcher.

Blog Post

For more details and context, check out the blog post.

Scripts Overview

ShadowHound-ADM.ps1

  • Method: Active Directory module (Get-ADObject via ADWS).
  • Usage Scenario: When the AD module is available and ADWS is accessible.
  • Features:
    • Handles large domains with -SplitSearch, -Recurse, and -LetterSplitSearch options.
    • Enumerates certificates with the -Certificates flag.

ShadowHound-DS.ps1

  • Method: Direct LDAP queries using DirectorySearcher.
  • Usage Scenario: Environments where the AD module isn’t available or LDAP is preferred.
  • Features:
    • Enumerates certificates with the -Certificates flag.
    • Supports alternate credentials with the -Credential parameter.

Usage Examples

Basic Enumeration

ShadowHound-ADM.ps1

# Basic usage
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt"

# Specify a domain controller and custom LDAP filter
ShadowHound-ADM -Server "dc.domain.local" -OutputFilePath "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=user)"

# Use alternate credentials
$cred = Get-Credential
ShadowHound-ADM -OutputFilePath "C:\Results\ldap_output.txt" -Credential $cred -SearchBase "DC=domain,DC=local"

ShadowHound-DS.ps1

# Basic usage
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt"

# Specify a domain controller
ShadowHound-DS -Server "dc.domain.local" -OutputFile "C:\Results\ldap_output.txt"

# Use a custom LDAP filter
ShadowHound-DS -OutputFile "C:\Results\ldap_output.txt" -LdapFilter "(objectClass=computer)"

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Best OSINT Tools for Journalists 2026: Verify Sources, Images and Claims

Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…

6 hours ago

Install Docker on Ubuntu 20.04: Complete Step-by-Step Guide

Docker is an open-source platform that lets you package and run applications inside containers. Each container…

17 hours ago

Install PostgreSQL on Ubuntu: Database Setup and Admin Guide

PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…

18 hours ago

Install Xrdp Remote Desktop on Ubuntu: Setup and Connect

Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…

18 hours ago

Tomcat 9 on Ubuntu 20.04: Install, Configure, and Start

Apache Tomcat is an open-source web server and Java servlet container. It is one of the…

18 hours ago

Automatic Updates on Ubuntu: Set Up unattended-upgrades

Keeping your Ubuntu system updated is one of the best ways to protect it. Security…

19 hours ago