anssi-fr / adtimeline Goto Github PK

Hello, thanks for this script!

From my integration engineer perspective, there are some enhancements you could consider on error handling.
I join my proposal for the starting section.

Since I am really bad in using GitHub, I attach my file rather than pasting code here. Display is awful.

My excerpt code is tested on my Win10 Enterprise/PS 5.1.17134.407

I go on reviewing your code.

DBZ78

Hi,
The issue is not related to the tool itself but with mounting the ntds.dit file.

getting below error while trying to mount ntds.dit in offline mode:

The NTDS dump is coming from a Windows 2012 R2, and I've made a clean install + added the necessary requirements (AD LDS services and RSAT AD LDS). I made sure Active Directory Web Service (ADWS) is also running.
Any idea on what is possibly wrong here? I know the issue is not related to the tool, however any assistance from your end is greatly appreciated.

Instead of forcing the user to edit the script, consider adding a "CustomGroups" parameter.

Can be easily implemented
[parameter(Mandatory=$false)][string[]]$CustomGroups = $null

ive installed the app in splunk and was wondering if it would be possible and/or a good idea to use the script input in splunk to run the discovery script on a schedule tp collect data

Hi,

I have the following issue when running the tool in offline mode:

I've correctly used dsamain.exe and can manually browse using ADSIEdit:

Any idea on what is possibly wrong there?

The NTDS dump is coming from a Windows 2008 R2 SP1, and I've made a clean install + added the necessary requirements (AD LDS services and RSAT AD LDS).

I hope this a the right place for the following questions. They are not issues in a sense of bugs or feature requests (at least if you do not consider improving the readme as a FR), but I do not see any reference labeled "support" or similar, so I post it here.

Many parts of the readme seem greatly written to me, for example that you specify all the objects that are considered as "of interest" and the large section about Splunk-integration. However there are some basic background information that are not clear to me:

• Does a single DC (that does not replicate anything anywhere) also have the replication metadata? (I read https://www.ssi.gouv.fr/uploads/2019/04/ad_timeline_first_tc.pdf which says "For each replicated attribute msDS-ReplAttributeMetaData contains", but I am not sure whether "replicated attribute" means only if it IS replicated or also if it would be replicated, if a second DC would exist)

• Does Windows server keep the replication metadata indefinitely or will they be purged at some time similar to event logs?

• Does ADTimeline only consider the replication metadata or does it also consider the objects themselves? ("normal" metadata and other fields)? Reading the readme feels like this tool is only about replication metadata, on the other hand it is called ADTimeline, not ADRepDataTimeline or similar.

Thank you very much.

Consider using try/catch logic for error handling.
Instead of checking if $error exists, and clearing it, maybe you could use some try catch logic.

For Example:

# LDAP root information, to retrieve partitions paths
$root = Get-ADRootDSE -server $server

if($error)
	{
	write-output -inputobject "---- Connexion au DC $($server) impossible ----"
	Exit $ERR_GC_BIND_FAILED
	}

Try the following:

# LDAP root information, to retrieve partitions paths
Try {
    $root = Get-ADRootDSE -server $server
} Catch {
    #You Can directly explore the current error by using $_ or $PSItem
    write-output -inputobject "---- Connexion au DC $($server) impossible ----"
	Exit $ERR_GC_BIND_FAILED
}

Instead of using nltest:
$mySite = (nltest /dsgetsite 2>$null)[0]

you can use the following to retrieve the current site name:
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

Could this be ok?

On first glance, it looks like the timeline script collects similar fields to admon which is already commonly deployed. Could admon be used instead of the new script which would commonly be resisted by customers for non technical reasons?

I've seen a lot of errors when running the tool similar to this one:

Cannot convert value "<DS_REPL_VALUE_META_DATA>
    <pszAttributeName>member</pszAttributeName>
    <pszObjectDn>CN=IT Helpdesk\0ACNF:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,OU=Shared Mailboxes,OU=XX,OU=XXX XXXXXXXX,OU=Users & Groups,DC=xxxxxx,DC=xxxxx</pszObjectDn>
    <cbData>0</cbData>
    <pbData></pbData>
    <ftimeDeleted>1601-01-01T00:00:00Z</ftimeDeleted>
    <ftimeCreated>2012-11-02T11:25:44Z</ftimeCreated>
    <dwVersion>1</dwVersion>
    <ftimeLastOriginatingChange>2012-11-02T11:25:44Z</ftimeLastOriginatingChange>
    <uuidLastOriginatingDsaInvocationID>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</uuidLastOriginatingDsaInvocationID>
    <usnOriginatingChange>44912828</usnOriginatingChange>
    <usnLocalChange>29905</usnLocalChange>
    <pszLastOriginatingDsaDN></pszLastOriginatingDsaDN>
</DS_REPL_VALUE_META_DATA>
" to type "System.Xml.XmlDocument". Error: "An error occurred while parsing EntityName. Line 3, position 125."
At C:\Users\Administrator\Desktop\ADTimeline-master\ADTimeline-master\ADTimeline.ps1:2508 char:124
+             {if($objgrp."msDS-ReplValueMetadata"){$metadasgrp = $objgrp."msDS-ReplValueMetadata" | foreach-object{ ([
xml] $_.Replace <<<< ("`0","")).DS_REPL_VALUE_META_DATA}}}
    + CategoryInfo          : NotSpecified: (:) [], RuntimeException
    + FullyQualifiedErrorId : RuntimeException

I think this might be related to the OU name containing &, which should be escaped.

Example with and without &:

Consider the following syntax, available since powershell 3.0:

$Replinfo += [PSCustomObject]@{
                    Propriete1='Value1'
                    Propriete2='Value1'
                    Propriete3='Value1'
                }

It might make you save some time when creating new objects.

Maybe you can use arraylist instead of arrays: way faster to add items in it.
Other consideration when using arrays: everytime you use += the array is duplicated, and your new item added at the end of the newly created array. So i dont know how many object your array must contain, but the more objects you add... the slower it gets.
ArrayList is not duplicated when you add new items.

$replinfo = [System.Collections.ArrayList]@()
$replinfo.add(
    [PSCustomObject]@{
        Propriete1='Value1'
        Propriete2='Value1'
        Propriete3='Value1'
    }
)

A suggested update to the listed "Prerequisites" on the main page. Where "If you are using offline mode install the ADLDS role on a Windows Server edition in order to use dsamain.exe and mount the NTDS database. is listed based on my use of ADTimeline the OS version of the server being used for analysis needs to match the version of the server where the "ntds.dit" came from. If the ".dit" file(s) came from a Win2k8 server then the OS of the analysis server also needs to be Win2k8. Failure to do this will cause dsamain to be unable to mount the database. To test this I've used databases from every version of Windows Server from Windows 2000 - Windows 2022. The databases were only able to successfully mount when the OS versions matched. As a test, I took the kape collection that was provided via a SANs class and tried to run ADTimeline on the .dit file. Essentially, this is a server that I know nothing about and have NO credentials. Once I figured out what version the servers OS had been using the SOFTWARE registry hive and the "CurrentVersion" key information the DB mounted and ADTimeline worked perfectly.

It would be helpful to people who use your tool to have this little piece of info. This knowledge makes the difference between it working and not working.