We had a client who was being brute force attacked and we wanted to know if any of the usernames that were being tried actually existed in their Active Directory. They had a substantial Active Directory with dozens and dozens of organizational units, so browsing through them manually, or running a FIND on each user, would be tedious.
Instead we built this PowerShell script to export every user that was in their Active Directory, regardless of their OU, to a file which we then converted to an Excel file:
PS C:\Windows\system32> Get-ADUser -Filter * -Property "SamAccountName", "UserPrincipalName", "whenCreated", "DistinguishedName" | Select-Object "SamAccountName", "UserPrincipalName", @{Name="OrganizationalUnit";Expression={($_.DistinguishedName -split ",",2)[1]}}, "whenCreated" | Export-Csv -Path "C:\Temp\ADUsers.csv" -NoTypeInformation
We were then able to very quickly search the Excel file for the accounts the hacker was trying to connect with. Most of the names it was trying to use were generic, like Liz and Mike, but a few of them were oddly specific, like Khalid.Abdullah. We were very happy to see that not a single one of the attempted hacking accounts matched the client's production users.
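The comparison can also be scripted rather than searched by hand. The following is an added example, not part of the original script: it checks a list of attempted usernames against the exported columns, matching on either SamAccountName or the name part of UserPrincipalName. The sample rows, the attempted-name list and the Get-NormalizedName helper are constructed for illustration.

```powershell
# Constructed sample standing in for the export; in practice use:
#   $adUsers = Import-Csv -Path "C:\Temp\ADUsers.csv"
$adUsers = @'
"SamAccountName","UserPrincipalName","OrganizationalUnit","whenCreated"
"jsmith","john.smith@example.test","OU=Sales,DC=example,DC=test","1/5/2021 9:14:02 AM"
"mike","mike.jones@example.test","OU=IT,DC=example,DC=test","3/18/2019 2:41:55 PM"
'@ | ConvertFrom-Csv

# Constructed list of usernames taken from the failed logon attempts.
$attempted = 'Liz', 'Mike', 'Khalid.Abdullah', 'EXAMPLE\jsmith', 'john.smith@example.test'

function Get-NormalizedName {
    param([string]$Name)
    # Reduce DOMAIN\user and user@domain forms to the bare, lower-case user part.
    $n = $Name.Trim()
    if ($n -match '\\') { $n = ($n -split '\\', 2)[1] }
    if ($n -match '@')  { $n = ($n -split '@', 2)[0] }
    $n.ToLowerInvariant()
}

# Index every account under both of its logon names.
$lookup = @{}
foreach ($u in $adUsers) {
    foreach ($key in @($u.SamAccountName, $u.UserPrincipalName)) {
        if ($key) { $lookup[(Get-NormalizedName $key)] = $u }
    }
}

# One result row per attempted name, flagged if it maps to a real account.
$results = foreach ($name in $attempted) {
    $hit = $lookup[(Get-NormalizedName $name)]
    [pscustomobject]@{
        Attempted          = $name
        ExistsInAD         = [bool]$hit
        SamAccountName     = if ($hit) { $hit.SamAccountName } else { $null }
        OrganizationalUnit = if ($hit) { $hit.OrganizationalUnit } else { $null }
    }
}

$results | Sort-Object ExistsInAD -Descending | Format-Table -AutoSize
```

Any row with ExistsInAD set to True is an attempted name that corresponds to a real account and is worth a closer look at its lockout and logon history.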
The -NoTypeInformation parameter in PowerShell is used when exporting data to a file, specifically with cmdlets like Export-Csv, ConvertTo-Csv, and ConvertTo-Xml.
In PowerShell, every object has a TypeName, which is the .NET class of that object. When you export data to a file, the operation includes this #TYPE information header by default. This header represents the TypeName of the objects being exported.
Here are some examples of TypeNames, so you can see why you likely don't want that extra detail:
The -NoTypeInformation parameter is used to exclude this #TYPE information from the exported file's header. Put simply, it removes the TypeName of the objects from the beginning of the output file.
For example: Get-Process | Export-Csv -Path .\Processes.csv -NoTypeInformation
In this example, the Get-Process cmdlet gets the process objects and the Export-Csv cmdlet exports these objects to a CSV file. The -NoTypeInformation parameter is used to exclude the #TYPE information from the CSV file.
NOTE: From PowerShell version 6.0 onwards, you do not need to specify -NoTypeInformation, because in newer versions of PowerShell the #TYPE information is excluded by default.