LiveDiffAD

AD Live changes viewer

GPL-3.0 License

Stars
35
View Code on GitHub View on X
Ecosystems: PowerShell

LiveDiffAD

LiveDiffAD is a tiny powershell script used to grab Active Directory changes on the fly.

How it works

The script:

  1. is based on UncoverDCShadow, which uses the LDAP_SERVER_NOTIFICATION_OID (1.2.840.113556.1.4.528) LDAP control. This special control can be used to retrieves the object which are being changed ;
  2. grab replication metadata for the targeted object, and compare it to the LocalUSN. If the USN is higher, indicating a more recent change, the new value is printed and the internal USN updated accordingly
  3. uses repadmin /showchanges cookies (placed on script start-up in cookie*.bin files) to print a summary of all the changes made during Show-LiveDiff call, and avoid missing one of them. Indeed, this method, while using the same concepts, does not reuse the information grabbed by the script. Therefore, one can have a stronger confidence in its global diff results.

Usage

# Import the script
PS> Import-Module .\livediff.ps1
# Launch the live view
PS> Show-LiveDiff
...

For each change, the script will highlight the target object, and its attributes being changed.

Once the script is terminated, a change summary is printed.

# Summary for the domain naming context
[Summary - DC=WINDOMAIN,DC=LOCAL]
Using cookie from file cookie.bin (132 bytes)

==== SOURCE DSA: DC.WINDOMAIN.LOCAL ====
...

# Summary for the Configuration naming context
[Summary - CN=Configuration,DC=WINDOMAIN,DC=LOCAL]
...

# Summary for the Schema naming context
[Summary - CN=Schema,CN=Configuration,DC=WINDOMAIN,DC=LOCAL]
...

# Summary for the Forest DNS Zones naming context
[Summary - DC=ForestDnsZones,DC=WINDOMAIN,DC=LOCAL]
...

# Summary for the Domain DNS Zones naming context
[Summary - DC=DomainDnsZones,DC=WINDOMAIN,DC=LOCAL]
...

The files cookies*.bin are updated at the end of the script, and can be used as a checkpoint after the script termination.

Examples

The diff_examples directory highlights changes made during some scenarios.

Related Projects
Compare-UserJS

PowerShell script for comparing user.js (or prefs.js) files.

07 Jul 2018 103
BadBlood

BadBlood by @davidprowe, Secframe.com, fills a Microsoft Active Directory Domain with a structure...

16 Jan 2020 2,001
Active-Directory-Exploitation-Cheat-Sheet

A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

28 May 2020 2,451
PSAccessFinder

searches recursive for folders where the current user has permissions

29 Mar 2022 4
PowerShell-Beautifier

A whitespace reformatter and code cleaner for Windows PowerShell and PowerShell Core

11 Jun 2017 332
Find-String

A PowerShell script to provide functionality similar to grep or ack with highlighting.

11 Jun 2009 61
red-team-scripts

A collection of Red Team focused tools, scripts, and notes

01 May 2017 1,110
Get-CMUnusedSources

A PowerShell script that will tell you what folders are not used by Microsoft Endpoint Manager Co...

10 Feb 2019 35
SessionGopher

SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote ...

08 Mar 2017 1,206
vulnerable-AD

Create a vulnerable active directory that's allowing you to test most of the active directory att...

19 Jun 2020 1,887
PowerShell

Various PowerShell functions and scripts

08 Mar 2014 951
PowerSharpPack

06 Apr 2020 1,505
D365FFO-PowerShell-scripts

Set of PowerShell scripts to maintain D365FFO (Dynamics 365 for Finance and Operations)

31 Jan 2019 33
PowerShell-WindowsAdmin

A collection of scripts I've created over the years to administer things.

03 Oct 2017 65
Powershell

Miscellaneous PowerShell scripts and modules.

17 Sep 2014 30