Single-script Active Directory assessment collector. Orchestrates PingCastle, Locksmith2, Rubeus, SharpHound, and Snaffler into a single timestamped run with structured output. Includes built-in checks for LDAP signing, NTLM configuration, and GPP credential exposure.
No dependencies beyond PowerShell 5.1 and the tools themselves.
Environment
- Windows host, PowerShell 5.1+
- Domain-joined session — domain and DC are resolved automatically from the current AD context
- Administrator token recommended for PingCastle (DNS zones, object creation dates)
Tools — populate tools\ before running:

| Path | Source |
|---|---|
| tools\PingCastle.exe + appsettings.console.json | pingcastle.com |
| tools\Rubeus.exe | GhostPack/Rubeus |
| tools\SharpHound.exe + SharpHound.exe.config | BloodHoundAD/SharpHound |
| tools\Locksmith2\ | jakehildreth/Locksmith2 |
| tools\Snaffler.exe | SnaffCon/Snaffler |
PowerShell modules — installed automatically on first run if absent (requires internet):

| Module | Role |
|---|---|
| PSCertutil | Required — ESC6, ESC7, ESC11, ESC16 |
| PSWriteHTML | Optional — Locksmith2 report formatting |
```powershell
# Prompts for credentials at startup
.\collect.ps1

# Non-interactive
$cred = Get-Credential
.\collect.ps1 -Credential $cred

# Override Snaffler timeout (default 30 min)
.\collect.ps1 -SnafflerTimeout 60
```

Credentials are passed to Locksmith2 only, which requires a PSCredential for LDAP. All other tools run under the current session token.
```
output\YYYY-MM-DD_HH-MM\
  pingcastle\
    ad_hc_*.xml
    ad_hc_*.html
  locksmith\
    locksmith2_findings.json
  rubeus\
    kerberoast.txt          # absent if no kerberoastable accounts
    asreproast.txt          # absent if no AS-REP roastable accounts
  sharphound\
    *_BloodHound.zip
  adchecks\
    adchecks.json           # LDAP signing, channel binding, NTLM level
  gpp\
    gpp_cpassword.json      # no findings = empty array
  snaffler\
    snaffler.log            # partial if timeout reached
  coercion\
    coercion.json           # Spooler + WebClient status per DC
  manifest.json             # domain, dc, user, per-step results
```
PingCastle — runs --healthcheck --no-enum-limit against the configured DC. A restricted-token warning is non-fatal; the report is generated regardless.
Locksmith2 — covers ESC1–7, ESC9–11, ESC16. If PSCertutil fails to install, ESC6, ESC7, ESC11, and ESC16 are skipped and the output file is written with "partial": true. ESC8 (NTLM relay to HTTP enrollment) is out of scope for a host-local collector.
Rubeus — loaded in-memory via Assembly.Load(). Runs kerberoast and asreproast against the configured domain using the current session token. No credentials are stored or passed.
SharpHound — runs --collectionmethods All. Explicit credential passing is omitted intentionally: it fails on domain-joined sessions under SharpHound v2, and the session token is sufficient for full collection.
ADChecks — reads LDAP signing (LDAPServerIntegrity), channel binding (LdapEnforceChannelBinding), and NTLM level (LmCompatibilityLevel) from the DC registry via WinRM using the supplied credential. Also probes for anonymous LDAP bind independently of WinRM. If WinRM is unavailable, registry values are null and source is set to winrm_unavailable; the anonymous bind result is always present.
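The ADChecks step described above, written out as an added example that is not part of collect.ps1. It reads the three registry values over WinRM, falls back to null values and a winrm_unavailable source marker when the DC cannot be reached, and probes anonymous LDAP read over plain LDAP so that result is present either way. The function name, its parameters and the output field names are assumptions; the rating thresholds (2, 2 and 5) are the enforced settings for each key.

```powershell
# Added example, not part of collect.ps1. Reads the three DC hardening values the
# ADChecks step describes over WinRM and probes anonymous LDAP read independently.
# Assumptions: -DomainController is a DC hostname; -Credential is the PSCredential the
# collector prompts for; WinRM may be unreachable, in which case the registry fields
# stay $null and source becomes winrm_unavailable, mirroring adchecks.json.
function Get-DcLdapNtlmPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # --- Registry reads over WinRM -------------------------------------------------
    $reg    = $null
    $source = 'winrm'
    try {
        $reg = Invoke-Command -ComputerName $DomainController -Credential $Credential -ErrorAction Stop -ScriptBlock {
            $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
            $lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LDAPServerIntegrity       = $ntds.LDAPServerIntegrity        # 2 = LDAP signing required
                LdapEnforceChannelBinding = $ntds.LdapEnforceChannelBinding  # 2 = channel binding always required
                LmCompatibilityLevel      = $lsa.LmCompatibilityLevel        # 5 = NTLMv2 only, LM/NTLMv1 refused
            }
        }
    } catch {
        $source = 'winrm_unavailable'
    }

    # --- Anonymous LDAP probe (no WinRM needed) -------------------------------------
    # An anonymous bind alone succeeds against AD by design (RootDSE is readable without
    # authentication), so the meaningful test is whether the unauthenticated session can
    # read objects under the domain naming context. A DC that has not enabled anonymous
    # read answers with operationsError, which SendRequest surfaces as an exception.
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $anonymousRead = $false
    $conn = $null
    try {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 389)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.Bind()

        # RootDSE tells us the domain NC to test against
        $rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest($null, '(objectClass=*)', 'Base', 'defaultNamingContext')
        $nc      = $conn.SendRequest($rootReq).Entries[0].Attributes['defaultNamingContext'][0]

        # One-level read of the domain NC: a handful of containers, or an error
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($nc, '(objectClass=*)', 'OneLevel', 'name')
        $resp = $conn.SendRequest($req)
        $anonymousRead = ($resp.Entries.Count -gt 0)
    } catch {
        $anonymousRead = $false
    } finally {
        if ($conn) { $conn.Dispose() }
    }

    # --- Rating -----------------------------------------------------------------------
    # A $null value means the key is not set and the OS default applies. The rating treats
    # "not explicitly enforced" as something to review rather than guessing the default
    # for the DC's OS build.
    [pscustomobject]@{
        dc                          = $DomainController
        source                      = $source
        ldap_signing                = $reg.LDAPServerIntegrity
        ldap_signing_required       = ($reg.LDAPServerIntegrity -eq 2)
        ldap_channel_binding        = $reg.LdapEnforceChannelBinding
        ldap_channel_binding_always = ($reg.LdapEnforceChannelBinding -eq 2)
        ntlm_level                  = $reg.LmCompatibilityLevel
        ntlm_v2_only                = ($reg.LmCompatibilityLevel -eq 5)
        anonymous_ldap_read         = $anonymousRead
    }
}

# Usage (hostname is a placeholder):
# Get-DcLdapNtlmPosture -DomainController dc01.corp.example -Credential (Get-Credential) | ConvertTo-Json
```

The three boolean fields are what a remediation ticket needs: each false one maps to a single registry key on the DC, and anonymous_ldap_read being true means the dSHeuristics anonymous-read flag is set and should be reviewed.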
GPP — scans SYSVOL for Group Policy Preferences XML files containing a cpassword attribute. SYSVOL is readable by any domain user, so any stored cpassword is exposed to the whole domain. An empty findings array is a clean result.
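A scanner for the GPP check above, added here as an example and not the collector's own code. It walks the Policies tree on SYSVOL, parses the six preference file types that can carry a cpassword, and records the file, policy GUID and account name for every non-empty cpassword it finds. It reports presence only and decrypts nothing. The function name, the field names and the default path derived from $env:USERDNSDOMAIN are assumptions.

```powershell
# Added example, not part of collect.ps1. Scans SYSVOL for Group Policy Preference XML
# files that carry a cpassword attribute and returns one record per hit. Presence only;
# nothing is decrypted. Assumes a domain-joined session where $env:USERDNSDOMAIN names the
# domain; both parameters can be overridden.
function Find-GppCpassword {
    [CmdletBinding()]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$PoliciesPath
    )
    if (-not $PoliciesPath) { $PoliciesPath = "\\$Domain\SYSVOL\$Domain\Policies" }

    # GPP file types that can embed a cpassword, mapped to the attribute naming the account
    $candidates = @{
        'Groups.xml'         = 'userName'
        'Services.xml'       = 'accountName'
        'ScheduledTasks.xml' = 'runAs'
        'DataSources.xml'    = 'username'
        'Drives.xml'         = 'username'
        'Printers.xml'       = 'username'
    }
    $findings = New-Object System.Collections.Generic.List[object]

    $files = Get-ChildItem -Path $PoliciesPath -Recurse -File -Include @($candidates.Keys) -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        try { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop } catch { continue }

        # Any element with a cpassword attribute, whatever its nesting
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $cpassword = $node.GetAttribute('cpassword')
            if ([string]::IsNullOrEmpty($cpassword)) { continue }   # blank attribute = no stored secret

            # The policy GUID is the folder directly under Policies\
            $guid = if ($file.FullName -match '\\Policies\\(\{[0-9A-Fa-f-]+\})\\') { $Matches[1] } else { $null }

            # GPP stamps the last-modified time on the item that wraps <Properties>
            $changed = if ($node.ParentNode -is [System.Xml.XmlElement]) { $node.ParentNode.GetAttribute('changed') } else { $null }

            $findings.Add([pscustomobject]@{
                file        = $file.FullName
                policy_guid = $guid
                account     = $node.GetAttribute($candidates[$file.Name])
                changed     = $changed
            })
        }
    }
    # Comma keeps an empty or single-item result as an array
    return ,$findings.ToArray()
}

# Usage: writes [] when the domain is clean, one object per stored cpassword otherwise
# ConvertTo-Json -InputObject (Find-GppCpassword) -Depth 3 | Set-Content gpp_cpassword.json
```

Each hit identifies the GPO to edit: remove the stored credential from the preference item, rotate the account, and confirm the change replicates to every DC's SYSVOL copy.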
Coercion — queries every domain controller via WMI for the status of the Spooler (PrinterBug / MS-RPRN) and WebClient (HTTP coercion) services. Either service running on a DC means that coercion vector is reachable by any authenticated domain user.
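The per-DC service check described above, as an added example rather than the collector's own code. It enumerates domain controllers from the current AD context without the RSAT module, queries Win32_Service on each over WMI, and records state and start mode for both services plus any query error so a DC that could not be reached is visible rather than silently missing. The function name and output fields are assumptions.

```powershell
# Added example, not part of collect.ps1. Enumerates every DC from the current domain
# context and reports the Spooler and WebClient service state on each via WMI, as the
# Coercion step describes. Assumes a domain-joined session whose token (or the optional
# -Credential) may query Win32_Service on the DCs.
function Get-DcCoercionServiceStatus {
    [CmdletBinding()]
    param([pscredential]$Credential)

    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $results = New-Object System.Collections.Generic.List[object]

    foreach ($dc in $domain.DomainControllers) {
        $wmiArgs = @{
            ComputerName = $dc.Name
            Class        = 'Win32_Service'
            Filter       = "Name='Spooler' OR Name='WebClient'"
            ErrorAction  = 'Stop'
        }
        if ($Credential) { $wmiArgs.Credential = $Credential }

        try {
            $svc       = Get-WmiObject @wmiArgs
            $spooler   = $svc | Where-Object Name -eq 'Spooler'
            $webclient = $svc | Where-Object Name -eq 'WebClient'   # $null if the service is not installed
            $results.Add([pscustomobject]@{
                dc                  = $dc.Name
                spooler_state       = $spooler.State       # 'Running' = MS-RPRN coercion reachable
                spooler_startmode   = $spooler.StartMode   # 'Disabled' is the hardened setting on a DC
                webclient_state     = $webclient.State     # 'Running' = HTTP/WebDAV coercion reachable
                webclient_startmode = $webclient.StartMode
                error               = $null
            })
        } catch {
            # Keep the row so an unreachable DC shows up in coercion.json instead of vanishing
            $results.Add([pscustomobject]@{
                dc                  = $dc.Name
                spooler_state       = $null
                spooler_startmode   = $null
                webclient_state     = $null
                webclient_startmode = $null
                error               = $_.Exception.Message
            })
        }
    }
    return ,$results.ToArray()
}

# Usage:
# ConvertTo-Json -InputObject (Get-DcCoercionServiceStatus) -Depth 3 | Set-Content coercion.json
```

Rows with spooler_state Running are the actionable ones: Microsoft's guidance is to leave the Print Spooler disabled on domain controllers, and WebClient is rarely needed on a DC at all.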
Snaffler — hunts accessible SMB shares for credentials, keys, and sensitive configuration. Findings stream to the console in real time. Stops after $SnafflerTimeout minutes (default 30); partial results are preserved in snaffler.log. Adjust with -SnafflerTimeout <minutes>.
Some tools in the stack will trigger endpoint detection. Add the lim\ directory as an exclusion before running.
Binaries can be encrypted at rest and decrypted in-memory at runtime to reduce the static detection surface, but that falls outside the scope of this project.
MIT — see LICENSE
