We had a client who was being brute-force attacked, and we wanted to know if any of the usernames that were being tried actually existed in their Active Directory. They had a substantial Active Directory with dozens and dozens of organizational units, so browsing through them manually, or running a FIND on each user, would be tedious.

Instead, we built this PowerShell script to export every user in their Active Directory, regardless of their OU, to a CSV file, which we then converted to an Excel file:

PS C:\Windows\system32> Get-ADUser -Filter * -Property "SamAccountName", "UserPrincipalName", "whenCreated", "DistinguishedName" | Select-Object "SamAccountName", "UserPrincipalName", @{Name="OrganizationalUnit";Expression={($_.DistinguishedName -split ",",2)[1]}}, "whenCreated" | Export-Csv -Path "C:\Temp\ADUsers.csv" -NoTypeInformation

PowerShell to Export All Users From All Organizational Units to a CSV File

We were then able to very quickly search the Excel file for the accounts the hacker was trying to connect with. Most of the names it was trying to use were generic, like Liz and Mike, but a few of them were oddly specific, like Khalid.Abdullah. We were very happy to see that not a single one of the attempted hacking accounts matched the client's production users.
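The same lookup can be scripted instead of searched by hand in Excel. The following is an added example, not part of the original script: it checks a list of attempted usernames against the SamAccountName and UserPrincipalName columns of the export. The directory rows, the example.test domain, and the Get-BareUserName helper are constructed for illustration; the attempted names reuse the ones mentioned above.

```powershell
# Constructed sample standing in for C:\Temp\ADUsers.csv (same columns as the export above).
# Against the real export, use: $adUsers = Import-Csv -Path 'C:\Temp\ADUsers.csv'
$adUsers = @'
SamAccountName,UserPrincipalName,OrganizationalUnit,whenCreated
jsmith,jsmith@example.test,"OU=Sales,DC=example,DC=test",2021-03-04
mike,mike.jones@example.test,"OU=IT,DC=example,DC=test",2019-11-18
svc-backup,svc-backup@example.test,"OU=Service,DC=example,DC=test",2018-06-01
'@ | ConvertFrom-Csv

# Constructed list of usernames from failed logons, in the forms they usually arrive in.
$attempted = 'Liz', 'EXAMPLE\Mike', 'Khalid.Abdullah', 'mike.jones@example.test', 'liz'

function Get-BareUserName {
    # Reduce DOMAIN\user and user@domain to the bare, lower-cased account name.
    param([string]$Name)
    $n = $Name.Trim()
    if ($n -match '\\') { $n = ($n -split '\\', 2)[1] }
    if ($n -match '@')  { $n = ($n -split '@', 2)[0] }
    $n.ToLowerInvariant()
}

# Index every directory account under both its SamAccountName and its UPN prefix.
$index = @{}
foreach ($u in $adUsers) {
    foreach ($key in @($u.SamAccountName, $u.UserPrincipalName)) {
        if ($key) { $index[(Get-BareUserName $key)] = $u }
    }
}

# Report each distinct attempted name and whether it maps to a real account.
$report = $attempted | ForEach-Object { Get-BareUserName $_ } | Sort-Object -Unique | ForEach-Object {
    $hit = $index[$_]
    [pscustomobject]@{
        Attempted          = $_
        ExistsInAD         = [bool]$hit
        SamAccountName     = if ($hit) { $hit.SamAccountName }
        OrganizationalUnit = if ($hit) { $hit.OrganizationalUnit }
    }
}
$report | Format-Table -AutoSize
```

Any row with ExistsInAD set to True is an account worth reviewing for lockouts, password age, and MFA coverage.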

What Does -NoTypeInformation Do In a PowerShell Script?

The -NoTypeInformation parameter in PowerShell is used when exporting data to a file, specifically with cmdlets like Export-Csv, ConvertTo-Csv, and ConvertTo-Xml.

In PowerShell, every object has a TypeName, which is the .NET class of that object. When you export data to a file, the operation includes this #TYPE information header by default. This header represents the TypeName of the objects being exported.

Here are some examples of TypeNames, so you can see why you likely don’t want that extra detail:

  • System.IO.DirectoryInfo
  • System.IO.FileInfo
  • Deserialized.System.IO.DirectoryInfo

The -NoTypeInformation parameter is used to exclude this #TYPE information from the exported file’s header. Put simply, it removes the TypeName of the objects from the beginning of the output file.

For example: Get-Process | Export-Csv -Path .\Processes.csv -NoTypeInformation

In this example, the Get-Process cmdlet gets the process objects and the Export-Csv cmdlet exports these objects to a CSV file. The -NoTypeInformation parameter is used to exclude the #TYPE information from the CSV file.

NOTE: From PowerShell version 6.0 onwards, you do not need to specify the -NoTypeInformation because in newer versions of PowerShell, the #TYPE information is excluded by default.


