Learn ADRecon

Posted by josh (@josh), Member Admin, topic starter

Here’s a breakdown of what ADRecon is and how it works:


🛠 What Is ADRecon?

ADRecon is a PowerShell-based tool designed to gather and analyze data from Active Directory (AD) environments. It provides a comprehensive snapshot of the current state of an AD infrastructure, making it invaluable for:

  • Security auditors
  • Digital forensics and incident response (DFIR) teams
  • Penetration testers
  • System administrators
  • Students learning AD security

You can run it from any workstation connected to the domain—even if it’s not a domain member—and it works with non-privileged accounts, although some features require elevated permissions.


📊 What Does It Collect?

ADRecon extracts and compiles a wide range of AD artifacts into a Microsoft Excel report with summary views and metrics. Here’s what it can gather:

  • Forest, Domain, Trusts, Sites, Subnets
  • Password Policies (Default and Fine-Grained)
  • Domain Controllers and their roles
  • Users, Groups, and Memberships
  • Service Principal Names (SPNs)
  • Organizational Units (OUs)
  • Group Policy Objects (GPOs)
  • DNS Zones and Records
  • Computers and Printers
  • ACLs (DACLs and SACLs) for various AD objects
  • Experimental features like PasswordAttributes
  • LAPS passwords and BitLocker Recovery Keys (if implemented)
  • Kerberoasting data (optional and requires privilege)

🔍 How It Works

  • Uses RSAT (Remote Server Administration Tools) if available.
  • Falls back to LDAP queries if RSAT isn’t present.
  • Outputs a structured Excel file for easy analysis.

🚀 Use Cases

  • Post-exploitation: Penetration testers use it to map out AD after gaining access.
  • Security audits: Helps identify misconfigurations and risky setups.
  • Incident response: Assists in understanding the scope of compromise.
  • Learning tool: Great for exploring AD structure in labs or training environments.

If you’re curious to try it out or dive deeper into its capabilities, you can explore the official GitHub repository.
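As an added example (not ADRecon's own code), the RSAT-first, LDAP-fallback pattern the post describes, applied to one of the artifacts it lists, the default domain password policy; the domain parameter and the review thresholds are assumptions for illustration.

```powershell
# Added example, not code from the ADRecon project: read the default domain
# password policy via the RSAT ActiveDirectory module when it is installed,
# otherwise fall back to a plain LDAP query against the domain naming context.
function Get-DomainPasswordPolicySnapshot {
    [CmdletBinding()]
    param([string]$Domain)   # optional DNS name; defaults to the logon domain

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        # RSAT path: the cmdlet performs the LDAP work and returns typed values.
        Import-Module ActiveDirectory -ErrorAction Stop
        $p = if ($Domain) { Get-ADDefaultDomainPasswordPolicy -Server $Domain } else { Get-ADDefaultDomainPasswordPolicy }
        $snap = [ordered]@{
            Source           = 'RSAT'
            MinLength        = $p.MinPasswordLength
            MaxAge           = $p.MaxPasswordAge
            HistoryCount     = $p.PasswordHistoryCount
            LockoutThreshold = $p.LockoutThreshold
            Complexity       = $p.ComplexityEnabled
        }
    } else {
        # LDAP fallback: read the same attributes from the domain object itself.
        $root = if ($Domain) { [ADSI]"LDAP://$Domain" } else { [ADSI]"LDAP://$(([ADSI]'LDAP://RootDSE').defaultNamingContext)" }
        $ds = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=domainDNS)')
        $ds.SearchScope = 'Base'
        [void]$ds.PropertiesToLoad.AddRange(@('minPwdLength','maxPwdAge','pwdHistoryLength','lockoutThreshold','pwdProperties'))
        $r = $ds.FindOne()
        if (-not $r) { throw 'Could not read the domain naming context over LDAP.' }
        # maxPwdAge is a negative count of 100 ns ticks; Int64.MinValue means "never expires".
        $age = [int64]$r.Properties['maxpwdage'][0]
        $maxAge = if ($age -eq [int64]::MinValue) { [TimeSpan]::MaxValue } else { [TimeSpan]::FromTicks(-$age) }
        $snap = [ordered]@{
            Source           = 'LDAP'
            MinLength        = [int]$r.Properties['minpwdlength'][0]
            MaxAge           = $maxAge
            HistoryCount     = [int]$r.Properties['pwdhistorylength'][0]
            LockoutThreshold = [int]$r.Properties['lockoutthreshold'][0]
            # DOMAIN_PASSWORD_COMPLEX is bit 0 of pwdProperties
            Complexity       = (([int]$r.Properties['pwdproperties'][0]) -band 1) -ne 0
        }
    }
    # Review findings for the audit report; the thresholds are illustrative assumptions.
    $snap.Findings = @(
        if ($snap.MinLength -lt 14)       { 'Minimum password length below 14' }
        if ($snap.LockoutThreshold -eq 0) { 'Account lockout disabled' }
        if (-not $snap.Complexity)        { 'Password complexity disabled' }
    )
    [pscustomobject]$snap
}

Get-DomainPasswordPolicySnapshot | Format-List
```

Run it from a domain-joined or domain-reachable workstation as an ordinary user; neither path needs elevated rights for these attributes.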
