Updates to Improsec Password Solutions

The crowd has spoken - and Improsec has listened! Based on external requests, we have updated two of our open-source password tools, Get-bADpasswords and Password Filter, to include new quality-of-life features.


Update #1: Get-bADpasswords in Event Log

The Get-bADpasswords script, as known to some of our readers, is a PowerShell script that fetches password hashes from an Active Directory domain and compares them both against the other password hashes in the same environment and against a list of weak, publicly known and compromised passwords. The results of these comparisons are presented as statistics and as a list of every observation the script made.

At the request of an external party, we have now extended the script to write the results of these comparisons to the Windows Event Log, which makes it possible to integrate Get-bADpasswords with a SIEM solution.

Using the default configuration, the events will be written to the following paths:

  • %SystemRoot%\System32\Winevt\Logs\Improsec Password Audit.evtx

  • Event Viewer\Applications and Services Logs\Improsec Password Audit

Using the default configuration, the script generates the following events:

  • For empty passwords:

    • Event ID: 13371

    • Event Type: Warning

    • Event Message: Empty password found for user: <SamAccountName>

  • For weak or leaked passwords:

    • Event ID: 13372

    • Event Type: Warning

    • Event Message: Weak password found for user: <SamAccountName>

  • For shared passwords across multiple users:

    • Event ID: 13373

    • Event Type: Warning

    • Event Message: A single password is shared by users: ‘<SamAccountName>’,‘<SamAccountName>’,…
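As an added example (not part of the Get-bADpasswords project or of the original post), the snippet below reads these events from the default log and flattens them into one record per affected account, ready for a SIEM forwarder or a report. It assumes the default log name, event IDs and message formats listed above; the regular expressions are ours.

```powershell
# Added example, not project code: collect Get-bADpasswords findings from the
# 'Improsec Password Audit' log and emit one object per (event, user) pair.
$LogName  = 'Improsec Password Audit'
$EventIds = 13371, 13372, 13373   # empty, weak/leaked, shared (see list above)

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventIds } -ErrorAction Stop

$findings = foreach ($e in $events) {
    switch ($e.Id) {
        # "Empty password found for user: <SamAccountName>"
        13371 { $kind = 'EmptyPassword';  $pattern = 'user:\s*(?<user>\S+)' }
        # "Weak password found for user: <SamAccountName>"
        13372 { $kind = 'WeakPassword';   $pattern = 'user:\s*(?<user>\S+)' }
        # "A single password is shared by users: 'a','b',..." (curly or straight quotes);
        # the trailing ellipsis is not quoted, so it is never mistaken for a user.
        13373 { $kind = 'SharedPassword'; $pattern = '[\u2018'']([^\u2019'']+)[\u2019'']' }
    }
    # One match per account name; 13373 yields several, the others exactly one.
    $users = [regex]::Matches($e.Message, $pattern) | ForEach-Object {
        if ($_.Groups['user'].Success) { $_.Groups['user'].Value } else { $_.Groups[1].Value }
    }
    foreach ($u in $users) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Finding     = $kind
            User        = $u
            Computer    = $e.MachineName
        }
    }
}

# Quick per-category count for the audit report, then the full list for export
# (the CSV path is a constructed example; point it at your SIEM pickup location).
$findings | Group-Object Finding | Select-Object Name, Count
$findings | Export-Csv -Path "$env:TEMP\password-audit-findings.csv" -NoTypeInformation
```

Running the same query on a schedule, or forwarding the log itself, gives the SIEM one record per account, so a user who appears in both a shared-password and a weak-password event shows up under both findings.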

Read more about the Get-bADpasswords solution here.


Update #2: Password Filter with wildcard

The Password Filter, as known to some of our readers, is a native password filter that blocks attempts to change an Active Directory password to any password specified in a list of weak passwords.

At the request of an external party, we have extended the solution with partial password matching and an optional check against a list of publicly known and compromised passwords.

The password matching procedure now considers partial matches rather than exact matches only. For example, if the password list contains the phrase “password”, the new solution blocks every password change attempt that includes that phrase, compared case-insensitively, such as “Password1234”.

Additionally, the solution has been extended with an optional feature for loading the same list of publicly known and compromised passwords that we use for our Get-bADpasswords solution. The list originates from the HaveIBeenPwned.com website, and credit goes to Microsoft Regional Director and MVP, Troy Hunt.

Note, however, that the list of compromised passwords is approximately 10 GB in size. To process password change requests without noticeable delay across the environment, the entire list has to be loaded and kept in memory on every machine that implements the solution, which should be all Domain Controllers in the Active Directory environment. For this reason the feature is disabled by default; it can be enabled by changing a single boolean value. Keep in mind that you will need to allocate at least 10 GB of spare memory on each Domain Controller to support this functionality.

Read more about the Password Filter solution here.