PowerShell module to detect weak authentication protocols, cipher usage, account lockouts, and Domain Controller health — across your entire AD forest.
Legacy authentication protocols like NTLM and weak ciphers like RC4 remain active in many Active Directory environments — often silently — creating significant security exposure. This PowerShell module hunts them down across all Domain Controllers using Windows Event Logs via WinRM, giving you actionable visibility without deploying any agents.

| Capability | Description |
|---|---|
| 🔐 RC4 Detection | Identify sources using the weak RC4 encryption cipher for Kerberos |
| 🔑 NTLM Detection | Surface clients and services still authenticating over NTLM |
| ✅ AES Detection | Confirm sources correctly using AES Kerberos encryption |
| 🔒 Account Lockout | Trace the origin of account lockout events |
| ⏱️ DC Uptime | Report uptime across all Domain Controllers in the forest |
| 🩹 Patch Status | Retrieve the last Windows Update date per Domain Controller |

| Requirement | Details |
|---|---|
| PowerShell | 5.1 or later |
| WinRM | Must be enabled and reachable on all Domain Controllers |
| Module | ActiveDirectory (RSAT) |
| Privilege | Domain Admin — required to query DC event logs remotely |
| Source | PSGallery |

```powershell
# ── Step 1: Install the module from PSGallery ────────────────────
Install-Module -Name XDomainControllers-Events `
    -RequiredVersion 1.3 `
    -Force `
    -Verbose `
    -Repository PSGallery

# ── Step 2: Import into your session ────────────────────────────
Import-Module XDomainControllers-Events -Verbose

# ── Step 3: Verify available commands ───────────────────────────
Get-Command -Module XDomainControllers-Events
```

Available Functions:

```text
CommandType  Name              Version  Source
-----------  ----              -------  ------
Function     Get-XhuntAES      1.3      XDomainControllers-Events
Function     Get-XhuntLockout  1.3      XDomainControllers-Events
Function     Get-XhuntNtlm     1.3      XDomainControllers-Events
Function     Get-XhuntRC4      1.3      XDomainControllers-Events
Function     Get-XhuntUptime   1.3      XDomainControllers-Events
Function     Get-XhuntWUdate   1.3      XDomainControllers-Events
```


Identifies clients and services authenticating via Kerberos using the RC4-HMAC cipher (etype 23) — flagged as weak by Microsoft and disabled by default in Windows Server 2025+.

```powershell
Get-XhuntRC4
```

💡 Why it matters: RC4 is considered cryptographically weak and is a common target in Kerberoasting attacks. Any source appearing here should be prioritised for remediation.


Surfaces all NTLM authentication events logged on Domain Controllers — revealing legacy clients, services, or applications that have not migrated to Kerberos.

```powershell
Get-XhuntNtlm
```

💡 Why it matters: NTLM is vulnerable to Pass-the-Hash and relay attacks. Reducing NTLM usage is a foundational step in hardening AD environments.

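To show what an NTLM inventory of this kind is built from, here is an added example (my own code, not part of the XDomainControllers-Events module) that walks every Domain Controller in the forest over WinRM and summarises NTLM authentications from two Security-log sources: event 4776, which a DC logs when it validates NTLM credentials on behalf of a workstation or member server (where most domain NTLM use shows up), and event 4624 with authentication package NTLM, which covers NTLM logons to the DC itself and carries the NTLM version and source IP. The function name, parameters and output columns are my choices, and it assumes the RSAT ActiveDirectory module, WinRM reachability and an account allowed to read each DC's Security log.

```powershell
# Added example, not code from the XDomainControllers-Events module.
# Lists NTLM authentications seen by every DC in the forest over the last N hours:
#   4776 - DC validated NTLM credentials for another machine (pass-through auth)
#   4624 - NTLM logon to the DC itself (has LmPackageName = "NTLM V1"/"NTLM V2" and IP)
# Assumes RSAT ActiveDirectory, WinRM access and Security-log read rights.
function Get-NtlmAuthSummary {
    [CmdletBinding()]
    param([int]$Hours = 24)

    # Every DC in every domain of the forest
    $dcs = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName

    # Server-side XPath filter: only the two event IDs inside the time window
    $ms = [int64]$Hours * 3600 * 1000
    $xpath = "*[System[(EventID=4624 or EventID=4776) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    $rows = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ArgumentList $xpath -ScriptBlock {
        param($xp)
        Get-WinEvent -LogName Security -FilterXPath $xp -ErrorAction SilentlyContinue | ForEach-Object {
            # Flatten <Data Name="..."> elements of the event XML into a hashtable
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($_.Id -eq 4776) {
                [pscustomobject]@{
                    DC = $env:COMPUTERNAME; EventId = 4776; Time = $_.TimeCreated
                    Account = $d['TargetUserName']; Source = $d['Workstation']
                    NtlmVersion = 'n/a'; Status = $d['Status']   # 0x0 = success
                }
            } elseif ($d['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    DC = $env:COMPUTERNAME; EventId = 4624; Time = $_.TimeCreated
                    Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Source = "$($d['WorkstationName']) ($($d['IpAddress']))"
                    NtlmVersion = $d['LmPackageName']; Status = '0x0'
                }
            }
        }
    }

    # One row per (source, account, version) so remediation can be ranked by volume
    $rows |
        Group-Object EventId, Account, Source, NtlmVersion, Status |
        ForEach-Object {
            $g = $_.Group[0]
            [pscustomobject]@{
                EventId = $g.EventId; Account = $g.Account; Source = $g.Source
                NtlmVersion = $g.NtlmVersion; Status = $g.Status
                Count = $_.Count
                LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
                SeenOnDCs = ($_.Group.DC | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Count -Descending
}

Get-NtlmAuthSummary -Hours 24 | Format-Table -AutoSize
```

Two things worth knowing when reading the output: 4776 needs the Credential Validation audit subcategory on the DCs, and a Status other than 0x0 on a 4776 row is a failed NTLM attempt (for example a bad password), which is often the same legacy source that later causes lockouts. The `-ErrorAction SilentlyContinue` on `Invoke-Command` means a DC that is down or blocked by firewall is simply absent from the result, so compare the `SeenOnDCs` values against your DC list before treating the report as complete.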

Returns sources actively using AES-128 or AES-256 Kerberos encryption — confirming compliant, modern authentication behaviour.

```powershell
Get-XhuntAES
```

💡 Use this to validate remediation progress after suppressing RC4 or NTLM usage.

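Both the RC4 check and the AES check above come down to the same Security-log field: `TicketEncryptionType` on Kerberos events 4768 (TGT request) and 4769 (service-ticket request), where `0x17` is RC4-HMAC (etype 23) and `0x11`/`0x12` are AES-128/AES-256. The following added example (my own code, not the module's) reads that field from every DC in the forest and classifies each source, so it serves as one worked illustration for both the RC4 and the AES sections; run it with `-WeakOnly` for the remediation list and without it afterwards to confirm AES adoption. The etype names are the standard Kerberos values; the function name, parameters and thresholds are mine, and it assumes RSAT ActiveDirectory plus WinRM access to the DCs.

```powershell
# Added example, not code from the XDomainControllers-Events module.
# Classifies Kerberos ticket requests (4768 = TGT, 4769 = service ticket) logged by
# every DC in the forest by the TicketEncryptionType field.
# Assumes RSAT ActiveDirectory, WinRM access and Security-log read rights.
function Get-KerberosEtypeSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [switch]$WeakOnly   # only RC4/DES rows (the remediation list)
    )

    # Kerberos etype values exactly as they appear in the event XML
    $etypeNames = @{
        '0x1'  = 'DES-CBC-CRC'
        '0x3'  = 'DES-CBC-MD5'
        '0x11' = 'AES128-CTS-HMAC-SHA1-96'
        '0x12' = 'AES256-CTS-HMAC-SHA1-96'
        '0x17' = 'RC4-HMAC'          # etype 23, the cipher the RC4 check hunts for
        '0x18' = 'RC4-HMAC-EXP'
    }
    $weak = @('0x1', '0x3', '0x17', '0x18')

    $dcs = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName

    # Server-side XPath filter keeps the WinRM transfer small
    $ms = [int64]$Hours * 3600 * 1000
    $xpath = "*[System[(EventID=4768 or EventID=4769) and TimeCreated[timediff(@SystemTime) <= $ms]]]"

    $rows = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ArgumentList $xpath -ScriptBlock {
        param($xp)
        Get-WinEvent -LogName Security -FilterXPath $xp -ErrorAction SilentlyContinue | ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC       = $env:COMPUTERNAME
                EventId  = $_.Id
                Time     = $_.TimeCreated
                Account  = $d['TargetUserName']
                Service  = $d['ServiceName']          # krbtgt for 4768, the SPN owner for 4769
                SourceIP = $d['IpAddress'] -replace '^::ffff:', ''
                Etype    = $d['TicketEncryptionType']
            }
        }
    }

    $rows |
        Where-Object { -not $WeakOnly -or $weak -contains $_.Etype } |
        Group-Object Account, Service, SourceIP, Etype |
        ForEach-Object {
            $g = $_.Group[0]
            [pscustomobject]@{
                Account  = $g.Account
                Service  = $g.Service
                SourceIP = $g.SourceIP
                Etype    = $g.Etype
                Cipher   = if ($etypeNames.ContainsKey($g.Etype)) { $etypeNames[$g.Etype] } else { 'unknown' }
                Weak     = $weak -contains $g.Etype
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } | Sort-Object Weak, Count -Descending
}

# Remediation list first; re-run without -WeakOnly to confirm AES after changes
Get-KerberosEtypeSummary -Hours 24 -WeakOnly | Format-Table -AutoSize
```

Reading the two event types apart matters for the fix: an RC4 row on a 4768 event means the client or the user account itself negotiated RC4 for its TGT (typically a missing or RC4-only `msDS-SupportedEncryptionTypes` on the account, or an old client), while an RC4 row on a 4769 event means the service account named in `Service` has no AES keys usable for that SPN, which is the case the Kerberoasting note above refers to. Both audit subcategories (Kerberos Authentication Service and Kerberos Service Ticket Operations) must be enabled on the DCs for the events to exist.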

Queries Domain Controller Security event logs to identify the originating source (workstation, server, or process) triggering account lockouts.

```powershell
Get-XhuntLockout
```

💡 Useful for resolving recurring lockouts caused by cached credentials, stale sessions, or mapped drives.

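As an added example of how a lockout is traced back to its source from the DC logs (my own code, not the module's, with the function name and parameters as assumptions): every lockout is recorded as event 4740 on the domain's PDC emulator, which names the locked account and the "Caller Computer Name" (stored, confusingly, in the `TargetDomainName` data field); the caller name is sometimes blank, so the function also collects event 4771 (Kerberos pre-authentication failed with Status `0x18`, a bad password) for those accounts from every DC in the domain, which carries the source IP. It assumes RSAT ActiveDirectory and WinRM access; bad passwords sent over NTLM instead show up as 4776 failures and are not correlated here.

```powershell
# Added example, not code from the XDomainControllers-Events module.
# Step 1: 4740 on the PDC emulator -> locked account + caller computer name.
# Step 2: 4771 (Status 0x18, bad password) on all DCs -> source IPs for those accounts.
# Assumes RSAT ActiveDirectory and WinRM access; lockouts are per domain.
function Get-LockoutOrigin {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $ms  = [int64]$Hours * 3600 * 1000
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName

    # Step 1: lockouts are always forwarded to and logged by the PDC emulator
    $xp4740 = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    $lockouts = Invoke-Command -ComputerName $pdc -ArgumentList $xp4740 -ScriptBlock {
        param($xp)
        Get-WinEvent -LogName Security -FilterXPath $xp -ErrorAction SilentlyContinue | ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']             # "Caller Computer Name" in the message
                LockingDC      = $d['SubjectUserName'] -replace '\$$', ''   # DC that hit the threshold
            }
        }
    }
    if (-not $lockouts) { Write-Verbose "No 4740 events on $pdc in the last $Hours h"; return }

    # Step 2: bad-password attempts for exactly those accounts, with source IP, from every DC
    $names = ($lockouts.Account | Sort-Object -Unique |
        ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
    $xp4771 = "*[System[EventID=4771 and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
              "EventData[Data[@Name='Status']='0x18' and ($names)]]"
    $attempts = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ArgumentList $xp4771 -ScriptBlock {
        param($xp)
        Get-WinEvent -LogName Security -FilterXPath $xp -ErrorAction SilentlyContinue | ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC       = $env:COMPUTERNAME
                Time     = $_.TimeCreated
                Account  = $d['TargetUserName']
                SourceIP = $d['IpAddress'] -replace '^::ffff:', ''
            }
        }
    }

    # Join: attempts for the same account up to a minute after the lockout (clock skew)
    foreach ($l in $lockouts) {
        $ips = $attempts |
            Where-Object { $_.Account -eq $l.Account -and $_.Time -le $l.Time.AddMinutes(1) } |
            Group-Object SourceIP | Sort-Object Count -Descending
        [pscustomobject]@{
            Time           = $l.Time
            Account        = $l.Account
            CallerComputer = $l.CallerComputer
            LockingDC      = $l.LockingDC
            BadPwdSources  = ($ips | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        }
    }
}

Get-LockoutOrigin -Hours 24 | Format-Table -AutoSize
```

A `CallerComputer` that is a server (Exchange, a file server, a jump host) rather than the user's workstation is the usual signature of the cached-credential and mapped-drive cases mentioned above; the `BadPwdSources` IP then points at the machine actually replaying the stale password. The 4771 step needs the Kerberos Authentication Service audit subcategory enabled on the DCs.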

Reports the current uptime of every Domain Controller in the forest — useful for identifying DCs that may have missed a planned restart after patching.

```powershell
Get-XhuntUptime
```

Retrieves the last successful Windows Update date from all Domain Controllers, enabling quick identification of machines falling behind on patch cycles.


```powershell
Get-XhuntWUdate
```

```text
Run Get-XhuntRC4      ──▶ Identify RC4 sources     ──▶ Enforce AES-only policy
Run Get-XhuntNtlm     ──▶ Identify NTLM sources    ──▶ Move to Kerberos / block NTLM
Run Get-XhuntAES      ──▶ Confirm AES adoption     ──▶ Validate remediation
Run Get-XhuntLockout  ──▶ Find lockout origin      ──▶ Fix cached credentials
Run Get-XhuntUptime   ──▶ Flag stale DCs           ──▶ Schedule maintenance
Run Get-XhuntWUdate   ──▶ Identify unpatched DCs   ──▶ Trigger patch deployment
```

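For the two DC health checks in the workflow (uptime and last patch date), the following added example (my own code, not the module's) collects both per Domain Controller in one pass and, because a remote query that silently skips an unreachable DC is worse than one that reports it, probes WinRM first with `Test-WSMan` and emits a row for DCs it cannot reach. Uptime comes from `Win32_OperatingSystem.LastBootUpTime` and the patch date from the newest `Get-HotFix` entry; the function name, the 45-day thresholds and the column names are my assumptions, and it needs RSAT ActiveDirectory plus WinRM access.

```powershell
# Added example, not code from the XDomainControllers-Events module.
# Per DC in the forest: WinRM preflight, last boot time (CIM) and last hotfix
# install date (Get-HotFix), flagged against simple thresholds.
# Assumes RSAT ActiveDirectory and WinRM access; thresholds are illustrative.
function Get-DcHealthSummary {
    [CmdletBinding()]
    param(
        [int]$MaxUptimeDays   = 45,   # longer than this: likely missed a post-patch reboot
        [int]$MaxPatchAgeDays = 45    # older than this: likely missed a patch cycle
    )
    $dcs = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        # Preflight: the same Test-WSMan check as the README, but per DC and non-fatal
        try { $null = Test-WSMan -ComputerName $dc -Authentication Default -ErrorAction Stop }
        catch {
            [pscustomobject]@{
                DC = $dc; Reachable = $false; LastBoot = $null; UptimeDays = $null
                LastPatch = $null; LastHotFix = $null; PatchAgeDays = $null
                Flag = 'WinRM unreachable'
            }
            continue
        }

        $info = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
            $os = Get-CimInstance Win32_OperatingSystem        # LastBootUpTime is a DateTime here
            $hf = Get-HotFix | Where-Object InstalledOn |       # some QFE rows have no date
                  Sort-Object InstalledOn -Descending | Select-Object -First 1
            [pscustomobject]@{ LastBoot = $os.LastBootUpTime; LastPatch = $hf.InstalledOn; LastHotFix = $hf.HotFixID }
        }

        $now    = Get-Date
        $uptime = if ($info.LastBoot)  { [math]::Round(($now - $info.LastBoot).TotalDays, 1) }
        $age    = if ($info.LastPatch) { [math]::Round(($now - $info.LastPatch).TotalDays, 1) }
        $flags  = @()
        if ($uptime -gt $MaxUptimeDays)                 { $flags += 'reboot overdue' }
        if ($null -eq $age -or $age -gt $MaxPatchAgeDays) { $flags += 'patching behind' }

        [pscustomobject]@{
            DC = $dc; Reachable = $true; LastBoot = $info.LastBoot; UptimeDays = $uptime
            LastPatch = $info.LastPatch; LastHotFix = $info.LastHotFix; PatchAgeDays = $age
            Flag = ($flags -join ', ')
        }
    }
}

Get-DcHealthSummary | Sort-Object UptimeDays -Descending | Format-Table -AutoSize
```

`Get-HotFix` reads `Win32_QuickFixEngineering`, which lists operating-system updates (including monthly cumulative updates) but not every component, so treat `LastPatch` as "last OS update applied" rather than a full compliance statement. A DC with a long uptime but a recent `LastPatch` is the classic "patched but not rebooted" state the uptime check is meant to catch.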
⚠️ Domain Admin privilege is required. This module queries Security and System event logs on Domain Controllers remotely over WinRM. Ensure WinRM is enabled and firewall rules permit access from the machine running the module.
```powershell
# Verify WinRM connectivity to a DC before running
Test-WSMan -ComputerName "DC01.yourdomain.com" -Authentication Default
```

- 📖 Kerberos RC4 / AES Encryption in Windows — Microsoft Docs
- 📖 NTLM Overview — Microsoft Docs
- 📖 Configuring WinRM — Microsoft Docs
- 📖 Account Lockout Tools and Settings — Microsoft Docs
- 📖 XDomainControllers-Events on PSGallery

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.