An additional useful script for your #HacktiveDirectory package -
Shows how many logons each user/computer account has made in your AD domain to each DC (this attribute is not copied between DCs) + total logons + an optional parameter that also outputs the actual lastlogon (without the shananigans of the "average lastlogon" displayed by the problematic lastlogondate field).
https://github.com/YossiSassi/Get-LogonCount

Had fun sharing my updated insights & tools for #HAcktiveDirectory #Forensics at
@TheHackSummit
today! Session slides and all scripts demonstrated are UP on github --> https://github.com/YossiSassi/The_Hack_Summit_2025_The-hAcktive-Directory-Toolkit-domain-wide-forensics #DFIR

New script is up: Get-KerberosServiceTicketAudit - Assess Kerberos Cipher and Hash usage in Active Directory environments (e.g. Weak/Deprecated encryption types, or Quantum-resilient candidates)
https://github.com/YossiSassi/Get-KerberosServiceTicketAudit
#HAcktiveDirectory

Had fun coming up with One-liner to get sid 500 of every domain, even if renamed, without dependencies:
(New-Object System.Security.Principal.SecurityIdentifier("$((New-Object System.Security.Principal.SecurityIdentifier($(([adsi]'').objectSid), 0)).Value)-500")).Translate([System.Security.Principal.NTAccount]).Value
#HacktiveDirectory

Update: Get-ADPrincipalKerberosTokenGroup now supports discovery of SidHistory in PAC enumeration. Calculates recursive group membership for any user in the domain -
https://github.com/YossiSassi/Get-ADPrincipalKerberosTokenGroup
#HacktiveDirectory