Changelog
2025-10-30
Update-KHDB.ps1 v2.0.0
Changed:
- Replaced single-archive workflow with manifest-driven, two-hex shard downloads that verify SHA256/size before in-place updates.
- Added incremental refresh logic, stale shard cleanup, and automatic rebuild of the merged khdb.txt for downstream scripts.
- Hardened validation to stream-check merged output while preserving strict TLS, retry, and transcript behaviour.
ElysiumSettings.txt.sample v1.3.0
Added:
- Documented KhdbManifestPath, KhdbShardPrefix, and KhdbLocalShardDir defaults for the shard-aware updater.
README.md
Changed:
- Described the manifest/shard update flow so operators understand the incremental download model and automatic cleanup.
Prepare-KHDBStorage.ps1 v1.0.0
Added:
- Helper script to split khdb.txt (or a directory/list of .gz HIBP slices) into two-hex shards, build the JSON manifest, and push the package to Azure Blob Storage or S3-compatible endpoints.
- Validation step that tallies and quarantines malformed hashes before sharding, writing invalid-hashes.txt plus a console summary so bad data never reaches storage.
- Optional -ShowProgress mode emitting periodic Write-Progress updates (interval configurable) so large ingests visibly tick forward.
- Automatic reconstruction of HIBP NTLM hashes (file-prefix + suffix) so partially stored hashes still produce full 32-hex values in the shards, plus per-prefix deduplication that keeps the highest observed count.
- -ForcePlainText switch to skip .gz expansions entirely and treat the source as pre-built hash lines (skipped entries are reported separately).
- Emits a merged khdb-clean.txt alongside the shards for DSInternals or offline review, including SHA256 fingerprints for both manifest and clean output.
- Automatic checkpoint/resume when -ForcePlainText is used (configurable via -CheckpointPath, disable with -NoCheckpoint) so large ingests can be paused and resumed without reprocessing prior shards.
2025-10-26
Test-WeakADPasswords.ps1 v1.3.3
Added:
- Opt-in usage beacon that fires a single HTTP request (GET/POST/PUT) after settings load, suitable for pre-signed S3 URLs, and only includes script name, version, and a UTC timestamp (plus optional instance ID).
- Instance identifier header/body support and configurable timeout so adopters can differentiate deployments without collecting user data.
ElysiumSettings.txt.sample v1.2.0
Added:
- Documented UsageBeacon* keys (URL, method, instance ID, timeout) so telemetry stays disabled by default but easy to enable.
README.md
Added:
- Usage beacon section explaining how to configure the lightweight tracking call and what metadata is transmitted.
2025-10-21
Extract-NTHashes.ps1 v1.2.1
Fixed:
- Corrected SigV4 host header formatting so non-default ports serialize without parser errors.
- Hardened hashing helpers to avoid ComputeHash overload ambiguity under Windows PowerShell.
- Domain selection menu now respects the configured numeric order.
Test-WeakADPasswords.ps1 v1.3.2
Changed:
- Switched to the sorted KHDB path when driving Test-PasswordQuality, eliminating full linear scans and avoiding malformed-line crashes on massive datasets.
Test-WeakADPasswords.ps1 v1.3.1
Fixed:
- Domain picker now renders in numeric order from settings for predictable operator workflows.
- UPN export now relies on structured weak-password results, so dictionary hit UPN lists are populated reliably.
2025-10-10
Test-WeakADPasswords.ps1 v1.3.0
Added:
- CheckOnlyEnabledUsers flag wired from settings to filter accounts prior to Test-PasswordQuality.
- Transcript logging to Reports/logs/test-weakad-<timestamp>.log.
Extract-NTHashes.ps1 v1.2.0
Added:
- Transcript logging to Reports/logs/extract-hashes-<timestamp>.log.
Elysium.ps1 v1.1.0
Updated:
- Added strict error handling ($ErrorActionPreference='Stop') and Set-StrictMode.
- Resolved script invocations via $PSScriptRoot to avoid CWD issues.
Elysium.ps1 v1.2.0
Added:
- Transcript logging to Reports/logs/orchestrator-<timestamp>.log and graceful shutdown without exit.
Uninstall.ps1 v1.1.0
Added:
- Transcript logging to %TEMP%/Elysium/logs/uninstall-<timestamp>.log so logs persist after directory removal.
Update-KHDB.ps1 v1.1.0
Added/Updated:
- Robust settings validation and SAS token normalization.
- Safe URL construction with UriBuilder and custom User-Agent.
- TLS 1.2 enforced; HttpClient timeout and retry with backoff for transient errors.
- Download progress for both known and unknown content length.
- Atomic-ish update: download to temp, extract, validate, backup existing khdb.txt, then replace.
- KHDB validation: format check (32-hex), deduplication and normalization.
- Transcript logging to Reports/logs/update-khdb-<timestamp>.log.
Test-WeakADPasswords.ps1 v1.2.0
Updated:
- Enforced modules via #Requires; removed runtime installs.
- Added strict mode and error preference.
- Resolved paths relative to $PSScriptRoot (settings, KHDB, reports).
- Ensured report directory creation and sane defaults (Reports).
- Removed stray top-level loop; UPN enrichment occurs during report generation only.
Extract-NTHashes.ps1 v1.1.0
Updated:
- Enforced modules via #Requires; added strict mode.
- Fixed variable ordering bug and unified filename scheme with domain prefix.
- Implemented PBKDF2 (HMAC-SHA256, 100k iterations) + random salt for AES-256-CBC encryption; header ELY1|salt|iv.
- Normalized SAS token and verified container existence; checksum verified before cleanup; artifacts retained on failure.
- Paths resolved relative to $PSScriptRoot; ensured report base directory exists.
ElysiumSettings.txt.sample v1.1.0
Updated:
- ReportPathBase default changed to Reports (relative) and added guidance on required modules and replication rights.
- Added optional CheckOnlyEnabledUsers=true example flag.
Extract-NTHashes.ps1
version 1.1.1
Updated:
- UPNs of accounts whose passwords were found in the dictionary were moved into a separate report (one UPN per line) to enable further automation.
version 1.1.0
Added:
- UPN retrieval (this will prolong the time needed to run the script significantly)
- Better error handling