ForestSweep is a PowerShell toolkit designed for stealthy, low-footprint enumeration of Active Directory environments. It relies on raw LDAP queries through .NET, making it lightweight, portable, and well-suited for red, blue, and purple team assessments.
- Uses only native .NET classes (`System.DirectoryServices.Protocols`)
- Enumerates users, computers, groups, GPOs, trusts, SPNs, domain controllers, and more
- Includes built-in OPSEC warnings for high-risk enumeration paths
- Supports obfuscation (attribute shuffling + filter encoding)
- Modular and extensible logic for easy customization
- No third-party dependencies; runs natively on any PowerShell 5+ system
```powershell
# Basic domain enumeration over LDAP (port 389)
.\ForestSweep.ps1 -Domain "corp.example.com"

# Use a specific Domain Controller with LDAPS (SSL on port 636)
.\ForestSweep.ps1 -Domain "corp.example.com" -LDAPServer "dc01.corp.example.com" -Port 636 -UseSSL

# Run enumeration with mild obfuscation (randomized attribute order + encoded LDAP filters)
.\ForestSweep.ps1 -Domain "corp.example.com" -Obfuscate

# Exclude verbose attributes like objectGUID from output
.\ForestSweep.ps1 -Domain "corp.local" -ExcludeAttributes objectGUID,whenCreated

# Enable detailed logs for script activity
.\ForestSweep.ps1 -Domain "corp.local" -VerboseOutput
```
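For blue and purple team use: the `-Obfuscate` behaviour described above (randomized attribute order plus encoded LDAP filters) changes how a query looks, not what it asks for, so logged queries can be normalized before they are matched or counted. The following is an added example, not part of ForestSweep; it assumes the filter encoding is RFC 4515 `\XX` hex escaping (the README does not specify the scheme), and the function names and sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 4515 value escape: a backslash followed by two hex digits.
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")
# Bytes that must stay escaped, or the filter's meaning changes: NUL ( ) * \
_KEEP_ESCAPED = {0x00, 0x28, 0x29, 0x2A, 0x5C}

def decode_filter(ldap_filter):
    """Decode \\XX escapes of ordinary ASCII characters in a filter string."""
    def _decode(match):
        byte = int(match.group(1), 16)
        # Escaped metacharacters and UTF-8 bytes stay escaped (lower-cased hex).
        if byte in _KEEP_ESCAPED or byte >= 0x80:
            return "\\" + match.group(1).lower()
        return chr(byte)
    return _HEX_ESCAPE.sub(_decode, ldap_filter)

def canonical_query(ldap_filter, attributes):
    """Key that is stable under value encoding and attribute reordering.
    Lower-casing the whole filter is a simplification for grouping."""
    return (decode_filter(ldap_filter).lower(),
            tuple(sorted(a.lower() for a in attributes)))

def group_by_canonical(queries):
    """Map each canonical query to the clients that issued it."""
    groups = defaultdict(list)
    for client, ldap_filter, attributes in queries:
        groups[canonical_query(ldap_filter, attributes)].append(client)
    return dict(groups)

# Constructed sample records (client, filter, attributes); not real log data.
SAMPLE_QUERIES = [
    ("ws-01", "(&(objectCategory=person)(servicePrincipalName=*))",
     ["sAMAccountName", "servicePrincipalName"]),
    ("ws-01", r"(&(objectCategory=\70\65\72\73\6f\6e)(servicePrincipalName=*))",
     ["servicePrincipalName", "sAMAccountName"]),
    ("ws-02", r"(cn=Smith\2A)", ["cn"]),  # literal asterisk, not a wildcard
]

if __name__ == "__main__":
    for key, clients in group_by_canonical(SAMPLE_QUERIES).items():
        print(len(clients), clients, key)
```

The first two records collapse into one key, while `\2A` stays escaped so a literal asterisk is never mistaken for a wildcard.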
- Red Team reconnaissance in domain environments (low noise, no artifacts)
- GPO + SPN mapping without triggering common EDR detections
- Purple Team workflows and training environments
- PowerShell 5.1 or newer
- Domain credentials with basic read access (non-privileged)
- Network reachability to Domain Controller (LDAP:389 or LDAPS:636)