This snippet shows how to recover metadata about changed attributes and trace each change back to the domain controller on which it originated.
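# Hunting with Active Directory replication metadata through PowerView.
# The page's line breaks were lost, so every command sat behind a '#' and was
# inert; the layout below restores one statement per line and the missing space
# in "Get-DomainGroupMemberDeleted -LDAPFilter".

# Import PowerView. The relative path resolves against the current directory,
# so load a copy you have reviewed.
Import-Module ..\PowerView.ps1

# Find any users who were added to and then deleted from any "privileged" group.
# adminCount=1 is only an approximation of "privileged": review hits against
# current group membership before drawing conclusions.
# NOTE(review): removed members are only visible while the directory still
# retains the removed link, so run this close to the period of interest.
Get-DomainGroupMemberDeleted -LDAPFilter '(admincount=1)'

# Find any user in the forest that may have been subject to "targeted
# kerberoasting": user accounts with no servicePrincipalName today whose
# servicePrincipalName attribute nevertheless has change history, i.e. a value
# was set at some point and later cleared. Legitimate cleanup produces the same
# pattern, so correlate each hit with the change time and change records.
Get-DomainObjectAttributeHistory `
    -LDAPFilter '(&(samAccountType=805306368)(!(serviceprincipalname=*)))' `
    -Properties servicePrincipalName `
    -SearchBase "GC://$($ENV:USERDNSDOMAIN)"

# Find the last time the ACLs on the testObject object were modified in the domain.
# Attribute metadata keeps the LAST originating write per attribute only;
# earlier modifications of the same attribute are not recoverable from it.
$testObject = Get-DomainObjectAttributeHistory 'CN=testObject,CN=System,DC=domain,DC=com' |
    Where-Object { $_.AttributeName -eq 'ntsecuritydescriptor' }
$testObject

# Map the LastOriginatingDsaDN to a domain controller.
# This names the DC on which the write originated, not the account or client
# that made it; use it to decide whose security log to pull for that time window.
# The lookup relies on objects that carry both serverReference and
# msDFSR-ComputerReference; a domain without such objects returns nothing.
# The guard avoids sending a malformed "(serverreference=)" filter when no
# metadata record came back or the record has no originating DSA DN.
if ($testObject -and $testObject.LastOriginatingDsaDN) {
    Get-DomainObject -LDAPFilter "(serverreference=$($testObject.LastOriginatingDsaDN))" |
        ForEach-Object { Get-DomainObject $_.'msdfsr-computerreference' } |
        Select-Object -ExpandProperty dnshostname
}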