Hopefully everyone reading this is aware of the amazing HaveIBeenPwned project by Troy Hunt. As of today, NTLM hashes are officially available for download of all compromised passwords seen in this project. This is great for checking against your Active Directory environment to see whether or not your users are using passwords that are known to be compromised. I threw together a quick tool that can get all of the NTLM hashes from your AD environment using DSInternals, and then check to see which (if any) are listed in the download from HIBP.
While this is a fairly simple concept, the sheer size of the download from HIBP presents a number of problems when performing this type of searching. This application is specifically designed to avoid reading the entire HIBP file into memory, as that could negatively affect the computer it is being run on. Because of the amount of data it has to process, you should expect it to take at least a few hours, no matter how small your AD environment is. That being said, it uses even less memory than most of the other processes running on your computer (especially Chrome), so multi-tasking shouldn't be an issue.
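The streaming approach described above, as an added example that is not the CompromiseCheck tool's own code: the HIBP NTLM download is read one line at a time, so memory stays proportional to the (small) set of AD hashes rather than the (huge) breach list. It assumes the download's line format is `UPPERCASEHEXNTLM:prevalence_count`, and it uses a constructed four-line stand-in for the real file plus a constructed list of `(account, hash)` pairs standing in for what a DSInternals export would yield. The two real hashes in the sample are the well-known NTLM values for the empty password and for "password".

```python
import os
import tempfile
from collections import defaultdict

# Constructed stand-in for the HIBP NTLM download. Assumed format: one
# "UPPERCASEHEXNTLM:count" entry per line (the real file has hundreds of
# millions of such lines, which is why it is never loaded whole).
SAMPLE_HIBP_LINES = [
    "0123456789ABCDEF0123456789ABCDEF:3",          # constructed filler entry
    "31D6CFE0D16AE931B73C59D7E0C089C0:45000",      # NTLM of the empty password
    "8846F7EAEE8FB117AD06BDD830B7586C:120000",     # NTLM of "password"
    "FEDCBA9876543210FEDCBA9876543210:1",          # constructed filler entry
]


def index_ad_hashes(ad_accounts):
    """Map each NT hash to the accounts that use it.

    ad_accounts: iterable of (account_name, nt_hash_hex_or_None) pairs, e.g.
    what you would build from a DSInternals export. Hashes are normalised to
    uppercase hex so they compare cleanly with the HIBP lines; accounts with
    no stored NT hash are skipped. Several accounts sharing one hash (a real
    finding in itself) all map to the same key.
    """
    by_hash = defaultdict(list)
    for account, nt_hash in ad_accounts:
        if not nt_hash:
            continue
        by_hash[nt_hash.strip().upper()].append(account)
    return by_hash


def find_compromised(hibp_path, by_hash):
    """Stream the HIBP file once and report accounts whose hash appears in it.

    Returns {account_name: prevalence_count}. Only the AD-side index lives in
    memory; the breach file is consumed line by line. Scanning stops early if
    every AD hash has already been matched, which is rare in practice, so a
    full pass over the file should be expected.
    """
    hits = {}
    remaining = set(by_hash)
    with open(hibp_path, "r", encoding="ascii", errors="replace") as fh:
        for line in fh:
            if not remaining:
                break
            line = line.strip()
            if not line:
                continue
            nt_hash, _, count = line.partition(":")
            nt_hash = nt_hash.upper()
            if nt_hash in remaining:
                prevalence = int(count) if count.isdigit() else 0
                for account in by_hash[nt_hash]:
                    hits[account] = prevalence
                remaining.discard(nt_hash)
    return hits


def demo():
    """Run the check over the constructed sample data and return the findings."""
    # Constructed AD extract; note the lowercase hash for alice, which the
    # indexer normalises, and two accounts sharing the "password" hash.
    ad_accounts = [
        ("alice", "8846f7eaee8fb117ad06bdd830b7586c"),
        ("bob", "ffffffffffffffffffffffffffffffff"),   # constructed, not in sample
        ("svc_backup", "8846F7EAEE8FB117AD06BDD830B7586C"),
        ("guest", "31D6CFE0D16AE931B73C59D7E0C089C0"),
        ("disabled_user", None),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pwned-passwords-ntlm-sample.txt")
        with open(path, "w", encoding="ascii") as fh:
            fh.write("\n".join(SAMPLE_HIBP_LINES) + "\n")
        return find_compromised(path, index_ad_hashes(ad_accounts))


if __name__ == "__main__":
    for account, prevalence in sorted(demo().items()):
        print(f"{account}: password seen {prevalence} times in breach data")
```

Against the sample data this reports alice, svc_backup and guest, and not bob. Two design choices worth keeping when pointing this at the real file: do the lookup as a set membership test per line rather than searching the file per account (one pass instead of one pass per user), and never write matched hashes to the report, only account names and prevalence counts.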
Check out the source code here: https://github.com/thegeekkid/CompromiseCheck, and download the pre-compiled project and installer from here: https://bscc.support/files/CompromiseCheckSetup.exe