diff --git a/Invoke-ScriptSentry.ps1 b/Invoke-ScriptSentry.ps1 index b451eac..0f8ebb0 100644 --- a/Invoke-ScriptSentry.ps1 +++ b/Invoke-ScriptSentry.ps1 @@ -19,9 +19,28 @@ Invoke-ScriptSentry | Out-File c:\temp\ScriptSentry.txt Invoke-ScriptSentry -SaveOutput $true #> -[CmdletBinding()] +[CmdletBinding(DefaultParameterSetName = 'Default')] Param( - [boolean]$SaveOutput = $false + [boolean]$SaveOutput = $false, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [Parameter(Mandatory = $true, + ParameterSetName = 'socks')] + [boolean] + $socks, + + [Parameter(Mandatory = $true, + ParameterSetName = 'socks')] + [string] + $Server, + + [Parameter(Mandatory = $true, + ParameterSetName = 'socks')] + [string] + $Domain ) function Get-ForestDomains { @@ -1004,15 +1023,33 @@ function Get-DomainObject { } function Get-LogonScripts { [CmdletBinding()] - param() + param( + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [string] + $Domain, + + [string] + $Server + ) # Get the current domain name from the environment # $currentDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() - $Domains = Get-ForestDomains + if ($Domain) { + $Domains = $Domain + } else { + $Domains = Get-ForestDomains + } foreach ($Domain in $Domains) { # $SysvolScripts = '\\' + (Get-ADDomain).DNSRoot + '\sysvol\' + (Get-ADDomain).DNSRoot + '\scripts' - $SysvolScripts = "\\$($Domain.Name)\sysvol\$($Domain.Name)\scripts" + if ($Server) { + Get-ChildItem "\\$Server\sysvol\$($Domain.Name)\scripts" -ErrorAction SilentlyContinue + } else { + $SysvolScripts = Get-ChildItem "\\$($Domain.Name)\sysvol\$($Domain.Name)\scripts" -ErrorAction SilentlyContinue + } $ExtensionList = '.bat|.vbs|.ps1|.cmd|.kix' $LogonScripts = try { Get-ChildItem -Path $SysvolScripts -Recurse | Where-Object {$_.Extension -match $ExtensionList} } catch {} Write-Verbose "[+] Logon scripts:" @@ -1024,14 +1061,32 @@ function Get-LogonScripts { } function Get-GPOLogonScripts { [CmdletBinding()] - param() + param( + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty, + + [string] + $Domain, + + [string] + $Server + ) # Get the current domain name from the environment # $currentDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() - $Domains = Get-ForestDomains + if ($Domain) { + $Domains = $Domain + } else { + $Domains = Get-ForestDomains + } foreach ($Domain in $Domains) { - $Policies = Get-ChildItem "\\$($Domain.Name)\SysVol\$($Domain.Name)\Policies" -ErrorAction SilentlyContinue + if ($Server) { + $Policies = Get-ChildItem "\\$Server\SYSVOL\$($Domain.Name)\POLICIES\" -ErrorAction SilentlyContinue + } else { + $Policies = Get-ChildItem "\\$($Domain.Name)\SysVol\$($Domain.Name)\Policies" -ErrorAction SilentlyContinue + } $Policies | ForEach-Object { $GPOLogonScripts = Get-Content -Path "$($_.FullName)\User\Scripts\scripts.ini" -ErrorAction SilentlyContinue | Select-String -Pattern "\\\\.*\.\w+" | ForEach-Object { $_.Matches.Value } Write-Verbose "[+] GPO Logon scripts:" @@ -1046,12 +1101,27 @@ function Get-GPOLogonScripts { } function Get-NetlogonSysvol { [CmdletBinding()] - param() + param( + [string] + $Domain, + + [string] + $Server + ) - $Domains = Get-ForestDomains + if ($Domain) { + $Domains = $Domain + } else { + $Domains = Get-ForestDomains + } foreach ($Domain in $Domains){ - "\\$($Domain.Name)\NETLOGON" - "\\$($Domain.Name)\SYSVOL" + if ($Server) { + "\\$Server\NETLOGON" + "\\$Server\SYSVOL" + } else { + "\\$($Domain.Name)\NETLOGON" + "\\$($Domain.Name)\SYSVOL" + } } } function Get-Art($Version) { @@ -1109,102 +1179,107 @@ A custom PSObject with LDAP hashtable properties translated. $Properties ) - $ObjectProperties = @{} - - $Properties.PropertyNames | ForEach-Object { - if ($_ -ne 'adspath') { - if (($_ -eq 'objectsid') -or ($_ -eq 'sidhistory')) { - # convert all listed sids (i.e. if multiple are listed in sidHistory) - #$ObjectProperties[$_] = $Properties[$_] | ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value } - } - elseif ($_ -eq 'grouptype') { - #$ObjectProperties[$_] = $Properties[$_][0] -as $GroupTypeEnum - } - elseif ($_ -eq 'samaccounttype') { - #$ObjectProperties[$_] = $Properties[$_][0] -as $SamAccountTypeEnum - } - elseif ($_ -eq 'objectguid') { - # convert the GUID to a string - #$ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid - } - elseif ($_ -eq 'useraccountcontrol') { - #$ObjectProperties[$_] = $Properties[$_][0] -as $UACEnum - } - elseif ($_ -eq 'ntsecuritydescriptor') { - # $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 - $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 - if ($Descriptor.Owner) { - $ObjectProperties['Owner'] = $Descriptor.Owner + PROCESS { + $ObjectProperties = @{} + + $Properties.PropertyNames | ForEach-Object { + if ($_ -ne 'adspath') { + if (($_ -eq 'objectsid') -or ($_ -eq 'sidhistory')) { + # convert all listed sids (i.e. if multiple are listed in sidHistory) + #$ObjectProperties[$_] = $Properties[$_] | ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value } } - if ($Descriptor.Group) { - $ObjectProperties['Group'] = $Descriptor.Group + elseif ($_ -eq 'grouptype') { + #$ObjectProperties[$_] = $Properties[$_][0] -as $GroupTypeEnum } - if ($Descriptor.DiscretionaryAcl) { - $ObjectProperties['DiscretionaryAcl'] = $Descriptor.DiscretionaryAcl + elseif ($_ -eq 'samaccounttype') { + #$ObjectProperties[$_] = $Properties[$_][0] -as $SamAccountTypeEnum } - if ($Descriptor.SystemAcl) { - $ObjectProperties['SystemAcl'] = $Descriptor.SystemAcl + elseif ($_ -eq 'objectguid') { + # convert the GUID to a string + #$ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid } - } - elseif ($_ -eq 'accountexpires') { - if ($Properties[$_][0] -gt [DateTime]::MaxValue.Ticks) { - $ObjectProperties[$_] = "NEVER" + elseif ($_ -eq 'useraccountcontrol') { + #$ObjectProperties[$_] = $Properties[$_][0] -as $UACEnum } - else { - $ObjectProperties[$_] = [datetime]::fromfiletime($Properties[$_][0]) + elseif ($_ -eq 'ntsecuritydescriptor') { + # $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 + $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 + if ($Descriptor.Owner) { + $ObjectProperties['Owner'] = $Descriptor.Owner + } + if ($Descriptor.Group) { + $ObjectProperties['Group'] = $Descriptor.Group + } + if ($Descriptor.DiscretionaryAcl) { + $ObjectProperties['DiscretionaryAcl'] = $Descriptor.DiscretionaryAcl + } + if ($Descriptor.SystemAcl) { + $ObjectProperties['SystemAcl'] = $Descriptor.SystemAcl + } } - } - elseif ( ($_ -eq 'lastlogon') -or ($_ -eq 'lastlogontimestamp') -or ($_ -eq 'pwdlastset') -or ($_ -eq 'lastlogoff') -or ($_ -eq 'badPasswordTime') ) { - # convert timestamps - if ($Properties[$_][0] -is [System.MarshalByRefObject]) { - # if we have a System.__ComObject - $Temp = $Properties[$_][0] - [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) - [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) - $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low))) + elseif ($_ -eq 'accountexpires') { + if ($Properties[$_][0] -gt [DateTime]::MaxValue.Ticks) { + $ObjectProperties[$_] = "NEVER" + } + else { + $ObjectProperties[$_] = [datetime]::fromfiletime($Properties[$_][0]) + } } - else { - # otherwise just a string - $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0]))) + elseif ( ($_ -eq 'lastlogon') -or ($_ -eq 'lastlogontimestamp') -or ($_ -eq 'pwdlastset') -or ($_ -eq 'lastlogoff') -or ($_ -eq 'badPasswordTime') ) { + # convert timestamps + if ($Properties[$_][0] -is [System.MarshalByRefObject]) { + # if we have a System.__ComObject + $Temp = $Properties[$_][0] + [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) + [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) + $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low))) + } + else { + # otherwise just a string + $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0]))) + } } - } - elseif ($Properties[$_][0] -is [System.MarshalByRefObject]) { - # try to convert misc com objects - $Prop = $Properties[$_] - try { - $Temp = $Prop[$_][0] - [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) - [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) - $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low) + elseif ($Properties[$_][0] -is [System.MarshalByRefObject]) { + # try to convert misc com objects + $Prop = $Properties[$_] + try { + $Temp = $Prop[$_][0] + [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) + [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null) + $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low) + } + catch { + Write-Verbose "[Convert-LDAPProperty] error: $_" + $ObjectProperties[$_] = $Prop[$_] + } } - catch { - Write-Verbose "[Convert-LDAPProperty] error: $_" - $ObjectProperties[$_] = $Prop[$_] + elseif ($Properties[$_].count -eq 1) { + $ObjectProperties[$_] = $Properties[$_][0] + } + else { + $ObjectProperties[$_] = $Properties[$_] } - } - elseif ($Properties[$_].count -eq 1) { - $ObjectProperties[$_] = $Properties[$_][0] - } - else { - $ObjectProperties[$_] = $Properties[$_] } } - } - try { - New-Object -TypeName PSObject -Property $ObjectProperties - } - catch { - Write-Warning "[Convert-LDAPProperty] Error parsing LDAP properties : $_" + try { + New-Object -TypeName PSObject -Property $ObjectProperties + } + catch { + Write-Warning "[Convert-LDAPProperty] Error parsing LDAP properties : $_" + } } } function Find-AdminLogonScripts { [CmdletBinding()] param ( - [array]$AdminUsers + [array]$AdminUsers, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) # Enabled user accounts Foreach ($Admin in $AdminUsers) { - $AdminLogonScripts = Get-DomainUser -Identity $Admin.MemberName | Where-Object { $_.scriptPath -ne $null} + $AdminLogonScripts = Get-DomainUser -Identity $Admin.MemberName | Where-Object { $null -ne $_.scriptPath } # "`n[!] Admins found with logon scripts" $AdminLogonScripts | Foreach-object { @@ -1221,11 +1296,14 @@ function Find-LogonScriptCredentials { [CmdletBinding()] param( [Parameter(Mandatory = $true)] - [array]$LogonScripts + [array]$LogonScripts, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) foreach ($script in $LogonScripts) { # Write-Verbose -Message "Checking $($Script.FullName) for credentials.." - $Credentials = Get-Content -Path $script.FullName -ErrorAction SilentlyContinue | Select-String -Pattern "/user:","-AsPlainText" -AllMatches + $Credentials = Get-Content -Path $script.FullName -ErrorAction SilentlyContinue | Select-String -Pattern "/u[\w]*:","-AsPlainText" -AllMatches if ($Credentials) { # "`n[!] CREDENTIALS FOUND!" $Credentials | ForEach-Object { @@ -1243,7 +1321,10 @@ function Find-UNCScripts { [CmdletBinding()] param( [Parameter(Mandatory = $true)] - [array]$LogonScripts + [array]$LogonScripts, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) $ExcludedMatches = "copy|&|/command|%WINDIR%|-i|\*" @@ -1269,7 +1350,10 @@ function Find-MappedDrives { [CmdletBinding()] param( [Parameter(Mandatory = $true)] - [array]$LogonScripts + [array]$LogonScripts, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) $Shares = @() @@ -1302,7 +1386,10 @@ function Find-NonexistentShares { [CmdletBinding()] param ( [array]$LogonScripts, - [array]$AdminUsers + [array]$AdminUsers, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) $LogonScriptShares = @() [Array] $LogonScriptShares = foreach ($script in $LogonScripts) { @@ -1371,7 +1458,10 @@ function Find-UnsafeLogonScriptPermissions { [Parameter(Mandatory = $true)] [array]$LogonScripts, [Parameter(Mandatory = $true)] - [array]$SafeUsersList + [array]$SafeUsersList, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) $UnsafeRights = 'FullControl|Modify|Write' @@ -1401,7 +1491,10 @@ function Find-UnsafeUNCPermissions { [Parameter(Mandatory = $true)] [array]$UNCScripts, [Parameter(Mandatory = $true)] - [array]$SafeUsersList + [array]$SafeUsersList, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) $UnsafeRights = 'FullControl|Modify|Write' @@ -1452,7 +1545,10 @@ function Find-UnsafeLogonScriptPermissions { [Parameter(Mandatory = $true)] [array]$LogonScripts, [Parameter(Mandatory = $true)] - [array]$SafeUsersList + [array]$SafeUsersList, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) $UnsafeRights = 'FullControl|Modify|Write' @@ -1482,7 +1578,10 @@ function Find-UnsafeGPOLogonScriptPermissions { [Parameter(Mandatory = $true)] [array]$GPOLogonScripts, [Parameter(Mandatory = $true)] - [array]$SafeUsersList + [array]$SafeUsersList, + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty ) $UnsafeRights = 'FullControl|Modify|Write' @@ -1534,37 +1633,143 @@ function Show-Results { } } -Get-Art -Version '0.6' +Get-Art -Version '0.7-dev' $SafeUsers = 'NT AUTHORITY\\SYSTEM|Administrator|NT SERVICE\\TrustedInstaller|Domain Admins|Server Operators|Enterprise Admins|CREATOR OWNER' $AdminGroups = @("Account Operators", "Administrators", "Backup Operators", "Cryptographic Operators", "Distributed COM Users", "Domain Admins", "Domain Controllers", "Enterprise Admins", "Print Operators", "Schema Admins", "Server Operators") -$AdminUsers = $AdminGroups | ForEach-Object { (Get-DomainGroupMember -Identity $_ -Recurse | Where-Object {$_.MemberObjectClass -eq 'user'})} | Sort-Object -Property MemberName -Unique -$AdminUsers | ForEach-Object { $SafeUsers = $SafeUsers + '|' + $_.MemberName } -# Get a list of all logon scripts -$LogonScripts = Get-LogonScripts +if ($Credential.UserName) { + Write-Host "[i] Credentials detected. Running ScriptSentry as: $($Credential.UserName)" +} else { + # nothing, no creds supplied +} + +if ($Credential.UserName) { + if ($socks) { + $AdminUsers = $AdminGroups | ForEach-Object { (Get-DomainGroupMember -Identity $_ -Recurse -Credential $Credential -Server $Server -Domain $Domain | Where-Object {$_.MemberObjectClass -eq 'user'})} | Sort-Object -Property MemberName -Unique + } else { + $AdminUsers = $AdminGroups | ForEach-Object { (Get-DomainGroupMember -Identity $_ -Recurse -Credential $Credential | Where-Object {$_.MemberObjectClass -eq 'user'})} | Sort-Object -Property MemberName -Unique + } + $AdminUsers | ForEach-Object { $SafeUsers = $SafeUsers + '|' + $_.MemberName } + + # Get a list of all logon scripts + if ($socks) { + $LogonScripts = Get-LogonScripts -Credential $Credential -Domain $Domain -Server $Server + } else { + $LogonScripts = Get-LogonScripts -Credential $Credential + } + + # Get a list of all GPO logon scripts + if ($socks) { + $GPOLogonScripts = Get-GPOLogonScripts -Credential $Credential -Domain $Domain -Server $Server + } else { + $GPOLogonScripts = Get-GPOLogonScripts -Credential $Credential -Domain $Domain -Server $Server + } + + if ($LogonScripts) { + # Find logon scripts (.bat, .vbs, .cmd, .ps1, .kix) that contain unc paths (e.g. \\srv01\fileshare1) + $UNCScripts = Find-UNCScripts -LogonScripts $LogonScripts -Credential $Credential + + # Find mapped drives (e.g. \\srv01\fileshare1, \\srv02\fileshare2\accounting) + $MappedDrives = Find-MappedDrives -LogonScripts $LogonScripts -Credential $Credential -# Get a list of all GPO logon scripts -$GPOLogonScripts = Get-GPOLogonScripts + # Find nonexistent shares + $NonExistentSharesScripts = Find-NonexistentShares -LogonScripts $LogonScripts -AdminUsers $AdminUsers -Credential $Credential + $NonExistentShares = $NonExistentSharesScripts | Where-Object {$_.Exploitable -eq 'Potentially'} | Sort-Object -Property Share -Unique -if ($LogonScripts) { - # Find logon scripts (.bat, .vbs, .cmd, .ps1, .kix) that contain unc paths (e.g. \\srv01\fileshare1) - $UNCScripts = Find-UNCScripts -LogonScripts $LogonScripts + # Find unsafe permissions on logon scripts + $UnsafeLogonScripts = Find-UnsafeLogonScriptPermissions -LogonScripts $LogonScripts -SafeUsersList $SafeUsers -Credential $Credential - # Find mapped drives (e.g. \\srv01\fileshare1, \\srv02\fileshare2\accounting) - $MappedDrives = Find-MappedDrives -LogonScripts $LogonScripts + # Find credentials in logon scripts + $Credentials = Find-LogonScriptCredentials -LogonScripts $LogonScripts -Credential $Credential + } else { + Write-Host "[i] No logon scripts found!`n" -ForegroundColor Cyan + } + + if ($UNCScripts) { + # Find unsafe permissions for unc files found in logon scripts + $UnsafeUNCPermissions = Find-UnsafeUNCPermissions -UNCScripts $UNCScripts -SafeUsersList $SafeUsers -Credential $Credential + } else { + Write-Host "[i] No UNC files found!`n" -ForegroundColor Cyan + } + + if ($MappedDrives) { + # Find unsafe permissions for unc paths found in logon scripts + $UnsafeMappedDrives = Find-UnsafeUNCPermissions -UNCScripts $MappedDrives -SafeUsersList $SafeUsers -Credential $Credential + } else { + Write-Host "[i] No mapped drives found!`n" -ForegroundColor Cyan + } - # Find nonexistent shares - $NonExistentSharesScripts = Find-NonexistentShares -LogonScripts $LogonScripts -AdminUsers $AdminUsers - $NonExistentShares = $NonExistentSharesScripts | Where-Object {$_.Exploitable -eq 'Potentially'} | Sort-Object -Property Share -Unique + # Find unsafe NETLOGON & SYSVOL share permissions + $NetlogonSysvol = Get-NetlogonSysvol + $UnsafeNetlogonSysvol = Find-UnsafeUNCPermissions -UNCScripts $NetlogonSysvol -SafeUsersList $SafeUsers -Credential $Credential - # Find unsafe permissions on logon scripts - $UnsafeLogonScripts = Find-UnsafeLogonScriptPermissions -LogonScripts $LogonScripts -SafeUsersList $SafeUsers + if ($GPOLogonScripts) { + # Find unsafe permissions on GPO logon scripts + $UnsafeGPOLogonScripts = Find-UnsafeGPOLogonScriptPermissions -GPOLogonScripts $GPOLogonScripts -SafeUsersList $SafeUsers -Credential $Credential + } else { + Write-Host "[i] No GPO logon scripts found!`n" -ForegroundColor Cyan + } - # Find credentials in logon scripts - $Credentials = Find-LogonScriptCredentials -LogonScripts $LogonScripts + # Find admins that have logon scripts assigned + $AdminLogonScripts = Find-AdminLogonScripts -AdminUsers $AdminUsers -Credential $Credential } else { - Write-Host "[i] No logon scripts found!`n" -ForegroundColor Cyan + $AdminUsers = $AdminGroups | ForEach-Object { (Get-DomainGroupMember -Domain (Get-Domain).Name -Identity $_ -Recurse | Where-Object {$_.MemberObjectClass -eq 'user'})} | Sort-Object -Property MemberName -Unique + $AdminUsers | ForEach-Object { $SafeUsers = $SafeUsers + '|' + $_.MemberName } + + # Get a list of all logon scripts + $LogonScripts = Get-LogonScripts + + # Get a list of all GPO logon scripts + $GPOLogonScripts = Get-GPOLogonScripts + + if ($LogonScripts) { + # Find logon scripts (.bat, .vbs, .cmd, .ps1, .kix) that contain unc paths (e.g. \\srv01\fileshare1) + $UNCScripts = Find-UNCScripts -LogonScripts $LogonScripts + + # Find mapped drives (e.g. \\srv01\fileshare1, \\srv02\fileshare2\accounting) + $MappedDrives = Find-MappedDrives -LogonScripts $LogonScripts + + # Find nonexistent shares + $NonExistentSharesScripts = Find-NonexistentShares -LogonScripts $LogonScripts -AdminUsers $AdminUsers + $NonExistentShares = $NonExistentSharesScripts | Where-Object {$_.Exploitable -eq 'Potentially'} | Sort-Object -Property Share -Unique + + # Find unsafe permissions on logon scripts + $UnsafeLogonScripts = Find-UnsafeLogonScriptPermissions -LogonScripts $LogonScripts -SafeUsersList $SafeUsers + + # Find credentials in logon scripts + $Credentials = Find-LogonScriptCredentials -LogonScripts $LogonScripts + } else { + Write-Host "[i] No logon scripts found!`n" -ForegroundColor Cyan + } + + if ($UNCScripts) { + # Find unsafe permissions for unc files found in logon scripts + $UnsafeUNCPermissions = Find-UnsafeUNCPermissions -UNCScripts $UNCScripts -SafeUsersList $SafeUsers + } else { + Write-Host "[i] No UNC files found!`n" -ForegroundColor Cyan + } + + if ($MappedDrives) { + # Find unsafe permissions for unc paths found in logon scripts + $UnsafeMappedDrives = Find-UnsafeUNCPermissions -UNCScripts $MappedDrives -SafeUsersList $SafeUsers + } else { + Write-Host "[i] No mapped drives found!`n" -ForegroundColor Cyan + } + + # Find unsafe NETLOGON & SYSVOL share permissions + $NetlogonSysvol = Get-NetlogonSysvol + $UnsafeNetlogonSysvol = Find-UnsafeUNCPermissions -UNCScripts $NetlogonSysvol -SafeUsersList $SafeUsers + + if ($GPOLogonScripts) { + # Find unsafe permissions on GPO logon scripts + $UnsafeGPOLogonScripts = Find-UnsafeGPOLogonScriptPermissions -GPOLogonScripts $GPOLogonScripts -SafeUsersList $SafeUsers + } else { + Write-Host "[i] No GPO logon scripts found!`n" -ForegroundColor Cyan + } + + # Find admins that have logon scripts assigned + $AdminLogonScripts = Find-AdminLogonScripts -AdminUsers $AdminUsers } if ($NonExistentShares) { @@ -1574,34 +1779,6 @@ if ($NonExistentShares) { Write-Host "[i] No non-existent shares found!`n" -ForegroundColor Cyan } -if ($UNCScripts) { - # Find unsafe permissions for unc files found in logon scripts - $UnsafeUNCPermissions = Find-UnsafeUNCPermissions -UNCScripts $UNCScripts -SafeUsersList $SafeUsers -} else { - Write-Host "[i] No UNC files found!`n" -ForegroundColor Cyan -} - -if ($MappedDrives) { - # Find unsafe permissions for unc paths found in logon scripts - $UnsafeMappedDrives = Find-UnsafeUNCPermissions -UNCScripts $MappedDrives -SafeUsersList $SafeUsers -} else { - Write-Host "[i] No mapped drives found!`n" -ForegroundColor Cyan -} - -# Find unsafe NETLOGON & SYSVOL share permissions -$NetlogonSysvol = Get-NetlogonSysvol -$UnsafeNetlogonSysvol = Find-UnsafeUNCPermissions -UNCScripts $NetlogonSysvol -SafeUsersList $SafeUsers - -if ($GPOLogonScripts) { - # Find unsafe permissions on GPO logon scripts - $UnsafeGPOLogonScripts = Find-UnsafeGPOLogonScriptPermissions -GPOLogonScripts $GPOLogonScripts -SafeUsersList $SafeUsers -} else { - Write-Host "[i] No GPO logon scripts found!`n" -ForegroundColor Cyan -} - -# Find admins that have logon scripts assigned -$AdminLogonScripts = Find-AdminLogonScripts -AdminUsers $AdminUsers - # Show all results if ($UnsafeMappedDrives) {Show-Results $UnsafeMappedDrives} if ($UnsafeLogonScripts) {Show-Results $UnsafeLogonScripts} @@ -1653,4 +1830,5 @@ if ($SaveOutput) { Get-ChildItem -Filter "*.csv" -File } -} \ No newline at end of file + +}