authorMatt Graeber <mattifestation@users.noreply.github.com>2015-12-29 09:22:07 -0500
committerMatt Graeber <mattifestation@users.noreply.github.com>2015-12-29 09:22:07 -0500
commit872d4b0eb74072465980567d5cf2cb42fa0283d5 (patch)
treed1dd4dfd4d134a525b17444be35dcaa5144f948d
parent9f183e36518176c4299eed5c68b7deac7f4e8025 (diff)
parentbc7efdf22914c722d88eb70fac01a4dc5493c87b (diff)
Merge pull request #105 from stufus/find_ad_managed_security_groups
Find AD Managed Security Groups
-rw-r--r--PowerSploit.psd11
-rw-r--r--Privesc/Privesc.psd126
-rw-r--r--Recon/PowerView.ps171
-rw-r--r--Recon/README.md2
-rw-r--r--Recon/Recon.psd1101
5 files changed, 138 insertions, 63 deletions
diff --git a/PowerSploit.psd1 b/PowerSploit.psd1
index bc482e1..492b846 100644
--- a/PowerSploit.psd1
+++ b/PowerSploit.psd1
@@ -38,6 +38,7 @@ FunctionsToExport = @(
'Find-GPOLocation',
'Find-InterestingFile',
'Find-LocalAdminAccess',
+ 'Find-ManagedSecurityGroups',
'Find-PathHijack',
'Find-UserField',
'Get-ADObject',
diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1
index 34ebf7b..2ccdb8e 100644
--- a/Privesc/Privesc.psd1
+++ b/Privesc/Privesc.psd1
@@ -23,26 +23,26 @@ PowerShellVersion = '2.0'
# Functions to export from this module
FunctionsToExport = @(
- 'Get-ServiceUnquoted',
- 'Get-ServiceFilePermission',
- 'Get-ServicePermission',
- 'Get-ServiceDetail',
- 'Invoke-ServiceAbuse',
- 'Write-ServiceBinary',
- 'Install-ServiceBinary',
- 'Restore-ServiceBinary',
'Find-DLLHijack',
'Find-PathHijack',
- 'Write-HijackDll',
+ 'Get-ApplicationHost',
'Get-RegAlwaysInstallElevated',
'Get-RegAutoLogon',
+ 'Get-ServiceDetail',
+ 'Get-ServiceFilePermission',
+ 'Get-ServicePermission',
+ 'Get-ServiceUnquoted',
+ 'Get-UnattendedInstallFile',
'Get-VulnAutoRun',
'Get-VulnSchTask',
- 'Get-UnattendedInstallFile',
'Get-Webconfig',
- 'Get-ApplicationHost',
- 'Write-UserAddMSI',
- 'Invoke-AllChecks'
+ 'Install-ServiceBinary',
+ 'Invoke-AllChecks',
+ 'Invoke-ServiceAbuse',
+ 'Restore-ServiceBinary',
+ 'Write-HijackDll',
+ 'Write-ServiceBinary',
+ 'Write-UserAddMSI'
)
# List of all files packaged with this module
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 57a5789..c38943d 100644
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -11101,6 +11101,77 @@ function Find-ForeignGroup {
}
}
+function Find-ManagedSecurityGroups {
+<#
+ .SYNOPSIS
+
+ This function retrieves all security groups in the domain and identifies ones that
+ have a manager set. It also determines whether the manager has the ability to add
+ or remove members from the group.
+
+ Author: Stuart Morgan (@ukstufus) <stuart.morgan@mwrinfosecurity.com>
+ License: BSD 3-Clause
+
+ .EXAMPLE
+
+ PS C:\> Find-ManagedSecurityGroups | Export-PowerViewCSV -NoTypeInformation group-managers.csv
+
+ Store a list of all security groups with managers in group-managers.csv
+
+ .DESCRIPTION
+
+ Authority to manipulate the group membership of AD security groups and distribution groups
+ can be delegated to non-administrators by setting the 'managedBy' attribute. This is typically
+ used to delegate management authority to distribution groups, but Windows supports security groups
+ being managed in the same way.
+
+ This function searches for AD groups which have a group manager set, and determines whether that
+ user can manipulate group membership. This could be a useful method of horizontal privilege
+ escalation, especially if the manager can manipulate the membership of a privileged group.
+
+ .LINK
+
+ https://github.com/PowerShellEmpire/Empire/pull/119
+
+#>
+
+ # Go through the list of security groups on the domain and identify those who have a manager
+ Get-NetGroup -FullData -Filter '(&(managedBy=*)(groupType:1.2.840.113556.1.4.803:=2147483648))' | Select-Object -Unique distinguishedName,managedBy,cn | Foreach-Object {
+
+ # Retrieve the object that the managedBy DN refers to
+ $group_manager = Get-ADObject -ADSPath $_.managedBy | Select-Object cn,distinguishedname,name,samaccounttype,samaccountname
+
+ # Create a results object to store our findings
+ $results_object = New-Object -TypeName PSObject -Property @{
+ 'GroupCN' = $_.cn
+ 'GroupDN' = $_.distinguishedname
+ 'ManagerCN' = $group_manager.cn
+ 'ManagerDN' = $group_manager.distinguishedName
+ 'ManagerSAN' = $group_manager.samaccountname
+ 'ManagerType' = ''
+ 'CanManagerWrite' = $FALSE
+ }
+
+ # Determine whether the manager is a user or a group
+ if ($group_manager.samaccounttype -eq 0x10000000) {
+ $results_object.ManagerType = 'Group'
+ } elseif ($group_manager.samaccounttype -eq 0x30000000) {
+ $results_object.ManagerType = 'User'
+ }
+
+ # Find the ACLs that relate to the ability to write to the group
+ $xacl = Get-ObjectAcl -ADSPath $_.distinguishedname -Rights WriteMembers
+
+ # Double-check that the manager
+ if ($xacl.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $xacl.AccessControlType -eq 'Allow' -and $xacl.IdentityReference.Value.Contains($group_manager.samaccountname)) {
+ $results_object.CanManagerWrite = $TRUE
+ }
+
+ $results_object
+
+ }
+
+}
function Invoke-MapDomainTrust {
<#
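Review bot: The ACE test `if ($xacl.ObjectType -eq 'bf9679c0-…' -and $xacl.AccessControlType -eq 'Allow' -and $xacl.IdentityReference.Value.Contains($group_manager.samaccountname))` applies its three conditions to the whole collection returned by `Get-ObjectAcl -Rights WriteMembers` rather than to one entry at a time, so when several ACEs grant WriteMembers on the group the ObjectType match, the Allow match and the identity match can each be satisfied by a different ACE, and under PowerShell 2.0 (the version both manifests declare) property access on a multi-element result appears not to unroll at all. `.Contains()` is also an ordinal, case-sensitive substring test on a `DOMAIN\name` string, so a manager `bob` is reported as able to write because of an ACE granted to `bobby`, while a case difference between the ACE identity and sAMAccountName gives a false negative. Iterating the ACEs and comparing the name part of the trustee with `-eq` addresses both; the check still looks only at the direct trustee, so a manager whose right arrives via group membership is not reported, which deserves a sentence in the .DESCRIPTION. Find-ManagedSecurityGroups is wholly inside the hunk; Invoke-MapDomainTrust at the hunk's end continues outside it.

```powershell
    # Find the ACEs that relate to the ability to write the group's membership
    $xacl = Get-ObjectAcl -ADSPath $_.distinguishedname -Rights WriteMembers

    # Evaluate each ACE on its own so all three conditions refer to the same entry,
    # and compare the trustee's account name case-insensitively, not as a substring.
    # NOTE: only a direct trustee match is detected; rights inherited through group
    # membership of the manager are not followed.
    foreach ($ace in @($xacl)) {
        if ($ace.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $ace.AccessControlType -eq 'Allow') {
            $trustee = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($trustee -eq $group_manager.samaccountname) {
                $results_object.CanManagerWrite = $TRUE
            }
        }
    }

    # … unchanged: emit $results_object …
```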
diff --git a/Recon/README.md b/Recon/README.md
index d992798..6e28a30 100644
--- a/Recon/README.md
+++ b/Recon/README.md
@@ -120,6 +120,8 @@ an array of hosts from the pipeline.
Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
+ Find-ManagedSecurityGroups - searches for active directory security groups which are managed and identify users who have write access to
+ - those groups (i.e. the ability to add or remove members)
Find-UserField - searches a user field for a particular term
Find-ComputerField - searches a computer field for a particular term
Get-ExploitableSystem - finds systems likely vulnerable to common exploits
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
index 55f19f7..e82cd97 100644
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@@ -23,70 +23,71 @@ PowerShellVersion = '2.0'
# Functions to export from this module
FunctionsToExport = @(
- 'Get-ComputerDetails',
- 'Get-HttpStatus',
- 'Invoke-Portscan',
- 'Invoke-ReverseDnsLookup',
- 'Set-MacAttribute',
- 'Copy-ClonedFile',
+ 'Add-NetUser',
+ 'Add-ObjectAcl',
+ 'Convert-NT4toCanonical',
'Convert-NameToSid',
'Convert-SidToName',
- 'Convert-NT4toCanonical',
- 'Get-Proxy',
- 'Get-PathAcl',
- 'Get-NetDomain',
- 'Get-NetForest',
- 'Get-NetForestDomain',
- 'Get-NetForestCatalog',
- 'Get-NetDomainController',
- 'Get-NetUser',
- 'Add-NetUser',
- 'Get-UserProperty',
+ 'Copy-ClonedFile',
+ 'Find-ComputerField',
+ 'Find-ForeignGroup',
+ 'Find-ForeignUser',
+ 'Find-GPOComputerAdmin',
+ 'Find-GPOLocation',
+ 'Find-InterestingFile',
+ 'Find-LocalAdminAccess',
+ 'Find-ManagedSecurityGroups',
'Find-UserField',
- 'Get-UserEvent',
- 'Get-ObjectAcl',
- 'Add-ObjectAcl',
- 'Invoke-ACLScanner',
- 'Get-NetComputer',
'Get-ADObject',
- 'Set-ADObject',
+ 'Get-CachedRDPConnection',
+ 'Get-ComputerDetails',
'Get-ComputerProperty',
- 'Find-ComputerField',
- 'Get-NetOU',
- 'Get-NetSite',
- 'Get-NetSubnet',
- 'Get-NetGroup',
- 'Get-NetGroupMember',
- 'Get-NetFileServer',
'Get-DFSshare',
+ 'Get-DomainPolicy',
+ 'Get-ExploitableSystem',
+ 'Get-HttpStatus',
+ 'Get-LastLoggedOn',
+ 'Get-NetComputer',
+ 'Get-NetDomain',
+ 'Get-NetDomainController',
+ 'Get-NetDomainTrust',
+ 'Get-NetFileServer',
+ 'Get-NetForest',
+ 'Get-NetForestCatalog',
+ 'Get-NetForestDomain',
+ 'Get-NetForestTrust',
'Get-NetGPO',
'Get-NetGPOGroup',
- 'Find-GPOLocation',
- 'Find-GPOComputerAdmin',
- 'Get-DomainPolicy',
+ 'Get-NetGroup',
+ 'Get-NetGroupMember',
'Get-NetLocalGroup',
- 'Get-NetShare',
'Get-NetLoggedon',
- 'Get-NetSession',
+ 'Get-NetOU',
+ 'Get-NetProcess',
'Get-NetRDPSession',
+ 'Get-NetSession',
+ 'Get-NetShare',
+ 'Get-NetSite',
+ 'Get-NetSubnet',
+ 'Get-NetUser',
+ 'Get-ObjectAcl',
+ 'Get-PathAcl',
+ 'Get-Proxy',
+ 'Get-UserEvent',
+ 'Get-UserProperty',
+ 'Invoke-ACLScanner',
'Invoke-CheckLocalAdminAccess',
- 'Get-LastLoggedOn',
- 'Get-CachedRDPConnection',
- 'Get-NetProcess',
- 'Find-InterestingFile',
- 'Invoke-UserHunter',
- 'Invoke-ProcessHunter',
+ 'Invoke-EnumerateLocalAdmin',
'Invoke-EventHunter',
- 'Invoke-ShareFinder',
'Invoke-FileFinder',
- 'Find-LocalAdminAccess',
- 'Get-ExploitableSystem',
- 'Invoke-EnumerateLocalAdmin',
- 'Get-NetDomainTrust',
- 'Get-NetForestTrust',
- 'Find-ForeignUser',
- 'Find-ForeignGroup',
- 'Invoke-MapDomainTrust'
+ 'Invoke-MapDomainTrust',
+ 'Invoke-Portscan',
+ 'Invoke-ProcessHunter',
+ 'Invoke-ReverseDnsLookup',
+ 'Invoke-ShareFinder',
+ 'Invoke-UserHunter',
+ 'Set-ADObject',
+ 'Set-MacAttribute'
)
# List of all files packaged with this module