-rw-r--r--Exfiltration/Invoke-NinjaCopy.ps14
-rw-r--r--Recon/Invoke-CompareAttributesForClass.ps11044
-rwxr-xr-xRecon/PowerView.ps1212
3 files changed, 1136 insertions, 124 deletions
diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1
index f22d5f5..e3eb8f0 100644
--- a/Exfiltration/Invoke-NinjaCopy.ps1
+++ b/Exfiltration/Invoke-NinjaCopy.ps1
@@ -2205,7 +2205,7 @@ $RemoteScriptBlock = {
$PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
$OriginalImageBase = $PEInfo.OriginalImageBase
$NXCompatible = $true
- if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
+ if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
{
Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
$NXCompatible = $false
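Review bot: The `[Int]` cast added to `$PEInfo.DllCharacteristics` on the changed `if` line (and the identical cast in the next hunk for IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) carries no comment, so a later reader cannot tell why the raw property value stopped working with `-band`. Presumably DllCharacteristics and the `$Win32Constants` values are of different numeric types and the cast makes the bitwise flag test well-typed; a comment such as `# widen DllCharacteristics before -band so the flag test is done in a common integer type` above each condition would make that intent explicit. The enclosing `$RemoteScriptBlock` starts and ends outside this hunk.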
@@ -2263,7 +2263,7 @@ $RemoteScriptBlock = {
Write-Verbose "Allocating memory for the PE and write its headers to memory"
[IntPtr]$LoadAddr = [IntPtr]::Zero
- if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
+ if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
{
Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue
[IntPtr]$LoadAddr = $OriginalImageBase
diff --git a/Recon/Invoke-CompareAttributesForClass.ps1 b/Recon/Invoke-CompareAttributesForClass.ps1
new file mode 100644
index 0000000..b2d11c6
--- /dev/null
+++ b/Recon/Invoke-CompareAttributesForClass.ps1
@@ -0,0 +1,1044 @@
+function Get-AllAttributesForClass
+{<#
+.Synopsis
+ Gets all AD Schema attributes for class
+.DESCRIPTION
+ This function will get all attributes for a class from AD.
+.EXAMPLE
+ PS C:\> Get-AllAttributesForAClass -class user
+.EXAMPLE
+ PS C:\> Get-AllAttributesForAClass -class computer
+#>
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$true)]
+ [String]
+ $Class
+ )
+
+ Process {
+ #Custom object
+ $ListOfAttributesFromAD = @()
+
+ #lets get all classes and store in a variable.
+ $NextClass = $Class
+ $AllClasses = Do
+ {
+ $CurrentClass = $NextClass
+ $NextClass = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $NextClass} -properties subClassOf |Select-Object -ExpandProperty subClassOf
+ $CurrentClass
+ }
+ While($CurrentClass -ne $NextClass)
+ #Now that we have our classes in $allClasses lets turn to the attributes
+ $attributAttributes = 'MayContain','MustContain','systemMayContain','systemMustContain'
+ Write-verbose "Attempting to find all attributes for the AD Object: $($ADObj.Name)"
+ $AllAttributes = ForEach ($Class in $AllClasses)
+ {
+ $ClassInfo = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $Class} -properties $attributAttributes
+ ForEach ($attribute in $attributAttributes)
+ {
+ $ListOfAttributesFromAD += $ClassInfo.$attribute
+ $ClassInfo.$attribute
+ }
+ }
+ $ListOfAttributesAD = $ListOfAttributesFromAD | Sort-Object -Unique
+ write-output $ListOfAttributesAD
+ }
+ End
+ {
+ }
+}
+
+
+function Invoke-CompareAttributesForClass
+{
+<#
+.Synopsis
+ Author: @oddvarmoe
+ Required Dependencies: Search-ADAccounts, Set-ADComputer, Get-ADForest, Get-ADDomain,
+ Optional Dependencies: None
+ Compares list of attributes with active attributes in Active Directory. Currently only works with user and computer class.
+
+.DESCRIPTION
+ Compares list of attributes with active attributes in Active Directory.
+ This function is used to spot unusal attributes.
+
+ Example where an attribute is found in AD and not in compare list:
+ InputObject SideIndicator
+ ----------- -------------
+ TopSecretAttribute =>
+
+
+.EXAMPLE
+ PS C:\> Invoke-CompareAttributesForClass -Class user
+
+.EXAMPLE
+ PS C:\> Invoke-CompareAttributesForClass -Class computer
+#>
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$true)]
+ [ValidateSet("User","Computer")]
+ [String]
+ $Class
+ )
+
+ Process {
+ #https://msdn.microsoft.com/en-us/library/ms683980(v=vs.85).aspx
+ #List of attributes generated from demo AD with Exchange schema changes on Server 2016 DC
+ #TODO: Attributes based on AD Domain level or Schema version.
+ if($Class -eq "user"){
+ $UserAttributeListFromAD = Get-AllAttributesForClass -Class user
+
+ $UserAttributelist = @(
+ "accountExpires",
+ "aCSPolicyName",
+ "adminCount",
+ "adminDescription",
+ "adminDisplayName",
+ "allowedAttributes",
+ "allowedAttributesEffective",
+ "allowedChildClasses",
+ "allowedChildClassesEffective",
+ "assistant",
+ "attributeCertificateAttribute",
+ "audio",
+ "badPasswordTime",
+ "badPwdCount",
+ "bridgeheadServerListBL",
+ "businessCategory",
+ "businessRoles",
+ "c",
+ "canonicalName",
+ "carLicense",
+ "cn",
+ "co",
+ "codePage",
+ "comment",
+ "company",
+ "controlAccessRights",
+ "countryCode",
+ "createTimeStamp",
+ "dBCSPwd",
+ "defaultClassStore",
+ "department",
+ "departmentNumber",
+ "description",
+ "desktopProfile",
+ "destinationIndicator",
+ "directReports",
+ "displayName",
+ "displayNamePrintable",
+ "distinguishedName",
+ "division",
+ "dSASignature",
+ "dSCorePropagationData",
+ "dynamicLDAPServer",
+ "employeeID",
+ "employeeNumber",
+ "employeeType",
+ "extensionName",
+ "facsimileTelephoneNumber",
+ "flags",
+ "fromEntry",
+ "frsComputerReferenceBL",
+ "fRSMemberReferenceBL",
+ "fSMORoleOwner",
+ "generationQualifier",
+ "givenName",
+ "groupMembershipSAM",
+ "groupPriority",
+ "groupsToIgnore",
+ "homeDirectory",
+ "homeDrive",
+ "homePhone",
+ "homePostalAddress",
+ "houseIdentifier",
+ "initials",
+ "instanceType",
+ "internationalISDNNumber",
+ "ipPhone",
+ "isCriticalSystemObject",
+ "isDeleted",
+ "isPrivilegeHolder",
+ "isRecycled",
+ "jpegPhoto",
+ "kMServer",
+ "l",
+ "labeledURI",
+ "lastKnownParent",
+ "lastLogoff",
+ "lastLogon",
+ "lastLogonTimestamp",
+ "lmPwdHistory",
+ "localeID",
+ "lockoutTime",
+ "logonCount",
+ "logonHours",
+ "logonWorkstation",
+ "mail",
+ "managedObjects",
+ "manager",
+ "masteredBy",
+ "maxStorage",
+ "memberOf",
+ "mhsORAddress",
+ "middleName",
+ "mobile",
+ "modifyTimeStamp",
+ "msCOM-PartitionSetLink",
+ "msCOM-UserLink",
+ "msCOM-UserPartitionSetLink",
+ "msDFSR-ComputerReferenceBL",
+ "msDFSR-MemberReferenceBL",
+ "msDRM-IdentityCertificate",
+ "msDS-AllowedToActOnBehalfOfOtherIdentity",
+ "msDS-AllowedToDelegateTo",
+ "msDS-Approx-Immed-Subordinates",
+ "msDS-AssignedAuthNPolicy",
+ "msDS-AssignedAuthNPolicySilo",
+ "msDS-AuthenticatedAtDC",
+ "msDS-AuthenticatedToAccountlist",
+ "msDS-AuthNPolicySiloMembersBL",
+ "msDS-Cached-Membership",
+ "msDS-Cached-Membership-Time-Stamp",
+ "msDS-ClaimSharesPossibleValuesWithBL",
+ "msDS-CloudAnchor",
+ "mS-DS-ConsistencyChildCount",
+ "mS-DS-ConsistencyGuid",
+ "mS-DS-CreatorSID",
+ "msDS-EnabledFeatureBL",
+ "msDS-FailedInteractiveLogonCount",
+ "msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon",
+ "msDS-HABSeniorityIndex",
+ "msDS-HostServiceAccountBL",
+ "msDS-IsDomainFor",
+ "msDS-IsFullReplicaFor",
+ "msDS-IsPartialReplicaFor",
+ "msDS-IsPrimaryComputerFor",
+ "msDS-KeyCredentialLink",
+ "msDS-KeyPrincipalBL",
+ "msDS-KrbTgtLinkBl",
+ "msDS-LastFailedInteractiveLogonTime",
+ "msDS-LastKnownRDN",
+ "msDS-LastSuccessfulInteractiveLogonTime",
+ "msDS-LocalEffectiveDeletionTime",
+ "msDS-LocalEffectiveRecycleTime",
+ "msDs-masteredBy",
+ "msds-memberOfTransitive",
+ "msDS-MembersForAzRoleBL",
+ "msDS-MembersOfResourcePropertyListBL",
+ "msds-memberTransitive",
+ "msDS-NCReplCursors",
+ "msDS-NCReplInboundNeighbors",
+ "msDS-NCReplOutboundNeighbors",
+ "msDS-NC-RO-Replica-Locations-BL",
+ "msDS-NcType",
+ "msDS-NonMembersBL",
+ "msDS-ObjectReferenceBL",
+ "msDS-ObjectSoa",
+ "msDS-OIDToGroupLinkBl",
+ "msDS-OperationsForAzRoleBL",
+ "msDS-OperationsForAzTaskBL",
+ "msDS-parentdistname",
+ "msDS-PhoneticCompanyName",
+ "msDS-PhoneticDepartment",
+ "msDS-PhoneticDisplayName",
+ "msDS-PhoneticFirstName",
+ "msDS-PhoneticLastName",
+ "msDS-PrimaryComputer",
+ "msDS-PrincipalName",
+ "msDS-PSOApplied",
+ "msDS-ReplAttributeMetaData",
+ "msDS-ReplValueMetaData",
+ "msDS-ReplValueMetaDataExt",
+ "msDS-ResultantPSO",
+ "msDS-RevealedDSAs",
+ "msDS-RevealedListBL",
+ "msDS-SecondaryKrbTgtNumber",
+ "msDS-Site-Affinity",
+ "msDS-SourceAnchor",
+ "msDS-SourceObjectDN",
+ "msDS-SupportedEncryptionTypes",
+ "msDS-SyncServerUrl",
+ "msDS-TasksForAzRoleBL",
+ "msDS-TasksForAzTaskBL",
+ "msDS-TDOEgressBL",
+ "msDS-TDOIngressBL",
+ "msDS-User-Account-Control-Computed",
+ "msDS-UserPasswordExpiryTimeComputed",
+ "msDS-ValueTypeReferenceBL",
+ "msExchAcceptedDomainBL",
+ "msExchAccountForestBL",
+ "msExchArchiveDatabaseBL",
+ "msExchAssociatedAcceptedDomainBL",
+ "msExchAuthPolicyBL",
+ "msExchAuxMailboxParentObjectIdBL",
+ "msExchAvailabilityOrgWideAccountBL",
+ "msExchAvailabilityPerUserAccountBL",
+ "msExchCatchAllRecipientBL",
+ "msExchConferenceMailboxBL",
+ "msExchControllingZone",
+ "msExchDataEncryptionPolicyBL",
+ "msExchDelegateListBL",
+ "msExchDeviceAccessControlRuleBL",
+ "msExchEvictedMemebersBL",
+ "msExchHABRootDepartmentBL",
+ "msExchHouseIdentifier",
+ "msExchHygieneConfigurationMalwareBL",
+ "msExchHygieneConfigurationSpamBL",
+ "msExchIMAPOWAURLPrefixOverride",
+ "msExchIntendedMailboxPlanBL",
+ "msExchMailboxMoveSourceArchiveMDBBL",
+ "msExchMailboxMoveSourceMDBBL",
+ "msExchMailboxMoveSourceUserBL",
+ "msExchMailboxMoveStorageMDBBL",
+ "msExchMailboxMoveTargetArchiveMDBBL",
+ "msExchMailboxMoveTargetMDBBL",
+ "msExchMailboxMoveTargetUserBL",
+ "msExchMDBAvailabilityGroupConfigurationBL",
+ "msExchMobileRemoteDocumentsAllowedServersBL",
+ "msExchMobileRemoteDocumentsBlockedServersBL",
+ "msExchMobileRemoteDocumentsInternalDomainSuffixListBL",
+ "msExchMultiMailboxDatabasesBL",
+ "msExchMultiMailboxLocationsBL",
+ "msExchOABGeneratingMailboxBL",
+ "msExchOrganizationsAddressBookRootsBL",
+ "msExchOrganizationsGlobalAddressListsBL",
+ "msExchOrganizationsTemplateRootsBL",
+ "msExchOriginatingForest",
+ "msExchOWAAllowedFileTypesBL",
+ "msExchOWAAllowedMimeTypesBL",
+ "msExchOWABlockedFileTypesBL",
+ "msExchOWABlockedMIMETypesBL",
+ "msExchOWAForceSaveFileTypesBL",
+ "msExchOWAForceSaveMIMETypesBL",
+ "msExchOWARemoteDocumentsAllowedServersBL",
+ "msExchOWARemoteDocumentsBlockedServersBL",
+ "msExchOWARemoteDocumentsInternalDomainSuffixListBL",
+ "msExchOWATranscodingFileTypesBL",
+ "msExchOWATranscodingMimeTypesBL",
+ "msExchParentPlanBL",
+ "msExchQueryBaseDN",
+ "msExchRBACPolicyBL",
+ "msExchResourceGUID",
+ "msExchResourceProperties",
+ "msExchRMSComputerAccountsBL",
+ "msExchServerAssociationBL",
+ "msExchServerSiteBL",
+ "msExchSMTPReceiveDefaultAcceptedDomainBL",
+ "msExchSupervisionDLBL",
+ "msExchSupervisionOneOffBL",
+ "msExchSupervisionUserBL",
+ "msExchTransportRuleTargetBL",
+ "msExchTrustedDomainBL",
+ "msExchUGMemberBL",
+ "msExchUserBL",
+ "msExchUserCulture",
+ "msIIS-FTPDir",
+ "msIIS-FTPRoot",
+ "mSMQDigests",
+ "mSMQDigestsMig",
+ "mSMQSignCertificates",
+ "mSMQSignCertificatesMig",
+ "msNPAllowDialin",
+ "msNPCallingStationID",
+ "msNPSavedCallingStationID",
+ "msOrg-LeadersBL",
+ "msPKIAccountCredentials",
+ "msPKI-CredentialRoamingTokens",
+ "msPKIDPAPIMasterKeys",
+ "msPKIRoamingTimeStamp",
+ "msRADIUSCallbackNumber",
+ "msRADIUS-FramedInterfaceId",
+ "msRADIUSFramedIPAddress",
+ "msRADIUS-FramedIpv6Prefix",
+ "msRADIUS-FramedIpv6Route",
+ "msRADIUSFramedRoute",
+ "msRADIUS-SavedFramedInterfaceId",
+ "msRADIUS-SavedFramedIpv6Prefix",
+ "msRADIUS-SavedFramedIpv6Route",
+ "msRADIUSServiceType",
+ "msRASSavedCallbackNumber",
+ "msRASSavedFramedIPAddress",
+ "msRASSavedFramedRoute",
+ "msRTCSIP-AcpInfo",
+ "msRTCSIP-ApplicationOptions",
+ "msRTCSIP-ArchivingEnabled",
+ "msRTCSIP-DeploymentLocator",
+ "msRTCSIP-FederationEnabled",
+ "msRTCSIP-GroupingID",
+ "msRTCSIP-InternetAccessEnabled",
+ "msRTCSIP-Line",
+ "msRTCSIP-LineServer",
+ "msRTCSIP-OptionFlags",
+ "msRTCSIP-OriginatorSid",
+ "msRTCSIP-OwnerUrn",
+ "msRTCSIP-PrimaryHomeServer",
+ "msRTCSIP-PrimaryUserAddress",
+ "msRTCSIP-PrivateLine",
+ "msRTCSIP-TargetHomeServer",
+ "msRTCSIP-TargetUserPolicies",
+ "msRTCSIP-TenantId",
+ "msRTCSIP-UserEnabled",
+ "msRTCSIP-UserExtension",
+ "msRTCSIP-UserLocationProfile",
+ "msRTCSIP-UserPolicies",
+ "msRTCSIP-UserPolicy",
+ "msRTCSIP-UserRoutingGroupId",
+ "msSFU30Name",
+ "msSFU30NisDomain",
+ "msSFU30PosixMemberOf",
+ "msTSAllowLogon",
+ "msTSBrokenConnectionAction",
+ "msTSConnectClientDrives",
+ "msTSConnectPrinterDrives",
+ "msTSDefaultToMainPrinter",
+ "msTSExpireDate",
+ "msTSExpireDate2",
+ "msTSExpireDate3",
+ "msTSExpireDate4",
+ "msTSHomeDirectory",
+ "msTSHomeDrive",
+ "msTSInitialProgram",
+ "msTSLicenseVersion",
+ "msTSLicenseVersion2",
+ "msTSLicenseVersion3",
+ "msTSLicenseVersion4",
+ "msTSLSProperty01",
+ "msTSLSProperty02",
+ "msTSManagingLS",
+ "msTSManagingLS2",
+ "msTSManagingLS3",
+ "msTSManagingLS4",
+ "msTSMaxConnectionTime",
+ "msTSMaxDisconnectionTime",
+ "msTSMaxIdleTime",
+ "msTSPrimaryDesktop",
+ "msTSProfilePath",
+ "msTSProperty01",
+ "msTSProperty02",
+ "msTSReconnectionAction",
+ "msTSRemoteControl",
+ "msTSSecondaryDesktops",
+ "msTSWorkDirectory",
+ "name",
+ "netbootSCPBL",
+ "networkAddress",
+ "nonSecurityMemberBL",
+ "ntPwdHistory",
+ "nTSecurityDescriptor",
+ "o",
+ "objectCategory",
+ "objectClass",
+ "objectGUID",
+ "objectVersion",
+ "operatorCount",
+ "otherFacsimileTelephoneNumber",
+ "otherHomePhone",
+ "otherIpPhone",
+ "otherLoginWorkstations",
+ "otherMailbox",
+ "otherMobile",
+ "otherPager",
+ "otherTelephone",
+ "otherWellKnownObjects",
+ "ou",
+ "ownerBL",
+ "pager",
+ "partialAttributeDeletionList",
+ "partialAttributeSet",
+ "personalPager",
+ "personalTitle",
+ "photo",
+ "physicalDeliveryOfficeName",
+ "possibleInferiors",
+ "postalAddress",
+ "postalCode",
+ "postOfficeBox",
+ "preferredDeliveryMethod",
+ "preferredLanguage",
+ "preferredOU",
+ "primaryGroupID",
+ "primaryInternationalISDNNumber",
+ "primaryTelexNumber",
+ "profilePath",
+ "proxiedObjectName",
+ "proxyAddresses",
+ "pwdLastSet",
+ "queryPolicyBL",
+ "registeredAddress",
+ "replPropertyMetaData",
+ "replUpToDateVector",
+ "repsFrom",
+ "repsTo",
+ "revision",
+ "roomNumber",
+ "scriptPath",
+ "sDRightsEffective",
+ "secretary",
+ "seeAlso",
+ "serialNumber",
+ "serverReferenceBL",
+ "servicePrincipalName",
+ "showInAdvancedViewOnly",
+ "siteObjectBL",
+ "sn",
+ "st",
+ "street",
+ "streetAddress",
+ "structuralObjectClass",
+ "subRefs",
+ "subSchemaSubEntry",
+ "systemFlags",
+ "telephoneAssistant",
+ "telephoneNumber",
+ "teletexTerminalIdentifier",
+ "telexNumber",
+ "terminalServer",
+ "thumbnailLogo",
+ "thumbnailPhoto",
+ "title",
+ "uid",
+ "unicodePwd",
+ "url",
+ "userAccountControl",
+ "userCertificate",
+ "userParameters",
+ "userPassword",
+ "userPKCS12",
+ "userPrincipalName",
+ "userSharedFolder",
+ "userSharedFolderOther",
+ "userSMIMECertificate",
+ "userWorkstations",
+ "uSNChanged",
+ "uSNCreated",
+ "uSNDSALastObjRemoved",
+ "USNIntersite",
+ "uSNLastObjRem",
+ "uSNSource",
+ "wbemPath",
+ "wellKnownObjects",
+ "whenChanged",
+ "whenCreated",
+ "wWWHomePage",
+ "x121Address",
+ "x500uniqueIdentifier"
+ )
+ $Compare = Compare-Object -ReferenceObject $UserAttributelist -DifferenceObject $UserAttributeListFromAD
+ Write-Output $Compare
+ }
+
+ if($Class -eq "computer"){
+ $ComputerAttributeListFromAD = Get-AllAttributesForClass -Class computer
+
+ $ComputerAttributeList = @(
+ "accountExpires",
+ "aCSPolicyName",
+ "adminCount",
+ "adminDescription",
+ "adminDisplayName",
+ "allowedAttributes",
+ "allowedAttributesEffective",
+ "allowedChildClasses",
+ "allowedChildClassesEffective",
+ "assistant",
+ "attributeCertificateAttribute",
+ "audio",
+ "badPasswordTime",
+ "badPwdCount",
+ "bridgeheadServerListBL",
+ "businessCategory",
+ "businessRoles",
+ "c",
+ "canonicalName",
+ "carLicense",
+ "catalogs",
+ "cn",
+ "co",
+ "codePage",
+ "comment",
+ "company",
+ "controlAccessRights",
+ "countryCode",
+ "createTimeStamp",
+ "dBCSPwd",
+ "defaultClassStore",
+ "defaultLocalPolicyObject",
+ "department",
+ "departmentNumber",
+ "description",
+ "desktopProfile",
+ "destinationIndicator",
+ "directReports",
+ "displayName",
+ "displayNamePrintable",
+ "distinguishedName",
+ "division",
+ "dNSHostName",
+ "dSASignature",
+ "dSCorePropagationData",
+ "dynamicLDAPServer",
+ "employeeID",
+ "employeeNumber",
+ "employeeType",
+ "extensionName",
+ "facsimileTelephoneNumber",
+ "flags",
+ "fromEntry",
+ "frsComputerReferenceBL",
+ "fRSMemberReferenceBL",
+ "fSMORoleOwner",
+ "generationQualifier",
+ "givenName",
+ "groupMembershipSAM",
+ "groupPriority",
+ "groupsToIgnore",
+ "homeDirectory",
+ "homeDrive",
+ "homePhone",
+ "homePostalAddress",
+ "houseIdentifier",
+ "initials",
+ "instanceType",
+ "internationalISDNNumber",
+ "ipPhone",
+ "isCriticalSystemObject",
+ "isDeleted",
+ "isPrivilegeHolder",
+ "isRecycled",
+ "jpegPhoto",
+ "kMServer",
+ "l",
+ "labeledURI",
+ "lastKnownParent",
+ "lastLogoff",
+ "lastLogon",
+ "lastLogonTimestamp",
+ "lmPwdHistory",
+ "localeID",
+ "localPolicyFlags",
+ "location",
+ "lockoutTime",
+ "logonCount",
+ "logonHours",
+ "logonWorkstation",
+ "logRolloverInterval",
+ "machineRole",
+ "mail",
+ "managedBy",
+ "managedObjects",
+ "manager",
+ "masteredBy",
+ "maxStorage",
+ "memberOf",
+ "mhsORAddress",
+ "middleName",
+ "mobile",
+ "modifyTimeStamp",
+ "monitoredConfigurations",
+ "monitoredServices",
+ "monitoringAvailabilityStyle",
+ "monitoringAvailabilityWindow",
+ "monitoringCachedViaMail",
+ "monitoringCachedViaRPC",
+ "monitoringMailUpdateInterval",
+ "monitoringMailUpdateUnits",
+ "monitoringRPCUpdateInterval",
+ "monitoringRPCUpdateUnits",
+ "msCOM-PartitionSetLink",
+ "msCOM-UserLink",
+ "msCOM-UserPartitionSetLink",
+ "msDFSR-ComputerReferenceBL",
+ "msDFSR-MemberReferenceBL",
+ "msDRM-IdentityCertificate",
+ "msDS-AdditionalDnsHostName",
+ "msDS-AdditionalSamAccountName",
+ "msDS-AllowedToActOnBehalfOfOtherIdentity",
+ "msDS-AllowedToDelegateTo",
+ "msDS-Approx-Immed-Subordinates",
+ "msDS-AssignedAuthNPolicy",
+ "msDS-AssignedAuthNPolicySilo",
+ "msDS-AuthenticatedAtDC",
+ "msDS-AuthenticatedToAccountlist",
+ "msDS-AuthNPolicySiloMembersBL",
+ "msDS-Cached-Membership",
+ "msDS-Cached-Membership-Time-Stamp",
+ "msDS-ClaimSharesPossibleValuesWithBL",
+ "msDS-CloudAnchor",
+ "mS-DS-ConsistencyChildCount",
+ "mS-DS-ConsistencyGuid",
+ "mS-DS-CreatorSID",
+ "msDS-EnabledFeatureBL",
+ "msDS-ExecuteScriptPassword",
+ "msDS-FailedInteractiveLogonCount",
+ "msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon",
+ "msDS-GenerationId",
+ "msDS-HABSeniorityIndex",
+ "msDS-HostServiceAccount",
+ "msDS-HostServiceAccountBL",
+ "msDS-IsDomainFor",
+ "msDS-IsFullReplicaFor",
+ "msDS-isGC",
+ "msDS-IsPartialReplicaFor",
+ "msDS-IsPrimaryComputerFor",
+ "msDS-isRODC",
+ "msDS-IsUserCachableAtRodc",
+ "msDS-KeyCredentialLink",
+ "msDS-KeyPrincipalBL",
+ "msDS-KrbTgtLink",
+ "msDS-KrbTgtLinkBl",
+ "msDS-LastFailedInteractiveLogonTime",
+ "msDS-LastKnownRDN",
+ "msDS-LastSuccessfulInteractiveLogonTime",
+ "msDS-LocalEffectiveDeletionTime",
+ "msDS-LocalEffectiveRecycleTime",
+ "msDs-masteredBy",
+ "msds-memberOfTransitive",
+ "msDS-MembersForAzRoleBL",
+ "msDS-MembersOfResourcePropertyListBL",
+ "msds-memberTransitive",
+ "msDS-NCReplCursors",
+ "msDS-NCReplInboundNeighbors",
+ "msDS-NCReplOutboundNeighbors",
+ "msDS-NC-RO-Replica-Locations-BL",
+ "msDS-NcType",
+ "msDS-NeverRevealGroup",
+ "msDS-NonMembersBL",
+ "msDS-ObjectReferenceBL",
+ "msDS-ObjectSoa",
+ "msDS-OIDToGroupLinkBl",
+ "msDS-OperationsForAzRoleBL",
+ "msDS-OperationsForAzTaskBL",
+ "msDS-parentdistname",
+ "msDS-PhoneticCompanyName",
+ "msDS-PhoneticDepartment",
+ "msDS-PhoneticDisplayName",
+ "msDS-PhoneticFirstName",
+ "msDS-PhoneticLastName",
+ "msDS-PrimaryComputer",
+ "msDS-PrincipalName",
+ "msDS-PromotionSettings",
+ "msDS-PSOApplied",
+ "msDS-ReplAttributeMetaData",
+ "msDS-ReplValueMetaData",
+ "msDS-ReplValueMetaDataExt",
+ "msDS-ResultantPSO",
+ "msDS-RevealedDSAs",
+ "msDS-RevealedList",
+ "msDS-RevealedListBL",
+ "msDS-RevealedUsers",
+ "msDS-RevealOnDemandGroup",
+ "msDS-SecondaryKrbTgtNumber",
+ "msDS-Site-Affinity",
+ "msDS-SiteName",
+ "msDS-SourceAnchor",
+ "msDS-SourceObjectDN",
+ "msDS-SupportedEncryptionTypes",
+ "msDS-SyncServerUrl",
+ "msDS-TasksForAzRoleBL",
+ "msDS-TasksForAzTaskBL",
+ "msDS-TDOEgressBL",
+ "msDS-TDOIngressBL",
+ "msDS-User-Account-Control-Computed",
+ "msDS-UserPasswordExpiryTimeComputed",
+ "msDS-ValueTypeReferenceBL",
+ "msExchAcceptedDomainBL",
+ "msExchAccountForestBL",
+ "msExchArchiveDatabaseBL",
+ "msExchAssociatedAcceptedDomainBL",
+ "msExchAuthPolicyBL",
+ "msExchAuxMailboxParentObjectIdBL",
+ "msExchAvailabilityOrgWideAccountBL",
+ "msExchAvailabilityPerUserAccountBL",
+ "msExchCatchAllRecipientBL",
+ "msExchComponentStates",
+ "msExchConferenceMailboxBL",
+ "msExchControllingZone",
+ "msExchDataEncryptionPolicyBL",
+ "msExchDelegateListBL",
+ "msExchDeviceAccessControlRuleBL",
+ "msExchEvictedMemebersBL",
+ "msExchExchangeServerLink",
+ "msExchHABRootDepartmentBL",
+ "msExchHouseIdentifier",
+ "msExchHygieneConfigurationMalwareBL",
+ "msExchHygieneConfigurationSpamBL",
+ "msExchIMAPOWAURLPrefixOverride",
+ "msExchIntendedMailboxPlanBL",
+ "msExchMailboxMoveSourceArchiveMDBBL",
+ "msExchMailboxMoveSourceMDBBL",
+ "msExchMailboxMoveSourceUserBL",
+ "msExchMailboxMoveStorageMDBBL",
+ "msExchMailboxMoveTargetArchiveMDBBL",
+ "msExchMailboxMoveTargetMDBBL",
+ "msExchMailboxMoveTargetUserBL",
+ "msExchMDBAvailabilityGroupConfigurationBL",
+ "msExchMobileRemoteDocumentsAllowedServersBL",
+ "msExchMobileRemoteDocumentsBlockedServersBL",
+ "msExchMobileRemoteDocumentsInternalDomainSuffixListBL",
+ "msExchMultiMailboxDatabasesBL",
+ "msExchMultiMailboxLocationsBL",
+ "msExchOABGeneratingMailboxBL",
+ "msExchOrganizationsAddressBookRootsBL",
+ "msExchOrganizationsGlobalAddressListsBL",
+ "msExchOrganizationsTemplateRootsBL",
+ "msExchOriginatingForest",
+ "msExchOWAAllowedFileTypesBL",
+ "msExchOWAAllowedMimeTypesBL",
+ "msExchOWABlockedFileTypesBL",
+ "msExchOWABlockedMIMETypesBL",
+ "msExchOWAForceSaveFileTypesBL",
+ "msExchOWAForceSaveMIMETypesBL",
+ "msExchOWARemoteDocumentsAllowedServersBL",
+ "msExchOWARemoteDocumentsBlockedServersBL",
+ "msExchOWARemoteDocumentsInternalDomainSuffixListBL",
+ "msExchOWATranscodingFileTypesBL",
+ "msExchOWATranscodingMimeTypesBL",
+ "msExchParentPlanBL",
+ "msExchPolicyList",
+ "msExchPolicyOptionList",
+ "msExchQueryBaseDN",
+ "msExchRBACPolicyBL",
+ "msExchResourceGUID",
+ "msExchResourceProperties",
+ "msExchRMSComputerAccountsBL",
+ "msExchServerAssociationBL",
+ "msExchServerSiteBL",
+ "msExchSMTPReceiveDefaultAcceptedDomainBL",
+ "msExchSupervisionDLBL",
+ "msExchSupervisionOneOffBL",
+ "msExchSupervisionUserBL",
+ "msExchTransportRuleTargetBL",
+ "msExchTrustedDomainBL",
+ "msExchUGMemberBL",
+ "msExchUserBL",
+ "msExchUserCulture",
+ "msIIS-FTPDir",
+ "msIIS-FTPRoot",
+ "msImaging-HashAlgorithm",
+ "msImaging-ThumbprintHash",
+ "mSMQDigests",
+ "mSMQDigestsMig",
+ "mSMQSignCertificates",
+ "mSMQSignCertificatesMig",
+ "msNPAllowDialin",
+ "msNPCallingStationID",
+ "msNPSavedCallingStationID",
+ "msOrg-LeadersBL",
+ "msPKIAccountCredentials",
+ "msPKI-CredentialRoamingTokens",
+ "msPKIDPAPIMasterKeys",
+ "msPKIRoamingTimeStamp",
+ "msRADIUSCallbackNumber",
+ "msRADIUS-FramedInterfaceId",
+ "msRADIUSFramedIPAddress",
+ "msRADIUS-FramedIpv6Prefix",
+ "msRADIUS-FramedIpv6Route",
+ "msRADIUSFramedRoute",
+ "msRADIUS-SavedFramedInterfaceId",
+ "msRADIUS-SavedFramedIpv6Prefix",
+ "msRADIUS-SavedFramedIpv6Route",
+ "msRADIUSServiceType",
+ "msRASSavedCallbackNumber",
+ "msRASSavedFramedIPAddress",
+ "msRASSavedFramedRoute",
+ "msRTCSIP-AcpInfo",
+ "msRTCSIP-ApplicationOptions",
+ "msRTCSIP-ArchivingEnabled",
+ "msRTCSIP-DeploymentLocator",
+ "msRTCSIP-FederationEnabled",
+ "msRTCSIP-GroupingID",
+ "msRTCSIP-InternetAccessEnabled",
+ "msRTCSIP-Line",
+ "msRTCSIP-LineServer",
+ "msRTCSIP-OptionFlags",
+ "msRTCSIP-OriginatorSid",
+ "msRTCSIP-OwnerUrn",
+ "msRTCSIP-PrimaryHomeServer",
+ "msRTCSIP-PrimaryUserAddress",
+ "msRTCSIP-PrivateLine",
+ "msRTCSIP-TargetHomeServer",
+ "msRTCSIP-TargetUserPolicies",
+ "msRTCSIP-TenantId",
+ "msRTCSIP-UserEnabled",
+ "msRTCSIP-UserExtension",
+ "msRTCSIP-UserLocationProfile",
+ "msRTCSIP-UserPolicies",
+ "msRTCSIP-UserPolicy",
+ "msRTCSIP-UserRoutingGroupId",
+ "msSFU30Aliases",
+ "msSFU30Name",
+ "msSFU30NisDomain",
+ "msSFU30PosixMemberOf",
+ "msTPM-OwnerInformation",
+ "msTPM-TpmInformationForComputer",
+ "msTSAllowLogon",
+ "msTSBrokenConnectionAction",
+ "msTSConnectClientDrives",
+ "msTSConnectPrinterDrives",
+ "msTSDefaultToMainPrinter",
+ "msTSEndpointData",
+ "msTSEndpointPlugin",
+ "msTSEndpointType",
+ "msTSExpireDate",
+ "msTSExpireDate2",
+ "msTSExpireDate3",
+ "msTSExpireDate4",
+ "msTSHomeDirectory",
+ "msTSHomeDrive",
+ "msTSInitialProgram",
+ "msTSLicenseVersion",
+ "msTSLicenseVersion2",
+ "msTSLicenseVersion3",
+ "msTSLicenseVersion4",
+ "msTSLSProperty01",
+ "msTSLSProperty02",
+ "msTSManagingLS",
+ "msTSManagingLS2",
+ "msTSManagingLS3",
+ "msTSManagingLS4",
+ "msTSMaxConnectionTime",
+ "msTSMaxDisconnectionTime",
+ "msTSMaxIdleTime",
+ "msTSPrimaryDesktop",
+ "msTSPrimaryDesktopBL",
+ "msTSProfilePath",
+ "msTSProperty01",
+ "msTSProperty02",
+ "msTSReconnectionAction",
+ "msTSRemoteControl",
+ "msTSSecondaryDesktopBL",
+ "msTSSecondaryDesktops",
+ "msTSWorkDirectory",
+ "name",
+ "netbootDUID",
+ "netbootGUID",
+ "netbootInitialization",
+ "netbootMachineFilePath",
+ "netbootMirrorDataFile",
+ "netbootSCPBL",
+ "netbootSIFFile",
+ "networkAddress",
+ "nisMapName",
+ "nonSecurityMemberBL",
+ "ntPwdHistory",
+ "nTSecurityDescriptor",
+ "o",
+ "objectCategory",
+ "objectClass",
+ "objectGUID",
+ "objectVersion",
+ "operatingSystem",
+ "operatingSystemHotfix",
+ "operatingSystemServicePack",
+ "operatingSystemVersion",
+ "operatorCount",
+ "otherFacsimileTelephoneNumber",
+ "otherHomePhone",
+ "otherIpPhone",
+ "otherLoginWorkstations",
+ "otherMailbox",
+ "otherMobile",
+ "otherPager",
+ "otherTelephone",
+ "otherWellKnownObjects",
+ "ou",
+ "ownerBL",
+ "pager",
+ "partialAttributeDeletionList",
+ "partialAttributeSet",
+ "personalPager",
+ "personalTitle",
+ "photo",
+ "physicalDeliveryOfficeName",
+ "physicalLocationObject",
+ "policyReplicationFlags",
+ "possibleInferiors",
+ "postalAddress",
+ "postalCode",
+ "postOfficeBox",
+ "preferredDeliveryMethod",
+ "preferredLanguage",
+ "preferredOU",
+ "primaryGroupID",
+ "primaryInternationalISDNNumber",
+ "primaryTelexNumber",
+ "profilePath",
+ "promoExpiration",
+ "proxiedObjectName",
+ "proxyAddresses",
+ "pwdLastSet",
+ "queryPolicyBL",
+ "registeredAddress",
+ "replPropertyMetaData",
+ "replUpToDateVector",
+ "repsFrom",
+ "repsTo",
+ "revision",
+ "rIDSetReferences",
+ "roomNumber",
+ "scriptPath",
+ "sDRightsEffective",
+ "secretary",
+ "securityProtocol",
+ "seeAlso",
+ "serialNumber",
+ "serverReferenceBL",
+ "servicePrincipalName",
+ "showInAdvancedViewOnly",
+ "siteGUID",
+ "siteObjectBL",
+ "sn",
+ "st",
+ "street",
+ "streetAddress",
+ "structuralObjectClass",
+ "subRefs",
+ "subSchemaSubEntry",
+ "systemFlags",
+ "telephoneAssistant",
+ "telephoneNumber",
+ "teletexTerminalIdentifier",
+ "telexNumber",
+ "terminalServer",
+ "thumbnailLogo",
+ "thumbnailPhoto",
+ "title",
+ "trackingLogPathName",
+ "type",
+ "uid",
+ "unicodePwd",
+ "url",
+ "userAccountControl",
+ "userCertificate",
+ "userParameters",
+ "userPassword",
+ "userPKCS12",
+ "userPrincipalName",
+ "userSharedFolder",
+ "userSharedFolderOther",
+ "userSMIMECertificate",
+ "userWorkstations",
+ "uSNChanged",
+ "uSNCreated",
+ "uSNDSALastObjRemoved",
+ "USNIntersite",
+ "uSNLastObjRem",
+ "uSNSource",
+ "volumeCount",
+ "wbemPath",
+ "wellKnownObjects",
+ "whenChanged",
+ "whenCreated",
+ "wWWHomePage",
+ "x121Address",
+ "x500uniqueIdentifier"
+ )
+ $Compare = Compare-Object -ReferenceObject $ComputerAttributeList -DifferenceObject $ComputerAttributeListFromAD
+ Write-Output $Compare
+ }
+ }
+}
+ \ No newline at end of file
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 142f2a3..c003d8e 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -4471,7 +4471,7 @@ Switch. Return user accounts that are marked as 'sensitive and not allowed for d
Switch. Return computer objects that are trusted to authenticate for other principals.
-.PARAMETER KerberosPreauthNotRequired
+.PARAMETER PreauthNotRequired
Switch. Return user accounts with "Do not require Kerberos preauthentication" set.
@@ -4628,8 +4628,9 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
[Switch]
$TrustedToAuth,
+ [Alias('KerberosPreauthNotRequired', 'NoPreauth')]
[Switch]
- $KerberosPreauthNotRequired,
+ $PreauthNotRequired,
[ValidateNotNullOrEmpty()]
[String]
@@ -4705,9 +4706,19 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
- if ($IdentityInstance -match '.+\\.+') {
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$UserDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$UserName = $IdentityInstance.Split('\')[1]
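Review bot: The new GUID branch `elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$')` accepts only the plain hyphenated form, whereas the `[Guid]` cast inside the try/catch it replaces (removed in the next hunk) also parsed brace-wrapped and 32-hex-digit inputs, so an identity such as `{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}` now silently falls through to the `(samAccountName=...)` filter instead of an objectguid lookup. If brace-wrapped GUIDs are meant to keep working, loosen the pattern to `'^\{?[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}?$'` (the `[Guid]` cast already strips the braces); the same pattern is introduced in the `@@ -5750` hunk below and needs the same treatment. Separately, only `(` and `)` are escaped before the identity is spliced into the LDAP filter string, so `*`, `\` and NUL still reach the filter verbatim — acceptable if wildcard identities are intended, but that intent deserves a comment, and any escaping of `\` would have to happen after the `Contains('\')` domain split or the DOMAIN\user branch breaks. The enclosing function body, which appears from the later verbose messages to be Get-DomainUser, starts and ends outside this hunk.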
@@ -4718,26 +4729,10 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
}
}
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- # SID format
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^CN=.*') {
- # distinguished names
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- $IdentityFilter += "(samAccountName=$IdentityInstance)"
- }
- }
+ $IdentityFilter += "(samAccountName=$IdentityInstance)"
}
}
+
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
$Filter += "(|$IdentityFilter)"
}
@@ -4763,7 +4758,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
Write-Verbose '[Get-DomainUser] Searching for users that are trusted to authenticate for other principals'
$Filter += '(msds-allowedtodelegateto=*)'
}
- if ($PSBoundParameters['KerberosPreauthNotRequired']) {
+ if ($PSBoundParameters['PreauthNotRequired']) {
Write-Verbose '[Get-DomainUser] Searching for user accounts that do not require kerberos preauthenticate'
$Filter += '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
}
@@ -5750,28 +5745,21 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
$IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
+ if ($IdentityInstance -match '^S-1-') {
$IdentityFilter += "(objectsid=$IdentityInstance)"
}
- elseif ($IdentityInstance -match '^CN=.*') {
+ elseif ($IdentityInstance -match '^CN=') {
$IdentityFilter += "(distinguishedname=$IdentityInstance)"
}
- elseif ($IdentityInstance -match '.*\..*') {
- $IdentityFilter += "(dnshostname=$IdentityInstance)"
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
}
else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- if ($IdentityInstance.Contains('.')) {
- $IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
- }
- else {
- $IdentityFilter += "(name=$IdentityInstance)"
- }
- }
+ $IdentityFilter += "(name=$IdentityInstance)"
}
}
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
@@ -6062,40 +6050,33 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
- if ($IdentityInstance -match '.+\\.+') {
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^(CN|OU|DC)=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$ObjectDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$ObjectName = $IdentityInstance.Split('\')[1]
$IdentityFilter += "(samAccountName=$ObjectName)"
$SearcherArguments['Domain'] = $ObjectDomain
- Write-Verbose "[Get-DomainUser] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
+ Write-Verbose "[Get-DomainObject] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
$ObjectSearcher = Get-DomainSearcher @SearcherArguments
}
}
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- if ($IdentityInstance.Contains('.')) {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
- }
- else {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
- }
- }
- }
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
}
}
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
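Review bot: The escape step `$IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')` inserts a backslash into any identity that contained parentheses, so a plain name such as `John (Admin)` now satisfies `$IdentityInstance.Contains('\')` and is routed into the DOMAIN\name branch, where Convert-ADName will not resolve it and no filter term is appended; what happens with an empty `$IdentityFilter` is decided outside the hunk, but the term is dropped silently either way. Test the unescaped input instead, `elseif ($_.Contains('\')) {`, and derive the name from it, `$ObjectName = $_.Split('\')[1].Replace('(', '\28').Replace(')', '\29')`, so that escaped `\28`/`\29` sequences inside the name part do not also split the string. The same ordering appears in the Get-DomainGroup and Get-DomainGroupMember hunks below (their `elseif ($IdentityInstance.Contains('\'))` lines) and in the Get-DomainUser branch at the top of this file section.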
@@ -6587,6 +6568,7 @@ Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate cr
try {
Write-Verbose "[Set-DomainObjectOwner] Attempting to set the owner for '$Identity' to '$OwnerIdentity'"
$Entry = $RawObject.GetDirectoryEntry()
+ $Entry.PsBase.Options.SecurityMasks = 'Owner'
$Entry.PsBase.ObjectSecurity.SetOwner($OwnerIdentityReference)
$Entry.PsBase.CommitChanges()
}
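Review bot: The new line `$Entry.PsBase.Options.SecurityMasks = 'Owner'` deserves a why-comment, since it is the part of this change that makes the commit succeed without extra rights and future edits may move it after the `ObjectSecurity` access, where it would no longer take effect. Suggested comment above it: `# Fetch and write back only the Owner part of the security descriptor; the default mask also pulls the SACL, which needs SeSecurityPrivilege, and would rewrite the DACL on CommitChanges.` The same applies to the `SecurityMasks = 'Dacl'` line in the Add-DomainObjectAcl hunk further down. The surrounding try/catch continues outside this hunk.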
@@ -6783,19 +6765,15 @@ Custom PSObject with ACL entries.
elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
$IdentityFilter += "(distinguishedname=$IdentityInstance)"
}
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- if ($IdentityInstance.Contains('.')) {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
- }
- else {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
- }
- }
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
}
}
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
@@ -7205,6 +7183,7 @@ https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a
ForEach ($ACE in $ACEs) {
Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) rights GUID '$($ACE.ObjectType)' on $($TargetObject.Properties.distinguishedname)"
$TargetEntry = $TargetObject.GetDirectoryEntry()
+ $TargetEntry.PsBase.Options.SecurityMasks = 'Dacl'
$TargetEntry.PsBase.ObjectSecurity.AddAccessRule($ACE)
$TargetEntry.PsBase.CommitChanges()
}
@@ -8668,11 +8647,19 @@ Custom PSObject with translated group property fields.
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
-
- if ($IdentityInstance -match '.+\\.+') {
- # DOMAIN\groupname
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$GroupName = $IdentityInstance.Split('\')[1]
@@ -8683,24 +8670,10 @@ Custom PSObject with translated group property fields.
}
}
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^CN=.*') {
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
- }
- }
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
}
}
+
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
$Filter += "(|$IdentityFilter)"
}
@@ -9393,10 +9366,19 @@ http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
- if ($IdentityInstance -match '.+\\.+') {
- # DOMAIN\groupname
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$GroupName = $IdentityInstance.Split('\')[1]
@@ -9407,24 +9389,10 @@ http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-
}
}
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^CN=.*') {
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- $IdentityFilter += "(samAccountName=$IdentityInstance)"
- }
- }
+ $IdentityFilter += "(samAccountName=$IdentityInstance)"
}
}
+
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
$Filter += "(|$IdentityFilter)"
}
@@ -9914,7 +9882,7 @@ function Get-DomainDFSShare {
.SYNOPSIS
Returns a list of all fault-tolerant distributed file systems
-for the current (or specified) domain.
+for the current (or specified) domains.
Author: Ben Campbell (@meatballs__)
License: BSD 3-Clause
@@ -9929,7 +9897,7 @@ The server data is parsed appropriately and returned.
.PARAMETER Domain
-Specifies the domain to use for the query, defaults to the current domain.
+Specifies the domains to use for the query, defaults to the current domain.
.PARAMETER SearchBase
@@ -10212,7 +10180,7 @@ A custom PSObject describing the distributed file systems.
function Get-DomainDFSShareV1 {
[CmdletBinding()]
Param(
- [String[]]
+ [String]
$Domain,
[String]
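Review bot: Narrowing `$Domain` from `[String[]]` to `[String]` changes binding semantics: if the caller (Get-DomainDFSShare, whose docs in this commit now say "domains", plural) still passes its array through unchanged, PowerShell converts the array to a single space-joined string rather than erroring, and the query would silently target a non-existent domain. Recommend confirming that the caller iterates over its domain list and invokes this helper once per element; the same narrowing is made in the Get-DomainDFSShareV2 hunk below. A one-line comment on the parameter, `# single domain; the caller loops over its list`, would document the contract.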
@@ -10291,7 +10259,7 @@ A custom PSObject describing the distributed file systems.
function Get-DomainDFSShareV2 {
[CmdletBinding()]
Param(
- [String[]]
+ [String]
$Domain,
[String]