From 841150e1c69109442ee87e260ef69746fc38b349 Mon Sep 17 00:00:00 2001
From: Stuart Morgan
Date: Mon, 28 Dec 2015 17:54:47 +0000
Subject: Added Find-ManagedSecurityGroups
---
 Recon/PowerView.ps1 | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 57a5789..c38943d 100644
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -11101,6 +11101,77 @@ function Find-ForeignGroup { } } +function Find-ManagedSecurityGroups { +<# + .SYNOPSIS + + This function retrieves all security groups in the domain and identifies ones that + have a manager set. It also determines whether the manager has the ability to add + or remove members from the group. + + Author: Stuart Morgan (@ukstufus) + License: BSD 3-Clause + + .EXAMPLE + + PS C:\> Find-ManagedSecurityGroups | Export-PowerViewCSV -NoTypeInformation group-managers.csv + + Store a list of all security groups with managers in group-managers.csv + + .DESCRIPTION + + Authority to manipulate the group membership of AD security groups and distribution groups + can be delegated to non-administrators by setting the 'managedBy' attribute. This is typically + used to delegate management authority to distribution groups, but Windows supports security groups + being managed in the same way. + + This function searches for AD groups which have a group manager set, and determines whether that + user can manipulate group membership. This could be a useful method of horizontal privilege + escalation, especially if the manager can manipulate the membership of a privileged group. 
+ + .LINK + + https://github.com/PowerShellEmpire/Empire/pull/119 + +#> + + # Go through the list of security groups on the domain and identify those who have a manager + Get-NetGroup -FullData -Filter '(&(managedBy=*)(groupType:1.2.840.113556.1.4.803:=2147483648))' | Select-Object -Unique distinguishedName,managedBy,cn | Foreach-Object { + + # Retrieve the object that the managedBy DN refers to + $group_manager = Get-ADObject -ADSPath $_.managedBy | Select-Object cn,distinguishedname,name,samaccounttype,samaccountname + + # Create a results object to store our findings + $results_object = New-Object -TypeName PSObject -Property @{ + 'GroupCN' = $_.cn + 'GroupDN' = $_.distinguishedname + 'ManagerCN' = $group_manager.cn + 'ManagerDN' = $group_manager.distinguishedName + 'ManagerSAN' = $group_manager.samaccountname + 'ManagerType' = '' + 'CanManagerWrite' = $FALSE + } + + # Determine whether the manager is a user or a group + if ($group_manager.samaccounttype -eq 0x10000000) { + $results_object.ManagerType = 'Group' + } elseif ($group_manager.samaccounttype -eq 0x30000000) { + $results_object.ManagerType = 'User' + } + + # Find the ACLs that relate to the ability to write to the group + $xacl = Get-ObjectAcl -ADSPath $_.distinguishedname -Rights WriteMembers + + # Double-check that the manager + if ($xacl.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $xacl.AccessControlType -eq 'Allow' -and $xacl.IdentityReference.Value.Contains($group_manager.samaccountname)) { + $results_object.CanManagerWrite = $TRUE + } + + $results_object + + } + +} function Invoke-MapDomainTrust { <# -- cgit v1.2.3 From 2343f43e7cb15efe18e0f66631f5ff43895c7435 Mon Sep 17 00:00:00 2001 From: Stuart Morgan Date: Tue, 29 Dec 2015 13:37:40 +0000 Subject: Added reference to function to powersploit.psd1 and recon.psd1 --- PowerSploit.psd1 | 1 + Recon/Recon.psd1 | 1 + 2 files changed, 2 insertions(+) diff --git a/PowerSploit.psd1 b/PowerSploit.psd1 index bc482e1..492b846 100644 
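Review bot: The CanManagerWrite check at the end of the hunk applies its three conditions to the whole `$xacl` collection instead of to one ACE at a time, so an Allow entry for any principal plus any other entry whose identity merely contains the manager's name is reported as write access, while a Deny entry for the manager is never considered. `$xacl.IdentityReference.Value.Contains(...)` is also a case-sensitive substring test against `DOMAIN\sam`, so a manager `bob` matches an ACE granted to `bobby`; whether `Get-ObjectAcl -Rights WriteMembers` returns one entry or several is not visible here, but the rewrite below handles both. The rewrite iterates the ACEs and requires ObjectType, AccessControlType and an exact case-insensitive identity match on the same entry; Deny entries would still need explicit handling. The comment `# Double-check that the manager` is cut off mid-sentence; `# Report write access only if one Allow ACE on the member attribute names the manager principal` states what the block tests. `Get-ADObject -ADSPath` is handed the raw managedBy DN; whether that helper accepts a bare DN is not visible in the hunk and is worth confirming.
```powershell
        # Find the ACLs that relate to the ability to write to the group
        $xacl = Get-ObjectAcl -ADSPath $_.distinguishedname -Rights WriteMembers

        # Report write access only if one Allow ACE on the member attribute
        # names the manager principal exactly (IdentityReference is DOMAIN\sam).
        foreach ($ace in @($xacl)) {
            $ace_sam = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($ace.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and
                $ace.AccessControlType -eq 'Allow' -and
                $ace_sam -eq $group_manager.samaccountname) {
                $results_object.CanManagerWrite = $TRUE
                break
            }
        }

        # … unchanged: emit $results_object …
```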
--- a/PowerSploit.psd1
+++ b/PowerSploit.psd1
@@ -38,6 +38,7 @@ FunctionsToExport = @(
 'Find-GPOLocation',
 'Find-InterestingFile',
 'Find-LocalAdminAccess',
+ 'Find-ManagedSecurityGroups',
 'Find-PathHijack',
 'Find-UserField',
 'Get-ADObject',
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
index 55f19f7..205cae8 100644
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@@ -74,6 +74,7 @@ FunctionsToExport = @(
 'Get-CachedRDPConnection',
 'Get-NetProcess',
 'Find-InterestingFile',
+ 'Find-ManagedSecurityGroups',
 'Invoke-UserHunter',
 'Invoke-ProcessHunter',
 'Invoke-EventHunter',
@@ -23,71 +23,71 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( - 'Get-ComputerDetails', - 'Get-HttpStatus', - 'Invoke-Portscan', - 'Invoke-ReverseDnsLookup', - 'Set-MacAttribute', - 'Copy-ClonedFile', + 'Add-NetUser', + 'Add-ObjectAcl', + 'Convert-NT4toCanonical', 'Convert-NameToSid', 'Convert-SidToName', - 'Convert-NT4toCanonical', - 'Get-Proxy', - 'Get-PathAcl', - 'Get-NetDomain', - 'Get-NetForest', - 'Get-NetForestDomain', - 'Get-NetForestCatalog', - 'Get-NetDomainController', - 'Get-NetUser', - 'Add-NetUser', - 'Get-UserProperty', + 'Copy-ClonedFile', + 'Find-ComputerField', + 'Find-ForeignGroup', + 'Find-ForeignUser', + 'Find-GPOComputerAdmin', + 'Find-GPOLocation', + 'Find-InterestingFile', + 'Find-LocalAdminAccess', + 'Find-ManagedSecurityGroups', 'Find-UserField', - 'Get-UserEvent', - 'Get-ObjectAcl', - 'Add-ObjectAcl', - 'Invoke-ACLScanner', - 'Get-NetComputer', 'Get-ADObject', - 'Set-ADObject', + 'Get-CachedRDPConnection', + 'Get-ComputerDetails', 'Get-ComputerProperty', - 'Find-ComputerField', - 'Get-NetOU', - 'Get-NetSite', - 'Get-NetSubnet', - 'Get-NetGroup', - 'Get-NetGroupMember', - 'Get-NetFileServer', 'Get-DFSshare', + 'Get-DomainPolicy', + 'Get-ExploitableSystem', + 'Get-HttpStatus', + 'Get-LastLoggedOn', + 'Get-NetComputer', + 'Get-NetDomain', + 'Get-NetDomainController', + 'Get-NetDomainTrust', + 'Get-NetFileServer', + 'Get-NetForest', + 'Get-NetForestCatalog', + 'Get-NetForestDomain', + 'Get-NetForestTrust', 'Get-NetGPO', 'Get-NetGPOGroup', - 'Find-GPOLocation', - 'Find-GPOComputerAdmin', - 'Get-DomainPolicy', + 'Get-NetGroup', + 'Get-NetGroupMember', 'Get-NetLocalGroup', - 'Get-NetShare', 'Get-NetLoggedon', - 'Get-NetSession', + 'Get-NetOU', + 'Get-NetProcess', 'Get-NetRDPSession', + 'Get-NetSession', + 'Get-NetShare', + 'Get-NetSite', + 'Get-NetSubnet', + 'Get-NetUser', + 'Get-ObjectAcl', + 'Get-PathAcl', + 'Get-Proxy', + 'Get-UserEvent', + 'Get-UserProperty', + 'Invoke-ACLScanner', 
'Invoke-CheckLocalAdminAccess', - 'Get-LastLoggedOn', - 'Get-CachedRDPConnection', - 'Get-NetProcess', - 'Find-InterestingFile', - 'Find-ManagedSecurityGroups', - 'Invoke-UserHunter', - 'Invoke-ProcessHunter', + 'Invoke-EnumerateLocalAdmin', 'Invoke-EventHunter', - 'Invoke-ShareFinder', 'Invoke-FileFinder', - 'Find-LocalAdminAccess', - 'Get-ExploitableSystem', - 'Invoke-EnumerateLocalAdmin', - 'Get-NetDomainTrust', - 'Get-NetForestTrust', - 'Find-ForeignUser', - 'Find-ForeignGroup', - 'Invoke-MapDomainTrust' + 'Invoke-MapDomainTrust', + 'Invoke-Portscan', + 'Invoke-ProcessHunter', + 'Invoke-ReverseDnsLookup', + 'Invoke-ShareFinder', + 'Invoke-UserHunter', + 'Set-ADObject', + 'Set-MacAttribute' ) # List of all files packaged with this module -- cgit v1.2.3 From ed60b51f0ab30c94d0592caea224476cf8c175d1 Mon Sep 17 00:00:00 2001 From: Stuart Morgan Date: Tue, 29 Dec 2015 14:06:06 +0000 Subject: Sorted exports into alphabetical order --- Privesc/Privesc.psd1 | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1 index 34ebf7b..2ccdb8e 100644 --- a/Privesc/Privesc.psd1 +++ b/Privesc/Privesc.psd1 
@@ -23,26 +23,26 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( - 'Get-ServiceUnquoted', - 'Get-ServiceFilePermission', - 'Get-ServicePermission', - 'Get-ServiceDetail', - 'Invoke-ServiceAbuse', - 'Write-ServiceBinary', - 'Install-ServiceBinary', - 'Restore-ServiceBinary', 'Find-DLLHijack', 'Find-PathHijack', - 'Write-HijackDll', + 'Get-ApplicationHost', 'Get-RegAlwaysInstallElevated', 'Get-RegAutoLogon', + 'Get-ServiceDetail', + 'Get-ServiceFilePermission', + 'Get-ServicePermission', + 'Get-ServiceUnquoted', + 'Get-UnattendedInstallFile', 'Get-VulnAutoRun', 'Get-VulnSchTask', - 'Get-UnattendedInstallFile', 'Get-Webconfig', - 'Get-ApplicationHost', - 'Write-UserAddMSI', - 'Invoke-AllChecks' + 'Install-ServiceBinary', + 'Invoke-AllChecks', + 'Invoke-ServiceAbuse', + 'Restore-ServiceBinary', + 'Write-HijackDll', + 'Write-ServiceBinary', + 'Write-UserAddMSI' ) # List of all files packaged with this module -- cgit v1.2.3 From bc7efdf22914c722d88eb70fac01a4dc5493c87b Mon Sep 17 00:00:00 2001 From: Stuart Morgan Date: Tue, 29 Dec 2015 14:08:28 +0000 Subject: Added Find-ManagedSecurityGroups to readme --- Recon/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Recon/README.md b/Recon/README.md index d992798..6e28a30 100644 --- a/Recon/README.md +++ b/Recon/README.md 
@@ -120,6 +120,8 @@ an array of hosts from the pipeline.
 Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
 Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
 Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
+ Find-ManagedSecurityGroups - searches for active directory security groups which are managed and identify users who have write access to
+ - those groups (i.e. the ability to add or remove members)
 Find-UserField - searches a user field for a particular term
 Find-ComputerField - searches a computer field for a particular term
 Get-ExploitableSystem - finds systems likely vulnerable to common exploits
-- cgit v1.2.3