Get-BadPrivilege.psm1
# -----------------------------------------
# Function: Get-BadPrivilege
# -----------------------------------------
# With local administrator privileges, this script uses PoshPrivilege to list all user right/privilege assignments.
# It then filters for known dangerous privileges based on https://twitter.com/vysecurity/status/1315272197959749635.
# Requires: https://github.com/proxb/PoshPrivilege
# Wrapper Author: Scott Sutherland, @_nullbind NetSPI 2020
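Function Get-BadPrivilege
{
    <#
    .SYNOPSIS
    Lists user right/privilege assignments and flags the ones that are known to be high risk.

    .DESCRIPTION
    Wraps Get-Privilege (from the PoshPrivilege module, see the header comment) and emits one
    object per account that holds each right, with HighRisk set to "Yes" when the privilege name
    is in a fixed list of rights commonly abused for escalation. The function aborts with a
    warning when Get-Privilege is not loaded or the caller is not a local administrator.

    .OUTPUTS
    PSCustomObject with the properties ComputerName, Privilege, HighRisk, Description and User.
    Diagnostics are written to the warning stream so that the success stream carries only
    result objects (the original wrote them with Write-Output, which polluted captured output).
    #>
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    param()

    # Check if Get-Privilege has been loaded.
    if (-not (Test-Path Function:\Get-Privilege)) {
        Write-Warning "The Get-Privilege function does not appear to be available."
        Write-Warning "It can be downloaded from https://github.com/proxb/PoshPrivilege."
        Write-Warning "Aborting run."
        # 'return', not 'break': a bare 'break' outside a loop unwinds into the caller's scope.
        return
    }

    # Check if the current user is a local administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) {
        Write-Warning "This script must be run as a local administrator."
        Write-Warning "Aborting run."
        return
    }

    # Known high-risk rights/privileges. Names are compared exactly (case-insensitively),
    # so they must be the canonical Windows privilege constants. The "Replace a process
    # level token" right is SeAssignPrimaryTokenPrivilege; the original list spelled it
    # "SeAssignPrimaryPrivilege", which could never match.
    $BadPrivileges = @(
        'SeImpersonatePrivilege'
        'SeAssignPrimaryTokenPrivilege'
        'SeTcbPrivilege'
        'SeBackupPrivilege'
        'SeRestorePrivilege'
        'SeCreateTokenPrivilege'
        'SeLoadDriverPrivilege'
        'SeTakeOwnershipPrivilege'
        'SeDebugPrivilege'
    )

    # Iterate through identified right/privilege assignments.
    Get-Privilege | ForEach-Object {
        $MyComputerName     = $_.ComputerName
        $MyPrivilege        = [string]$_.Privilege   # cast so -contains compares strings
        $MyDescription      = $_.Description
        $MyAffectedAccounts = $_.Accounts

        # Membership test against the list. The original looped over every entry and
        # overwrote $MyRiskStatus each time, so only the last list entry ever counted,
        # and it used the assigned privilege as the wildcard pattern rather than the
        # list entry.
        if ($BadPrivileges -contains $MyPrivilege) {
            $MyRiskStatus = 'Yes'
        } else {
            $MyRiskStatus = 'No'
        }

        # One output row per affected account (an empty Accounts list yields no rows).
        $MyAffectedAccounts | ForEach-Object {
            [PSCustomObject]@{
                ComputerName = [string]$MyComputerName
                Privilege    = [string]$MyPrivilege
                HighRisk     = [string]$MyRiskStatus
                Description  = [string]$MyDescription
                User         = [string]$_
            }
        }
    }
}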