Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated Find-DomainObjectPropertyOutlier approach.

This commit is contained in:
HarmJ0y 2017-06-13 17:13:17 -04:00
parent d9e9231755
commit 1bfe3a2715
1 changed files with 17 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
Recon/PowerView.ps1
View File

@ -4234,19 +4234,16 @@ Finds user/group/computer objects in AD that have 'outlier' properties set.
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer, Get-ForestSchemaClass Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer
.DESCRIPTION .DESCRIPTION
Enumerates the schema for the specified -ClassName (if passed) by using Get-ForestSchemaClass. A 'reference' set of property names is calculated, either from a standard set preserved
If a -ReferenceObject is passed, the class is extracted from the passed object.
A 'reference' set of property names is then calculated, either from a standard set preserved
for user/group/computers, or from the array of names passed to -ReferencePropertySet, or for user/group/computers, or from the array of names passed to -ReferencePropertySet, or
from the property names of the passed -ReferenceObject. These property names are substracted from the property names of the passed -ReferenceObject. Every user/group/computer object
from the master schema propertyu name list to retrieve a set of 'non-standard' properties. (depending on determined class) are enumerated, and for each object, if the object has a
Every user/group/computer object (depending on determined class) are enumerated, and for each 'non-standard' property set (meaning a property not held by the reference set), the object's
object, if the object has a 'non-standard' property set, the object samAccountName, property samAccountName, property name, and property value are output to the pipeline.
name, and property value are output to the pipeline.
.PARAMETER ClassName .PARAMETER ClassName
@ -4428,7 +4425,7 @@ Custom PSObject with translated object property outliers.
Write-Verbose "[Find-DomainObjectPropertyOutlier] Extracting property names from -ReferenceObject to use as the reference property set" Write-Verbose "[Find-DomainObjectPropertyOutlier] Extracting property names from -ReferenceObject to use as the reference property set"
$ReferenceObjectProperties = Get-Member -InputObject $ReferenceObject -MemberType NoteProperty | Select-Object -Expand Name $ReferenceObjectProperties = Get-Member -InputObject $ReferenceObject -MemberType NoteProperty | Select-Object -Expand Name
$ReferenceObjectClass = $ReferenceObject.objectclass | Select-Object -Last 1 $ReferenceObjectClass = $ReferenceObject.objectclass | Select-Object -Last 1
Write-Verbose "[Find-DomainObjectPropertyOutlier] Caldulated ReferenceObjectClass : $ReferenceObjectClass" Write-Verbose "[Find-DomainObjectPropertyOutlier] Calculated ReferenceObjectClass : $ReferenceObjectClass"
} }
else { else {
Write-Verbose "[Find-DomainObjectPropertyOutlier] Using the default reference property set for the object class '$ClassName'" Write-Verbose "[Find-DomainObjectPropertyOutlier] Using the default reference property set for the object class '$ClassName'"
@ -4436,34 +4433,30 @@ Custom PSObject with translated object property outliers.
if (($ClassName -eq 'User') -or ($ReferenceObjectClass -eq 'User')) { if (($ClassName -eq 'User') -or ($ReferenceObjectClass -eq 'User')) {
$Objects = Get-DomainUser @SearcherArguments $Objects = Get-DomainUser @SearcherArguments
$SchemaClass = Get-ForestSchemaClass @SchemaArguments -ClassName 'User' if (-not $ReferenceObjectProperties) {
$ReferenceObjectProperties = $UserReferencePropertySet $ReferenceObjectProperties = $UserReferencePropertySet
} }
}
elseif (($ClassName -eq 'Group') -or ($ReferenceObjectClass -eq 'Group')) { elseif (($ClassName -eq 'Group') -or ($ReferenceObjectClass -eq 'Group')) {
$Objects = Get-DomainGroup @SearcherArguments $Objects = Get-DomainGroup @SearcherArguments
$SchemaClass = Get-ForestSchemaClass @SchemaArguments -ClassName 'Group' if (-not $ReferenceObjectProperties) {
$ReferenceObjectProperties = $GroupReferencePropertySet $ReferenceObjectProperties = $GroupReferencePropertySet
} }
}
elseif (($ClassName -eq 'Computer') -or ($ReferenceObjectClass -eq 'Computer')) { elseif (($ClassName -eq 'Computer') -or ($ReferenceObjectClass -eq 'Computer')) {
Write-Verbose "COMPUTER!"
$Objects = Get-DomainComputer @SearcherArguments $Objects = Get-DomainComputer @SearcherArguments
$SchemaClass = Get-ForestSchemaClass @SchemaArguments -ClassName 'Computer' if (-not $ReferenceObjectProperties) {
$ReferenceObjectProperties = $ComputerReferencePropertySet $ReferenceObjectProperties = $ComputerReferencePropertySet
} }
}
else { else {
throw "[Find-DomainObjectPropertyOutlier] Invalid class: $ClassName" throw "[Find-DomainObjectPropertyOutlier] Invalid class: $ClassName"
} }
$SchemaProperties = $SchemaClass | Select-Object -ExpandProperty OptionalProperties | Select-Object -ExpandProperty name
$SchemaProperties += $SchemaClass | Select-Object -ExpandProperty MandatoryProperties | Select-Object -ExpandProperty name
# find the schema properties that are NOT in the first returned reference property set
$NonstandardProperties = Compare-Object -ReferenceObject $ReferenceObjectProperties -DifferenceObject $SchemaProperties -PassThru
ForEach ($Object in $Objects) { ForEach ($Object in $Objects) {
$ObjectProperties = Get-Member -InputObject $Object -MemberType NoteProperty | Select-Object -Expand Name $ObjectProperties = Get-Member -InputObject $Object -MemberType NoteProperty | Select-Object -Expand Name
ForEach($ObjectProperty in $ObjectProperties) { ForEach($ObjectProperty in $ObjectProperties) {
if ($NonstandardProperties -Contains $ObjectProperty) { if ($ReferenceObjectProperties -NotContains $ObjectProperty) {
$Out = New-Object PSObject $Out = New-Object PSObject
$Out | Add-Member Noteproperty 'SamAccountName' $Object.SamAccountName $Out | Add-Member Noteproperty 'SamAccountName' $Object.SamAccountName
$Out | Add-Member Noteproperty 'Property' $ObjectProperty $Out | Add-Member Noteproperty 'Property' $ObjectProperty