Get-GPODelegation

Hi, I know you guys mentioned this before, but I've not this implemented. I wrote Get-GPODelegation that finds users with write permissions on Group Policy objects, for a potential privilege escalation path. As requested, moved into dev branch.
2017-05-04 16:11:12 +03:00 · 2017-05-04 16:11:12 +03:00 · 2501e8e912
parent 095988269b
commit 2501e8e912
1 changed files with 60 additions and 0 deletions
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@ -18764,6 +18764,66 @@ Custom PSObject with translated domain API trust result fields.
    }
 }

+function Get-GPODelegation
+{
+<#
+    .SYNOPSIS
+        Finds users with write permissions on GPO objects which may allow privilege escalation within the domain.
+
+        Author: Itamar Mizrahi (@MrAnde7son)
+        License: GNU v3
+        Required Dependencies: None
+        Optional Dependencies: None
+
+    .DESCRIPTION
+
+    .PARAMETER GPOName
+        The GPO display name to query for, wildcards accepted.  
+
+    .PARAMETER PageSize
+
+    .EXAMPLE 
+        PS C:\> Get-GPODelegation
+        Returns all GPO delegations in current forest.
+
+    .EXAMPLE 
+        PS C:\> Get-GPODelegation -GPOName
+        Returns all GPO delegations on a given GPO.
+#>
+    [CmdletBinding()]
+    Param (
+        [String]
+        $GPOName = '*',
+
+        [ValidateRange(1,10000)] 
+        [Int]
+        $PageSize = 200
+    )
+
+    $Exclusions = @("SYSTEM","Domain Admins","Enterprise Admins")
+
+    $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
+    $DomainList = @($Forest.Domains)
+    $Domains = $DomainList | foreach { $_.GetDirectoryEntry() }
+    foreach ($Domain in $Domains) {
+        $Filter = "(&(objectCategory=groupPolicyContainer)(displayname=$GPOName))"
+        $Searcher = New-Object System.DirectoryServices.DirectorySearcher
+        $Searcher.SearchRoot = $Domain
+        $Searcher.Filter = $Filter
+        $Searcher.PageSize = $PageSize
+        $Searcher.SearchScope = "Subtree"
+        $listGPO = $Searcher.FindAll()
+        foreach ($gpo in $listGPO){
+            $ACL = (([ADSI]$gpo.path).ObjectSecurity).Access | ? {$_.ActiveDirectoryRights -match "Write" -and $_.AccessControlType -eq "Allow" -and  $Exclusions -notcontains $_.IdentityReference.toString().split("\")[1] -and $_.IdentityReference -ne "CREATOR OWNER"}
+            $GpoACL = New-Object psobject
+            $GpoACL | Add-Member Noteproperty 'ADSPath' $gpo.Properties.adspath
+            $GpoACL | Add-Member Noteproperty 'GPODisplayName' $gpo.Properties.displayname
+            $GpoACL | Add-Member Noteproperty 'IdentityReference' $ACL.IdentityReference
+            $GpoACL | Add-Member Noteproperty 'ActiveDirectoryRights' $ACL.ActiveDirectoryRights
+            $GpoACL
+        }
+    }
+}

 ########################################################
 #