Dropped a bunch of various scripts.

2025-09-02 01:58:33 +02:00 · 2019-01-29 05:19:12 -05:00
parent e839e64db2
commit 1bf88bef0b
9 changed files with 105 additions and 1 deletions
--- a/red-teaming/Find-GPODelegatedUsers.ps1
+++ b/red-teaming/Find-GPODelegatedUsers.ps1
@ -0,0 +1 @@
+Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | %{$acl=$_; $a=[string]$acl.IdentityReference; $b=$a.Substring($a.IndexOf("\")+1); $c=$null; $c=Get-NetUser "$b"; If ($c -ne $null -And $c.userprincipalname -like "*") { $dn=$acl.ObjectDN; If($dn -match 'CN=({[0-9A-F\-]+}),.+'){ $cn=$matches[1]; $gpo=Get-NetGPO -GPOname "$cn"; Write-Output "User: $b / $($c.userprincipalname) - delegated to GPO: $($gpo.displayname)"}}}
--- a/red-teaming/README.md
+++ b/red-teaming/README.md
@ -66,6 +66,8 @@ Loaded $StealthUserHunterShowAll results.
 Loaded $UserHunterShowAll results.
 ```

+- **`Find-GPODelegatedUsers.ps1`** - One-liner for finding GPO Delegated users that can Edit Settings of that GPO and thus could be used to Abuse GPO Permissions (https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/). [gist](https://gist.github.com/mgeeky/5843df09607123772a61e782a6406d54)
+
 - **`generateMSBuildPowershellXML.py`** - Powershell via MSBuild inline-task XML payload generation script - To be used during Red-Team assignments to launch Powershell payloads without using `powershell.exe` ([gist](https://gist.github.com/mgeeky/df9f313cfe468e56c59268b958319bcb))

    Example output **not minimized**:
				`@ -0,0 +1 @@`
				`Get-NetGPO \| %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} \| %{$acl=$_; $a=[string]$acl.IdentityReference; $b=$a.Substring($a.IndexOf("\")+1); $c=$null; $c=Get-NetUser "$b"; If ($c -ne $null -And $c.userprincipalname -like "*") { $dn=$acl.ObjectDN; If($dn -match 'CN=({[0-9A-F\-]+}),.+'){ $cn=$matches[1]; $gpo=Get-NetGPO -GPOname "$cn"; Write-Output "User: $b / $($c.userprincipalname) - delegated to GPO: $($gpo.displayname)"}}}`