Added couple of tools

red-teaming/Count-PrivilegedGroupMembers.ps1

@@ -0,0 +1,79 @@
+<#
+  This script enumerates privileged groups (Tier-) and counts their users.
+  By knowing how many privileged users are there in examined groups, we can
+  briefly estimate the configuration debt impact on the assessed Active Directory
+  or domain maintenance misconfiguration impact.
+
+  Usage:
+    PS> . .\Count-PrivilegedGroupMembers.ps1
+    PS> Count-PrivilegedGroupMembers
+  
+  Mariusz B. / mgeeky
+#>
+
+# This script requires PowerView 3.0 dev branch
+# Import-Module powerview.ps1 -ErrorAction SilentlyContinue
+
+Function Count-PrivilegedGroupMembers
+{    
+	[CmdletBinding()] Param(
+		[Parameter(Mandatory=$false)]
+        [String]
+        $Domain,
+
+		[Parameter(Mandatory=$false)]
+        [Switch]
+        $Recurse,
+
+		[Parameter(Mandatory=$false)]
+        [String]
+        $AdditionalGroupsFile
+    )
+
+	$PrivilegedGroups = @(
+		"Enterprise Admins"
+		"Domain Admins"
+		"Schema Admin"
+		"Account Operators"
+		"Backup Operators"
+		"Print Operators"
+		"Server Operators"
+		"Domain Controllers"
+		"Read-only Domain Controllers"
+		"Group Policy Creator Owners"
+		"Cryptographic Operators"
+		"Distributed COM Users"
+	)
+
+	$AdditionalGroups = @()
+
+	if($AdditionalGroupsFile.length -gt 0) {
+		[string[]]$AdditionalGroups = Get-Content -Path $AdditionalGroupsFile
+	}
+
+	$groups = $PrivilegedGroups + $AdditionalGroups
+
+	$GroupsMembers = @{}
+	foreach ($group in $groups)
+	{
+		$command = "(Get-DomainGroupMember -Identity '$group'"
+		if ($Recurse)
+		{
+			$command += " -Recurse"
+		}
+
+		if($Domain)
+		{
+			$command += " -Domain $Domain"
+		}
+
+		$command += " ).Count"
+		Write-Verbose "Running '$command'..."
+		$members = (Invoke-Expression $command) -as [int]
+		$GroupsMembers.Add($group, $members)
+
+		Write-Verbose "Got $members members in $group."
+	}
+
+	return $GroupsMembers
+}

red-teaming/README.md

@@ -54,6 +54,8 @@ $s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e
 IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
 ```
 
+- **`Count-PrivilegedGroupMembers.ps1`** - Counts number of members in predefined (or augumented from an input file) list of privileged, sensitive groups in Active Directory. Purely for statistics and overview purposes.
+
 - **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
 
 - **`Disable-Amsi.ps1`** - Tries to evade AMSI by leveraging couple of publicly documented techniqus, but in an approach to avoid signatured or otherwise considered harmful keywords.