62 changes: 62 additions & 0 deletions Recon/PowerView.ps1
Expand Up @@ -18764,6 +18764,68 @@ Custom PSObject with translated domain API trust result fields.
}
}

function Get-GPODelegation
{
<#
.SYNOPSIS
Finds users with write permissions on GPO objects which may allow privilege escalation within the domain.

Author: Itamar Mizrahi (@MrAnde7son)
License: GNU v3
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

.PARAMETER GPOName
The GPO display name to query for, wildcards accepted.

.PARAMETER PageSize

.EXAMPLE
PS C:\> Get-GPODelegation
Returns all GPO delegations in current forest.

.EXAMPLE
PS C:\> Get-GPODelegation -GPOName
Returns all GPO delegations on a given GPO.
#>
[CmdletBinding()]
Param (
[String]
$GPOName = '*',

[ValidateRange(1,10000)]
[Int]
$PageSize = 200
)

$Exclusions = @("SYSTEM","Domain Admins","Enterprise Admins")

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$DomainList = @($Forest.Domains)
$Domains = $DomainList | foreach { $_.GetDirectoryEntry() }
foreach ($Domain in $Domains) {
$Filter = "(&(objectCategory=groupPolicyContainer)(displayname=$GPOName))"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = $Domain
$Searcher.Filter = $Filter
$Searcher.PageSize = $PageSize
$Searcher.SearchScope = "Subtree"
$listGPO = $Searcher.FindAll()
foreach ($gpo in $listGPO){
$ACL = ([ADSI]$gpo.path).ObjectSecurity.Access | ? {$_.ActiveDirectoryRights -match "Write" -and $_.AccessControlType -eq "Allow" -and $Exclusions -notcontains $_.IdentityReference.toString().split("\")[1] -and $_.IdentityReference -ne "CREATOR OWNER"}
if ($ACL -ne $null){
$GpoACL = New-Object psobject
$GpoACL | Add-Member Noteproperty 'ADSPath' $gpo.Properties.adspath
$GpoACL | Add-Member Noteproperty 'GPODisplayName' $gpo.Properties.displayname
$GpoACL | Add-Member Noteproperty 'IdentityReference' $ACL.IdentityReference
$GpoACL | Add-Member Noteproperty 'ActiveDirectoryRights' $ACL.ActiveDirectoryRights
$GpoACL
}
}
}
}

########################################################
#
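Review bot: `$GPOName` is spliced unescaped into the LDAP filter at `$Filter = "(&(objectCategory=groupPolicyContainer)(displayname=$GPOName))"`, so a display name containing `(`, `)` or `\` yields a malformed filter or matches something other than the intended GPO; since wildcards are documented, escape only the other RFC 4515 specials, e.g. `$Escaped = $GPOName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'` (backslash first) and interpolate `$Escaped`. The `SearchResultCollection` returned by `$Searcher.FindAll()` and the `DirectorySearcher` itself keep directory handles open until disposed, so add `$listGPO.Dispose()` after the inner `foreach` and `$Searcher.Dispose()` at the end of the domain loop. When a GPO has more than one qualifying ACE, `$ACL` is an array and the output object's `IdentityReference` and `ActiveDirectoryRights` become arrays instead of one row per ACE, and `$ACL -ne $null` then acts as an array filter rather than a boolean test; `if ($null -ne $ACL)` is the form PSScriptAnalyzer expects, and emitting one object per ACE would give a flat result set. The help block is incomplete: `.DESCRIPTION` and `.PARAMETER PageSize` are empty and the second `.EXAMPLE` passes `-GPOName` with no value; a one-line description such as "Enumerates GPO objects in every domain of the current forest and returns the non-excluded principals holding a Write-class right on each", a `.PARAMETER PageSize` note like "The PageSize to set for the LDAP searcher object.", and an example with an actual name (e.g. `-GPOName 'Default Domain Policy'`) would bring it in line with the surrounding functions, which appear from the hunk context to document their output.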