Open licorsec opened 2 years ago
Thanks, it worked for me too
Update AdAudit.ps1 #20
Can be closed as per #20
I am having a similar issue with Find-DangerousACLPermissions
on Server 2012 R2
Modifying the function to use the old `AD:` path syntax no longer produces an error, but I'm not able to confirm whether it's working properly at this time. Note that "no error" is not the same as "working": in the listing below `$acl` is already the `.Access` rule collection, and the filter then reads `$acl.Access` again, which yields nothing, so the check can report "no dangerous ACL permissions" even when weak ACEs exist.
$acl = (Get-Acl AD:$computer).Access
Using `$object.DistinguishedName` in the path instead produces a type error.
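# Specify the rights and principals to check against.
# ActiveDirectoryRights is a [Flags] enum, so a rule usually carries a
# comma-separated combination (e.g. "ReadProperty, WriteDacl"). Comparing the
# whole value with -in only matches rules that hold exactly one of these
# names, so each flag is matched individually in Find-DangerousAclRule below.
$dangerousAces = @('GenericAll', 'GenericWrite', 'ForceChangePassword', 'WriteDacl', 'WriteOwner', 'Delete')
# 'ForceChangePassword' is not an ActiveDirectoryRights member: it is the
# User-Force-Change-Password extended right, expressed as an ExtendedRight ACE
# whose ObjectType is the GUID below (or the empty GUID, meaning all extended
# rights). Such ACEs are reported under that name.
$forceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Principals every domain account belongs to. The NetBIOS domain name is
# resolved at run time: a literal 'DOMAIN\Domain Users' never matches an
# IdentityReference, which is rendered as '<NetBIOS name>\Domain Users'.
try { $domainNetBios = (Get-ADDomain -ErrorAction Stop).NetBIOSName }
catch { $domainNetBios = $env:USERDOMAIN }
$groupsToCheck = @('NT AUTHORITY\Authenticated Users', "$domainNetBios\Domain Users", 'Everyone')

function Find-DangerousAclRule {
    <#
    .SYNOPSIS
    Emits one PSCustomObject per Allow ACE that grants one of $dangerousAces to
    one of $groupsToCheck on any of the given AD objects.
    .PARAMETER ObjectType
    Label used in the ObjectType column and in progress/warning text
    ('Computer', 'Group' or 'User').
    .PARAMETER Objects
    ADObjects to inspect; their string form (the distinguished name) is used
    as the AD: drive path and as ObjectName in the output.
    .OUTPUTS
    PSCustomObject with ObjectType, ObjectName, IdentityReference,
    AccessControlType and ActiveDirectoryRights; nothing if no rule matches.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$ObjectType,
        [Parameter(Mandatory = $true)][AllowEmptyCollection()][object[]]$Objects
    )
    $total = $Objects.Count
    $index = 0
    $activity = "Searching for dangerous ACL permissions on $($ObjectType.ToLower())s"
    foreach ($object in $Objects) {
        # Plain counter instead of $Objects.IndexOf($object), which is a
        # linear scan per item and made progress reporting O(n^2).
        $index++
        Write-Progress -Activity $activity -Status "$($ObjectType)s searched: $index/$total" -PercentComplete ($index / $total * 100)
        try {
            # "AD:<DN>" is the path form that works on Server 2012 R2; the
            # Microsoft.ActiveDirectory.Management.dll\ActiveDirectory::: form
            # fails there with "The object name has bad syntax".
            # -ErrorAction Stop is required: Get-Acl errors are non-terminating
            # and would otherwise bypass the catch block entirely.
            # .Access is read exactly once here; reading .Access again on the
            # resulting rule collection yields nothing and silently hides
            # every finding.
            $rules = (Get-Acl -Path "AD:$object" -ErrorAction Stop).Access
        }
        catch {
            Write-Warning "Could not retrieve ACL for $($ObjectType.ToLower()) '$object': $_"
            continue
        }
        foreach ($rule in $rules) {
            # A Deny ACE cannot grant anything, so only Allow ACEs are findings.
            if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            # IdentityReference is an NTAccount (or an unresolved SID); compare
            # its string form rather than relying on implicit conversion.
            if ($rule.IdentityReference.Value -notin $groupsToCheck) { continue }
            # Expand the flags value into its individual right names.
            $rights = @($rule.ActiveDirectoryRights.ToString() -split ',\s*')
            $isExtended = ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            if ($isExtended -and ($rule.ObjectType -eq [guid]::Empty -or $rule.ObjectType -eq $forceChangePasswordGuid)) {
                $rights += 'ForceChangePassword'
            }
            if (-not ($rights | Where-Object { $_ -in $dangerousAces })) { continue }
            [PSCustomObject]@{
                ObjectType            = $ObjectType
                ObjectName            = $object
                IdentityReference     = $rule.IdentityReference
                AccessControlType     = $rule.AccessControlType
                ActiveDirectoryRights = $rule.ActiveDirectoryRights
            }
        }
    }
    Write-Progress -Activity $activity -Completed
}

# The default ADObject properties already include DistinguishedName, which is
# all the ACL lookup needs, so -Properties * is not requested. @() keeps each
# list an (possibly empty) array when a query returns nothing.
# Find dangerous permissions on Computers
$computers = @(Get-ADObject -Filter { objectClass -eq 'computer' -and objectCategory -eq 'computer' })
$computerResults = @(Find-DangerousAclRule -ObjectType 'Computer' -Objects $computers)
# Find dangerous permissions on groups
$groups = @(Get-ADObject -Filter { objectClass -eq 'group' -and objectCategory -eq 'group' })
$groupResults = @(Find-DangerousAclRule -ObjectType 'Group' -Objects $groups)
# Find dangerous permissions on users
$users = @(Get-ADObject -Filter { objectClass -eq 'user' -and objectCategory -eq 'person' })
$userResults = @(Find-DangerousAclRule -ObjectType 'User' -Objects $users)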
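# Output results
# One report per object type: an HTML table appended to the shared
# dangerousACLs.html, a text table, a console line and a Nessus finding.
# The text table is always written as UTF-8 (previously only the computer
# file was) and always carries the ActiveDirectoryRights column (previously
# the computer file omitted it), so the three findings read consistently.
# File names are unchanged because the rest of the report refers to them.
$reports = @(
    @{ Type = 'Computer'; Label = 'Computer Name'; Results = $computerResults; File = "$outputdir\dangerousACL_Computer.txt" }
    @{ Type = 'Group';    Label = 'Group Name';    Results = $groupResults;    File = "$outputdir\dangerousACL_Groups.txt" }
    @{ Type = 'User';     Label = 'User';          Results = $userResults;     File = "$outputdir\dangerousACLUsers.txt" }
)
foreach ($report in $reports) {
    $type = $report.Type
    if (-not $report.Results) {
        Write-Host " [+] No dangerous ACL permissions were found on any $($type.ToLower())."
        continue
    }
    # NOTE(review): ConvertTo-Html emits a complete HTML document each time, so
    # dangerousACLs.html ends up holding one document per object type. That is
    # the existing behaviour and is kept; switch to -Fragment if the file is
    # ever rendered as a single page.
    $report.Results | ConvertTo-Html -Property @{ Label = "Type"; Expression = { $_.ObjectType } }, @{ Label = $report.Label; Expression = { $_.ObjectName } }, @{ Label = "Allowed Group"; Expression = { $_.IdentityReference } }, AccessControlType, ActiveDirectoryRights | Out-File -Encoding UTF8 $outputdir\dangerousACLs.html -Append
    $report.Results | Format-Table -AutoSize -Property ObjectType, ObjectName, IdentityReference, AccessControlType, ActiveDirectoryRights | Out-File $report.File -Encoding UTF8
    Write-Both " [!] Issue identified, vulnerable ACL on $type, see $($report.File)"
    Write-Nessus-Finding "Weak $type Permissions" "KB551" ([System.IO.File]::ReadAllText($report.File))
}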
Edit for clarity
I was getting a "Get-Acl : The object name has bad syntax" when the Get-OUPerms function was running. According to this reddit post, it's a known issue. I simply changed
`Get-Acl AD:$object`
to `Get-Acl "Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/$object"`
and everything seems to be working again. By the way, thanks for taking the time to create and share this script. It pulls all the good stuff I would care about and saved me many hours by not having to put something together myself.