From 641c78ab404a160ef5600bd23458420af6276e56 Mon Sep 17 00:00:00 2001 From: Mike Loss Date: Sun, 4 Feb 2018 20:40:40 +0800 Subject: [PATCH 1/9] how do i git --- TODO | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TODO b/TODO index 68c4af1..238fe92 100644 --- a/TODO +++ b/TODO @@ -1,4 +1,4 @@ Get-GPORegSettings - implement filtering - very noisy -Get-GPORegSettings - fix output of .value, add output for *.extension.policy.dropdownlist.value.name.innertext +Get-GPORegSettings - fix output of .value Get-GPOFilePerms - parse SDDL Get-GPOAccountSettings - implement filtering From cd80b6db5f3044b74d5ff3279c5beeda3b5a757f Mon Sep 17 00:00:00 2001 From: Mike Loss Date: Mon, 5 Feb 2018 11:36:57 +0800 Subject: [PATCH 2/9] Added file path permission checks where appropriate. --- TODO | 1 + grouper.ps1 | 157 +++++++++++++++++++++++++++++++++++++++------------- 2 files changed, 120 insertions(+), 38 deletions(-) diff --git a/TODO b/TODO index 238fe92..f6181a0 100644 --- a/TODO +++ b/TODO @@ -2,3 +2,4 @@ Get-GPORegSettings - implement filtering - very noisy Get-GPORegSettings - fix output of .value Get-GPOFilePerms - parse SDDL Get-GPOAccountSettings - implement filtering +Get-GPOFolderRedirection - get permissions on target path \ No newline at end of file diff --git a/grouper.ps1 b/grouper.ps1 index 0868106..1f9dd6c 100644 --- a/grouper.ps1 +++ b/grouper.ps1 @@ -72,6 +72,11 @@ $Global:intRights += "SeCreateGlobalPrivilege" $Global:intRights += "SeLoadDriverPrivilege" $Global:intRights += "SeRemoteInteractiveLogonRight" +$Global:boringTrustees = @() +$Global:boringTrustees += "BUILTIN\Administrators" +$Global:boringTrustees += "NT AUTHORITY\SYSTEM" + + #____________________ GPO Check functions _______________ # There's a whole pile of these functions. Each one consumes a single object from a Get-GPOReport XML report, 
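Review bot: `$Global:boringTrustees` is added with no comment saying what it is for, so a reader of this hunk cannot tell it is an exclusion list rather than, say, a list of accounts to look for. Suggest `# Trustees dropped from the per-file ACL listings below: they are expected to hold full control on any source file, so their ACEs only add noise.` above the first line. The later hunks apply it as `-Contains $_.IdentityReference`, which is a string comparison against the account name Get-ACL renders, so each entry must match that `DOMAIN\Name` spelling exactly; worth a second comment line saying so, since adding a SID-form entry here would silently never match.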
@@ -369,19 +374,33 @@ Function Get-GPOMSIInstallation { ###### # Description: Checks for MSI installers being used to install software. # Vulnerable: TODO Only show instances where the file is writable by the current user or 'Everyone' or 'Domain Users' or 'Authenticated Users'. - # Interesting: TODO Also show instances where any user/group other than the usual default Domain/Enterprise Admins has 'Full Control'. + # Interesting: All MSI installations. # Boring: All MSI installations. ###### - $computerMSIInstallation = ($polXml.Computer.ExtensionData.Extension.MsiApplication | Sort-Object GPOSettingOrder) + $MSIInstallation = ($polXml.ExtensionData.Extension.MsiApplication | Sort-Object GPOSettingOrder) - if ($computerMSIInstallation) { - foreach ($setting in $computerMSIInstallation) { - if ($level -eq 1) { + if ($MSIInstallation) { + foreach ($setting in $MSIInstallation) { + if ($level -le 2) { $output = @{} + $MSIPath = $setting.Path $output.Add("Name", $setting.Name) - $output.Add("Path", $setting.Path) + $output.Add("Path", $MSIPath) + if ($Global:onlineChecks -eq 1) { + if ($MSIPath.StartsWith("\\")) { + $MSIPathACL = Get-ACL $MSIPath + $MSIPathOwner = $MSIPathACL.Owner + $MSIPathAccess = $MSIPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $MSIPathOwner) + } + } Write-NoEmpties -output $output + if ($MSIPathAccess) { + "`r`n" + Write-Title -Text "Permissions on source file:" -DividerChar "-" + Write-Output $MSIPathAccess + } "`r`n" } } 
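Review bot: `$MSIPathAccess` is never cleared between loop iterations, so once one setting's UNC path has been read, every later setting in the same GPO whose `Path` is not `\\`-prefixed still reaches `if ($MSIPathAccess)` holding the previous file's ACL and prints it under the wrong setting. Add `$MSIPathAccess = $null` right after `$output = @{}`; the same carry-over exists for `$commandPathAccess` in Get-GPOScripts, `$fromPathAccess` in Get-GPOFileUpdate and `$targetPathAccess` in Get-GPOShortcuts in the hunks below. `$MSIPath.StartsWith("\\")` will also raise a null-method error for a setting with no `Path` attribute, which `$MSIPath = [string]$setting.Path` avoids. The `# Interesting:` line now repeats the `# Boring:` text ("All MSI installations.") and no longer describes the level-2 behaviour.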
@@ -398,7 +417,7 @@ Function Get-GPOScripts { ###### # Description: Checks for startup/shutdown/logon/logoff scripts. # Vulnerable: TODO Only show instances where the file is writable by the current user or 'Everyone' or 'Domain Users' or 'Authenticated Users'. - # Interesting: TODO Also show instances where any user/group other than the usual default Domain/Enterprise Admins has 'Full Control' or where 'Parameters' is set. + # Interesting: All scripts. # Boring: All scripts. ###### @@ -406,12 +425,29 @@ Function Get-GPOScripts { if ($settingsScripts) { foreach ($setting in $settingsScripts) { - if ($level -eq 1) { + $commandPath = $setting.Command + + if ($level -le 2) { $output = @{} - $output.Add("Command", $setting.Command) + $output.Add("Command", $commandPath) $output.Add("Type", $setting.Type) $output.Add("Parameters", $setting.Parameters) - Write-NoEmpties -output $output + + if ($Global:onlineChecks -eq 1) { + if ($commandPath.StartsWith("\\")) { + $commandPathACL = Get-ACL $commandPath + $commandPathOwner = $commandPathACL.Owner + $commandPathAccess = $commandPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $commandPathOwner) + } + } + + Write-NoEmpties -output $output + if ($commandPathAccess) { + "`r`n" + Write-Title -Text "Permissions on source file:" -DividerChar "-" + Write-Output $commandPathAccess + } "`r`n" } } 
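Review bot: The `# Interesting:` line in the Get-GPOScripts header now reads the same as the `# Boring:` line ("All scripts."), so the header no longer says what the level-2 filter does; the Get-GPOMSIInstallation header in the hunk above was changed the same way. From the code, levels 1 and 2 show every script and, when `$Global:onlineChecks` is 1, additionally the owner and filtered ACL of any `\\`-prefixed command path, so `# Interesting: All scripts; with online checks, owner/ACL of UNC-hosted script files.` would be accurate. The `# Vulnerable:` line is still a TODO, and the new ACL output does not implement it, so leaving it as TODO is correct.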
@@ -426,9 +462,9 @@ Function Get-GPOFileUpdate { ) ###### - # Description: Checks for MSI installers being used to install software. + # Description: Checks for files being copied/updated/whatever. # Vulnerable: TODO Only show instances where the 'fromPath' file is writable by the current user or 'Everyone' or 'Domain Users' or 'Authenticated Users'. - # Interesting: TODO Also show instances where any user/group other than the usual default Domain/Enterprise Admins has 'Full Control' of the 'fromPath' file. + # Interesting: All File Updates where FromPath is a network share # Boring: All File Updates. ###### @@ -436,13 +472,26 @@ Function Get-GPOFileUpdate { if ($settingsFiles) { foreach ($setting in $settingsFiles.File) { - if ($level -eq 1) { + $fromPath = $setting.Properties.fromPath + if ((($level -le 2) -And ($fromPath.StartsWith("\\"))) -Or ($level -eq 1)) { $output = @{} $output.Add("Name", $setting.name) $output.Add("Action", $setting.Properties.action) - $output.Add("fromPath", $setting.Properties.fromPath) + $output.Add("fromPath", $fromPath) $output.Add("targetPath", $setting.Properties.targetPath) + if ($Global:onlineChecks -eq 1) { + if ($fromPath.StartsWith("\\")) { + $fromPathACL = Get-ACL $fromPath + $fromPathOwner = $fromPathACL.Owner + $fromPathAccess = $fromPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $fromPathOwner) + } + } Write-NoEmpties -output $output + if ($fromPathAccess) { + Write-Title -Text "Permissions on source file:" -DividerChar "-" + Write-Output $fromPathAccess + } "`r`n" } } 
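Review bot: The new gate `(($level -le 2) -And ($fromPath.StartsWith("\\"))) -Or ($level -eq 1)` calls `.StartsWith` on `$fromPath` for every file setting, so a File element whose `fromPath` attribute is absent (presumably possible for a delete action) produces a null-method error instead of simply being skipped; `$fromPath = [string]$setting.Properties.fromPath` makes the empty case safe and the level-1 branch can be tested first. The `# Interesting:` comment says "network share" while the test is only a `\\` prefix, which also matches `\\?\` local paths, so say "UNC path" there. Style-wise this is the only one of the four new permission blocks that prints the `Permissions on source file:` title without a preceding blank line.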
@@ -1017,7 +1066,8 @@ Function Get-GPOShortcuts { if ($settingsShortcuts) { # Iterate over array of settings, writing out only those we care about. foreach ($setting in $settingsShortcuts) { - if ($level -eq 1) { + $targetPath = $setting.properties.targetPath + if (($level -eq 1) -Or (($level -le 2) -And ($targetPath.StartsWith("\\")))) { $output = @{} $output.Add("Name", $setting.name) $output.Add("Status", $setting.status) @@ -1029,7 +1079,20 @@ Function Get-GPOShortcuts { $output.Add("targetPath", $setting.properties.targetPath) $output.Add("iconPath", $setting.properties.iconPath) $output.Add("shortcutPath", $setting.properties.shortcutPath) + if ($Global:onlineChecks -eq 1) { + if ($targetPath.StartsWith("\\")) { + $targetPathACL = Get-ACL $targetPath + $targetPathOwner = $targetPathACL.Owner + $targetPathAccess = $targetPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $targetPathOwner) + } + } Write-NoEmpties -output $output + if ($targetPathAccess) { + "`r`n" + Write-Title -Text "Permissions on source file:" -DividerChar "-" + Write-Output $targetPathAccess + } "`r`n" } } 
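Review bot: The title `Permissions on source file:` is copied from the installer/script checks, but for a shortcut the path being ACL'd is the link's target, which may be a directory rather than a file; `Permissions on shortcut target:` would describe the output. The second hunk still reads `$setting.properties.targetPath` a second time for the `targetPath` key although `$targetPath` now holds it, and, as in the other three checks, `$targetPathAccess` is not reset per iteration so a previous target's ACL is printed under a later non-UNC shortcut.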
@@ -1166,32 +1229,33 @@ Function Invoke-AuditGPO { # Build an array of all our Get-GPO* check scriptblocks $polchecks = @() - $polchecks += {Get-GPORegKeys -Level $level -polXML $computerSettings} - $polchecks += {Get-GPORegKeys -Level $level -polXML $userSettings} - $polchecks += {Get-GPOUsers -Level $level -polXML $userSettings} - $polchecks += {Get-GPOUsers -Level $level -polXML $computerSettings} - $polchecks += {Get-GPOGroups -Level $level -polXML $userSettings} - $polchecks += {Get-GPOGroups -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPORegKeys -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPORegKeys -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOUsers -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOUsers -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPOGroups -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOGroups -Level $level -polXML $computerSettings} $polchecks += {Get-GPOScripts -Level $level -polXML $userSettings} $polchecks += {Get-GPOScripts -Level $level -polXML $computerSettings} $polchecks += {Get-GPOFileUpdate -Level $level -polXML $userSettings} $polchecks += {Get-GPOFileUpdate -Level $level -polXML $computerSettings} - $polchecks += {Get-GPOMSIInstallation -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOUserRights -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOSchedTasks -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOFolderRedirection -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOFilePerms -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOSecurityOptions -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOAccountSettings -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPONetworkShares -Level $level -polXml $xmlgpo} - $polchecks += {Get-GPOFolders -Level $level -polXML $userSettings} - $polchecks += {Get-GPOFolders -Level $level -polXML $computerSettings} - $polchecks += {Get-GPORegSettings -Level $level 
-polXML $computerSettings} - $polchecks += {Get-GPORegSettings -Level $level -polXML $userSettings} - $polchecks += {Get-GPOIniFiles -Level $level -polXML $computerSettings} - $polchecks += {Get-GPOIniFiles -Level $level -polXML $userSettings} - $polchecks += {Get-GPOEnvVars -Level $level -polXML $computerSettings} - $polchecks += {Get-GPOEnvVars -Level $level -polXML $userSettings} + $polchecks += {Get-GPOMSIInstallation -Level $level -polXML $userSettings} + $polchecks += {Get-GPOMSIInstallation -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPOUserRights -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOSchedTasks -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOFolderRedirection -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOFilePerms -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOSecurityOptions -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOAccountSettings -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPONetworkShares -Level $level -polXml $xmlgpo} + #$polchecks += {Get-GPOFolders -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOFolders -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPORegSettings -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPORegSettings -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOIniFiles -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPOIniFiles -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOEnvVars -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPOEnvVars -Level $level -polXML $userSettings} $polchecks += {Get-GPOShortcuts -Level $level -polXml $userSettings} $polchecks += {Get-GPOShortcuts -Level $level -polXml $computerSettings} @@ -1332,7 +1396,9 @@ Function Invoke-AuditGPOReport { ParameterSetName='WithoutFile', Mandatory=$false )] [ValidateSet(1,2,3)] - [int]$level = 2 + [int]$level = 2, + + [switch]$online ) Write-Banner 
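Review bot: Commenting out 22 of the 26 `$polchecks` entries silently disables most of the audit for everyone running the script; this reads as a local debugging shortcut committed by accident rather than an intended change, and the same block is toggled back on in `PATCH 4/9` and off again in `PATCH 5/9` below. If a reduced set is wanted during development, select it with a parameter rather than by editing the list. The Get-GPOMSIInstallation entries now run against `$userSettings` and `$computerSettings`, which is consistent with that function's XPath change in the hunk above.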
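Review bot: The new `[switch]$online` parameter carries no description, and its effect is not obvious from the name: it causes Get-ACL and a write-open probe to be run against every `\\`-prefixed path found in the policies, so an audit that was previously a pure read of an XML report now opens connections to whichever file servers the GPOs reference. Suggest a comment line above it, e.g. `# Resolve \\-prefixed source paths from the policies and report their owner/ACL; needs network reachability to the domain and the referenced shares.` Invoke-AuditGPOReport's param block starts outside the hunk.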
@@ -1353,6 +1419,20 @@ Function Invoke-AuditGPOReport { $Global:showDisabled = 1 } + # quick and dirty check to make sure that if the user said to do 'online' checks that we can actually reach the domain. + $Global:onlineChecks = 0 + if ($online) { + try { + net accounts /domain 1> $null + $Global:onlineChecks = 1 + } + catch { + Write-Output "Couldn't talk to the domain, falling back to offline mode." + $Global:onlineChecks =0 + } + + } + if ($lazyMode) { $requiredModules = @('GroupPolicy') $requiredModules | Import-Module -Verbose:$false -ErrorAction SilentlyContinue @@ -1395,3 +1475,4 @@ Function Invoke-AuditGPOReport { Write-Output $stats } +Invoke-AuditGPOReport -path C:\temp\gporeport.xml -Level 1 -online \ No newline at end of file From 0394fa394af0cd821545115227159ed563fdb420 Mon Sep 17 00:00:00 2001 From: Mike Loss Date: Mon, 5 Feb 2018 11:37:44 +0800 Subject: [PATCH 3/9] fuck --- grouper.ps1 | 1 - 1 file changed, 1 deletion(-) diff --git a/grouper.ps1 b/grouper.ps1 index 1f9dd6c..8ec574f 100644 --- a/grouper.ps1 +++ b/grouper.ps1 @@ -1475,4 +1475,3 @@ Function Invoke-AuditGPOReport { Write-Output $stats } -Invoke-AuditGPOReport -path C:\temp\gporeport.xml -Level 1 -online \ No newline at end of file From 0b27bc8ddf18e0781e333ef606763cc016127d13 Mon Sep 17 00:00:00 2001 From: Mike Loss Date: Mon, 5 Feb 2018 12:58:07 +0800 Subject: [PATCH 4/9] added 'can current user write' checks --- grouper.ps1 | 70 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 22 deletions(-) diff --git a/grouper.ps1 b/grouper.ps1 index 8ec574f..e75f367 100644 --- a/grouper.ps1 +++ b/grouper.ps1 @@ -76,7 +76,6 @@ $Global:boringTrustees = @() $Global:boringTrustees += "BUILTIN\Administrators" $Global:boringTrustees += "NT AUTHORITY\SYSTEM" - #____________________ GPO Check functions _______________ # There's a whole pile of these functions. Each one consumes a single object from a Get-GPOReport XML report, 
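Review bot: The try/catch around `net accounts /domain` cannot detect an unreachable domain, because a native command's non-zero exit status is not a terminating error in PowerShell; the catch only fires if the executable itself cannot be started, so `$Global:onlineChecks` ends up 1 whenever `net.exe` exists. Test the exit code instead: `net accounts /domain *> $null`, then `if ($LASTEXITCODE -eq 0) { $Global:onlineChecks = 1 } else { Write-Output "Couldn't talk to the domain, falling back to offline mode." }`, and the try/catch can go. With `1> $null` alone, net's own error text presumably still reaches the console, which the `*>` redirection also covers. Invoke-AuditGPOReport continues outside the hunk.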
@@ -397,6 +396,13 @@ Function Get-GPOMSIInstallation { } Write-NoEmpties -output $output if ($MSIPathAccess) { + "`r`n" + Try {[io.file]::OpenWrite($MSIPath).close() + Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" + } + Catch { + Write-Output "Current user $env:username does not have write permissions on source file." + } "`r`n" Write-Title -Text "Permissions on source file:" -DividerChar "-" Write-Output $MSIPathAccess @@ -445,6 +451,12 @@ Function Get-GPOScripts { Write-NoEmpties -output $output if ($commandPathAccess) { "`r`n" + Try {[io.file]::OpenWrite($commandPath).close() + Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" + } + Catch { + Write-Output "Current user $env:username does not have write permissions on source file." + } Write-Title -Text "Permissions on source file:" -DividerChar "-" Write-Output $commandPathAccess } @@ -489,6 +501,13 @@ Function Get-GPOFileUpdate { } Write-NoEmpties -output $output if ($fromPathAccess) { + "`r`n" + Try {[io.file]::OpenWrite($fromPath).close() + Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" + } + Catch { + Write-Output "Current user $env:username does not have write permissions on source file." + } Write-Title -Text "Permissions on source file:" -DividerChar "-" Write-Output $fromPathAccess } @@ -1089,6 +1108,13 @@ Function Get-GPOShortcuts { } Write-NoEmpties -output $output if ($targetPathAccess) { + "`r`n" + Try {[io.file]::OpenWrite($targetPath).close() + Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" + } + Catch { + Write-Output "Current user $env:username does not have write permissions on source file." + } "`r`n" Write-Title -Text "Permissions on source file:" -DividerChar "-" Write-Output $targetPathAccess 
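Review bot: `[io.file]::OpenWrite($MSIPath)` opens with create-if-missing semantics, so if the file has disappeared between the Get-ACL call and the probe, or `$MSIPathAccess` is stale from an earlier iteration (it is never reset), a successful probe leaves a new empty file on the share; an audit tool should not create files on SYSVOL or a software-distribution share. Use `[io.file]::Open($MSIPath, 'Open', 'Write').Close()` so a missing file fails the probe instead of being created, and expect the write-open itself to show up in file-access auditing on the server. The identical nine-line probe is pasted into the Get-GPOScripts, Get-GPOFileUpdate and Get-GPOShortcuts hunks below; a single `Test-CurrentUserCanWrite -Path $p` helper returning a boolean would keep the four copies from drifting, which they already do in where the `"`r`n"` lines sit.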
@@ -1229,33 +1255,33 @@ Function Invoke-AuditGPO { # Build an array of all our Get-GPO* check scriptblocks $polchecks = @() - #$polchecks += {Get-GPORegKeys -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPORegKeys -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOUsers -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOUsers -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPOGroups -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOGroups -Level $level -polXML $computerSettings} + $polchecks += {Get-GPORegKeys -Level $level -polXML $computerSettings} + $polchecks += {Get-GPORegKeys -Level $level -polXML $userSettings} + $polchecks += {Get-GPOUsers -Level $level -polXML $userSettings} + $polchecks += {Get-GPOUsers -Level $level -polXML $computerSettings} + $polchecks += {Get-GPOGroups -Level $level -polXML $userSettings} + $polchecks += {Get-GPOGroups -Level $level -polXML $computerSettings} $polchecks += {Get-GPOScripts -Level $level -polXML $userSettings} $polchecks += {Get-GPOScripts -Level $level -polXML $computerSettings} $polchecks += {Get-GPOFileUpdate -Level $level -polXML $userSettings} $polchecks += {Get-GPOFileUpdate -Level $level -polXML $computerSettings} $polchecks += {Get-GPOMSIInstallation -Level $level -polXML $userSettings} $polchecks += {Get-GPOMSIInstallation -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPOUserRights -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOSchedTasks -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOFolderRedirection -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOFilePerms -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOSecurityOptions -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOAccountSettings -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPONetworkShares -Level $level -polXml $xmlgpo} - #$polchecks += {Get-GPOFolders -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOFolders 
-Level $level -polXML $computerSettings} - #$polchecks += {Get-GPORegSettings -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPORegSettings -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOIniFiles -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPOIniFiles -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOEnvVars -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPOEnvVars -Level $level -polXML $userSettings} + $polchecks += {Get-GPOUserRights -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOSchedTasks -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOFolderRedirection -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOFilePerms -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOSecurityOptions -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOAccountSettings -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPONetworkShares -Level $level -polXml $xmlgpo} + $polchecks += {Get-GPOFolders -Level $level -polXML $userSettings} + $polchecks += {Get-GPOFolders -Level $level -polXML $computerSettings} + $polchecks += {Get-GPORegSettings -Level $level -polXML $computerSettings} + $polchecks += {Get-GPORegSettings -Level $level -polXML $userSettings} + $polchecks += {Get-GPOIniFiles -Level $level -polXML $computerSettings} + $polchecks += {Get-GPOIniFiles -Level $level -polXML $userSettings} + $polchecks += {Get-GPOEnvVars -Level $level -polXML $computerSettings} + $polchecks += {Get-GPOEnvVars -Level $level -polXML $userSettings} $polchecks += {Get-GPOShortcuts -Level $level -polXml $userSettings} $polchecks += {Get-GPOShortcuts -Level $level -polXml $computerSettings} From dc0601f6c6b6e3cb6d1e5832dd53dbd196784376 Mon Sep 17 00:00:00 2001 From: Mike Loss Date: Mon, 5 Feb 2018 13:50:08 +0800 Subject: [PATCH 5/9] fixed some error handling --- grouper.ps1 | 104 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 63 insertions(+), 41 deletions(-) 
diff --git a/grouper.ps1 b/grouper.ps1 index e75f367..9bbce82 100644 --- a/grouper.ps1 +++ b/grouper.ps1 @@ -388,11 +388,17 @@ Function Get-GPOMSIInstallation { $output.Add("Path", $MSIPath) if ($Global:onlineChecks -eq 1) { if ($MSIPath.StartsWith("\\")) { - $MSIPathACL = Get-ACL $MSIPath - $MSIPathOwner = $MSIPathACL.Owner - $MSIPathAccess = $MSIPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $MSIPathOwner) + try { + $MSIPathACL = Get-ACL $MSIPath -ErrorAction Stop + $MSIPathOwner = $MSIPathACL.Owner + $MSIPathAccess = $MSIPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $MSIPathOwner) + } + catch [System.Exception] { + Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + } } + } Write-NoEmpties -output $output if ($MSIPathAccess) { @@ -400,7 +406,7 @@ Function Get-GPOMSIInstallation { Try {[io.file]::OpenWrite($MSIPath).close() Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" } - Catch { + Catch [System.Exception] { Write-Output "Current user $env:username does not have write permissions on source file." } "`r`n" 
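Review bot: The new catch block emits `Failed to read source file ACL. File could be missing or we might not have permissions to read it.` via Write-Output, so the diagnostic goes into the function's report output without naming the path that failed, and the same text is pasted into the Get-GPOScripts, Get-GPOFileUpdate and Get-GPOShortcuts hunks below. `Write-Warning "Failed to read ACL on $MSIPath (missing, or no read permission)."` keeps the report stream clean and tells the reader which file to look at. After the catch, `$MSIPathAccess` still holds the previous iteration's value, so the following `if ($MSIPathAccess)` prints an unrelated ACL under the setting whose read just failed. Changing `Catch` to `Catch [System.Exception]` on the OpenWrite probe is a no-op relative to the bare form, and the Get-GPOShortcuts hunk keeps the bare form, so both styles now coexist.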
@@ -441,14 +447,21 @@ Function Get-GPOScripts { if ($Global:onlineChecks -eq 1) { if ($commandPath.StartsWith("\\")) { - $commandPathACL = Get-ACL $commandPath - $commandPathOwner = $commandPathACL.Owner - $commandPathAccess = $commandPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $commandPathOwner) + try { + $commandPathACL = Get-ACL $commandPath -ErrorAction Stop + $commandPathOwner = $commandPathACL.Owner + $commandPathAccess = $commandPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $commandPathOwner) + } + catch [System.Exception] { + Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + } + } } Write-NoEmpties -output $output + if ($commandPathAccess) { "`r`n" Try {[io.file]::OpenWrite($commandPath).close() 
@@ -493,19 +506,24 @@ Function Get-GPOFileUpdate { $output.Add("targetPath", $setting.Properties.targetPath) if ($Global:onlineChecks -eq 1) { if ($fromPath.StartsWith("\\")) { - $fromPathACL = Get-ACL $fromPath - $fromPathOwner = $fromPathACL.Owner - $fromPathAccess = $fromPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $fromPathOwner) + try { + $fromPathACL = Get-ACL $fromPath -ErrorAction Stop + $fromPathOwner = $fromPathACL.Owner + $fromPathAccess = $fromPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $fromPathOwner) + } + catch [System.Exception] { + Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + } } } Write-NoEmpties -output $output if ($fromPathAccess) { "`r`n" Try {[io.file]::OpenWrite($fromPath).close() - Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" + Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" } - Catch { + Catch [System.Exception] { Write-Output "Current user $env:username does not have write permissions on source file." } Write-Title -Text "Permissions on source file:" -DividerChar "-" 
@@ -1100,10 +1118,15 @@ Function Get-GPOShortcuts { $output.Add("shortcutPath", $setting.properties.shortcutPath) if ($Global:onlineChecks -eq 1) { if ($targetPath.StartsWith("\\")) { - $targetPathACL = Get-ACL $targetPath - $targetPathOwner = $targetPathACL.Owner - $targetPathAccess = $targetPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $targetPathOwner) + try { + $targetPathACL = Get-ACL $targetPath -ErrorAction Stop + $targetPathOwner = $targetPathACL.Owner + $targetPathAccess = $targetPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $targetPathOwner) + } + catch { + Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + } } } Write-NoEmpties -output $output 
@@ -1255,33 +1278,33 @@ Function Invoke-AuditGPO { # Build an array of all our Get-GPO* check scriptblocks $polchecks = @() - $polchecks += {Get-GPORegKeys -Level $level -polXML $computerSettings} - $polchecks += {Get-GPORegKeys -Level $level -polXML $userSettings} - $polchecks += {Get-GPOUsers -Level $level -polXML $userSettings} - $polchecks += {Get-GPOUsers -Level $level -polXML $computerSettings} - $polchecks += {Get-GPOGroups -Level $level -polXML $userSettings} - $polchecks += {Get-GPOGroups -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPORegKeys -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPORegKeys -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOUsers -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOUsers -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPOGroups -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOGroups -Level $level -polXML $computerSettings} $polchecks += {Get-GPOScripts -Level $level -polXML $userSettings} $polchecks += {Get-GPOScripts -Level $level -polXML $computerSettings} $polchecks += {Get-GPOFileUpdate -Level $level -polXML $userSettings} $polchecks += {Get-GPOFileUpdate -Level $level -polXML $computerSettings} $polchecks += {Get-GPOMSIInstallation -Level $level -polXML $userSettings} $polchecks += {Get-GPOMSIInstallation -Level $level -polXML $computerSettings} - $polchecks += {Get-GPOUserRights -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOSchedTasks -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOFolderRedirection -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOFilePerms -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOSecurityOptions -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPOAccountSettings -Level $level -polXML $xmlgpo} - $polchecks += {Get-GPONetworkShares -Level $level -polXml $xmlgpo} - $polchecks += {Get-GPOFolders -Level $level -polXML $userSettings} - $polchecks += {Get-GPOFolders -Level 
$level -polXML $computerSettings} - $polchecks += {Get-GPORegSettings -Level $level -polXML $computerSettings} - $polchecks += {Get-GPORegSettings -Level $level -polXML $userSettings} - $polchecks += {Get-GPOIniFiles -Level $level -polXML $computerSettings} - $polchecks += {Get-GPOIniFiles -Level $level -polXML $userSettings} - $polchecks += {Get-GPOEnvVars -Level $level -polXML $computerSettings} - $polchecks += {Get-GPOEnvVars -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOUserRights -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOSchedTasks -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOFolderRedirection -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOFilePerms -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOSecurityOptions -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPOAccountSettings -Level $level -polXML $xmlgpo} + #$polchecks += {Get-GPONetworkShares -Level $level -polXml $xmlgpo} + #$polchecks += {Get-GPOFolders -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOFolders -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPORegSettings -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPORegSettings -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOIniFiles -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPOIniFiles -Level $level -polXML $userSettings} + #$polchecks += {Get-GPOEnvVars -Level $level -polXML $computerSettings} + #$polchecks += {Get-GPOEnvVars -Level $level -polXML $userSettings} $polchecks += {Get-GPOShortcuts -Level $level -polXml $userSettings} $polchecks += {Get-GPOShortcuts -Level $level -polXml $computerSettings} @@ -1500,4 +1523,3 @@ Function Invoke-AuditGPOReport { $stats += ('Total GPOs: {0}' -f $gpocount) Write-Output $stats } - From 42e842d95bd22143832268e8dd7ffc0da95a9183 Mon Sep 17 00:00:00 2001 
From: Mike Loss Date: Mon, 5 Feb 2018 14:53:07 +0800 Subject: [PATCH 6/9] Fixed things --- grouper.ps1 | 226 ++++++++++++++++++++++++++++------------------------ 1 file changed, 120 insertions(+), 106 deletions(-) diff --git a/grouper.ps1 b/grouper.ps1 index 9bbce82..41f294c 100644 --- a/grouper.ps1 +++ b/grouper.ps1 
@@ -381,40 +381,43 @@ Function Get-GPOMSIInstallation { if ($MSIInstallation) { foreach ($setting in $MSIInstallation) { - if ($level -le 2) { - $output = @{} - $MSIPath = $setting.Path - $output.Add("Name", $setting.Name) - $output.Add("Path", $MSIPath) - if ($Global:onlineChecks -eq 1) { - if ($MSIPath.StartsWith("\\")) { - try { - $MSIPathACL = Get-ACL $MSIPath -ErrorAction Stop - $MSIPathOwner = $MSIPathACL.Owner - $MSIPathAccess = $MSIPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $MSIPathOwner) + $output = @{} + $MSIPath = $setting.Path + $output.Add("Name", $setting.Name) + $output.Add("Path", $MSIPath) + + if ($Global:onlineChecks -eq 1) { + if ($MSIPath.StartsWith("\\")) { + try { + $MSIPathACL = Get-ACL $MSIPath -ErrorAction Stop + $MSIPathOwner = $MSIPathACL.Owner + $MSIPathAccess = $MSIPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $MSIPathOwner) + Try { + [io.file]::OpenWrite($MSIPath).close() + Write-Output "Current user $env:username has write permissions on source file!" + $settingisVulnerable = 1 } - catch [System.Exception] { - Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + Catch { + Write-Output "Current user $env:username does not have write permissions on source file." } } - + catch [System.Exception] { + Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + } + } + } + + if (($level -le 2) -Or (($level -le 3) -And ($settingisVulnerable -eq 1))) { Write-NoEmpties -output $output if ($MSIPathAccess) { - "`r`n" - Try {[io.file]::OpenWrite($MSIPath).close() - Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" 
- } - Catch [System.Exception] { - Write-Output "Current user $env:username does not have write permissions on source file." - } - "`r`n" - Write-Title -Text "Permissions on source file:" -DividerChar "-" + "" + Write-Title -Text "Permissions on source file:" -DividerChar "-" Write-Output $MSIPathAccess } - "`r`n" } + "`r`n" } } } 
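Review bot: `$settingisVulnerable` is never reset to 0 at the top of the foreach in Get-GPOMSIInstallation, so once one MSI path is writable every later setting in the same GPO passes the level-3 gate as vulnerable; the Get-GPOScripts hunk below does reset it (`$settingIsVulnerable = 0`) and this one needs the same line after `$output = @{}`. The `($level -le 3)` term is always true given `[ValidateSet(1,2,3)]` on `$level`, so the gate reduces to `if (($level -le 2) -Or ($settingisVulnerable -eq 1))`. The probe verdicts (`Current user … has/does not have write permissions …`) are written inside the try, before and independently of that gate, so at level 3 a non-vulnerable setting prints a verdict with no setting under it, and at levels 1-2 the verdict appears above the setting it describes; storing it in `$output` (e.g. `$output.Add("CurrentUserCanWrite", "Yes")`) and letting Write-NoEmpties print it inside the gate fixes both, here and in the Get-GPOScripts hunk. `$MSIPathAccess` is still carried over between iterations.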
@@ -438,43 +441,45 @@ Function Get-GPOScripts { if ($settingsScripts) { foreach ($setting in $settingsScripts) { $commandPath = $setting.Command - - if ($level -le 2) { - $output = @{} - $output.Add("Command", $commandPath) - $output.Add("Type", $setting.Type) - $output.Add("Parameters", $setting.Parameters) - - if ($Global:onlineChecks -eq 1) { - if ($commandPath.StartsWith("\\")) { - try { - $commandPathACL = Get-ACL $commandPath -ErrorAction Stop - $commandPathOwner = $commandPathACL.Owner - $commandPathAccess = $commandPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $commandPathOwner) + $output = @{} + $output.Add("Command", $commandPath) + $output.Add("Type", $setting.Type) + $output.Add("Parameters", $setting.Parameters) + $settingIsVulnerable = 0 + + if ($Global:onlineChecks -eq 1) { + if ($commandPath.StartsWith("\\")) { + try { + $commandPathACL = Get-ACL $commandPath -ErrorAction Stop + $commandPathOwner = $commandPathACL.Owner + $commandPathAccess = $commandPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $commandPathOwner) + Try { + [io.file]::OpenWrite($commandPath).close() + Write-Output "Current user $env:username has write permissions on source file!" + $settingisVulnerable = 1 } - catch [System.Exception] { - Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + Catch { + Write-Output "Current user $env:username does not have write permissions on source file." } - } + catch [System.Exception] { + Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." 
+ } + } - + } + + if (($level -le 2) -Or (($level -le 3) -And ($settingisVulnerable -eq 1))) { Write-NoEmpties -output $output - if ($commandPathAccess) { - "`r`n" - Try {[io.file]::OpenWrite($commandPath).close() - Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" - } - Catch { - Write-Output "Current user $env:username does not have write permissions on source file." - } + "" Write-Title -Text "Permissions on source file:" -DividerChar "-" Write-Output $commandPathAccess } - "`r`n" } + "`r`n" + } } } 
@@ -498,39 +503,45 @@ Function Get-GPOFileUpdate { if ($settingsFiles) { foreach ($setting in $settingsFiles.File) { $fromPath = $setting.Properties.fromPath - if ((($level -le 2) -And ($fromPath.StartsWith("\\"))) -Or ($level -eq 1)) { - $output = @{} - $output.Add("Name", $setting.name) - $output.Add("Action", $setting.Properties.action) - $output.Add("fromPath", $fromPath) - $output.Add("targetPath", $setting.Properties.targetPath) - if ($Global:onlineChecks -eq 1) { - if ($fromPath.StartsWith("\\")) { - try { - $fromPathACL = Get-ACL $fromPath -ErrorAction Stop - $fromPathOwner = $fromPathACL.Owner - $fromPathAccess = $fromPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $fromPathOwner) + $targetPath = $setting.Properties.targetPath + $output = @{} + $output.Add("Name", $setting.name) + $output.Add("Action", $setting.Properties.action) + $output.Add("fromPath", $fromPath) + $output.Add("targetPath", $targetPath) + $settingIsVulnerable = 0 + + if ($Global:onlineChecks -eq 1) { + if ($fromPath.StartsWith("\\")) { + try { + $fromPathACL = Get-ACL $fromPath -ErrorAction Stop + $fromPathOwner = $fromPathACL.Owner + $fromPathAccess = $fromPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $fromPathOwner) + Try { + [io.file]::OpenWrite($fromPath).close() + Write-Output "Current user $env:username has write permissions on source file!" + $settingisVulnerable = 1 } - catch [System.Exception] { - Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + Catch { + Write-Output "Current user $env:username does not have write permissions on source file." } } + catch [System.Exception] { + Write-Output "Failed to read source file ACL. 
File could be missing or we might not have permissions to read it." + } } + } + + if (($level -le 2) -Or (($level -le 3) -And ($settingisVulnerable -eq 1))) { Write-NoEmpties -output $output if ($fromPathAccess) { - "`r`n" - Try {[io.file]::OpenWrite($fromPath).close() - Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" - } - Catch [System.Exception] { - Write-Output "Current user $env:username does not have write permissions on source file." - } - Write-Title -Text "Permissions on source file:" -DividerChar "-" + "" + Write-Title -Text "Permissions on source file:" -DividerChar "-" Write-Output $fromPathAccess } - "`r`n" } + "`r`n" } } } 
@@ -1104,46 +1115,48 @@ Function Get-GPOShortcuts { # Iterate over array of settings, writing out only those we care about. foreach ($setting in $settingsShortcuts) { $targetPath = $setting.properties.targetPath - if (($level -eq 1) -Or (($level -le 2) -And ($targetPath.StartsWith("\\")))) { - $output = @{} - $output.Add("Name", $setting.name) - $output.Add("Status", $setting.status) - $output.Add("targetType", $setting.properties.targetType) - $output.Add("Action", $setting.properties.Action) - $output.Add("comment", $setting.properties.comment) - $output.Add("startIn", $setting.properties.startIn) - $output.Add("arguments", $setting.properties.arguments) - $output.Add("targetPath", $setting.properties.targetPath) - $output.Add("iconPath", $setting.properties.iconPath) - $output.Add("shortcutPath", $setting.properties.shortcutPath) - if ($Global:onlineChecks -eq 1) { - if ($targetPath.StartsWith("\\")) { - try { - $targetPathACL = Get-ACL $targetPath -ErrorAction Stop - $targetPathOwner = $targetPathACL.Owner - $targetPathAccess = $targetPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $targetPathOwner) + $output = @{} + $output.Add("Name", $setting.name) + $output.Add("Status", $setting.status) + $output.Add("targetType", $setting.properties.targetType) + $output.Add("Action", $setting.properties.Action) + $output.Add("comment", $setting.properties.comment) + $output.Add("startIn", $setting.properties.startIn) + $output.Add("arguments", $setting.properties.arguments) + $output.Add("targetPath", $setting.properties.targetPath) + $output.Add("iconPath", $setting.properties.iconPath) + $output.Add("shortcutPath", $setting.properties.shortcutPath) + if ($Global:onlineChecks -eq 1) { + if ($targetPath.StartsWith("\\")) { + try { + $targetPathACL = Get-ACL $targetPath -ErrorAction Stop + $targetPathOwner = $targetPathACL.Owner + 
$targetPathAccess = $targetPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $output.Add("Owner", $targetPathOwner) + Try { + [io.file]::OpenWrite($targetPath).close() + Write-Output "Current user $env:username has write permissions on source file!" + $settingisVulnerable = 1 } - catch { - Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + Catch { + Write-Output "Current user $env:username does not have write permissions on source file." } } + catch [System.Exception] { + Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + } } + } + + if (($level -le 2) -Or (($level -le 3) -And ($settingisVulnerable -eq 1))) { Write-NoEmpties -output $output if ($targetPathAccess) { - "`r`n" - Try {[io.file]::OpenWrite($targetPath).close() - Write-Title -Color Red -Text "Current user $env:username has write permissions on source file!" - } - Catch { - Write-Output "Current user $env:username does not have write permissions on source file." - } - "`r`n" + "" Write-Title -Text "Permissions on source file:" -DividerChar "-" Write-Output $targetPathAccess } - "`r`n" } + "`r`n" } } } @@ -1523,3 +1536,4 @@ Function Invoke-AuditGPOReport { $stats += ('Total GPOs: {0}' -f $gpocount) Write-Output $stats } + From 31c56f78920b57c2ae949d3eb60900b3a35ff01b Mon Sep 17 00:00:00 2001 From: Mike Loss Date: Thu, 8 Feb 2018 10:46:51 +0800 Subject: [PATCH 7/9] turned ACL check into a function --- TODO | 3 +- grouper.ps1 | 111 +++++++++++++++++++++------------------------------- 2 files changed, 47 insertions(+), 67 deletions(-) diff --git a/TODO b/TODO index f6181a0..8f0c968 100644 --- a/TODO +++ b/TODO 
@@ -2,4 +2,5 @@ Get-GPORegSettings - implement filtering - very noisy Get-GPORegSettings - fix output of .value Get-GPOFilePerms - parse SDDL Get-GPOAccountSettings - implement filtering -Get-GPOFolderRedirection - get permissions on target path \ No newline at end of file +Get-GPOFolderRedirection - get permissions on target path + diff --git a/grouper.ps1 b/grouper.ps1 index 41f294c..217f896 100644 --- a/grouper.ps1 +++ b/grouper.ps1 @@ -388,24 +388,12 @@ Function Get-GPOMSIInstallation { if ($Global:onlineChecks -eq 1) { if ($MSIPath.StartsWith("\\")) { - try { - $MSIPathACL = Get-ACL $MSIPath -ErrorAction Stop - $MSIPathOwner = $MSIPathACL.Owner - $MSIPathAccess = $MSIPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $MSIPathOwner) - Try { - [io.file]::OpenWrite($MSIPath).close() - Write-Output "Current user $env:username has write permissions on source file!" - $settingisVulnerable = 1 - } - Catch { - Write-Output "Current user $env:username does not have write permissions on source file." - } - } - catch [System.Exception] { - Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + $ACLData = Find-IntACL -Path $MSIPath + $output.Add("Owner",$ACLData["Owner"]) + if ($ACLData["Vulnerable"] -eq "True") { + $settingisvulnerable = 1 } - + $MSIPathAccess = $ACLData["Trustees"] } } 
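Review bot: The `Find-IntACL` result is only compared against `"True"`, so the `"Error"` outcome (ACL unreadable or file missing) is now silent — the previous "Failed to read source file ACL" message is dropped, and because the helper adds no `Owner`/`Trustees` keys on error, `$output` ends up with a null Owner and no indication that the check could not run. The same applies to the Get-GPOScripts, Get-GPOFileUpdate and Get-GPOShortcuts hunks of this patch. An explicit branch such as `elseif ($ACLData["Vulnerable"] -eq "Error") { $output.Add("ACL", "Could not read source file ACL") }` would let a reader tell "not writable" from "not checked". Get-GPOMSIInstallation starts before this hunk.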
@@ -449,24 +437,12 @@ Function Get-GPOScripts { if ($Global:onlineChecks -eq 1) { if ($commandPath.StartsWith("\\")) { - try { - $commandPathACL = Get-ACL $commandPath -ErrorAction Stop - $commandPathOwner = $commandPathACL.Owner - $commandPathAccess = $commandPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $commandPathOwner) - Try { - [io.file]::OpenWrite($commandPath).close() - Write-Output "Current user $env:username has write permissions on source file!" - $settingisVulnerable = 1 - } - Catch { - Write-Output "Current user $env:username does not have write permissions on source file." - } + $ACLData = Find-IntACL -Path $commandPath + $output.Add("Owner",$ACLData["Owner"]) + if ($ACLData["Vulnerable"] -eq "True") { + $settingisvulnerable = 1 } - catch [System.Exception] { - Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." - } - + $commandPathAccess = $ACLData["Trustees"] } } 
@@ -513,23 +489,12 @@ Function Get-GPOFileUpdate { if ($Global:onlineChecks -eq 1) { if ($fromPath.StartsWith("\\")) { - try { - $fromPathACL = Get-ACL $fromPath -ErrorAction Stop - $fromPathOwner = $fromPathACL.Owner - $fromPathAccess = $fromPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $fromPathOwner) - Try { - [io.file]::OpenWrite($fromPath).close() - Write-Output "Current user $env:username has write permissions on source file!" - $settingisVulnerable = 1 - } - Catch { - Write-Output "Current user $env:username does not have write permissions on source file." - } - } - catch [System.Exception] { - Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + $ACLData = Find-IntACL -Path $fromPath + $output.Add("Owner",$ACLData["Owner"]) + if ($ACLData["Vulnerable"] -eq "True") { + $settingisvulnerable = 1 } + $fromPathAccess = $ACLData["Trustees"] } } 
@@ -1128,23 +1093,12 @@ Function Get-GPOShortcuts { $output.Add("shortcutPath", $setting.properties.shortcutPath) if ($Global:onlineChecks -eq 1) { if ($targetPath.StartsWith("\\")) { - try { - $targetPathACL = Get-ACL $targetPath -ErrorAction Stop - $targetPathOwner = $targetPathACL.Owner - $targetPathAccess = $targetPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference - $output.Add("Owner", $targetPathOwner) - Try { - [io.file]::OpenWrite($targetPath).close() - Write-Output "Current user $env:username has write permissions on source file!" - $settingisVulnerable = 1 - } - Catch { - Write-Output "Current user $env:username does not have write permissions on source file." - } - } - catch [System.Exception] { - Write-Output "Failed to read source file ACL. File could be missing or we might not have permissions to read it." + $ACLData = Find-IntACL -Path $targetPath + $output.Add("Owner",$ACLData["Owner"]) + if ($ACLData["Vulnerable"] -eq "True") { + $settingisvulnerable = 1 } + $targetPathAccess = $ACLData["Trustees"] } } 
@@ -1259,6 +1213,30 @@ Function Write-Banner { } } +Function Find-IntACL { + Param ( + [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()][string]$Path + ) + $ACLData = @{} + try { + $targetPathACL = Get-ACL $Path -ErrorAction Stop + $targetPathOwner = $targetPathACL.Owner + $targetPathAccess = $targetPathACL.Access | Where-Object {-Not ($Global:boringTrustees -Contains $_.IdentityReference)} | select FileSystemRights,AccessControlType,IdentityReference + $ACLData.Add("Owner", $targetPathOwner) + $ACLData.Add("Trustees", $targetPathAccess) + Try { + [io.file]::OpenWrite($targetPath).close() + $ACLData.Add("Vulnerable","True") + } + Catch { + $ACLData.Add("Vulnerable","False") + } + } + catch [System.Exception] { + $ACLData.Add("Vulnerable","Error") + } + return $ACLData +} #_____________________________________________________________________ Function Invoke-AuditGPO { @@ -1537,3 +1515,4 @@ Function Invoke-AuditGPOReport { Write-Output $stats } +#Invoke-AuditGPOReport -Path C:\temp\gporeport.xml -Level 2 -online \ No newline at end of file From 01a474d4acb02d4071f478bf0ecf7a04d85ce257 Mon Sep 17 00:00:00 2001 From: Mike Loss Date: Thu, 8 Feb 2018 11:01:01 +0800 Subject: [PATCH 8/9] removed debug commenting --- grouper.ps1 | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/grouper.ps1 b/grouper.ps1 index 217f896..8a3be60 100644 --- a/grouper.ps1 +++ b/grouper.ps1 
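Review bot: In `Find-IntACL` the write probe opens `$targetPath` rather than the `$Path` parameter, so it only works when the caller happens to have a `$targetPath` in scope — for Get-GPOMSIInstallation and Get-GPOScripts that variable is unset, the open throws, and every installer and script source is reported as not writable, while for Get-GPOFileUpdate it probes the copy destination instead of the source. The line should read `[io.file]::OpenWrite($Path).close()`. Note also that `File.OpenWrite` takes an exclusive write handle (FileShare.None), so a source file currently open elsewhere is reported `"False"` too, and the bare `Catch` does not distinguish that from a permission denial. A header comment on the function, matching the `######` blocks used by the check functions, should document the returned keys (`Owner`, `Trustees`, and `Vulnerable` as True/False/Error) and state that `"False"` can also mean the file was locked at probe time.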
@@ -1269,33 +1269,33 @@ Function Invoke-AuditGPO { # Build an array of all our Get-GPO* check scriptblocks $polchecks = @() - #$polchecks += {Get-GPORegKeys -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPORegKeys -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOUsers -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOUsers -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPOGroups -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOGroups -Level $level -polXML $computerSettings} + $polchecks += {Get-GPORegKeys -Level $level -polXML $computerSettings} + $polchecks += {Get-GPORegKeys -Level $level -polXML $userSettings} + $polchecks += {Get-GPOUsers -Level $level -polXML $userSettings} + $polchecks += {Get-GPOUsers -Level $level -polXML $computerSettings} + $polchecks += {Get-GPOGroups -Level $level -polXML $userSettings} + $polchecks += {Get-GPOGroups -Level $level -polXML $computerSettings} $polchecks += {Get-GPOScripts -Level $level -polXML $userSettings} $polchecks += {Get-GPOScripts -Level $level -polXML $computerSettings} $polchecks += {Get-GPOFileUpdate -Level $level -polXML $userSettings} $polchecks += {Get-GPOFileUpdate -Level $level -polXML $computerSettings} $polchecks += {Get-GPOMSIInstallation -Level $level -polXML $userSettings} $polchecks += {Get-GPOMSIInstallation -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPOUserRights -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOSchedTasks -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOFolderRedirection -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOFilePerms -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOSecurityOptions -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPOAccountSettings -Level $level -polXML $xmlgpo} - #$polchecks += {Get-GPONetworkShares -Level $level -polXml $xmlgpo} - #$polchecks += {Get-GPOFolders -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOFolders 
-Level $level -polXML $computerSettings} - #$polchecks += {Get-GPORegSettings -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPORegSettings -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOIniFiles -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPOIniFiles -Level $level -polXML $userSettings} - #$polchecks += {Get-GPOEnvVars -Level $level -polXML $computerSettings} - #$polchecks += {Get-GPOEnvVars -Level $level -polXML $userSettings} + $polchecks += {Get-GPOUserRights -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOSchedTasks -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOFolderRedirection -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOFilePerms -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOSecurityOptions -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPOAccountSettings -Level $level -polXML $xmlgpo} + $polchecks += {Get-GPONetworkShares -Level $level -polXml $xmlgpo} + $polchecks += {Get-GPOFolders -Level $level -polXML $userSettings} + $polchecks += {Get-GPOFolders -Level $level -polXML $computerSettings} + $polchecks += {Get-GPORegSettings -Level $level -polXML $computerSettings} + $polchecks += {Get-GPORegSettings -Level $level -polXML $userSettings} + $polchecks += {Get-GPOIniFiles -Level $level -polXML $computerSettings} + $polchecks += {Get-GPOIniFiles -Level $level -polXML $userSettings} + $polchecks += {Get-GPOEnvVars -Level $level -polXML $computerSettings} + $polchecks += {Get-GPOEnvVars -Level $level -polXML $userSettings} $polchecks += {Get-GPOShortcuts -Level $level -polXml $userSettings} $polchecks += {Get-GPOShortcuts -Level $level -polXml $computerSettings} From 16f1066ac4df721a7f0f5dda974b4890438bb55a Mon Sep 17 00:00:00 2001 From: Mike Loss Date: Thu, 8 Feb 2018 19:39:11 +0800 Subject: [PATCH 9/9] tidy before push to master --- grouper.ps1 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/grouper.ps1 b/grouper.ps1 index 8a3be60..f8557d0 100644 
--- a/grouper.ps1 +++ b/grouper.ps1 @@ -392,6 +392,7 @@ Function Get-GPOMSIInstallation { $output.Add("Owner",$ACLData["Owner"]) if ($ACLData["Vulnerable"] -eq "True") { $settingisvulnerable = 1 + $output.Add("[!]", "Source file writable by current user!") } $MSIPathAccess = $ACLData["Trustees"] } @@ -441,6 +442,7 @@ Function Get-GPOScripts { $output.Add("Owner",$ACLData["Owner"]) if ($ACLData["Vulnerable"] -eq "True") { $settingisvulnerable = 1 + $output.Add("[!]", "Source file writable by current user!") } $commandPathAccess = $ACLData["Trustees"] } @@ -493,6 +495,7 @@ Function Get-GPOFileUpdate { $output.Add("Owner",$ACLData["Owner"]) if ($ACLData["Vulnerable"] -eq "True") { $settingisvulnerable = 1 + $output.Add("[!]", "Source file writable by current user!") } $fromPathAccess = $ACLData["Trustees"] } @@ -1097,6 +1100,7 @@ Function Get-GPOShortcuts { $output.Add("Owner",$ACLData["Owner"]) if ($ACLData["Vulnerable"] -eq "True") { $settingisvulnerable = 1 + $output.Add("[!]", "Source file writable by current user!") } $targetPathAccess = $ACLData["Trustees"] } @@ -1514,5 +1518,3 @@ Function Invoke-AuditGPOReport { $stats += ('Total GPOs: {0}' -f $gpocount) Write-Output $stats } - -#Invoke-AuditGPOReport -Path C:\temp\gporeport.xml -Level 2 -online \ No newline at end of file