Stars: 152 | Rank: 242,724 (Top 5%) | Language: PowerShell | Created about 1 year ago | Updated 4 months ago

ScriptSentry

ScriptSentry finds misconfigured and dangerous logon scripts.

Additional Planned Features

| Status | Feature | Notes |
|---|---|---|
| Done | Make output an object | Testing successful |
| Done | Multi domain/forest support | Added multi-domain support |
| Done | Check for misconfigured NETLOGON and SYSVOL share | Added check for unsafe permissions |
| Done | Add additional mapped drive checks | Added check for mapped drives via New-SmbMapping (pwsh) & .MapNetworkDrive (vbs) |
| Done | Improved the ASCII art | Because it's fun |
| Done | Improved regex to reduce false positives | Because regex is hard |
| Done | Added support for finding nonexistent shares | Checks DNS for file shares that don't exist |
| Done | Write a blog post about this tool/why I made it | Link to blog post below |
| Done | Add check for logon scripts that have been configured via GPO | Implemented |
| Done | Slight changes to NETLOGON & SYSVOL misconfiguration check & result output | Implemented |
| Done | Simplified the project. Maybe someday I will build an actual PSGallery module | Implemented |
| Done | ScriptSentry now checks all admins for logon scripts, not just Domain Admins | Implemented |
| Done | Added a couple of PowerView functions to make group/user searching easier (Get-DomainSearcher, Get-DomainGroupMember, Get-DomainUser, Get-DomainObject, Convert-LDAPProperty) | Implemented |
| In progress | Additional regex to search for other dangerous stuff in logon scripts | More detections in the pipeline |

Read the blog post

https://offsec.blog/hidden-menace-how-to-identify-misconfigured-and-dangerous-logon-scripts/

Installing & Running

# Clone, run, and display results on the console
git clone https://github.com/techspence/ScriptSentry
.\Invoke-ScriptSentry.ps1

# Run ScriptSentry and save results to a text file
.\Invoke-ScriptSentry.ps1 | Out-File c:\temp\ScriptSentry.txt

# Run ScriptSentry and save results to separate csv files in the current directory
.\Invoke-ScriptSentry.ps1 -SaveOutput $true

Example Output

 _______  _______  _______ _________ _______ _________ _______  _______  _       _________ _______
(  ____ \(  ____ \(  ____ )\__   __/(  ____ )\__   __/(  ____ \(  ____ \( (    /|\__   __/(  ____ )|\     /|
| (    \/| (    \/| (    )|   ) (   | (    )|   ) (   | (    \/| (    \/|  \  ( |   ) (   | (    )|( \   / )
| (_____ | |      | (____)|   | |   | (____)|   | |   | (_____ | (__    |   \ | |   | |   | (____)| \ (_) /
(_____  )| |      |     __)   | |   |  _____)   | |   (_____  )|  __)   | (\ \) |   | |   |     __)  \   /
      ) || |      | (\ (      | |   | (         | |         ) || (      | | \   |   | |   | (\ (      ) (
/\____) || (____/\| ) \ \_____) (___| )         | |   /\____) || (____/\| )  \  |   | |   | ) \ \__   | |
\_______)(_______/|/   \__/\_______/|/          )_(   \_______)(_______/|/    )_)   )_(   |/   \__/   \_/
                              by: Spencer Alessi @techspence
                                          v0.4
                                      __,_______
                                     / __.==---/ * * * * * *
                                    / (-'
                                    `-'
                            Setting phasers to stun, please wait..

########## Unsafe UNC folder permissions ##########

Type                      File                                User     Rights
----                      ----                                ----     ------
UnsafeUNCFolderPermission \\eureka-dc01\fileshare1            Everyone FullControl
UnsafeUNCFolderPermission \\eureka-dc01\fileshare1\accounting Everyone FullControl
UnsafeUNCFolderPermission \\eureka-dc01\fileshare1\IT         Everyone FullControl


########## Unsafe logon script permissions ##########

Type                        File                                                   User                             Rights
----                        ----                                                   ----                             ------
UnsafeLogonScriptPermission \\eureka.local\sysvol\eureka.local\scripts\elevate.vbs NT AUTHORITY\Authenticated Users ReadAndExecute, Synchronize
UnsafeLogonScriptPermission \\eureka.local\sysvol\eureka.local\scripts\run.vbs     NT AUTHORITY\Authenticated Users ReadAndExecute, Synchronize
UnsafeLogonScriptPermission \\eureka.local\sysvol\eureka.local\scripts\test.cmd    EUREKA\Domain Users              Modify, Synchronize


########## Unsafe GPO logon script permissions ##########

Type                           File                             User            Rights
----                           ----                             ----            ------
UnsafeGPOLogonScriptPermission \\eureka-dc01\fileshare1\run.bat EUREKA\testuser Write, ReadAndExecute, Synchronize
UnsafeGPOLogonScriptPermission \\eureka-dc01\fileshare1\run.bat Everyone        FullControl


########## Unsafe UNC file permissions ##########

Type                    File                                              User     Rights
----                    ----                                              ----     ------
UnsafeUNCFilePermission \\eureka-dc01\fileshare1\IT\securit360pentest.bat Everyone FullControl


########## Unsafe NETLOGON/SYSVOL permissions ##########

Type                 Folder                  User                             Rights
----                 ------                  ----                             ------
UnsafeNetlogonSysvol \\eureka.local\NETLOGON EUREKA\Domain Users              Modify, Synchronize
UnsafeNetlogonSysvol \\eureka.local\SYSVOL   NT AUTHORITY\Authenticated Users Modify, Synchronize

########## Plaintext credentials ##########

Type        File                                                   Credential
----        ----                                                   ----------
Credentials \\eureka.local\sysvol\eureka.local\scripts\ADCheck.ps1 $password = ConvertTo-SecureString -String "Password2468!" -AsPlainText -Force
Credentials \\eureka.local\sysvol\eureka.local\scripts\shares.cmd  net use f: \\eureka-dc01\fileshare1\it /user:itadmin Password2468!
Credentials \\eureka.local\sysvol\eureka.local\scripts\test.cmd    net use g: \\eureka-dc01\fileshare1 /user:user1 Password3355!
Credentials \\eureka.local\sysvol\eureka.local\scripts\test.cmd    net use h: \\eureka-dc01\fileshare1\accounting /user:userfoo Password5!

########## Nonexistent Shares ##########

Type             Server             Share                                 Script                                                   DNS Exploitable Admins
----             ------             -----                                 ------                                                   --- ----------- ------
NonexistentShare CUHOLDING          \\CUHOLDING\QUICKBOOKS                \\eureka.local\sysvol\eureka.local\scripts\marketing.bat No  Potentially No    
NonexistentShare eureka-srvnotexist \\eureka-srvnotexist\NonExistingShare \\eureka.local\sysvol\eureka.local\scripts\test.cmd      No  Potentially No    
NonexistentShare NAS                \\NAS\PUBLIC                          \\eureka.local\sysvol\eureka.local\scripts\main.bat      No  Potentially No    
NonexistentShare NAS                \\NAS\SYMITAR                         \\eureka.local\sysvol\eureka.local\scripts\symregOLD.bat No  Potentially No    

########## Admins with logonscripts ##########

Type             User                                                      LogonScript
----             ----                                                      -----------
AdminLogonScript LDAP://CN=Administrator,CN=Users,DC=eureka,DC=local       run.vbs
AdminLogonScript LDAP://CN=it admin,OU=Admins,OU=Eureka,DC=eureka,DC=local elevate.vbs

########## Admins with logonscripts mapped from nonexistent share ##########

Type                   Server             Share                                 Script                                             DNS Exploitable Admins
----                   ------             -----                                 ------                                             --- ----------- ------
ExploitableLogonScript eureka-srvnotexist \\eureka-srvnotexist\NonExistingShare \\eureka.local\sysvol\eureka.local\scripts\test.cmd No  Yes         LDAP://eureka.local/CN=it admin,OU=Admins,OU=Eureka,DC=eureka,DC=local
ExploitableLogonScript eureka-srvnotexist \\eureka-srvnotexist\NonExistingShare \\eureka.local\sysvol\eureka.local\scripts\test.cmd No  Yes         LDAP://eureka.local/CN=user1,OU=Users,OU=Eureka,DC=eureka,DC=local
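Three of the checks shown in the output above (unsafe logon script permissions, plaintext credentials, and shares whose server name no longer resolves), as an added PowerShell example that is not ScriptSentry's own code: it scans a scripts folder read-only, flags Allow ACEs that give a broad principal write rights, matches `net use` and `ConvertTo-SecureString -AsPlainText` credential patterns, and asks the system resolver about every `\\server\share` reference. The function names, the principal list, the rights mask, the regexes and the constructed sample script are assumptions; the sample reuses the server names and passwords from the output above, which will not resolve on your network, and deliberately includes a `/user:name *` prompt form and a `/persistent:no` switch so the credential pattern can be seen skipping both.

```powershell
# Added example, not ScriptSentry's own code. Read-only scan of a logon-script
# folder reproducing three checks from the output above. Function names, the
# principal list, the rights mask and the regexes are assumptions.

# Principals that cover every (or nearly every) domain user.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

# Any of these rights on a script that runs at logon lets the holder change what
# every user of that script executes (Modify and FullControl include Write).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

# Credential patterns. The net use pattern skips "/user:name *" (interactive
# prompt) and "/user:name /persistent:no" (switch, no password); the
# ConvertTo-SecureString pattern only fires on a quoted literal, not a variable.
$CredentialPatterns = @(
    'net\s+use\s+(?:\S+\s+)?\\\\\S+.*?/user:\S+\s+(?![/*])\S+',
    'ConvertTo-SecureString\s+(?:-String\s+)?[''"][^''"$]+[''"]\s+-AsPlainText'
)

function Test-UnsafeScriptAcl {
    # Windows only: reports Allow ACEs that give a broad principal write access.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $broad = ($BroadPrincipals -contains $id) -or ($id -like '*\Domain Users')
        if ($broad -and (($ace.FileSystemRights -band $WriteRights) -ne 0)) {
            [pscustomobject]@{ Type = 'UnsafeLogonScriptPermission'; File = $Path; User = $id; Rights = $ace.FileSystemRights }
        }
    }
}

function Find-PlaintextCredential {
    # Reports each line matching a credential pattern (-match is case-insensitive).
    param([Parameter(Mandatory)][string]$Path)
    $lineNo = 0
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        $lineNo++
        foreach ($pattern in $CredentialPatterns) {
            if ($line -match $pattern) {
                [pscustomobject]@{ Type = 'Credentials'; File = $Path; Line = $lineNo; Credential = $line.Trim() }
                break
            }
        }
    }
}

function Find-UnresolvableShare {
    # Extracts every \\server\share literal (net use, New-SmbMapping and
    # .MapNetworkDrive all use the same form) and resolves the server name.
    param([Parameter(Mandatory)][string]$Path)
    $seen = @{}
    $text = Get-Content -LiteralPath $Path -Raw
    foreach ($m in [regex]::Matches($text, '\\\\([A-Za-z0-9][\w.-]*)\\([^\\\s"'']+)')) {
        $server = $m.Groups[1].Value
        $share  = "\\$server\$($m.Groups[2].Value)"
        if ($seen.ContainsKey($share)) { continue }
        $seen[$share] = $true
        $resolves = $true
        try { [void][System.Net.Dns]::GetHostAddresses($server) } catch { $resolves = $false }
        if (-not $resolves) {
            [pscustomobject]@{ Type = 'NonexistentShare'; Server = $server; Share = $share; Script = $Path; DNS = 'No' }
        }
    }
}

function Invoke-LogonScriptScan {
    param([Parameter(Mandatory)][string]$ScriptFolder)
    Get-ChildItem -LiteralPath $ScriptFolder -File -Recurse |
        Where-Object { $_.Extension -in '.bat', '.cmd', '.vbs', '.ps1' } |
        ForEach-Object {
            # $IsWindows is undefined (so $false) on Windows PowerShell 5.1, hence the version check.
            if ($IsWindows -or $PSVersionTable.PSVersion.Major -le 5) { Test-UnsafeScriptAcl -Path $_.FullName }
            Find-PlaintextCredential -Path $_.FullName
            Find-UnresolvableShare -Path $_.FullName
        }
}

# Constructed sample standing in for \\domain\sysvol\domain\scripts. The server
# names come from the output above and will not resolve on your network, so both
# shares are reported as nonexistent; only the first line carries a password.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'scriptsentry-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
net use g: \\eureka-dc01\fileshare1 /user:user1 Password3355!
net use h: \\eureka-srvnotexist\NonExistingShare /persistent:no
net use i: \\eureka-dc01\fileshare1\IT /user:itadmin *
'@ | Set-Content -LiteralPath (Join-Path $demo 'test.cmd')

Invoke-LogonScriptScan -ScriptFolder $demo | Format-Table -AutoSize
```

Point `Invoke-LogonScriptScan` at a copy of the domain's scripts folder rather than the temp sample to run it for real. The ACL check only reports ACEs that match a known broad principal, so a group-specific grant such as the `EUREKA\testuser` row in the output above needs the principal list extended; the DNS check uses the host's normal resolver, so short names are tried with the configured DNS suffix list, exactly as the logon script itself would.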

More Repositories

1. ADeleginator (PowerShell, 78 stars): A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active Directory
2. HackerArt (HTML, 27 stars): A collection of art inspired by the world of cybersecurity and hacking culture.
3. BadShares (PowerShell, 24 stars): A tool to create randomly insecure file shares that also contain unsecured credential files
4. EWSEmailAttachmentSaver (PowerShell, 14 stars): A PowerShell script that looks for specific emails in an Exchange user's mailbox, downloads the attachments, then marks those emails as read and moves the messages to a processed folder for archiving.
5. Get-UserRDPLogon (PowerShell, 7 stars): A PowerShell module that searches Windows RDP logon events for a specified user, on a specified server, for a specified timeframe.
6. observer (Shell, 6 stars): A blue team tool for watching over domains using bug hunting methodology!
7. PhishingReporter (PowerShell, 6 stars): Report phishing emails and have the notification sent to your security team. A button is created in Outlook using the Microsoft Junk Reporting Add-in and PowerShell for deployment across an enterprise.
8. EmployeeAlerts (PowerShell, 5 stars): A series of PowerShell scripts used to monitor employee Active Directory accounts and send alerts about important events or information
9. BluecoatLogParser (PowerShell, 3 stars): Parses Bluecoat logs for IP, Date, Time, User and Computer.
10. GetPhoneList (PowerShell, 3 stars): A PowerShell script that queries Active Directory for enabled users, sorts them by department and job title, exports the list to CSV, then copies the CSV to a folder
11. xymontoslack (Shell, 2 stars): Send Xymon alerts to Slack
12. Xymon-VMSnap (PowerShell, 2 stars): Gets snapshot information from ESXi and posts it to Xymon
13. SplashPWN (C++, 1 star): A local privilege escalation exploit for Splashtop Streamer for Windows prior to version 3.5.0.0
14. techspence.github.io (JavaScript, 1 star)
15. TrackIT-Reports (Visual Basic, 1 star): Automated daily TrackIT reports using VBScript.
16. DA-ExcelleratorInator (PowerShell, 1 star): A PowerShell script to find where admin and privileged accounts are running Scheduled Tasks and Services
17. gitdork.sh (Shell, 1 star): Get dorky and search GitHub for sensitive information with this simple shell script
18. PhishingFilters (1 star): A repository for filters, regex, logic, etc. for the purposes of detecting all sorts of phishing emails