PowerShell script used to assist in building a risk-scoring spreadsheet for AD privileged groups and users: it turns a pasted list of user-rights assignments into a tab-separated row of 1/blank cells, one column per right, so a per-right baseline risk weight can be applied to each group or user.
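# Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory
#
# Lookup table of Windows user rights / privileges: the human-readable name as
# shown under "User Rights Assignment" in secpol.msc / Group Policy, mapped to
# the SeXxx constant used by secedit, ntrights.exe and security audit events.
# Keeping both names in ONE ordered table (rather than two parallel arrays
# matched by position) makes it impossible to add an entry to one side and
# silently shift every later right onto the wrong constant.
$userrights_table = [ordered]@{
    'Access Credential Manager as a trusted caller'                = 'SeTrustedCredManAccessPrivilege'
    'Access this computer from the network'                        = 'SeNetworkLogonRight'
    'Act as part of the operating system'                          = 'SeTcbPrivilege'
    'Add workstations to domain'                                   = 'SeMachineAccountPrivilege'
    'Adjust memory quotas for a process'                           = 'SeIncreaseQuotaPrivilege'
    'Allow log on locally'                                         = 'SeInteractiveLogonRight'
    'Allow log on through Remote Desktop Services'                 = 'SeRemoteInteractiveLogonRight'
    'Back up files and directories'                                = 'SeBackupPrivilege'
    'Bypass traverse checking'                                     = 'SeChangeNotifyPrivilege'
    'Change the system time'                                       = 'SeSystemtimePrivilege'
    'Change the time zone'                                         = 'SeTimeZonePrivilege'
    'Create a pagefile'                                            = 'SeCreatePagefilePrivilege'
    'Create a token object'                                        = 'SeCreateTokenPrivilege'
    'Create global objects'                                        = 'SeCreateGlobalPrivilege'
    'Create permanent shared objects'                              = 'SeCreatePermanentPrivilege'
    'Create symbolic links'                                        = 'SeCreateSymbolicLinkPrivilege'
    'Debug programs'                                               = 'SeDebugPrivilege'
    'Deny access to this computer from the network'                = 'SeDenyNetworkLogonRight'
    'Deny log on as a batch job'                                   = 'SeDenyBatchLogonRight'
    'Deny log on as a service'                                     = 'SeDenyServiceLogonRight'
    'Deny log on locally'                                          = 'SeDenyInteractiveLogonRight'
    'Deny log on through Terminal Services'                        = 'SeDenyRemoteInteractiveLogonRight'
    'Enable computer and user accounts to be trusted for delegation' = 'SeEnableDelegationPrivilege'
    'Force shutdown from a remote system'                          = 'SeRemoteShutdownPrivilege'
    'Generate security audits'                                     = 'SeAuditPrivilege'
    'Impersonate a client after authentication'                    = 'SeImpersonatePrivilege'
    'Increase a process working set'                               = 'SeIncreaseWorkingSetPrivilege'
    'Increase scheduling priority'                                 = 'SeIncreaseBasePriorityPrivilege'
    'Load and unload device drivers'                               = 'SeLoadDriverPrivilege'
    'Lock pages in memory'                                         = 'SeLockMemoryPrivilege'
    'Log on as a batch job'                                        = 'SeBatchLogonRight'
    'Log on as a service'                                          = 'SeServiceLogonRight'
    'Manage auditing and security log'                             = 'SeSecurityPrivilege'
    'Modify an object label'                                       = 'SeRelabelPrivilege'
    'Modify firmware environment values'                           = 'SeSystemEnvironmentPrivilege'
    'Perform volume maintenance tasks'                             = 'SeManageVolumePrivilege'
    'Profile single process'                                       = 'SeProfileSingleProcessPrivilege'
    'Profile system performance'                                   = 'SeSystemProfilePrivilege'
    'Remove computer from docking station'                         = 'SeUndockPrivilege'
    'Replace a process level token'                                = 'SeAssignPrimaryTokenPrivilege'
    'Restore files and directories'                                = 'SeRestorePrivilege'
    'Shut down the system'                                         = 'SeShutdownPrivilege'
    'Synchronize directory service data'                           = 'SeSyncAgentPrivilege'
    'Take ownership of files or other objects'                     = 'SeTakeOwnershipPrivilege'
}

# The two positional arrays the rest of the script works with are derived from
# the table, so they can never go out of step with each other. Column N of the
# spreadsheet row built below corresponds to $userrights_readable[N-1].
$userrights_readable = @($userrights_table.Keys)
$userrights_constant = @($userrights_table.Values)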
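# Pair each readable right with its constant as one object per right (same
# 'readable' / 'constant' property names as before), so the table can be
# exported (Export-Csv, Out-GridView) or filtered by either name.
# Walk by index instead of IndexOf(): a duplicated readable name would make
# IndexOf() map two rows onto the same constant, and building the array in
# one pass avoids the quadratic `+=` append.
$ntrights = @(for ($idx = 0; $idx -lt $userrights_readable.Count; $idx++) {
    [PSCustomObject]@{
        readable = $userrights_readable[$idx]
        constant = $userrights_constant[$idx]
    }
})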
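# Paste the readable right names held by the group or user being scored here,
# one per line (e.g. from `secedit /export`, a GPO report, or the "User Rights
# Assignment" view in secpol.msc). Spelling must match $userrights_readable
# exactly: the IndexOf() lookup that consumes this list is an ordinal,
# case-sensitive comparison.
$here = @"
Access this computer from the network
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create global objects
Create symbolic links
Debug programs
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Log on as a batch job
Manage auditing and security log
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Restore files and directories
Shut down the system
"@

# A here-string keeps the line endings of the file it is saved in. Splitting
# on "`n" alone would leave a trailing "`r" on every entry when the script is
# saved with CRLF (the Windows default), so no name would ever match the
# lookup table. Split on CRLF or LF, trim stray whitespace, and drop blank
# lines (a blank would otherwise be looked up and warned about).
$listtolookup = @($here -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })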
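# Resolve each pasted right to its 1-based column position in the
# $userrights_readable table (column 1 = first right); these are the columns
# that get a "1" in the spreadsheet row built below.
# IndexOf() returns -1 for an unknown or misspelled name. The old arithmetic
# turned that into position 0, which never matched a column and so silently
# dropped the right — a typo would quietly lower a group's risk score. Warn
# and skip instead so the operator can fix the paste.
$locationstoreplace = @()
foreach ($item in $listtolookup) {
    $pos = $userrights_readable.IndexOf($item)
    if ($pos -lt 0) {
        Write-Warning "Right '$item' is not in `$userrights_readable and will not be scored; check spelling/case."
        continue
    }
    $locationstoreplace += $pos + 1
}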
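# Build one tab-separated spreadsheet row with a column per right, in
# $userrights_readable order: "1" where the group/user holds the right,
# blank otherwise. In the sheet, a per-right risk-weight row is multiplied
# against this row and summed, giving a risk score per group or user that
# can be compared against a threshold for privileged groups.
# NOTE(review): when choosing those weights, rights that hand out
# SYSTEM/administrator-equivalent control (e.g. Debug programs, Act as part
# of the operating system, Load and unload device drivers, Restore files and
# directories, Take ownership, Replace a process level token, trusted for
# delegation, Synchronize directory service data) warrant the highest
# baseline — confirm against your own threat model rather than this comment.
$cells = @(for ($col = 1; $col -le $userrights_readable.Count; $col++) {
    if ($locationstoreplace -contains $col) { '1' } else { '' }
})

# Every cell, including the last, is followed by a tab — same layout as
# before, so pasting into the sheet lands the columns in the same place.
$instring = ($cells -join "`t") + "`t"

# Emit the row so it actually reaches the pipeline (pipe to Set-Clipboard or
# Out-File). The previous version dumped the loop index on every iteration
# (44 stray integers ahead of the data) and never output the row itself.
$instring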