Find-VulnerableSchemas.ps1
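# Dictionary mapping each class lDAPDisplayName to its subClassOf (parent class)
$superClass = @{}
# List to hold class names that inherit from container and are allowed to live under computer object
$vulnerableSchemas = [System.Collections.Generic.List[string]]::new()
# Resolve schema naming context
$schemaNC = (Get-ADRootDSE).schemaNamingContext
# Enumerate all class schemas. -SearchBase is required: Get-ADObject otherwise
# searches the domain naming context, where no classSchema objects exist.
$classSchemas = Get-ADObject -LDAPFilter '(objectClass=classSchema)' -SearchBase $schemaNC -Properties lDAPDisplayName,subClassOf,possSuperiors
# Enumerate all class schemas that computer is allowed to contain.
# possSuperiors is multi-valued, so -eq behaves as a "contains" test here.
# NOTE(review): only possSuperiors is inspected; systemPossSuperiors is not queried.
$computerInferiors = $classSchemas | Where-Object possSuperiors -eq 'computer'
# Populate superclass table
foreach ($schema in $classSchemas) {
    $superClass[$schema.lDAPDisplayName] = [string]$schema.subClassOf
}
# Resolve class inheritance for computer inferiors: walk each class up its
# subClassOf chain until 'top' and flag it when 'container' is the class itself
# or one of its ancestors. The walk also stops on a missing parent (indexing
# the hashtable with $null would throw) and on a repeated class, so a
# malformed schema entry cannot abort or hang the scan.
foreach ($inferior in $computerInferiors) {
    $class = [string]$inferior.lDAPDisplayName
    $cursor = $class
    $visited = [System.Collections.Generic.HashSet[string]]::new()
    while ($cursor -and $cursor -ne 'top' -and $visited.Add($cursor)) {
        if ($cursor -eq 'container') {
            $vulnerableSchemas.Add($class)
            break
        }
        $cursor = $superClass[$cursor]
    }
}
# Output list of vulnerable class schemas
$vulnerableSchemas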
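# Discover schema NC
$rootDSE = Get-ADRootDSE
$schemaNC = $rootDSE.schemaNamingContext
# Discover schema master: fSMORoleOwner on the schema NC head is the DN of the
# NTDS Settings object of the role owner, which Get-ADDomainController accepts
# as an identity
$schemaMaster = Get-ADObject $schemaNC -Properties fSMORoleOwner |
    Get-ADDomainController -Identity { $_.fSMORoleOwner }
# Use the host name explicitly so every call below targets the same DC
$schemaMasterHost = $schemaMaster.HostName
# Re-bind against RootDSE on schema master
$rootDSE = [ADSI]::new("LDAP://$schemaMasterHost/RootDSE")
# Prepare to refresh the schema!!!
$schemaRefresh = {
    $rootDSE.Put("schemaUpdateNow", 1)
    $rootDSE.SetInfo()
}
# Fetch msExchStorageGroup schema object. -SearchBase is required: without it
# Get-ADObject searches the domain naming context, where no classSchema object
# exists, and the update below would run against an empty identity. The read
# goes to the schema master so that it sees the same replica the write targets.
$schemaObject = Get-ADObject -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msExchStorageGroup))' -SearchBase $schemaNC -Properties possSuperiors -Server $schemaMasterHost
if (-not $schemaObject) {
    throw "msExchStorageGroup classSchema object not found under $schemaNC"
}
# Update schema object only while 'computer' is still listed; removing a value
# that is not present may be rejected by the directory. Schema writes are only
# accepted by the schema master, hence the explicit -Server.
if ($schemaObject.possSuperiors -contains 'computer') {
    Set-ADObject -Identity $schemaObject.distinguishedName -Remove @{possSuperiors = 'computer'} -Server $schemaMasterHost
    # Refresh schema
    & $schemaRefresh
} else {
    Write-Warning "msExchStorageGroup no longer lists 'computer' in possSuperiors; nothing to do"
}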