@mbrownnycnyc
Last active June 23, 2022 19:52
Script used to assist in building a risk-scoring spreadsheet for AD privileged groups and users (adjust the baseline risk of each group).
#Reference for the privileged groups this is meant to score:
#https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory
#Two parallel lists: the readable names of the user rights (as shown under User Rights Assignment in the GPO / Local Security Policy editor)
#and the matching constants (as used by secedit and the [Privilege Rights] section of a security template). Keep the order of both lists in sync.
$userrights_readable = "Access Credential Manager as a trusted caller","Access this computer from the network","Act as part of the operating system","Add workstations to domain","Adjust memory quotas for a process","Allow log on locally","Allow log on through Remote Desktop Services","Back up files and directories","Bypass traverse checking","Change the system time","Change the time zone","Create a pagefile","Create a token object","Create global objects","Create permanent shared objects","Create symbolic links","Debug programs","Deny access to this computer from the network","Deny log on as a batch job","Deny log on as a service","Deny log on locally","Deny log on through Terminal Services","Enable computer and user accounts to be trusted for delegation","Force shutdown from a remote system","Generate security audits","Impersonate a client after authentication","Increase a process working set","Increase scheduling priority","Load and unload device drivers","Lock pages in memory","Log on as a batch job","Log on as a service","Manage auditing and security log","Modify an object label","Modify firmware environment values","Perform volume maintenance tasks","Profile single process","Profile system performance","Remove computer from docking station","Replace a process level token","Restore files and directories","Shut down the system","Synchronize directory service data","Take ownership of files or other objects"
$userrights_constant = "SeTrustedCredManAccessPrivilege","SeNetworkLogonRight","SeTcbPrivilege","SeMachineAccountPrivilege","SeIncreaseQuotaPrivilege","SeInteractiveLogonRight","SeRemoteInteractiveLogonRight","SeBackupPrivilege","SeChangeNotifyPrivilege","SeSystemtimePrivilege","SeTimeZonePrivilege","SeCreatePagefilePrivilege","SeCreateTokenPrivilege","SeCreateGlobalPrivilege","SeCreatePermanentPrivilege","SeCreateSymbolicLinkPrivilege","SeDebugPrivilege","SeDenyNetworkLogonRight","SeDenyBatchLogonRight","SeDenyServiceLogonRight","SeDenyInteractiveLogonRight","SeDenyRemoteInteractiveLogonRight","SeEnableDelegationPrivilege","SeRemoteShutdownPrivilege","SeAuditPrivilege","SeImpersonatePrivilege","SeIncreaseWorkingSetPrivilege","SeIncreaseBasePriorityPrivilege","SeLoadDriverPrivilege","SeLockMemoryPrivilege","SeBatchLogonRight","SeServiceLogonRight","SeSecurityPrivilege","SeRelabelPrivilege","SeSystemEnvironmentPrivilege","SeManageVolumePrivilege","SeProfileSingleProcessPrivilege","SeSystemProfilePrivilege","SeUndockPrivilege","SeAssignPrimaryTokenPrivilege","SeRestorePrivilege","SeShutdownPrivilege","SeSyncAgentPrivilege","SeTakeOwnershipPrivilege"
#guard against the two lists drifting apart, which would silently map names to the wrong constants
if ($userrights_readable.Count -ne $userrights_constant.Count) {
    throw "userrights_readable ($($userrights_readable.Count)) and userrights_constant ($($userrights_constant.Count)) are out of sync"
}
#build a lookup table of readable name -> constant (same index in both lists)
$ntrights = @()
for ($i = 0; $i -lt $userrights_readable.Count; $i++) {
    $ntrights += [pscustomobject]@{ readable = $userrights_readable[$i]; constant = $userrights_constant[$i] }
}
#here you can paste in the readable privs held by one group or user, one per line
#(e.g. copied from the User Rights Assignment node of the policy that applies to the DCs)
$here = @"
Access this computer from the network
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create global objects
Create symbolic links
Debug programs
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Log on as a batch job
Manage auditing and security log
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Restore files and directories
Shut down the system
"@
#split on CRLF or LF and trim, so a here-string saved with Windows line endings still matches; drop blank lines
$listtolookup = $here -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
#determine the 1-based column of each pasted priv in the full $userrights_readable list
#(IndexOf is a case-sensitive exact match; a name that is not found returns -1 and is reported rather than silently dropped)
$locationstoreplace = @()
foreach ($item in $listtolookup) {
    $idx = [array]::IndexOf($userrights_readable, $item)
    if ($idx -lt 0) {
        Write-Warning "not a known user right, check spelling: '$item'"
        continue
    }
    $locationstoreplace += $idx + 1
}
#emit one tab-separated row with a '1' in the column of every priv the group/user holds and an empty cell otherwise
#this will help populate columns in a spreadsheet where all privs are listed in a header row (in $userrights_readable order)
# you can create a risk score for each priv, then multiply that score by the 1/blank in each column and sum the row
#this will allow for risk scoring per group or user, which will help set a threshold of risk for prived groups
$instring = ""
for ($i = 1; $i -le $userrights_readable.Count; $i++) {
    if ($locationstoreplace -contains $i) {
        $instring += "1`t"
    } else {
        $instring += "`t"
    }
}
#print the row so it can be copied into the spreadsheet
$instring
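The spreadsheet step described above (a weight per privilege, multiplied by the 1/blank membership cell and summed per row) can be done directly in PowerShell. The block below is an added example and is not part of the original gist: it parses a fragment in the format that `secedit /export /cfg <file>` writes under [Privilege Rights], where each right constant is followed by the SIDs that hold it, and scores each principal. The fragment, the SID-to-name table and the weights are constructed for illustration and are assumptions, not a published baseline; the functions `ConvertFrom-PrivilegeRights` and `Get-PrincipalRiskScore` are names chosen here. Rights that have no weight are reported in an `Unweighted` column so an incomplete baseline table is never silently counted as zero.

```powershell
# Added example, not from the original gist. Scores each principal by the sum of the
# weights of the user rights it holds: the same weight-times-membership arithmetic the
# spreadsheet does. Input mirrors the [Privilege Rights] section of a secedit export;
# the fragment, SID table and weights are constructed/assumed for illustration.

# Assumed baseline weights per constant (higher = more dangerous if abused).
$riskWeights = @{
    'SeTcbPrivilege'                = 10  # act as part of the OS
    'SeDebugPrivilege'              = 9   # open any process, e.g. LSASS
    'SeCreateTokenPrivilege'        = 9
    'SeBackupPrivilege'             = 8   # read any file, incl. NTDS.dit on a DC
    'SeRestorePrivilege'            = 8   # write any file
    'SeTakeOwnershipPrivilege'      = 8
    'SeLoadDriverPrivilege'         = 8
    'SeEnableDelegationPrivilege'   = 7
    'SeImpersonatePrivilege'        = 6
    'SeAssignPrimaryTokenPrivilege' = 6
    'SeSecurityPrivilege'           = 5
    'SeRemoteInteractiveLogonRight' = 3
    'SeInteractiveLogonRight'       = 2
    'SeNetworkLogonRight'           = 1
    'SeChangeNotifyPrivilege'       = 0
}

# Constructed sample in secedit export format (principals are '*'-prefixed SIDs).
$sampleInf = @"
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-11
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
"@

# Well-known SIDs used in the sample, mapped to display names.
$sidNames = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-6'      = 'NT AUTHORITY\SERVICE'
}

function ConvertFrom-PrivilegeRights {
    # Parse "SeXxx = *SID,*SID" lines into a hashtable: SID -> list of right constants.
    param([string]$Text)
    $rights = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $constant = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $sid = $entry.Trim().TrimStart('*')
                if (-not $sid) { continue }      # right assigned to nobody
                if (-not $rights.ContainsKey($sid)) {
                    $rights[$sid] = [System.Collections.Generic.List[string]]::new()
                }
                $rights[$sid].Add($constant)
            }
        }
    }
    return $rights
}

function Get-PrincipalRiskScore {
    # Sum the weight of every right a principal holds; collect rights with no weight
    # separately so the baseline table is never silently incomplete.
    param([hashtable]$Rights, [hashtable]$Weights, [hashtable]$Names, [int]$Threshold)
    foreach ($sid in $Rights.Keys) {
        $score = 0
        $unweighted = @()
        foreach ($c in $Rights[$sid]) {
            if ($Weights.ContainsKey($c)) { $score += $Weights[$c] } else { $unweighted += $c }
        }
        $name = $sid
        if ($Names.ContainsKey($sid)) { $name = $Names[$sid] }
        [pscustomobject]@{
            Principal     = $name
            Score         = $score
            OverThreshold = ($score -ge $Threshold)
            Rights        = ($Rights[$sid] -join ',')
            Unweighted    = ($unweighted -join ',')
        }
    }
}

$parsed = ConvertFrom-PrivilegeRights -Text $sampleInf
Get-PrincipalRiskScore -Rights $parsed -Weights $riskWeights -Names $sidNames -Threshold 15 |
    Sort-Object Score -Descending | Format-Table -AutoSize
```

With the assumed weights and a threshold of 15, Administrators scores 34 and Backup Operators 18 (SeBackupPrivilege plus SeRestorePrivilege alone is 16), which is the kind of non-obvious result the per-group threshold is meant to surface. To run it against a real system, export the effective policy with `secedit /export /cfg <path>`, feed the file contents to `ConvertFrom-PrivilegeRights`, and resolve SIDs to names with `[System.Security.Principal.SecurityIdentifier]::Translate([System.Security.Principal.NTAccount])` instead of the hard-coded table; the `$ntrights` table from the gist maps the constants back to the readable names used in the spreadsheet header.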