iamtheky

AD - All accounts in privileged groups on domain machines



1) Enumerate all computers in AD

2) Loop through those computers using

      a) ADSI (the WinNT provider) to return all members of each selected local group (Administrators, Backup Operators) on that computer

      b) `net group <name> /DOMAIN` to test each member that carries the domain prefix against the DC; if it resolves to a domain group, its direct members are enumerated (one level only — groups nested inside it are not expanded further)

3) every 5 computers, if the return array has any elements, deduplicate it and write it to a CSV chunk file

 

#RequireAdmin
#include<array.au3>
#include <AutoItConstants.au3>
#include <MsgBoxConstants.au3>

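; Base name for the output chunks. Results are written in pieces named
; "<$OUTcsv>_<firstIndex>_<lastIndex>", one piece per batch of computers.
$OUTcsv = "Privileged_Accounts"

; Remove chunks left over from an earlier run so the output directory only holds this run's
; results; stale chunks could otherwise be merged into the master list and report accounts
; that are no longer privileged. (The original deleted only a file named exactly $OUTcsv,
; which this script never writes, so nothing was actually cleared.)
FileDelete($OUTcsv & "_*")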

;--------------------------------PULL ALL COMPUTERS FROM AD---------------------------------------------

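ToolTip("Getting AD Computers", 0, 0)

; Requires the ActiveDirectory PowerShell module (RSAT) on the machine running this script.
$sCommands = 'powershell -Command import-module ActiveDirectory; "Get-ADComputer -Filter * | Select -Expand Name"'
$iPID = Run(@ComSpec & " /c " & $sCommands, "", @SW_HIDE, $STDOUT_CHILD + $STDERR_CHILD)

$sOutput = ""
$sErr = ""

; Drain stdout until the child closes it. stderr is collected alongside so a failure (module
; missing, no rights to query the directory, PowerShell not found) can be reported instead of
; silently turning into an empty computer list.
While 1
    $sOutput &= StdoutRead($iPID)
    If @error Then ExitLoop
    $sErr &= StderrRead($iPID)
WEnd
$sErr &= StderrRead($iPID)

; One computer name per line. Elements may keep a trailing @CR here; they are trimmed where
; they are used.
$aComps = StringSplit(StringStripWS($sOutput, 2), @LF, 2)

; With no output the split yields a single empty name and the main loop would run every group
; query against "WinNT:///..." for nothing. Stop here and show what PowerShell reported.
If $aComps[0] = "" Then
    MsgBox($MB_ICONERROR, "AD enumeration failed", "Get-ADComputer returned no computer names." & @CRLF & @CRLF & $sErr)
    Exit 1
EndIf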



;--------------------------------Loop through list of COMPUTERS FROM AD to get group members---------------------------------------------

; Local groups whose membership is enumerated on every computer.
Local $aSelectedGroups[2] = ["Administrators", "Backup Operators"]

; Accounts collected since the last chunk was written, and the domain principals that have
; already been looked up with "net group" (each is looked up only once per run).
Local $aReturn[0]
Local $aTestedGroups[0]

; Prefix that marks a member as belonging to the domain in the "<domain>/<account>" form the
; enumeration produces. NOTE(review): "DOMAIN/" looks like a placeholder to be replaced with
; the audited domain's name, keeping the trailing slash — confirm before running.
$sDomain = "DOMAIN/"
$sReturn = ""

; Index of the first computer covered by the current chunk, and computers processed since the
; last chunk was written.
$start = 0
$nEntries = 0

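; Length of the domain prefix; loop-invariant, so computed once instead of per computer.
$nLen = StringLen($sDomain)

For $c = 0 To UBound($aComps) - 1

    ToolTip("")
    ToolTip("Computer " & $c & " of " & UBound($aComps) - 1, 0, 0)

    $sComp = StringStripWS($aComps[$c], 3)

    ; A blank line in the computer export gives an empty name; there is nothing to query.
    If $sComp = "" Then ContinueLoop

    ; $sComp is spliced into a single-quoted PowerShell string literal, and that whole command
    ; is wrapped in double quotes on the powershell.exe command line. A quote character in an
    ; object name would close the literal early and the remainder of the name would be parsed
    ; as code by an elevated (#RequireAdmin) PowerShell. Object names are not validated anywhere
    ; else in this script, so refuse such names here instead of executing them.
    If StringInStr($sComp, "'") Or StringInStr($sComp, '"') Then
        ConsoleWrite("Skipping computer name containing a quote character: " & $sComp & @CRLF)
        ContinueLoop
    EndIf

    $sOutput = ""

    ;---- Local group members via the WinNT ADSI provider, one powershell.exe per group ----
    For $i = 0 To UBound($aSelectedGroups) - 1

        ; Emits one ADsPath per member with the "WinNT://" scheme stripped, e.g. "DOMAIN/user".
        $PsCommand = '"' & "$([ADSI]'WinNT://" & $sComp & "/" & StringStripWS($aSelectedGroups[$i], 3) & ",group').psbase.Invoke('Members') | foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_, $null).Replace('WinNT://', '') }" & '"'

        ; Reset per group: previously an exception raised while reading the first group made the
        ; read loop of every following group exit on its first pass, before any output arrived.
        $sErr = ""
        $TimerGroupADSI = TimerInit()

        $iPID = Run("powershell " & $PsCommand, "", @SW_HIDE, $STDOUT_CHILD + $STDERR_CHILD)

        ; Read until the child exits, an exception is reported, or 10 s pass (unreachable host).
        While 1
            $sOutput &= StdoutRead($iPID)
            $sErr &= StderrRead($iPID)
            If @error Or StringInStr($sErr, "Exception") Or TimerDiff($TimerGroupADSI) > 10000 Then ExitLoop
        WEnd

        ; Close this child before starting the next one. After a timeout or an exception the
        ; process is usually still running; closing only the last PID after the loop (as before)
        ; left one hung powershell.exe behind for every earlier group that timed out.
        ProcessClose($iPID)

    Next

    ; Deduplicate. _ArrayUnique stores the element count in [0]; the loops below rely on that.
    $aFinal = StringSplit($sOutput, @LF, 2)
    $aFinal = _ArrayUnique($aFinal)

    ; Reduce each path to its last two segments, "<domain or computer>/<account>".
    For $i = 0 To UBound($aFinal) - 1
        If StringInStr($aFinal[$i], "/") Then
            $aFrmt = StringSplit($aFinal[$i], "/", 2)
            $aFinal[$i] = $aFrmt[UBound($aFrmt) - 2] & "/" & $aFrmt[UBound($aFrmt) - 1]
        EndIf
    Next

    ; Drop the last element, presumably the empty string left by the output's trailing line
    ; break (unchanged from the original).
    _ArrayDelete($aFinal, UBound($aFinal) - 1)

    ;---- Expand members that carry the domain prefix via "net group <name> /DOMAIN" ----
    For $i = 1 To UBound($aFinal) - 1

        ToolTip("Computer " & $c & " of " & UBound($aComps) - 1 & " :: " & $aFinal[$i], 0, 0)

        $sOutput = ""

        If $sDomain = StringLeft($aFinal[$i], $nLen) Then

            ; Each domain principal is looked up once per run; later hits on other machines are
            ; skipped (the combine step deduplicates across chunks anyway).
            If IsArray(_ArrayFindAll($aTestedGroups, $aFinal[$i])) Then ContinueLoop

            _ArrayAdd($aTestedGroups, $aFinal[$i])

            $sGroup = StringStripWS(StringTrimLeft($aFinal[$i], $nLen), 3)

            ; $sGroup is placed inside double quotes on the net.exe command line; a '"' in the
            ; name would break that quoting. Record the principal as-is rather than run it.
            If StringInStr($sGroup, '"') Then
                _ArrayAdd($aReturn, $aFinal[$i])
                ContinueLoop
            EndIf

            $TimerNetGroup = TimerInit()

            $iPID = Run('net group ' & '"' & $sGroup & '"' & ' /DOMAIN', "", @SW_HIDE, $STDOUT_CHILD)

            While 1
                $sOutput &= StdoutRead($iPID)
                If @error Or TimerDiff($TimerNetGroup) > 5000 Then ExitLoop
            WEnd

            ProcessClose($iPID)

            $aDomainMembers = StringSplit(StringStripWS($sOutput, 2), @CRLF, 3)

            ; "net group" prints a header block before the member lines and a completion message
            ; after them; lines 0-7 and the last line are skipped. Shorter output means the
            ; lookup did not return a member list (e.g. the name is a user, not a group), so the
            ; principal itself is recorded.
            ; NOTE(review): the member lines are joined with no separator and split on runs of
            ; 2+ spaces, so this depends on net.exe's column padding; members that are
            ; themselves domain groups are not expanded further (one level only).
            If UBound($aDomainMembers) > 7 Then
                $sOutDomainMembers = _ArrayToString($aDomainMembers, "", 8, UBound($aDomainMembers) - 2)
                $sOutRepl = StringRegExpReplace(StringStripWS($sOutDomainMembers, 2), "\s\s+", ",")
                $aOut = StringSplit($sOutRepl, ",", 2)
                _ArrayConcatenate($aReturn, $aOut)
            Else
                _ArrayAdd($aReturn, $aFinal[$i])
            EndIf

        Else

            ; Local account or a non-domain reference: recorded as-is.
            _ArrayAdd($aReturn, $aFinal[$i])

        EndIf

    Next

    ToolTip("")

    ; Write a chunk every 5 computers so partial results survive a long or interrupted run.
    ; $start only advances when a file was actually written, so an empty batch is folded into
    ; the index range of the next chunk's filename.
    $nEntries += 1
    If $nEntries = 5 Then
        $nEntries = 0
        If _FlushPrivilegedBatch($aReturn, $start, $c) Then $start = $c + 1
    EndIf

Next

; The loop only writes on every 5th computer; when the computer count is not a multiple of 5
; the accounts gathered from the last 1-4 machines were previously never written anywhere.
_FlushPrivilegedBatch($aReturn, $start, UBound($aComps) - 1)

; Writes the accounts collected so far, deduplicated, to "<$OUTcsv>_<$iFirst>_<$iLast>.csv"
; (one account per line) and empties $aEntries. Nothing is written for an empty collection.
; Returns True when a file was written, False otherwise.
Func _FlushPrivilegedBatch(ByRef $aEntries, $iFirst, $iLast)
    If UBound($aEntries) < 1 Then Return False

    Local $aUnique = _ArrayUnique($aEntries)
    _ArrayDelete($aUnique, 0) ; [0] holds the element count that _ArrayUnique prepends

    ; ".csv" so the chunks match the "*.csv" pattern the combine step looks for.
    FileWrite($OUTcsv & "_" & $iFirst & "_" & $iLast & ".csv", _ArrayToString($aUnique, @LF))

    ReDim $aEntries[0]
    Return True
EndFunc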

 

Then you can use this second script to combine all the CSV chunk files in the script's directory, deduplicate them, and produce a master list of accounts that have privileged access on at least one machine on the network.

 

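;Combine_CSV
;
; Merges every *.csv chunk found next to this script into one deduplicated master list of
; accounts that are members of a privileged local group on at least one machine.

#include<file.au3>
Local $aReturn[0]
Local $aArray
Local $sOutFile = "COMBINED.csv"

$FileList = _FileListToArray(@ScriptDir, "*.csv")

; With no matching files _FileListToArray returns "" and sets @error; indexing $FileList[0]
; would then abort the script with an unhelpful error.
If @error Then
    MsgBox(48, "Combine_CSV", "No .csv files found in " & @ScriptDir) ; 48 = warning icon
    Exit 1
EndIf

; $FileList[0] is the count and the entries run 1..$FileList[0]; the original loop stopped at
; $FileList[0]-1 and silently dropped the last chunk.
For $i = 1 To $FileList[0]
    ; A previous run's master list matches "*.csv" too (when the working directory is the
    ; script directory). Feeding it back in would carry over accounts whose privileges have
    ; since been removed, so it is skipped.
    If $FileList[$i] = $sOutFile Then ContinueLoop

    ; Flag 0: no element count in [0]. Returns 0 on an unreadable or empty file, in which case
    ; $aArray is left alone and must not be concatenated again.
    If _FileReadToArray(@ScriptDir & "\" & $FileList[$i], $aArray, 0) Then
        _ArrayConcatenate($aReturn, $aArray)
    EndIf
Next

If UBound($aReturn) < 1 Then
    MsgBox(48, "Combine_CSV", "The .csv files in " & @ScriptDir & " contained no entries.")
    Exit 1
EndIf

$aUnique = _ArrayUnique($aReturn)
_ArrayDelete($aUnique, 0) ; [0] holds the element count that _ArrayUnique prepends
_FileWriteFromArray($sOutFile, $aUnique)
ShellExecute($sOutFile)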

 

Edited by iamtheky
csvs not cumulative

