iamtheky Posted February 5, 2016 Share Posted February 5, 2016 (edited) 1) Enumerate all computers in AD 2) Loop through those computers using a ) ADSI to return all members of a group b ) Net Group to test members with a domain prefix against the DC to see if they are domain groups, and if so enum those members 3) every 5 computers, check the returnarray for elements, unique the array and write it to a CSV expandcollapse popup#RequireAdmin #include <AutoItConstants.au3> #include<array.au3> $OUTcsv = "Privileged_Accounts" If FileExists($OUTcsv) Then FileDelete($OUTcsv) ;--------------------------------PULL ALL COMPUTERS FROM AD--------------------------------------------- Tooltip("Getting AD Computers" , 0 , 0) $sCommands = 'powershell -Command import-module ActiveDirectory; "Get-ADComputer -Filter * | Select -Expand Name"' $iPID = Run(@ComSpec & " /c " & $sCommands, "", @SW_HIDE , $stdout_child) $sOutput = "" While 1 $sOutput &= StdoutRead($iPID) If @error Then ExitLoop EndIf WEnd $aComps = stringsplit(stringstripws($sOutput , 2), @LF , 2) ;--------------------------------Loop through list of COMPUTERS FROM AD to get group members--------------------------------------------- local $aSelectedGroups[] = ["Administrators" , "Backup Operators"] ; Array Of Privileged Groups local $aReturn[0] local $aTestedGroups[0] $sDomain = "DOMAIN/" $sReturn = "" $start = 0 $nEntries = 0 For $c = 0 to ubound($aComps) - 1 Tooltip("") Tooltip("Computer " & $c & " of " & ubound($aComps) - 1, 0 , 0) $sComp = stringstripws($aComps[$c] , 3) $sOutput = "" $sErr = "" For $i = 0 to ubound($aSelectedGroups) - 1 $PsCommand = '"' & "$([ADSI]'WinNT://" & $sComp & "/" & stringstripws($aSelectedGroups[$i] , 3) &",group').psbase.Invoke('Members') | foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_, $null).Replace('WinNT://', '') }" & '"' $TimerGroupADSI = TimerInit() $iPID = run("powershell " & $PsCommand, "" , @SW_HIDE , $stdout_child + $STDERR_CHILD) While 1 $sOutput &= StdoutRead($iPID) $sErr &= StderrRead($iPID) If @error Or StringinStr($sErr , "Exception") OR TimerDiff($TimerGroupADSI) > 10000 Then ExitLoop WEnd Next ProcessClose($iPID) $aFinal = stringsplit($sOutput , @LF , 2) $aFinal = _ArrayUnique($aFinal) For $i = 0 to ubound($aFinal) - 1 If stringinstr($aFinal[$i] , "/") Then $aFrmt = stringsplit($aFinal[$i] , "/" , 2) $aFinal[$i] = $aFrmt[ubound($aFrmt) - 2] & "/" & $aFrmt[ubound($aFrmt) - 1] EndIf Next _ArrayDelete($aFinal , ubound($aFinal) - 1) ;;;----Prep Work Done, Loop through the array of group members to enumerate any domain groups------------------- $nLen = stringlen($sDomain) For $i = 1 to ubound($aFinal) - 1 Tooltip("Computer " & $c & " of " & ubound($aComps) - 1 & " :: " & $aFinal[$i] , 0 , 0) $sOutput = "" If $sDomain = stringleft($aFinal[$i] , $nLen) Then If IsArray(_ArrayFindAll($aTestedGroups , $aFinal[$i])) Then continueloop _ArrayAdd($aTestedGroups , $aFinal[$i]) $sGroup = stringstripws(stringtrimleft($aFinal[$i] , $nLen) , 3) $TimerNetGroup = TimerInit() $iPID = run('net group ' & '"' & $sGroup & '"' & ' /DOMAIN' , "" , @SW_HIDE , $stdout_child) While 1 $sOutput &= StdoutRead($iPID) If @error OR TimerDiff($TimerNetGroup) > 5000 Then ExitLoop EndIf WEnd ProcessClose($iPID) $aDomainMembers = stringsplit(stringstripws($sOutput,2) , @CRLF , 3) If UBound($aDomainMembers) > 7 Then $sOutDomainMembers = _ArrayToString($aDomainMembers , "" , 8 , ubound($aDomainMembers) - 2) $sOutRepl = stringregexpreplace(stringstripws($sOutDomainMembers , 2) , "\s\s+" , ",") $aOut = stringsplit($sOutRepl , "," , 2) _ArrayConcatenate($aReturn , $aOut) Else _ArrayAdd($aReturn , $aFinal[$i]) EndIf Else _ArrayAdd($aReturn , $aFinal[$i]) EndIf Next tooltip("") $nEntries += 1 If $nEntries = 5 Then If ubound($aReturn) < 1 Then $nEntries = 0 ContinueLoop EndIf $finish = $c $aReturnUnique = _ArrayUnique($aReturn) _ArrayDelete($aReturnUnique , 0) filewrite($OUTcsv & "_" & $start & "_" & $finish , _ArrayToString($aReturnUnique , @LF)) $start = $c + 1 $nEntries = 0 local $aReturn[0] EndIf Next Then you can use this to combine all the csvs, deduplicate, and return a master list of accounts that have privileged access on at least one machine on the network. ;Combine_CSV #include<file.au3> local $aReturn[0] local $aArray local $sOutFile = "COMBINED.csv" $FileList = _FileListToArray(@ScriptDir , "*.csv") For $i = 1 To $FileList[0]-1 _FileReadToArray(@ScriptDir & "\" & $FileList[$i] , $aArray , 0) _ArrayConcatenate($aReturn , $aArray) Next $aUnique = _ArrayUnique($aReturn) _ArrayDelete($aUnique , 0) _FileWriteFromArray($sOutFile , $aUnique) ShellExecute($sOutFile) Edited February 5, 2016 by iamtheky csvs not cumulative ,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-. |(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/ (_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_) | | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) ( | | | | |)| | \ / | | | | | |)| | `--. | |) \ | | `-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_| '-' '-' (__) (__) (_) (__) Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now