Private/Test/Test-IsDangerousPrincipal.ps1
#requires -Version 5.1
function Test-IsDangerousPrincipal {
    <#
    .SYNOPSIS
        Tests if a security principal matches known dangerous principal patterns.

    .DESCRIPTION
        Examines security principal identifiers (SIDs or NTAccount names) to determine
        if they match well-known dangerous principals that represent overly broad
        security groups. This function is used by enrollee detection functions to
        identify templates with overly permissive permissions that could lead to
        privilege escalation vulnerabilities.

    .PARAMETER IdentityReference
        One or more security principal identifiers to test. Can be SIDs, NTAccount
        names, or any string representation of a security principal.

    .PARAMETER DangerousEnrollee
        An array of SIDs, NTAccount names, and regex patterns identifying dangerous
        principals. Default includes NULL SID, Everyone, Anonymous Logon, BUILTIN\Users,
        Authenticated Users, Domain Users, and Domain Computers.

    .INPUTS
        System.String[]
        You can pipe security principal identifiers to this function.

    .OUTPUTS
        System.Boolean
        Returns $true if the principal matches a dangerous pattern, $false otherwise.
        When multiple principals are provided, returns one boolean per principal.

    .EXAMPLE
        Test-IsDangerousPrincipal -IdentityReference 'Everyone'

        Returns $true as 'Everyone' is a dangerous principal.

    .EXAMPLE
        Test-IsDangerousPrincipal -IdentityReference 'S-1-5-21-1234567890-1234567890-1234567890-513'

        Returns $true as SIDs ending in -513 represent Domain Users groups.

    .EXAMPLE
        $ace.IdentityReference | Test-IsDangerousPrincipal

        Tests an ACE's identity reference against dangerous principal patterns.

    .EXAMPLE
        'CONTOSO\Domain Admins' | Test-IsDangerousPrincipal

        Returns $false as Domain Admins is not a dangerous principal.

    .EXAMPLE
        $customDangerous = @('Everyone', 'S-1-1-0', '-513$')
        Test-IsDangerousPrincipal -IdentityReference 'Everyone' -DangerousEnrollee $customDangerous

        Uses a custom list of dangerous principal patterns.

    .NOTES
        Well-known dangerous principals checked by default:
        - S-1-0-0: NULL SID
        - S-1-1-0: Everyone (all users, possibly including anonymous)
        - S-1-5-7: Anonymous Logon
        - S-1-5-32-545: BUILTIN\Users
        - S-1-5-11: Authenticated Users
        - SIDs ending in -513: Domain Users groups
        - SIDs ending in -515: Domain Computers groups

        The function uses regex matching to support both exact matches (SIDs, NTAccount
        names) and pattern matches (SID suffixes like -513$).

    .LINK
        https://posts.specterops.io/certified-pre-owned-d95910965cd2
    #>
    [CmdletBinding()]
    [OutputType([bool])]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$IdentityReference,

        [Parameter()]
        [string[]]$DangerousEnrollee
    )

    begin {
        # Load dangerous principal patterns from the data file if none were provided
        if (-not $DangerousEnrollee) {
            $principalDefinitions = Import-PowerShellDataFile -Path "$PSScriptRoot\..\Data\PrincipalDefinitions.psd1"
            $DangerousEnrollee = $principalDefinitions.DangerousPrincipals
            Write-Verbose "Loaded $($DangerousEnrollee.Count) dangerous principal patterns from PrincipalDefinitions.psd1"
        }

        # Combine every SID, account name and suffix pattern into a single regex alternation
        $dangerousEnrolleePattern = $DangerousEnrollee -join '|'
    }

    process {
        $IdentityReference | ForEach-Object {
            Write-Verbose "Testing if '$_' is a dangerous principal..."
            # -match is case-insensitive by default, so 'everyone' and 'Everyone' both match
            $isDangerous = $_ -match $dangerousEnrolleePattern
            if ($isDangerous) {
                Write-Verbose "'$_' matches dangerous principal pattern"
            }
            else {
                Write-Verbose "'$_' is not a dangerous principal"
            }
            $isDangerous
        }
    }

    end { }
}