该脚本使用WMI来获取服务的ACL,并识别非管理员的DC、WD或WO权限。
这些权限中的任何一个都允许持有该权限的用户立即提升到localsystem。
$DebugPreference = "Continue"$services = (Get-WmiObject Win32_Service -EnableAllPrivileges)foreach ($srv in $services){$sd = ($srv.GetSecurityDescriptor())if ($sd.ReturnValue -ne 0){Write-Debug ("Service: "+$srv.name+"`tError "+$sd.ReturnValue) -ErrorAction SilentlyContinuecontinue}$SDDL = ([wmiclass]"win32_SecurityDescriptorHelper").Win32SDtoSDDL($sd.Descriptor).SDDLforeach ($ACE in $sddl.split("()")){if ($ACE.Split(";")[0] -ne "A"){continue #as we have non "allow something" ACE}# we should have set of permissions in the $ACE.Split(";")[2]# and the security principal (user/group/etc) in the $ACE.Split(";")[5]if ( ($ACE.Split(";")[2]).Contains("WD") -or ($ACE.Split(";")[2]).Contains("WO") -or ($ACE.Split(";")[2]).Contains("DC") ){if ( (($ACE.Split(";")[5]) -eq "BA") -or (($ACE.Split(";")[5]) -eq "SY"))# we do not care about local administrators and localsystem as they should have such permissions{continue}$PrincipalName = ($ACE.Split(";")[5])if ($PrincipalName.StartsWith("S-1-5-")){$SID = New-Object System.Security.Principal.SecurityIdentifier(($ACE.Split(";")[5]))$PrincipalName = $SID.Translate([System.Security.Principal.NTAccount]).Value}Write-Host $srv.Name - $ACE.Split(";")[2] - $ACE.Split(";")[5] - $PrincipalName}}}
参考:
https://support.microsoft.com/en-us/help/914392/best-practices-and-guidance-for-writers-of-service-discretionary-acces
原文始发于微信公众号(Khan安全攻防实验室):应急响应 - 通过PowerShell来识别可疑的DLL服务
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论