Below is the PowerShell source of the script. Use with caution: it reads the ACL of every object in the domain, and it has only been exercised in a test environment.
# Script built to detect suspicious entries (trustees) in AD access control lists
# The paper "An ACE up the Sleeve" by Will Schroeder and Lee Christensen describes hiding objects from normal enumeration by using deny ACEs
# This script walks the access control lists of the domain's objects and reports trustees that do not appear in the output of Get-ADUser, Get-ADComputer or Get-ADGroup
# Version 0.2
# Fixes - In the test lab I could go off of the .Name object of an Account, Group or Computer. In a production environment the SamAccountName is necessary
# - Removed the compList because the SamAccountName of a computer has a $
# - The list of computers changed in the evaluation from compList to computerList due to the change above
Import-Module ActiveDirectory
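# Resolve the domain from the directory itself instead of from $env:USERDOMAIN.
# $env:USERDOMAIN is the logon domain of the user running the script, which can differ
# from the domain the AD: drive is connected to (cross-domain logon, local account), and
# the hard-coded lab DN (DC=sec699-32,DC=lab) only worked in the original test lab.
$adDomain   = Get-ADDomain
$domain     = $adDomain.NetBIOSName
$domainPath = "AD:\$($adDomain.DistinguishedName)"
# Pull in the list of user accounts output from Get-ADUser
$userList = (Get-ADUser -Filter *).SamAccountName
# Pull in the list of groups output from Get-ADGroup
$groupList = (Get-ADGroup -Filter *).SamAccountName
# Pull in the list of computers from Get-ADComputer.
# SamAccountName keeps the trailing '$', which is also how a computer is rendered as the
# IdentityReference of an ACE (DOMAIN\HOST$), so the two values compare directly.
$computerList = (Get-ADComputer -Filter *).SamAccountName
# Capture interesting accounts
$interestingAccounts = @()
# Initial concept was to only look at the Organizational Units - Expanded to All Objects in the Domain
#$OUs = Get-ChildItem -Recurse -LiteralPath $domainPath | Where ObjectClass -eq organizationalUnit
# Pull all of the Objects in the Domain into a Variable.
# Get-ChildItem -Recurse returns the children but NOT the domain head itself, and the domain
# head's ACL is exactly where replication rights (DS-Replication-Get-Changes*, i.e. DCSync)
# are granted, so the root object is prepended explicitly.
$adObjects = @(Get-Item -LiteralPath $domainPath) + @(Get-ChildItem -Recurse -LiteralPath $domainPath)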
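""
"Display Suspicious Access Privileges of an Object that is not Listed by Get-ADUser, Get-ADComputer or Get-ADGroup"
# Trustees are matched on an exact "DOMAIN\" prefix rather than '*DOMAIN*': a substring match
# would also pick up a domain whose NetBIOS name contains this one (CORP vs. CORPDEV) and any
# BUILTIN\ or NT AUTHORITY\ entry that happens to contain the domain name. -like is
# case-insensitive and '\' is not a wildcard character, so the pattern is safe for NetBIOS names.
$domainPattern = "$domain\*"
ForEach ($object in $adObjects) {
    # Get-ACL emits a non-terminating error and returns nothing on failure. Report that instead
    # of dereferencing $null: not being allowed to read an object's security descriptor is itself
    # a way an ACE can be kept out of sight, so the object deserves a manual look.
    $acl = Get-ACL -Path $object.PSpath -ErrorAction SilentlyContinue
    If ($null -eq $acl) {
        "WARNING: unable to read the ACL of $($object.DistinguishedName) - review this object manually"
        continue
    }
    # Iterate over each Access Right
    ForEach ($accessRight in $acl.Access) {
        $trustee  = $accessRight.IdentityReference
        $identity = $null
        If ($trustee -is [System.Security.Principal.SecurityIdentifier]) {
            # An IdentityReference that is still a raw SID is one that could not be translated to
            # DOMAIN\name. That happens for principals deleted after the ACE was set, but it is
            # also how a hidden or foreign principal can appear, so always report it.
            $identity = $trustee.Value
        } ElseIf ($trustee.ToString() -like $domainPattern) {
            # Strip "DOMAIN\" and keep only identities the standard cmdlets did not return.
            $candidate = $trustee.ToString().Substring($domain.Length + 1)
            If (($candidate -notin $userList) -and ($candidate -notin $groupList) -and ($candidate -notin $computerList)) {
                $identity = $candidate
            }
        }
        If ($null -ne $identity) {
            # De-duplicate; -notin is case-insensitive, matching how AD treats SamAccountName.
            If ($identity -notin $interestingAccounts) {
                $interestingAccounts += $identity
            }
            # Per-ACE detail (object, DN, trustee, allow/deny, rights) goes to the verbose stream;
            # set $VerbosePreference = 'Continue' to see it.
            Write-Verbose "ADObject:$($object.name) ObjectClass:$($object.ObjectClass) DN:$($object.DistinguishedName) Account:$trustee Access:$($accessRight.AccessControlType) $($accessRight.ActiveDirectoryRights)"
        }
    }
}
"`n`n"
"Interesting Accounts, Groups or Computers Identified"
# NOTE(review): these are candidates, not confirmed findings. Identities the three cmdlets
# legitimately do not return (object classes they filter out, principals from another domain in
# the forest whose NetBIOS name differs) will also be listed. Confirm each one against the
# directory, and pay particular attention to Deny entries and to unresolved SIDs.
$interestingAccounts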