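├── .gitignore
├── ADeleginator.png
├── Invoke-ADeleginator.ps1
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
# ADeleg output and the ADeleginator reports describe the domain's ACLs;
# they are sensitive and must never be committed.
*.csv
# Third-party binary, downloaded separately from its own releases page.
ADeleg.exe
--------------------------------------------------------------------------------
/ADeleginator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/techspence/ADeleginator/fb867a69cadd52b1cfc0a495f124540d9a6e6ffc/ADeleginator.png
--------------------------------------------------------------------------------
/Invoke-ADeleginator.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active Directory.

.DESCRIPTION
ADeleginator finds insecure Active Directory delegations by
1) Running ADeleg.exe and creating a csv report
2) Reading the csv report to find common insecure delegations
3) Creating a report containing only the insecure delegations

ADeleg.exe is executed with the credentials of the calling user, so run this
from an account that may read the directory's security descriptors, and verify
the binary before running it (see -ADelegSha256). The CSV files written to the
current directory describe your domain's ACLs: treat them as sensitive and do
not share or commit them (the repository's .gitignore excludes *.csv).

.PARAMETER PathToADeleg
Path to ADeleg.exe. Defaults to .\ADeleg.exe in the current directory.

.PARAMETER Server
Optional server/domain handed to ADeleg as "--server". When omitted, ADeleg
picks its own default target. Note that the current user's group lookup always
queries the default domain, not -Server.

.PARAMETER ADelegSha256
Optional SHA-256 hex digest of the ADeleg.exe you intend to run. When supplied,
the file is hashed with Get-FileHash and execution is refused on a mismatch.
Take the digest from a release you trust; no value is hard-coded here.

.EXAMPLE
Invoke-ADeleginator

.EXAMPLE
Invoke-ADeleginator -PathToADeleg 'C:\Tools\ADeleg.exe'

.EXAMPLE
Invoke-ADeleginator -Server dc01.acme.com -PathToADeleg 'C:\Tools\ADeleg.exe'

.EXAMPLE
Invoke-ADeleginator -ADelegSha256 '<sha256 of the ADeleg.exe you downloaded>'

#>
function Invoke-ADeleginator {
    [CmdletBinding()]
    Param(
        [string]$PathToADeleg = '.\ADeleg.exe',
        [string]$Server,
        [string]$ADelegSha256
    )

    # CN of every group the current user is a *direct* member of.
    # memberOf lists direct membership only, so nested Tier-0 membership is not
    # seen here, and the lookup runs against the default domain (no server is
    # given to the searcher). NOTE(review): the primary group (usually Domain
    # Users) is normally absent from memberOf - confirm before relying on it.
    function Get-CurrentUserGroups {
        try {
            $Result = ([ADSISearcher]"(samaccountname=$($env:USERNAME))").FindOne()
        } catch {
            Write-Warning "Could not look up group membership for '$($env:USERNAME)': $($_.Exception.Message)"
            return @()
        }
        if (-not $Result) { return @() }
        # memberOf holds distinguished names; keep only the CN component.
        $Result.Properties.memberof -replace '^CN=([^,]+).+$', '$1'
    }

    # Run ADeleg and have it write its CSV report to $ReportName.
    # Returns $true when the report file exists afterwards, $false otherwise.
    # Arguments are passed as an argv array through the call operator, so
    # $Server and $ReportName are never interpreted by a shell.
    function Create-ADelegReport {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory)][string]$PathToADeleg,
            [Parameter(Mandatory)][string]$ReportName,
            [string]$Server
        )

        $ADelegArgs = @()
        if ($Server) { $ADelegArgs += @('--server', $Server) }
        $ADelegArgs += @('--csv', $ReportName)

        # A report left over from an earlier run today would otherwise be read
        # silently even when ADeleg failed to produce a fresh one.
        if (Test-Path -LiteralPath $ReportName) {
            Remove-Item -LiteralPath $ReportName -Force
        }

        try {
            & $PathToADeleg @ADelegArgs
        } catch {
            Write-Warning "Failed to start ADeleg ('$PathToADeleg'): $($_.Exception.Message)"
            return $false
        }
        # The call operator does not throw on a non-zero exit code.
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "ADeleg exited with code $LASTEXITCODE."
        }
        return (Test-Path -LiteralPath $ReportName)
    }

    # Shared filter behind the two Find-* functions. Emits one object per
    # report row that is an Allow entry, granted to a trustee matching
    # $UnsafeTrustees, granting a right matching $UnsafeDelegations and, when
    # $ResourcePattern is given, targeting a resource matching it. Every match
    # is a case-insensitive substring regex (-match semantics).
    function Select-InsecureDelegation {
        [CmdletBinding()]
        Param(
            $ADelegReport,
            [string]$UnsafeTrustees,
            [string]$UnsafeDelegations,
            [string]$ResourcePattern
        )

        foreach ($Entry in @($ADelegReport)) {
            if ($null -eq $Entry) { continue }
            if ($Entry.Category -notmatch 'Allow') { continue }
            if ($Entry.Trustee -notmatch $UnsafeTrustees) { continue }
            if ($Entry.Details -notmatch $UnsafeDelegations) { continue }
            if ($ResourcePattern -and ($Entry.Resource -notmatch $ResourcePattern)) { continue }
            [pscustomobject]@{
                Trustee     = $Entry.Trustee
                TrusteeType = $Entry.'Trustee Type'
                Resource    = $Entry.Resource
                Category    = $Entry.Category
                Delegations = $Entry.Details
            }
        }
    }

    # Find insecure trustee delegations: dangerous rights held by an unsafe
    # trustee on any resource.
    function Find-InsecureTrusteeDelegations {
        [CmdletBinding()]
        Param(
            $ADelegReport,
            $UnsafeTrustees,
            $UnsafeDelegations
        )

        Select-InsecureDelegation -ADelegReport $ADelegReport `
            -UnsafeTrustees $UnsafeTrustees -UnsafeDelegations $UnsafeDelegations
    }

    # Find insecure resource delegations: the subset of the above whose
    # resource is a Tier-0 object.
    function Find-InsecureResourceDelegations {
        [CmdletBinding()]
        Param(
            $ADelegReport,
            $UnsafeTrustees,
            $Tier0Resources,
            $UnsafeDelegations
        )

        Select-InsecureDelegation -ADelegReport $ADelegReport `
            -UnsafeTrustees $UnsafeTrustees -UnsafeDelegations $UnsafeDelegations `
            -ResourcePattern $Tier0Resources
    }

    # Trustees that should never hold the rights below. These are regex
    # alternatives, so every entry must be a literal name with metacharacters
    # escaped. NOTE(review): assumes ADeleg prints trustee names as text such as
    # "Domain Users" / "Everyone" rather than SIDs - confirm against a report.
    $UnsafeTrustees = 'Domain Users|Authenticated Users|Everyone'
    # Tier-0 principals and containers. "(OU)" and "(container)" are escaped so
    # they match the literal text; unescaped they would be regex groups and
    # "Users (container)" could only ever match "Users container".
    $Tier0Resources = 'Account Operators|Administrator|Administrators|AdminSDHolder|Backup Operators|Cryptographic Operators|Distributed COM Users|Domain Admins|Domain Controllers|Domain Controllers \(OU\)|Domain root object|DnsAdmins|Enterprise Admins|GPO linked to Tier Zero container|krbtgt|Print Operators|RODC computer object|Schema Admins|Server Operators|Users \(container\)'
    # Rights that amount to control of the object. 'delete' alone already covers
    # "delete child objects" and "add/delete delegations"; they stay for clarity.
    $UnsafeDelegations = 'owns|write all properties|create child objects|delete child objects|Change the owner|add/delete delegations|delete'

    # Rights granted to a group the current user belongs to are reachable by
    # this user, so those groups are treated as unsafe trustees too. Tier-0
    # groups are excluded, otherwise an admin running the tool would flag every
    # legitimate admin right. Names are regex-escaped and joined with '|' so
    # the result is a valid alternation (a space-joined array is not).
    $NonTier0Groups = @(Get-CurrentUserGroups | Where-Object { $_ -and ($_ -notmatch $Tier0Resources) })
    if ($NonTier0Groups.Count -gt 0) {
        $UnsafeTrustees += '|' + (($NonTier0Groups | ForEach-Object { [regex]::Escape($_) }) -join '|')
    }

    # One timestamp for every file written by this run, so the report that is
    # imported is the one ADeleg just produced even across midnight.
    $DateStamp = Get-Date -Format ddMMyyyy
    $ReportName = "ADelegReport_$DateStamp.csv"

    #ASCII!
    Write-Host @"

Go, go ADeleginator!

                .'|
                | |    _ _
                | |   (_X_)
                | |     |
               ``.|_.-"-._
                |.-"""-.|
              _;.-"""-.;_
          _.-' _..-.-.._ '-._
         ';--.-(_o_I_o_)-.--;'
          ``. | | | | | | .``
           ``-\| | | |/-'
              | | | |
              | \_/ |
         _.'; ._._. ;'._
     _.-'``; |  \ - /  | ;'-.
   .'  :  /  |  |  |  \  :  '.
  /  :  /__  \  \___/  /  __\  :  ``.
 /   |  /  '._/_\_.'  \  :  ``\
/   .  ``---;"""""'-----``  .  \
/   |       |()   ()|       \
/  /|       |       |\       \
/ / |       |()   ()|       \ \
|                             |
\ \ |  ][   |       |   ][  | / /
 \ \ ;=""====='"""'====""==; / /
  |/``\ \/ |()      ()|  \/ /``\|
  |_/.-';  |          |``-.\_|
  /   |   ;     :     \
  |__.|   |     |.__|
      ;   |     |
      |   :     ;
      |   :     |
      ;   |     |
      ;   |     ;
      |   :     |
      |   |     ;
      |   |     ;
     '-._ ;   _.-'
      ``;"--.....--";``
      |  |     |  |
      |  |     |  |
      |  |     |  |
      T----T   T----T
 _..._L____J   L____J _..._
.`` "-. ``%   |   |   %`` .-" ``.
/        \  .:     :.  /        \
'-..___|_..=:``       ``-:=.._|___..-'
                                 diddle by VK

 ____ ___  ____ _    ____ ____ _ _  _ ____ ___ ____ ____
 |__| |  \ |___ |    |___ | __ | |\ | |__|  |  |  | |__/
 |  | |__/ |___ |___ |___ |__] | | \| |  |  |  |__| |  \

 by: Spencer Alessi @techspence v0.1

"@

    if (-not (Test-Path -LiteralPath $PathToADeleg -PathType Leaf)) {
        Write-Warning "ADeleg not found at '$PathToADeleg'. Download and place ADeleg.exe in the same folder as this script (or pass -PathToADeleg), then run ADeleginator again."
        Write-Warning "You can download ADeleg from here: https://github.com/mtth-bfft/adeleg/releases"
        # 'return', not 'break': break would abort the caller's script/pipeline.
        return
    }

    # Supply-chain check: ADeleg runs with the caller's AD credentials, so make
    # sure the binary is the one you expect before handing it those rights.
    if ($ADelegSha256) {
        $ActualHash = (Get-FileHash -LiteralPath $PathToADeleg -Algorithm SHA256).Hash
        if ($ActualHash -ne $ADelegSha256.Trim()) {
            Write-Warning "Refusing to run '$PathToADeleg': SHA-256 $ActualHash does not match the expected $ADelegSha256."
            return
        }
    } else {
        Write-Warning "ADeleg.exe integrity was not verified (no -ADelegSha256 given). It runs with your AD credentials; make sure it came from a release you trust."
    }

    Write-Host "[i] Running ADeleg and creating $ReportName"

    if (-not (Create-ADelegReport -PathToADeleg $PathToADeleg -ReportName $ReportName -Server $Server)) {
        Write-Warning "No ADeleg report was produced; nothing to analyse."
        return
    }

    $ADelegReport = @(Import-Csv -LiteralPath $ReportName)
    if ($ADelegReport.Count -eq 0) {
        Write-Warning "$ReportName is empty; nothing to analyse."
        return
    }

    Write-Host "[i] Checking for insecure trustee/resource delegations..."

    $InsecureTrusteeDelegations = @(Find-InsecureTrusteeDelegations -ADelegReport $ADelegReport -UnsafeTrustees $UnsafeTrustees -UnsafeDelegations $UnsafeDelegations)

    $InsecureResourceDelegations = @(Find-InsecureResourceDelegations -ADelegReport $ADelegReport -UnsafeTrustees $UnsafeTrustees -Tier0Resources $Tier0Resources -UnsafeDelegations $UnsafeDelegations)

    $TrusteeReportName = "ADeleg_InsecureTrusteeDelegationReport_$DateStamp.csv"
    if ($InsecureTrusteeDelegations.Count -gt 0) {
        Write-Host "[!] Insecure trustee delegations found. Exporting report: $TrusteeReportName" -ForegroundColor Red
        $InsecureTrusteeDelegations | Export-Csv -LiteralPath $TrusteeReportName -NoTypeInformation
    } else {
        Write-Host "[+] No insecure trustee delegations found. Eureka!" -ForegroundColor Green
    }

    $ResourceReportName = "ADeleg_InsecureResourceDelegationReport_$DateStamp.csv"
    if ($InsecureResourceDelegations.Count -gt 0) {
        Write-Host "[!] Insecure resource delegations found. Exporting report: $ResourceReportName" -ForegroundColor Red
        $InsecureResourceDelegations | Export-Csv -LiteralPath $ResourceReportName -NoTypeInformation
    } else {
        Write-Host "[+] No insecure resource delegations found. Eureka!" -ForegroundColor Green
    }

    Write-Host "`n`nThank you for using ADeleginator. Godspeed! :O)`n"
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ADeleginator
A tool to find insecure trustee and resource delegations in Active Directory

```
 ____ ___  ____ _    ____ ____ _ _  _ ____ ___ ____ ____
 |__| |  \ |___ |    |___ | __ | |\ | |__|  |  |  | |__/
 |  | |__/ |___ |___ |___ |__] | | \| |  |  |  |__| |  \

 by: Spencer Alessi @techspence v0.1

Go, go ADeleginator!

                .'|
                | |    _ _
                | |   (_X_)
                | |     |
               `.|_.-"-._
                |.-"""-.|
              _;.-"""-.;_
          _.-' _..-.-.._ '-._
         ';--.-(_o_I_o_)-.--;'
          `. | | | | .`
           `-\| | | |/-'
              | | | |
              | \_/ |
         _.'; ._._. ;'._
     _.-'`; |  \ - /  | ;'-.
   .'  :  /  |  |  |  \  :  '.
  /  :  /__  \  \___/  /  __\  :  `.
 /   |  /  '._/_\_.'  \  :  `\
/   .  `---;"""""'-----`.  \
/   |       |()   ()|       \
/  /|       |       |\       \
/ / |       |()   ()|       \ \
\ \ |  ][   |       |   ][  | / /
 \ \ ;=""====='"""'====""==; / /
  |/`\ \/ |()      ()|  \/ /`\|
  |_/.-';  |          |`-.\_|
  /   |   ;     :     \
  |__.|   |     |.__|
      ;   |     |
      |   :     ;
      |   :     |
      ;   |     |
      ;   |     ;
      |   :     |
      |   |     ;
      |   |     ;
     '-._ ;   _.-'
      `;"--.....--";`
      |  |     |  |
      |  |     |  |
      |  |     |  |
      T----T   T----T
 _..._L____J   L____J_..._
.` "-. `%   |   |   %` .-" `.
/        \  .:     :.  /        \
'-..___|_..=:`       `:=.._|___..-'
                                 diddle by VK
```

# How to run
1. Copy `Invoke-ADeleginator.ps1` to your system or `git clone https://github.com/techspence/ADeleginator`
2. Download [ADeleg.exe](https://github.com/mtth-bfft/adeleg/releases) and place it in the same folder as `Invoke-ADeleginator.ps1` (or point to it with `-PathToADeleg`)
3. Open PowerShell, navigate to the location of `Invoke-ADeleginator.ps1` and dot source it using: `. .\Invoke-ADeleginator.ps1`
4. Run with: `Invoke-ADeleginator` (add `-Server <dc>` to target a specific domain controller)

# Before you run it
- ADeleg.exe is a third-party binary that runs with your Active Directory credentials. Record the SHA-256 of the release you downloaded and pass it as `-ADelegSha256 <hash>`; ADeleginator refuses to run the binary if the hash does not match. Without the parameter the binary is not verified and a warning is printed.
- The CSV files written to the working directory (`ADelegReport_*.csv`, `ADeleg_Insecure*DelegationReport_*.csv`) describe your domain's ACLs. Treat them as sensitive; `.gitignore` already excludes `*.csv` so they are not committed by accident.
- "Insecure" is decided by substring matching against fixed lists of trustees, Tier-0 resources and rights, plus the groups the current user is a direct member of. Review the findings rather than treating them as a complete or authoritative list.
--------------------------------------------------------------------------------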