该脚本使用WMI来获取服务的ACL,并识别非管理员的DC、WD或WO权限。
这些权限中的任何一个都允许持有该权限的用户立即提升到localsystem。
代码语言:javascript复制$DebugPreference = "Continue"
$services = (Get-WmiObject Win32_Service -EnableAllPrivileges)
foreach ($srv in $services)
{
$sd = ($srv.GetSecurityDescriptor())
if ($sd.ReturnValue -ne 0)
{
Write-Debug ("Service: " $srv.name "`tError " $sd.ReturnValue) -ErrorAction SilentlyContinue
continue
}
$SDDL = ([wmiclass]"win32_SecurityDescriptorHelper").Win32SDtoSDDL($sd.Descriptor).SDDL
foreach ($ACE in $sddl.split("()"))
{
if ($ACE.Split(";")[0] -ne "A")
{
continue #as we have non "allow something" ACE
}
# we should have set of permissions in the $ACE.Split(";")[2]
# and the security principal (user/group/etc) in the $ACE.Split(";")[5]
if ( ($ACE.Split(";")[2]).Contains("WD") -or ($ACE.Split(";")[2]).Contains("WO") -or ($ACE.Split(";")[2]).Contains("DC") )
{
if ( (($ACE.Split(";")[5]) -eq "BA") -or (($ACE.Split(";")[5]) -eq "SY"))# we do not care about local administrators and localsystem as they should have such permissions
{
continue
}
$PrincipalName = ($ACE.Split(";")[5])
if ($PrincipalName.StartsWith("S-1-5-"))
{
$SID = New-Object System.Security.Principal.SecurityIdentifier(($ACE.Split(";")[5]))
$PrincipalName = $SID.Translate([System.Security.Principal.NTAccount]).Value
}
Write-Host $srv.Name - $ACE.Split(";")[2] - $ACE.Split(";")[5] - $PrincipalName
}
}
}
参考:
https://support.microsoft.com/en-us/help/914392/best-practices-and-guidance-for-writers-of-service-discretionary-acces
