Revisions
IISResetMe revised this gist
Jul 30, 2021 . 1 changed file with 24 additions and 0 deletions.
@@ -0,0 +1,24 @@ # Discover schema NC $rootDSE = Get-ADRootDSE $schemaNC = $rootDSE.schemaNamingContext # Discover schema master $schemaMaster = Get-ADObject $schemaNC -Properties fSMORoleOwner | Get-ADDomainController -Identity { $_.fSMORoleOwner } # Re-bind against RootDSE on schema master $rootDSE = [ADSI]::new("LDAP://$($schemaMaster.HostName)/RootDSE") # Prepare to refresh the schema!!! $schemaRefresh = { $rootDSE.Put("schemaUpdateNow", 1) $rootDSE.SetInfo() } # Fetch msExchStorageGroup schema object $schemaObject = Get-ADObject -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msExchStorageGroup))' # Update schema object Set-ADObject -Identity $schemaObject.distinguishedName -Remove @{possSuperiors = 'computer'} -Server $schemaMaster # Refresh schema & $schemaRefresh
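Review bot: The `$schemaObject = Get-ADObject -LDAPFilter ...` lookup has no `-SearchBase`, so it queries the default naming context rather than the schema partition and will most likely return nothing, leaving `Set-ADObject -Identity` with a null value; it should pass `-SearchBase $schemaNC -Server $schemaMaster.HostName -Properties possSuperiors`. The write also hands the whole controller object to `-Server` where the re-bind line uses `$schemaMaster.HostName`; using the host name in both places keeps the lookup, the change and the `schemaUpdateNow` refresh on the same server. Because the removal replicates forest-wide, I would add a guard such as `if (@($schemaObject).Count -ne 1) { throw 'expected exactly one msExchStorageGroup class' }` and record the existing `possSuperiors` values before `Set-ADObject` runs, so the change can be verified and reverted.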
IISResetMe renamed this gist
Jul 30, 2021 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes. -
IISResetMe created this gist
Jul 30, 2021
@@ -0,0 +1,34 @@ # Dictionary to hold superclass names $superClass = @{} # List to hold class names that inherit from container and are allowed to live under computer object $vulnerableSchemas = [System.Collections.Generic.List[string]]::new() # Resolve schema naming context $schemaNC = (Get-ADRootDSE).schemaNamingContext # Enumerate all class schemas $classSchemas = Get-ADObject -LDAPFilter '(objectClass=classSchema)' -SearchBase $schemaNC -Properties lDAPDisplayName,subClassOf,possSuperiors # Enumerate all class schemas that computer is allowed to contain $computerInferiors = $classSchemas |Where-Object possSuperiors -eq 'computer' # Populate superclass table $classSchemas |ForEach-Object { $superClass[$_.lDAPDisplayName] = $_.subClassOf } # Resolve class inheritance for computer inferiors $computerInferiors |ForEach-Object { $class = $cursor = $_.lDAPDisplayName while($superClass[$cursor] -notin 'top'){ if($superClass[$cursor] -eq 'container'){ $vulnerableSchemas.Add($class) break } $cursor = $superClass[$cursor] } } # Outpupt list of vulnerable class schemas $vulnerableSchemas
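Review bot: The `Where-Object possSuperiors -eq 'computer'` filter reads only each class's own `possSuperiors`, so a class that allows `computer` as a parent through `systemPossSuperiors`, or (as far as I can tell) inherits that permission from a superclass, is never reported and the audit can under-count. Add `systemPossSuperiors` to `-Properties` and test both attributes, e.g. `Where-Object { $_.possSuperiors -contains 'computer' -or $_.systemPossSuperiors -contains 'computer' }`. The inheritance walk also stops only on `'top'`, so a class whose `subClassOf` is missing from `$superClass` would index the table with `$null`; a check like `if (-not $superClass.ContainsKey($cursor)) { break }` at the top of the loop makes that case explicit. The last comment has a typo (`# Outpupt` should be `# Output`).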