ScriptSentry

Primary language: PowerShell

ScriptSentry finds misconfigured and dangerous logon scripts.

Additional Planned Features

  • Write a blog post about this tool/why I made it
  • Create an official release
  • Publish to PSGallery
  • Multi domain/forest support
  • Return results as PowerShell objects instead of text
  • Additional regexes to find other dangerous content in logon scripts

Installing & Running

# Clone, import and run, display results on the console
git clone https://github.com/techspence/ScriptSentry
cd ScriptSentry
Import-Module .\ScriptSentry.psm1
Invoke-ScriptSentry

# Run ScriptSentry and save results to a file (the target folder must already exist)
Invoke-ScriptSentry | Out-File c:\temp\ScriptSentry.txt

# Run the standalone ScriptSentry script
git clone https://github.com/techspence/ScriptSentry
cd ScriptSentry
.\ScriptSentry.ps1

# Customize & build it yourself
git clone https://github.com/techspence/ScriptSentry
cd ScriptSentry
.\Build\Build-Module.ps1
Import-Module .\ScriptSentry.psm1
Invoke-ScriptSentry

Example Output

 _______  _______  _______ _________ _______ _________ _______  _______  _       _________ _______
(  ____ \(  ____ \(  ____ )\__   __/(  ____ )\__   __/(  ____ \(  ____ \( (    /|\__   __/(  ____ )|\     /|
| (    \/| (    \/| (    )|   ) (   | (    )|   ) (   | (    \/| (    \/|  \  ( |   ) (   | (    )|( \   / )
| (_____ | |      | (____)|   | |   | (____)|   | |   | (_____ | (__    |   \ | |   | |   | (____)| \ (_) /
(_____  )| |      |     __)   | |   |  _____)   | |   (_____  )|  __)   | (\ \) |   | |   |     __)  \   /
      ) || |      | (\ (      | |   | (         | |         ) || (      | | \   |   | |   | (\ (      ) (
/\____) || (____/\| ) \ \_____) (___| )         | |   /\____) || (____/\| )  \  |   | |   | ) \ \__   | |
\_______)(_______/|/   \__/\_______/|/          )_(   \_______)(_______/|/    )_)   )_(   |/   \__/   \_/
                              by: Spencer Alessi @techspence
                                          v0.1                                
[!] UNSAFE ACL FOUND!
- File: \\eureka.local\sysvol\eureka.local\scripts\run.vbs
- User: BUILTIN\Server Operators
- Rights: ReadAndExecute, Synchronize

[!] Admins found with logon scripts
- User: LDAP://CN=Administrator,CN=Users,DC=eureka,DC=local
- logonscript: run.vbs

- User: LDAP://CN=it admin,OU=Admins,OU=Eureka,DC=eureka,DC=local
- logonscript: test.cmd

[!] CREDENTIALS FOUND!
- File: \\eureka.local\sysvol\eureka.local\scripts\test.cmd
        - Credential: net use g: \\eureka-dc01\fileshare1 /user:user1 Password3355!
        - Credential: net use h: \\eureka-dc01\fileshare1\accounting /user:userfoo Password5!
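The output above shows the three kinds of findings ScriptSentry reports. The script below is an added example, not ScriptSentry's own code: it reimplements two of those checks, embedded `net use` credentials and write access for principals that should not be able to modify a logon script, against constructed sample scripts in a temp folder so it runs without a domain. The folder name, the sample scripts and their fake credentials, the credential regex and the allow-listed identities are all assumptions made for the demonstration; the "admins with logon scripts" check needs an LDAP query and is not shown.

```powershell
# Added example, not ScriptSentry's code. Everything below runs against a
# temp folder; point $scriptDir at \\<domain>\sysvol\<domain>\scripts to run
# the same logic against real logon scripts.
$scriptDir = Join-Path $env:TEMP 'ScriptSentryDemo'   # assumed demo location
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null

# Constructed sample logon scripts (server names, users and passwords are fake).
@'
@echo off
net use g: \\eureka-dc01\fileshare1 /user:user1 Password3355!
net use h: \\eureka-dc01\fileshare1\accounting /user:userfoo Password5!
'@ | Set-Content -Path (Join-Path $scriptDir 'test.cmd')

@'
Set objNet = CreateObject("WScript.Network")
objNet.MapNetworkDrive "p:", "\\eureka-dc01\public"
'@ | Set-Content -Path (Join-Path $scriptDir 'run.vbs')

# 1) Credentials in scripts: "net use <drive> <unc path> /user:<name> <password>"
#    (assumed pattern; a drive mapping with /user: but no trailing password
#    prompts interactively and is not matched).
$credPattern = '(?i)net\s+use\s+\S+\s+\\\\\S+\s+/user:\S+\s+\S+'
Get-ChildItem -Path $scriptDir -Include *.cmd, *.bat, *.vbs, *.ps1 -Recurse |
    Select-String -Pattern $credPattern |
    ForEach-Object {
        Write-Output "[!] CREDENTIALS FOUND!"
        Write-Output "- File: $($_.Path)"
        Write-Output "        - Credential: $($_.Line.Trim())"
    }

# 2) ACLs that let a principal change a script. Whoever can write a logon
#    script runs code as every user it is assigned to, including admins.
#    Identities assumed safe for the demo; extend for your environment.
$safeIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

Get-ChildItem -Path $scriptDir -File -Recurse | ForEach-Object {
    $file = $_.FullName
    (Get-Acl -Path $file).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $writeRights) -ne 0) -and
            ($safeIdentities -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object {
            Write-Output "[!] UNSAFE ACL FOUND!"
            Write-Output "- File: $file"
            Write-Output "- User: $($_.IdentityReference.Value)"
            Write-Output "- Rights: $($_.FileSystemRights)"
        }
}

# Clean up the demo folder.
Remove-Item -Path $scriptDir -Recurse -Force
```

Run as-is, the credential check reports both `net use` lines in test.cmd and nothing from run.vbs, and the ACL check flags your own account's inherited FullControl on the temp files, which is the expected result for files you just created. Against SYSVOL the same ACL pass shows which domain principals can tamper with scripts, and the allow list should be widened to the groups that legitimately manage them before treating every hit as a finding.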