<#
.SYNOPSIS
Interactive manager for AdminSDHolder-Toolkit.
.DESCRIPTION
Central launcher with menu-driven interface and non-interactive -Action mode.
Actions:
Audit - Audit orphaned AdminCount accounts (read-only)
Detect - Scan AdminSDHolder ACL for backdoors (read-only)
FullAudit - Audit + Detect combined (read-only)
Cleanup - Remediate orphaned AdminCount accounts (writes to AD)
Repair - Remove unauthorized ACL entries from AdminSDHolder (writes to AD)
Backdoor - Insert a GenericAll backdoor ACE on AdminSDHolder (writes to AD)
.PARAMETER Action
Optional. Run a specific action without showing the menu. Note that the Backdoor action still prompts on the console (Read-Host) for the target SamAccountName and the remove-ACE choice, so it is not fully unattended.
Valid values: Audit, Detect, FullAudit, Cleanup, Repair, Backdoor
.EXAMPLE
.\AdminSDHolder.ps1
.EXAMPLE
.\AdminSDHolder.ps1 -Action FullAudit
.NOTES
Author: franckferman
#>
param (
    [ValidateSet("Audit", "Detect", "FullAudit", "Cleanup", "Repair", "Backdoor")]
    [string]$Action
)

# The launcher dispatches to child scripts located in Public/ next to this
# file. They are invoked with the call operator and therefore run as the
# current user (see Invoke-ToolkitAction); keep that directory out of reach
# of anyone who must not be able to run AD-modifying actions.
$ScriptRoot = $PSScriptRoot
$PublicPath = Join-Path $ScriptRoot 'Public'

# Verify every toolkit script exists up front, so a missing file surfaces at
# start-up rather than when an option is selected.
$RequiredScripts = @(
    "Get-AdminSDHolderACL.ps1",
    "Invoke-AdminSDHolderCleanup.ps1",
    "Repair-AdminSDHolderACL.ps1",
    "Add-AdminSDHolderBackdoor.ps1"
)
$Missing = foreach ($ScriptName in $RequiredScripts) {
    if (-not (Test-Path -LiteralPath (Join-Path $PublicPath $ScriptName))) {
        $ScriptName
    }
}
if ($Missing) {
    Write-Host "[!] Missing scripts in Public/:" -ForegroundColor Red
    foreach ($ScriptName in $Missing) {
        Write-Host " - $ScriptName" -ForegroundColor Red
    }
    Exit 1
}
function Show-Banner {
    <#
    .SYNOPSIS
    Clears the console and prints the toolkit title box in cyan.
    #>
    Clear-Host
    Write-Host ""
    $Border = " =========================================================="
    $BoxLines = @(
        $Border,
        " = =",
        " = AdminSDHolder-Toolkit =",
        " = Active Directory Persistence Toolkit =",
        " = =",
        $Border
    )
    foreach ($BoxLine in $BoxLines) {
        Write-Host $BoxLine -ForegroundColor Cyan
    }
    Write-Host ""
}
function Show-Menu {
    <#
    .SYNOPSIS
    Prints the option menu, colour-coded by impact.
    .DESCRIPTION
    White entries are read-only audits, yellow entries modify Active Directory,
    and the red entry is the offensive backdoor action. Section headers,
    separators and the Quit entry are printed in dark gray.
    #>
    $Rule  = " ----------------------------------------------------------"
    $Blank = " | |"
    $Rows = @(
        @{ Text = $Rule;                                           Color = 'DarkGray' },
        @{ Text = " | AUDIT (read-only) |";                        Color = 'DarkGray' },
        @{ Text = " | [1] Audit orphaned AdminCount accounts |";   Color = 'White' },
        @{ Text = " | [2] Detect AdminSDHolder ACL backdoors |";   Color = 'White' },
        @{ Text = " | [3] Full Audit (1 + 2) |";                   Color = 'White' },
        @{ Text = $Blank;                                          Color = 'DarkGray' },
        @{ Text = " | REMEDIATION (modifies AD) |";                Color = 'DarkGray' },
        @{ Text = " | [4] Cleanup orphaned AdminCount accounts |"; Color = 'Yellow' },
        @{ Text = " | [5] Repair AdminSDHolder ACL |";             Color = 'Yellow' },
        @{ Text = $Blank;                                          Color = 'DarkGray' },
        @{ Text = " | OFFENSIVE |";                                Color = 'DarkGray' },
        @{ Text = " | [6] Insert AdminSDHolder backdoor ACE |";    Color = 'Red' },
        @{ Text = $Blank;                                          Color = 'DarkGray' },
        @{ Text = " | [Q] Quit |";                                 Color = 'DarkGray' },
        @{ Text = $Rule;                                           Color = 'DarkGray' }
    )
    foreach ($Row in $Rows) {
        Write-Host $Row.Text -ForegroundColor $Row.Color
    }
    Write-Host ""
}
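function Invoke-ToolkitAction {
    <#
    .SYNOPSIS
    Dispatches a menu digit or -Action name to the matching child script in Public/.
    .DESCRIPTION
    Each handler accepts both the menu number ("1".."6") and the -Action name.
    Audit, Detect and FullAudit call the child scripts without -Remediate;
    Cleanup and Repair pass -Remediate and therefore write to Active Directory;
    Backdoor prompts for a SamAccountName and, optionally, asks the child script
    to remove the ACE again after validation. Anything else prints an error.
    No confirmation is requested here for the write actions; any safeguard has
    to be provided by the child scripts themselves.
    .PARAMETER SelectedAction
    Menu digit or action name. Constrained by ValidateSet when it comes from
    -Action; free console text when it comes from the interactive menu.
    #>
    param([string]$SelectedAction)

    Write-Host ""
    switch ($SelectedAction) {
        { $_ -in "1", "Audit" } {
            # Documented as read-only: relies on the child script defaulting to
            # a dry run when -Remediate is not supplied.
            & (Join-Path $PublicPath "Invoke-AdminSDHolderCleanup.ps1")
        }
        { $_ -in "2", "Detect" } {
            & (Join-Path $PublicPath "Get-AdminSDHolderACL.ps1")
        }
        { $_ -in "3", "FullAudit" } {
            Write-Host " === PHASE 1: Orphaned AdminCount Audit ===" -ForegroundColor Cyan
            & (Join-Path $PublicPath "Invoke-AdminSDHolderCleanup.ps1")
            Write-Host ""
            Write-Host " === PHASE 2: AdminSDHolder ACL Backdoor Scan ===" -ForegroundColor Cyan
            & (Join-Path $PublicPath "Get-AdminSDHolderACL.ps1")
        }
        { $_ -in "4", "Cleanup" } {
            # Writes to AD.
            & (Join-Path $PublicPath "Invoke-AdminSDHolderCleanup.ps1") -Remediate
        }
        { $_ -in "5", "Repair" } {
            # Writes to AD.
            & (Join-Path $PublicPath "Repair-AdminSDHolderACL.ps1") -Remediate
        }
        { $_ -in "6", "Backdoor" } {
            # Still interactive even when reached via -Action: the target is
            # read from the console. Reject an empty name here instead of
            # handing a blank -Account to the child script.
            $TargetAccount = (Read-Host " Account SamAccountName").Trim()
            if ([string]::IsNullOrWhiteSpace($TargetAccount)) {
                Write-Host " [!] No account specified; aborting." -ForegroundColor Red
                return
            }
            $RemoveChoice = Read-Host " Remove ACE after validation? (Y/N)"
            # Splat -Remove only on an explicit Y/y so the child's default applies otherwise.
            $RemoveSwitch = if ($RemoveChoice -match "^[Yy]$") { @{ Remove = $true } } else { @{} }
            & (Join-Path $PublicPath "Add-AdminSDHolderBackdoor.ps1") -Account $TargetAccount @RemoveSwitch
        }
        default {
            Write-Host " [!] Invalid selection." -ForegroundColor Red
        }
    }
}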
# Non-interactive mode: run the requested action once and leave. The Backdoor
# action still reads its target from the console. Note that a bare Exit
# reports success to the caller regardless of what the child script did.
if (-not [string]::IsNullOrEmpty($Action)) {
    Show-Banner
    Write-Host " [*] Running: $Action" -ForegroundColor Yellow
    Invoke-ToolkitAction -SelectedAction $Action
    Exit
}
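# Interactive menu loop: redraw banner and menu, read a choice, dispatch it,
# pause, and repeat until the operator enters Q/q.
while ($true) {
    Show-Banner
    Show-Menu
    $Choice = Read-Host " Select an option"
    if ($Choice -match "^[Qq]$") {
        Write-Host ""
        Write-Host " Goodbye." -ForegroundColor Cyan
        Write-Host ""
        break
    }
    Invoke-ToolkitAction -SelectedAction $Choice
    Write-Host ""
    # Discard the Read-Host result; otherwise whatever was typed at the prompt
    # (normally an empty line) is emitted to the script's output stream.
    $null = Read-Host " Press ENTER to return to menu"
}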