Comments (4)
It is displayed below in the user & computer section with all the users / computers impacted.
from pingcastle.
I see the concerned user in this example:
But I don't see which abnormal primary group ID/name it has.
@cnotin is there any need to know what the primary group was? Did you notice any wrong detection, or were you able to change the primary group just to be "domain-users"? Reading the text, you could use PowerShell.... more about that later.
I would add the following questions:
- How about a user that is ONLY a member of a self-created group "service accounts" or something like that?
- Am I wrong with the assumption that you should focus on admins here? The detection rule and the PowerShell search example should be more detailed, or it should be split into two RuleIDs.
  2.1. One rule (the existing one) could validate the critical objects (any admincount=1 user & DomainController) and add a total of 15 points.
  2.2. Second rule (a new one) could validate any non-critical object and add a total of 0 points, just to make someone aware of that uncommon configuration.
- The PowerShell example is only for users and misses Computers and DomainController!
Regarding the PowerShell check:
I was just doing the following, which lists users not having the common primary group:

```powershell
Get-ADUser -Properties PrimaryGroupID -Filter 'PrimaryGroupID -ne 512 -and PrimaryGroupID -ne 513 -and PrimaryGroupID -ne 514'
```

But you might need some more complex query for a user check like that:

```powershell
# Resolve the DistinguishedName of the three default groups from their
# well-known RIDs, so that memberships can be compared by DN below.
$DefaultUserMemberOfGroupsDNs = @()
$DomainSID = (Get-ADDomain).DomainSID
foreach ($ID in "512","513","514") {
    $WellKnownSid = $DomainSID.Value + '-' + $ID
    $DefaultUserMemberOfGroupsDNs += (Get-ADGroup -Filter 'SID -eq $WellKnownSid').DistinguishedName
}
Write-Host -ForegroundColor Green "Default Groups detected:"
$DefaultUserMemberOfGroupsDNs
""
# All users whose primary group is none of the three default groups.
$NonDefaultUsers = Get-ADUser -Properties PrimaryGroupID,MemberOf -Filter 'PrimaryGroupID -ne 512 -and PrimaryGroupID -ne 513 -and PrimaryGroupID -ne 514'
Write-Host -ForegroundColor Green "Listing all Users not having one of the three memberships as default"
$NonDefaultUsers
# Users that are still a regular member of one of the default groups: their
# primary group can be switched back to that group without losing access.
# @() guards against users with an empty MemberOf.
Write-Host -ForegroundColor Green "Listing all Users not having one of the three memberships as default that could be corrected"
$NonDefaultUsers | Where-Object { @(Compare-Object @($_.MemberOf) $DefaultUserMemberOfGroupsDNs -ExcludeDifferent -IncludeEqual).Count -gt 0 }
# Users with no membership in any default group at all (e.g. service accounts
# kept only in a custom group): the non-default primary group may be intended.
Write-Host -ForegroundColor Green "Listing all Users not having one of the three memberships as default but that might be normal for these"
$NonDefaultUsers | Where-Object { @(Compare-Object @($_.MemberOf) $DefaultUserMemberOfGroupsDNs -ExcludeDifferent -IncludeEqual).Count -eq 0 }
```

If you are interested, I might do one for computer/domaincontroller too.
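The comment above covers users only and asks for a computer/domain controller variant. The following is an added example, not code from the thread or from PingCastle: it applies the same "is the object still a member of its expected default group, so the primary group could be switched back" reasoning to users, computers and domain controllers, using the well-known RIDs of the default primary groups. It assumes the ActiveDirectory module and a reachable domain controller, and treats only 513 (Domain Users) as the expected user primary group, unlike the filter above which also tolerates 512 and 514; adjust the table to your own policy.

```powershell
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
# DNs of the DC computer objects, so they are judged against the DC RIDs even
# if their primaryGroupID no longer says 516.
$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

# Well-known RIDs of the default primary groups: 513 Domain Users,
# 515 Domain Computers, 516 Domain Controllers, 521 Read-only Domain Controllers.
$expected = @{ User = @(513); Computer = @(515); DC = @(516, 521) }

# Resolves a RID of this domain to the group's DistinguishedName, or $null.
function Get-GroupDnByRid {
    param([int]$Rid)
    (Get-ADGroup -Filter "SID -eq '$domainSid-$Rid'" -ErrorAction SilentlyContinue).DistinguishedName
}

# Returns one finding for an object whose PrimaryGroupID is outside the allowed set.
function Test-PrimaryGroup {
    param($Object, [string]$Class, [int[]]$AllowedRids)
    if ($AllowedRids -contains $Object.PrimaryGroupID) { return }
    $expectedDns = @($AllowedRids | ForEach-Object { Get-GroupDnByRid $_ } | Where-Object { $_ })
    [pscustomobject]@{
        Class          = $Class
        Name           = $Object.SamAccountName
        PrimaryGroupID = $Object.PrimaryGroupID
        PrimaryGroup   = Get-GroupDnByRid $Object.PrimaryGroupID
        # True when the object is still a regular member of an expected group,
        # i.e. the primary group can be set back without losing access.
        Correctable    = @($Object.MemberOf | Where-Object { $expectedDns -contains $_ }).Count -gt 0
    }
}

$findings = @()
Get-ADUser -Filter * -Properties PrimaryGroupID, MemberOf | ForEach-Object {
    $findings += Test-PrimaryGroup $_ 'User' $expected.User
}
Get-ADComputer -Filter * -Properties PrimaryGroupID, MemberOf | ForEach-Object {
    if ($dcDns -contains $_.DistinguishedName) {
        $findings += Test-PrimaryGroup $_ 'DomainController' $expected.DC
    } else {
        $findings += Test-PrimaryGroup $_ 'Computer' $expected.Computer
    }
}
$findings | Sort-Object Class, Name | Format-Table -AutoSize
```

A finding with Correctable = False is the case the thread flags as "might be normal" (e.g. a service account held only in a custom group) and deserves a manual look rather than an automatic reset.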
Extending PingCastle would mean editing / duplicating this function to have "PrimaryGroup" (DistinguishedName) included here:
https://github.com/vletoux/pingcastle/blob/master/Healthcheck/HealthcheckAnalyzer.cs#L608
Use the new function here https://github.com/vletoux/pingcastle/blob/master/Healthcheck/Healthcheck.cs#L411
...and here https://github.com/vletoux/pingcastle/blob/master/Healthcheck/Healthcheck.cs#L428
And for the output, an if query is needed: if "id" is "sectionbadprimarygroup", then add the "PrimaryGroup" data to https://github.com/vletoux/pingcastle/blob/master/Report/ReportHealthCheckSingle.cs#L1098
As C# is not my native language ;D I cannot go more into detail without having to waste a lot of hours.
If @vletoux wants to expand the table, but make it very wide, this data might help.