Added Sacl enumeration to Get-DomainObjectACL

ExpOrz · Jun 17, 2017 · 7e4d7ee · 7e4d7ee
1 parent d0e4e27
commit 7e4d7ee
Showing 1 changed file with 23 additions and 5 deletions.
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
@@ -7438,7 +7438,8 @@ function Get-DomainObjectAcl {
 <#
 .SYNOPSIS
 
-Returns the ACLs associated with a specific active directory object.
+Returns the ACLs associated with a specific active directory object. By default
+the DACL for the object(s) is returned, but the SACL can be returned with -Sacl.
 
 Author: Will Schroeder (@harmj0y)  
 License: BSD 3-Clause  
@@ -7450,6 +7451,10 @@ A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=
 SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
 Wildcards accepted.
 
+.PARAMETER Sacl
+
+Switch. Return the SACL instead of the DACL for the object (default behavior).
+
 .PARAMETER ResolveGUIDs
 
 Switch. Resolve GUIDs to their display names.
@@ -7511,6 +7516,12 @@ Enumerate the ACL permissions for all OUs in the domain.
 
 .EXAMPLE
 
+Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs -Sacl
+
+Enumerate the SACLs for all OUs in the domain, resolving GUIDs.
+
+.EXAMPLE
+
 $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
 $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
 Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs
@@ -7531,6 +7542,9 @@ Custom PSObject with ACL entries.
         [String[]]
         $Identity,
 
+        [Switch]
+        $Sacl,
+
         [Switch]
         $ResolveGUIDs,
 
@@ -7580,9 +7594,15 @@ Custom PSObject with ACL entries.
 
     BEGIN {
         $SearcherArguments = @{
-            'SecurityMasks' = 'Dacl'
             'Properties' = 'samaccountname,ntsecuritydescriptor,distinguishedname,objectsid'
         }
+
+        if ($PSBoundParameters['Sacl']) {
+            $SearcherArguments['SecurityMasks'] = 'Sacl'
+        }
+        else {
+            $SearcherArguments['SecurityMasks'] = 'Dacl'
+        }
         if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
         if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
         if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
@@ -7655,8 +7675,7 @@ Custom PSObject with ACL entries.
                 }
 
                 try {
-                    New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Object['ntsecuritydescriptor'][0], 0 | Select-Object -Expand DiscretionaryAcl | ForEach-Object {
-
+                    New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Object['ntsecuritydescriptor'][0], 0 | ForEach-Object { if ($PSBoundParameters['Sacl']) {$_.SystemAcl} else {$_.DiscretionaryAcl} } | ForEach-Object {
                         if ($PSBoundParameters['RightsFilter']) {
                             $GuidFilter = Switch ($RightsFilter) {
                                 'ResetPassword' { '00299570-246d-11d0-a768-00aa006e0529' }
@@ -7677,7 +7696,6 @@ Custom PSObject with ACL entries.
 
                         if ($Continue) {
                             $_ | Add-Member NoteProperty 'ActiveDirectoryRights' ([Enum]::ToObject([System.DirectoryServices.ActiveDirectoryRights], $_.AccessMask))
-
                             if ($GUIDs) {
                                 # if we're resolving GUIDs, map them them to the resolved hash table
                                 $AclProperties = @{}