# For: Cobalt Strike Admin Checks
# @Killswitch-GUI
# Ref: http://stackoverflow.com/questions/18674801/administrative-privileges
# http://www.fixitscripts.com/problems/script-to-detect-current-user-and-determine-if-that-user-is-a-local-admin-or-not
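function Invoke-LocalAdminCheck {
<#
.SYNOPSIS
Reports whether the current user is in the local Administrators group and
writes a single status string to the output stream for the caller to parse.
.DESCRIPTION
Two checks are combined. WindowsPrincipal.IsInRole looks at the current
process token, so it is typically $false in a non-elevated (UAC-filtered)
process even when the account is a member of Administrators. Get-SecondCheck
therefore also enumerates the local Administrators group directly.
.PARAMETER Initial
Non-empty when the check runs at agent start-up rather than from the console;
only the emitted string differs.
.OUTPUTS
System.String - one of "[!] Agent-Started-in-LocalAdmin-Context",
"[!] Currently-in-LocalAdmin-Context" or "[!] Current-User-Not-LocalAdmin-Context".
#>
[CmdletBinding()]
param(
    [Parameter(Position=0,ValueFromPipeline=$true)]
    [String[]]
    $Initial
)
process {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Compare against $true explicitly: if the group lookup fails and returns
    # something other than a boolean (e.g. an error string), a plain truthiness
    # test would report admin context that does not exist.
    $inAdminGroup = (Get-SecondCheck) -eq $true

    if ($isAdmin -or $inAdminGroup) {
        if ($Initial) {
            Write-Output "[!] Agent-Started-in-LocalAdmin-Context"
        }
        else {
            Write-Output "[!] Currently-in-LocalAdmin-Context"
        }
    }
    else {
        Write-Output "[!] Current-User-Not-LocalAdmin-Context"
    }
}
}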
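function Get-SecondCheck {
<#
.SYNOPSIS
Returns $true when the current user name is a direct member of the local
Administrators group, otherwise $false.
.DESCRIPTION
Enumerates the members of the local "Administrators" group through the WinNT
ADSI provider and compares their names with $env:username (-contains is
case-insensitive by default). Because this does not depend on the process
token, it reports membership even from a non-elevated process. Only direct
members are returned by the provider: membership inherited through a nested
group is not detected, so a $false result is not proof of non-membership.
.OUTPUTS
System.Boolean - $true if the user is listed, otherwise $false. A failed
lookup also yields $false and reports the error on the warning stream.
#>
[CmdletBinding()]
param()
process {
    try {
        $currentUser = $env:username
        $computer = [ADSI]("WinNT://.,computer")
        $group = $computer.psbase.children.find("Administrators")
        # @() keeps a single member an array so -contains behaves uniformly.
        $adminMembers = @($group.psbase.invoke("Members") |
            ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) })
        return ($adminMembers -contains $currentUser)
    }
    catch {
        # Report on the warning stream, not the output stream: anything written
        # to output becomes the function's return value, and a non-empty string
        # would be treated as $true by a caller testing the result.
        Write-Warning "Script Check Failed: $($_.Exception.Message)"
        return $false
    }
}
}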