{"id":16564578,"url":"https://github.com/techspence/scriptsentry","last_synced_at":"2025-04-06T02:09:35.434Z","repository":{"id":183605398,"uuid":"669358370","full_name":"techspence/ScriptSentry","owner":"techspence","description":"ScriptSentry finds misconfigured and dangerous logon scripts.","archived":false,"fork":false,"pushed_at":"2024-07-23T19:59:49.000Z","size":374,"stargazers_count":321,"open_issues_count":2,"forks_count":32,"subscribers_count":10,"default_branch":"main","last_synced_at":"2024-10-12T20:44:39.737Z","etag":null,"topics":["active-directory","logon-script","script-sentry"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/techspence.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-22T03:17:58.000Z","updated_at":"2024-10-10T13:58:36.000Z","dependencies_parsed_at":"2023-07-25T05:29:01.190Z","dependency_job_id":"f4559198-c83b-4811-97c7-fd145d6eea27","html_url":"https://github.com/techspence/ScriptSentry","commit_stats":null,"previous_names":["techspence/scriptsentry"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techspence%2FScriptSentry","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techspence%2FScriptSentry/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techspence%2FScriptSentry/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techspence%2FScriptSentry/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/techspence","download_url":"https://codeload.github.com/techspence/ScriptSentry/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247423515,"owners_count":20936626,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","logon-script","script-sentry"],"created_at":"2024-10-11T20:44:31.915Z","updated_at":"2025-04-06T02:09:35.411Z","avatar_url":"https://github.com/techspence.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ScriptSentry\n![ScriptSentry](ScriptSentry.png)\n\nScriptSentry finds misconfigured and dangerous logon scripts.\n\n### Read the blog post\nhttps://offsec.blog/hidden-menace-how-to-identify-misconfigured-and-dangerous-logon-scripts/\n\n### Usage\n```PowerShell\n# Run ScriptSentry and display results on the console\nIEX(Invoke-WebRequest 'https://raw.githubusercontent.com/techspence/ScriptSentry/main/Invoke-ScriptSentry.ps1')\nInvoke-ScriptSentry\n\n# Run ScriptSentry and save output to a text file\nIEX(Invoke-WebRequest 'https://raw.githubusercontent.com/techspence/ScriptSentry/main/Invoke-ScriptSentry.ps1')\nInvoke-ScriptSentry | Out-File c:\\temp\\ScriptSentry.txt\n\n# Run ScriptSentry and save results to separate csv files in the current directory\nIEX(Invoke-WebRequest 'https://raw.githubusercontent.com/techspence/ScriptSentry/main/Invoke-ScriptSentry.ps1')\nInvoke-ScriptSentry -SaveOutput $true\n```\n\n### Example Output\n```\n _______  _______  _______ _________ _______ _________ _______  _______  _       _________ _______\n(  ____ \\(  ____ \\(  ____ )\\__   __/(  ____ )\\__   __/(  ____ \\(  ____ \\( (    /|\\__   __/(  ____ )|\\     /|\n| (    \\/| (    \\/| (    )|   ) (   | (    )|   ) (   | (    \\/| (    \\/|  \\  ( |   ) (   | (    )|( \\   / )\n| (_____ | |      | (____)|   | |   | (____)|   | |   | (_____ | (__    |   \\ | |   | |   | (____)| \\ (_) /\n(_____  )| |      |     __)   | |   |  _____)   | |   (_____  )|  __)   | (\\ \\) |   | |   |     __)  \\   /\n      ) || |      | (\\ (      | |   | (         | |         ) || (      | | \\   |   | |   | (\\ (      ) (\n/\\____) || (____/\\| ) \\ \\_____) (___| )         | |   /\\____) || (____/\\| )  \\  |   | |   | ) \\ \\__   | |\n\\_______)(_______/|/   \\__/\\_______/|/          )_(   \\_______)(_______/|/    )_)   )_(   |/   \\__/   \\_/\n                              by: Spencer Alessi @techspence\n                                          v0.6\n                                      __,_______\n                                     / __.==---/ * * * * * *\n                                    / (-'\n                                    `-'\n                            Setting phasers to stun, please wait..\n\n########## Unsafe UNC folder permissions ##########\n\nType                      File                                User          Rights\n----                      ----                                ----          ------\nUnsafeUNCFolderPermission \\\\eureka-dc01\\fileshare1            Everyone FullControl\nUnsafeUNCFolderPermission \\\\eureka-dc01\\fileshare1\\accounting Everyone FullControl\nUnsafeUNCFolderPermission \\\\eureka-dc01\\fileshare1\\IT         Everyone FullControl\n\n\n########## Unsafe logon script permissions ##########\n\nType                        File                                                   User                                                  Rights\n----                        ----                                                   ----                                                  ------\nUnsafeLogonScriptPermission \\\\eureka.local\\sysvol\\eureka.local\\scripts\\elevate.vbs NT AUTHORITY\\Authenticated Users ReadAndExecute, Synchronize\nUnsafeLogonScriptPermission \\\\eureka.local\\sysvol\\eureka.local\\scripts\\run.vbs     NT AUTHORITY\\Authenticated Users ReadAndExecute, Synchronize\nUnsafeLogonScriptPermission \\\\eureka.local\\sysvol\\eureka.local\\scripts\\test.cmd    EUREKA\\Domain Users                      Modify, Synchronize\n\n\n########## Unsafe GPO logon script permissions ##########\n\nType                           File                             User                                        Rights\n----                           ----                             ----                                        ------\nUnsafeGPOLogonScriptPermission \\\\eureka-dc01\\fileshare1\\run.bat EUREKA\\testuser Write, ReadAndExecute, Synchronize\nUnsafeGPOLogonScriptPermission \\\\eureka-dc01\\fileshare1\\run.bat Everyone                               FullControl\n\n\n########## Unsafe UNC file permissions ##########\n\nType                    File                                              User                                        Rights\n----                    ----                                              ----                                        ------\nUnsafeUNCFilePermission \\\\eureka-dc01\\fileshare1\\IT\\securit360pentest.bat Everyone                               FullControl\n\n\n########## Unsafe NETLOGON/SYSVOL permissions ##########\n\nType                 Folder                  User                                          Rights\n----                 ------                  ----                                          ------\nUnsafeNetlogonSysvol \\\\eureka.local\\NETLOGON EUREKA\\Domain Users              Modify, Synchronize\nUnsafeNetlogonSysvol \\\\eureka.local\\SYSVOL   NT AUTHORITY\\Authenticated Users Modify, Synchronize\n\n########## Plaintext credentials ##########\n\nType        File                                                   Credential\n----        ----                                                   ----------\nCredentials \\\\eureka.local\\sysvol\\eureka.local\\scripts\\ADCheck.ps1 $password = ConvertTo-SecureString -String \"Password2468!\" -AsPlainText -Force\nCredentials \\\\eureka.local\\sysvol\\eureka.local\\scripts\\shares.cmd  net use f: \\\\eureka-dc01\\fileshare1\\it /user:itadmin Password2468!\nCredentials \\\\eureka.local\\sysvol\\eureka.local\\scripts\\test.cmd    net use g: \\\\eureka-dc01\\fileshare1 /user:user1 Password3355!\nCredentials \\\\eureka.local\\sysvol\\eureka.local\\scripts\\test.cmd    net use h: \\\\eureka-dc01\\fileshare1\\accounting /user:userfoo Password5!\nCredentials \\\\eureka.local\\sysvol\\eureka.local\\scripts\\logon.kix   Use X: \"\\\\eureka-dc01\\fileshare2\" /USER:itadmin /P:Password2468!\n\n########## Nonexistent Shares ##########\n\nType             Server             Share                                 Script                                                   DNS Exploitable Admins\n----             ------             -----                                 ------                                                   --- ----------- ------\nNonexistentShare CUHOLDING          \\\\CUHOLDING\\QUICKBOOKS                \\\\eureka.local\\sysvol\\eureka.local\\scripts\\marketing.bat No  Potentially No    \nNonexistentShare eureka-srvnotexist \\\\eureka-srvnotexist\\NonExistingShare \\\\eureka.local\\sysvol\\eureka.local\\scripts\\test.cmd      No  Potentially No    \nNonexistentShare NAS                \\\\NAS\\PUBLIC                          \\\\eureka.local\\sysvol\\eureka.local\\scripts\\main.bat      No  Potentially No    \nNonexistentShare NAS                \\\\NAS\\SYMITAR                         \\\\eureka.local\\sysvol\\eureka.local\\scripts\\symregOLD.bat No  Potentially No    \n\n########## Admins with logonscripts ##########\n\nType             User                                                      LogonScript\n----             ----                                                      -----------\nAdminLogonScript LDAP://CN=Administrator,CN=Users,DC=eureka,DC=local       run.vbs\nAdminLogonScript LDAP://CN=it admin,OU=Admins,OU=Eureka,DC=eureka,DC=local elevate.vbs\n\n########## Admins with logonscripts mapped from nonexistent share ##########\n\nType                   Server             Share                                 Script                                              DNS Exploitable Admins                                                                \n----                   ------             -----                                 ------                                              --- ----------- ------                                                                \nExploitableLogonScript eureka-srvnotexist \\\\eureka-srvnotexist\\NonExistingShare \\\\eureka.local\\sysvol\\eureka.local\\scripts\\test.cmd No  Yes  LDAP://eureka.local/CN=it admin,OU=Admins,OU=Eureka,DC=eureka,DC=local\nExploitableLogonScript eureka-srvnotexist \\\\eureka-srvnotexist\\NonExistingShare \\\\eureka.local\\sysvol\\eureka.local\\scripts\\test.cmd No  Yes  LDAP://eureka.local/CN=user1,OU=Users,OU=Eureka,DC=eureka,DC=local  \n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechspence%2Fscriptsentry","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftechspence%2Fscriptsentry","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechspence%2Fscriptsentry/lists"}