ScriptSentry: Detect Misconfigured and Dangerous Logon Scripts

ScriptSentry is a free tool designed to identify misconfigured and dangerous logon scripts in Windows environments. It helps security professionals and system administrators detect:
– Plaintext credentials in logon scripts
– Logon scripts with improper permissions
– Scripts referencing files/folders with insecure permissions
– Admins using logon scripts (potential privilege escalation risks)

🔗 GitHub Repo: github.com/techspence/ScriptSentry

You Should Know: How to Use ScriptSentry & Related Security Checks

1. Install & Run ScriptSentry

# Clone the repository
git clone https://github.com/techspence/ScriptSentry.git
cd ScriptSentry

# Execute ScriptSentry (Admin privileges required)
.\ScriptSentry.ps1

2. Check for Plaintext Passwords in Scripts

Manually search for credentials using PowerShell:

Get-ChildItem -Path "C:\Scripts" -Recurse -Include *.bat,*.ps1,*.vbs | Select-String -Pattern "password|pwd|pass="

3. Verify Script Permissions

Check who can modify logon scripts:

Get-Acl "C:\Scripts\login_script.bat" | Format-List 

Fix insecure permissions:

icacls "C:\Scripts\login_script.bat" /reset 
icacls "C:\Scripts\login_script.bat" /grant "DOMAIN\Admins:(F)" 

4. Detect Weak Folder Permissions

Find writable folders referenced in logon scripts:

Get-ChildItem -Path "C:\Scripts" -Recurse | ForEach-Object {
    $item = $_
    $acl = Get-Acl -LiteralPath $item.FullName
    # Modify and FullControl grant write access but do not stringify as "Write", so match all three
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -notmatch 'Administrators|SYSTEM' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl'
    }
    if ($weak) { Write-Host "Insecure Permissions: $($item.FullName)" }
}

5. Monitor Admin Logon Scripts

List all users with logon scripts:

Get-ADUser -Filter * -Properties ScriptPath | Where-Object { $_.ScriptPath } | Select-Object Name, ScriptPath
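Bringing steps 2, 4 and 5 together, here is an added example (my own code, not part of the ScriptSentry project) that audits each logon script for credential-looking lines and for write access held by principals outside a trusted list. The NETLOGON path, the default trusted principals and the credential regex are assumptions to adjust for your domain.

```powershell
# Added example, not part of the ScriptSentry project. Audits one or more logon
# scripts for plaintext credentials and for write access held by untrusted principals.
function Test-LogonScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$Path,
        # Assumption: only these principals should be able to change logon scripts.
        # Add your own, e.g. 'CONTOSO\Domain Admins'.
        [string[]]$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )
    process {
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            [pscustomobject]@{ Path = $Path; Finding = 'MissingFile'; Detail = 'Script path does not exist' }
            return
        }
        # 1. Credential heuristic: "net use ... /user:x <secret>" or password/pwd/pass assignments.
        #    The (?!/|\*) lookahead skips a following switch or the "*" prompt-for-password marker.
        $credPattern = '(?i)(/user:\S+\s+(?!/|\*)\S+|(password|pwd|pass)\s*[=:]\s*\S+)'
        Select-String -LiteralPath $Path -Pattern $credPattern | ForEach-Object {
            [pscustomobject]@{ Path = $Path; Finding = 'PlaintextCredential'
                               Detail = "Line $($_.LineNumber): $($_.Line.Trim())" }
        }
        # 2. Tampering rights: Write, Delete, ChangePermissions and TakeOwnership. Modify and
        #    FullControl are supersets, so a bitwise test catches them without string matching.
        $tamper = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
        (Get-Acl -LiteralPath $Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $tamper) -ne 0) -and
            ($TrustedPrincipals -notcontains $_.IdentityReference.Value)
        } | ForEach-Object {
            [pscustomobject]@{ Path = $Path; Finding = 'WritableByUntrusted'
                               Detail = "$($_.IdentityReference.Value) has $($_.FileSystemRights)" }
        }
    }
}

# Usage (assumes the ActiveDirectory module and a reachable NETLOGON share):
# Get-ADUser -Filter * -Properties ScriptPath | Where-Object ScriptPath |
#     ForEach-Object { Join-Path "\\$env:USERDNSDOMAIN\NETLOGON" $_.ScriptPath } |
#     Sort-Object -Unique | Test-LogonScript | Format-Table -AutoSize
```

Review every PlaintextCredential hit by hand: the pattern is a heuristic and will flag some comments and variable names that hold no secret.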

What Undercode Says

Logon scripts are a common attack vector in Windows environments. Attackers exploit weak permissions to escalate privileges or steal credentials. Tools like ScriptSentry help automate detection, but manual verification is crucial.

Additional Security Checks:

  • Audit GPO Logon Scripts:
    Get-GPO -All | Where-Object { (Get-GPOReport -Guid $_.Id -ReportType Xml) -match 'Type>(Logon|Startup)<' } | Select-Object DisplayName
    
  • Log Suspicious Modifications:
    Auditpol /set /subcategory:"File System" /success:enable /failure:enable 
    
  • Restrict Script Execution:
    Set-ExecutionPolicy -ExecutionPolicy Restricted -Force 
    
  • Use LAPS for Local Admin Passwords:
    Get-AdmPwdPassword -ComputerName "TargetPC" 
    

Expected Output:

A secured logon script environment with no plaintext credentials, strict permissions, and monitored script changes.

🔗 Further Reading: Microsoft Security Baselines

References:

Reported By: Spenceralessi Github – Hackers Feeds