function Get-CIPPSchedulerBlockedCommands {
    <#
    .SYNOPSIS
    Returns the list of commands that are blocked from execution via the CIPP scheduler.
    .DESCRIPTION
    Denylist of function names that must never run as user-scheduled tasks. The entries
    either return tokens, secrets, keys or credentials, enumerate tenants or SAM
    permissions, bypass CIPP's data access controls by touching storage directly, or
    expose backup data. The list is static and grouped by category; output order is
    fixed (token functions first, backup last).
    .OUTPUTS
    System.String - one blocked command name per output object.
    .NOTES
    This is a denylist, not an allowlist: any new helper that returns credentials or
    performs SAM/CPV configuration must be added here explicitly or it will be callable
    from the scheduler. Consumers presumably match with -in/-contains, which is
    case-insensitive by default in PowerShell - confirm at the call site.
    #>
    [CmdletBinding()]
    param()

    # Token & authentication functions - would exfiltrate access/refresh tokens
    $tokenCommands = @(
        'Get-GraphToken',
        'Get-GraphTokenFromCert',
        'Get-ClassicAPIToken',
        'Get-CIPPAzIdentityToken',
        'Get-CIPPAuthentication',
        'New-CIPPAzServiceSAS'
    )

    # Extension authentication tokens (third-party integrations)
    $extensionTokenCommands = @(
        'Get-GradientToken',
        'Get-HaloToken',
        'Get-NinjaOneToken',
        'Get-SherwebAuthentication',
        'Get-HIBPAuth'
    )

    # Secret & key material - read, write or delete of stored secrets
    $secretCommands = @(
        'Get-CippKeyVaultSecret',
        'Remove-CippKeyVaultSecret',
        'Get-ExtensionAPIKey',
        'Set-ExtensionAPIKey',
        'Remove-ExtensionAPIKey'
    )

    # Tenant enumeration - would reveal full tenant list
    $tenantCommands = @(
        'Get-Tenants'
    )

    # SAM permission enumeration - exposes which permissions the SAM app holds
    $samCommands = @(
        'Get-CippSamPermissions'
    )

    # Direct storage access - bypasses CIPP data access controls
    $storageCommands = @(
        'Get-CIPPTable',
        'Get-CIPPAzDataTableEntity',
        'Get-AzDataTableEntity',
        'Get-AzDataTable',
        'Add-CIPPAzDataTableEntity',
        'Add-AzDataTableEntity',
        'Update-AzDataTableEntity',
        'Remove-AzDataTableEntity',
        'Remove-AzDataTable'
    )

    # Backup & restore
    $backupCommands = @(
        'Get-CIPPBackup'
    )

    # Concatenation order is deliberate: it reproduces the category order above.
    return $tokenCommands +
        $extensionTokenCommands +
        $secretCommands +
        $tenantCommands +
        $samCommands +
        $storageCommands +
        $backupCommands
}