
In our security audits we’ve identified a vulnerability in the use of privileged accounts for desktop support. While it’s necessary to use privileged accounts to deliver support, profiles with cached credentials left on Windows computers can be extracted and used to gain control of the domain. Here is a script to remove the cached profiles of your admin accounts.

Evaluation:

<#
.SYNOPSIS
This script evaluates if certain profiles are present on a Windows device.
.DESCRIPTION
This test script sets a list of unwanted accounts and checks if they are present on a device. It returns a failure if any account in the list is present.
.NOTES
File Name :Remove_Cached_Admins_Eval.ps1
Author :TJ Coppola
Prerequisite :PowerShell 3.0 or later (Get-CimInstance) on Windows 7 and upper
#>

# ADD UNWANTED PROFILES TO THIS ARRAY (names as they appear under C:\Users)
$AccountList = @()

$eval = 0

Foreach ($Account in $AccountList){
    # Anchor on the path separator so 'admin' does not also match 'C:\Users\notadmin'.
    # A domain-suffixed folder such as admin.CORP needs its own entry in $AccountList.
    $instance = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { $_.LocalPath -like ('*\' + $Account) }
    if ($instance){
        Write-Host $Account 'found.'
        $eval = 1
    }else{
        Write-Host $Account 'not found'
    }
}

# Non-zero exit code marks the device as failing the check
Exit $eval

Remediation:

<#
.SYNOPSIS
This script checks if certain profiles are present on a Windows device and removes them.
.DESCRIPTION
This test script sets a list of unwanted account profiles and checks if they are present on a device. It deletes any profile included in that list.
.NOTES
File Name :Remove_Cached_Admins.ps1
Author :TJ Coppola
Prerequisite :PowerShell 3.0 or later (Get-CimInstance) on Windows 7 and upper
#>

# ADD UNWANTED ACCOUNTS TO THIS ARRAY (names as they appear under C:\Users)
$AccountList = @()

Foreach ($Account in $AccountList){
    # Anchor on the path separator so 'admin' does not also match 'C:\Users\notadmin'
    $instance = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { $_.LocalPath -like ('*\' + $Account) }
    if ($instance){
        foreach ($prof in $instance) {
            # Remove-CimInstance cannot delete a profile that is currently loaded (user logged on)
            if ($prof.Loaded) {
                Write-Host $Account 'found but currently loaded. Skipping.'
            } else {
                Write-Host $Account 'found. Deleting.'
                # Deletes the profile folder and its ProfileList registry entry
                $prof | Remove-CimInstance -Confirm:$false
            }
        }
    }else{
        Write-Host $Account 'not found'
    }
}
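The two scripts above key on the folder name, which misses profiles Windows renames on collision (admin.CORP, admin.000) and will try to delete a profile that is still loaded. The following is an added example, not TJ's script, that resolves each profile's SID to its account name, skips special and loaded profiles, and only deletes when run with -Remove (honouring -WhatIf); the account names in $UnwantedAccounts are placeholders.

```powershell
<#
 Added example: find (and optionally remove) cached profiles of privileged accounts.
 Matches on the account name resolved from the profile SID, so renamed folders
 such as C:\Users\svc_admin.CORP are caught. $UnwantedAccounts are placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$UnwantedAccounts = @('CORP\svc_desktop_admin', 'CORP\helpdesk_admin'),  # placeholders
    [switch]$Remove
)

function Resolve-ProfileAccount {
    param($Profile)
    try {
        # Translate the profile SID to DOMAIN\user; fails for orphaned SIDs or off-network hosts
        $sid = [System.Security.Principal.SecurityIdentifier]$Profile.SID
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Fall back to the folder name so the profile is still reported
        return Split-Path -Leaf $Profile.LocalPath
    }
}

$found = 0
# Special profiles (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) are never candidates
$profiles = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special }

foreach ($p in $profiles) {
    $account = Resolve-ProfileAccount -Profile $p
    $leaf = Split-Path -Leaf $p.LocalPath
    # Match DOMAIN\user exactly, or the bare user name with/without a collision suffix
    $match = $UnwantedAccounts | Where-Object {
        $user = ($_ -split '\\')[-1]
        $account -eq $_ -or $leaf -eq $user -or $leaf -like ($user + '.*')
    }
    if (-not $match) { continue }

    $found++
    if ($p.Loaded) {
        Write-Warning "$account ($($p.LocalPath)) is currently loaded; log the user off before removal."
        continue
    }
    if ($Remove -and $PSCmdlet.ShouldProcess($p.LocalPath, "Remove cached profile for $account")) {
        # Remove-CimInstance on Win32_UserProfile deletes the folder and the ProfileList registry entry
        $p | Remove-CimInstance
        Write-Host "Removed cached profile for $account ($($p.LocalPath))"
    } else {
        Write-Host "Found cached profile for $account ($($p.LocalPath))"
    }
}

# Non-zero exit lets a compliance run flag the device, as in the evaluation script
exit ([int]($found -gt 0))
```

Run without -Remove as the evaluation step, then with -Remove -WhatIf to preview and -Remove to delete.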


Thanks for sharing, TJ! 
