# JEA

## Setting up JEA

This link is helpful:

<https://sid-500.com/2018/02/11/powershell-implementing-just-enough-administration-jea-step-by-step/>

Create the session configuration file

```
New-PSSessionConfigurationFile -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
```

Edit the session configuration file

```
notepad 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
```

It should look something like this:

```
@{

# Version number of the schema used for this document
SchemaVersion = '2.0.0.0'

# ID used to uniquely identify this document
GUID = '8c1e7490-3f03-450e-b97b-c4554e879535'

# Author of this document
Author = 'fcastle'

# Description of the functionality provided by these settings
# Description = ''

# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'RestrictedRemoteServer'

# Directory to place session transcripts for this session configuration
TranscriptDirectory = 'C:\Transcripts\'

# Whether to run this session configuration as the machine's (virtual) administrator account
# RunAsVirtualAccount = $true

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# User roles (security groups), and the role capabilities that should be applied to them when applied to a session
RoleDefinitions = @{ 'horus-dc\fcastle' = @{ VisibleCmdlets = 'Get-Process' } } 

}
```

Note that the `SessionType` was altered to restricted and that the role definition includes the user and the visible cmdlet. I don't know if that's needed, but it was in the example document generated.

Create the directory

```
New-Item -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities' -ItemType Directory
```

Create the capability file

```
New-PSRoleCapabilityFile -Path 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'
```

Edit the capability file

```
notepad 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'
```

Should look something like below

```
@{

# ID used to uniquely identify this document
GUID = 'a6e0b3a5-4106-4cf2-a951-a8337fcd4a92'

# Author of this document
Author = 'fcastle'

# Description of the functionality provided by these settings
# Description = ''

# Company associated with this document
CompanyName = 'Unknown'

# Copyright statement for this document
Copyright = '(c) 2020 fcastle. All rights reserved.'

# Modules to import when applied to a session
# ModulesToImport = 'MyCustomModule', @{ ModuleName = 'MyCustomModule'; ModuleVersion = '1.0.0.0'; GUID = '4d30d5f0-cb16-4898-812d-f20a6c596bdf' }

# Aliases to make visible when applied to a session
# VisibleAliases = 'Item1', 'Item2'

# Cmdlets to make visible when applied to a session
VisibleCmdlets = 'Get-Process'

}
```

Note that `VisibleCmdlets` has been uncommented, and we can put the cmdlets in there. If we want something like `whoami` or `net`, we will need to add it as an external command, since it's not a cmdlet.

Start winrm on the box if not done already

```
winrm quickconfig
```

Register the JEA session configuration

```
Register-PSSessionConfiguration -Name Spooler_Admins -Path 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
```

Restart service

```
Restart-Service WinRM
```

Test

```
Enter-PSSession -ComputerName COMP1 -ConfigurationName Spooler_Admins
```

With the above, when you type `command`, the only cmdlet you should see is `Get-Process`. The others are functions.

## Breaking Out of JEA

As the JEA session runs with higher privileges, if a breakout happens then you can perform fun actions.

Breakouts depend on the cmdlets available, and as there are a huge number of them, they won't all be covered anywhere.

When you enter the JEA session, you can enumerate what's available with the `command` cmdlet:

```
command
```

Some cmdlets to look out for

```
Set-PSSessionConfiguration
Start-Process
New-Service
Add-Computer
```
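
An added example, not from the original page: a PowerShell audit that reads JEA role capability and session configuration files and flags `VisibleCmdlets` entries that expose the cmdlets listed above, either by name or through a wildcard. The helper names and the sample hashtable are made up for the illustration, and it assumes the files hold only static data; the paths in the closing comments are the ones from the setup section.

```powershell
# Cmdlets this page lists as ones to look out for in a JEA session
$RiskyCmdlets = 'Set-PSSessionConfiguration', 'Start-Process', 'New-Service', 'Add-Computer'

function Test-JeaCapability {
    # Hypothetical helper: checks one capability hashtable (a .psrc or an inline role definition)
    param(
        [Parameter(Mandatory)] [hashtable] $Capability,
        [string] $Source = '<inline>'
    )
    foreach ($entry in @($Capability.VisibleCmdlets)) {
        if ($null -eq $entry) { continue }
        # An entry is a name string or a hashtable such as @{ Name = '...'; Parameters = ... }
        $name = if ($entry -is [hashtable]) { [string]$entry.Name } else { [string]$entry }
        # Drop an optional module qualifier ('Module\Cmdlet')
        $name = ($name -split '\\')[-1]
        foreach ($risky in $RiskyCmdlets) {
            # Using the configured name as the pattern also catches wildcards ('*', 'Start-*')
            if ($risky -like $name) {
                [pscustomobject]@{ Source = $Source; Entry = $name; Exposes = $risky }
            }
        }
    }
}

function Test-JeaFile {
    # Hypothetical helper: audits a .psrc or .pssc file containing only static data
    param([Parameter(Mandatory)] [string] $Path)
    $data = Import-PowerShellDataFile -LiteralPath $Path
    Test-JeaCapability -Capability $data -Source $Path
    # A .pssc can carry capabilities inline in RoleDefinitions, as the session config above does
    if ($data.RoleDefinitions -is [hashtable]) {
        foreach ($role in $data.RoleDefinitions.GetEnumerator()) {
            if ($role.Value -is [hashtable]) {
                Test-JeaCapability -Capability $role.Value -Source "$Path [$($role.Key)]"
            }
        }
    }
}

# Constructed sample (not from the page): a safe entry, a wildcard and a module-qualified entry
$sample = @{
    VisibleCmdlets = 'Get-Process', 'Start-*', @{ Name = 'Microsoft.PowerShell.Management\New-Service' }
}
Test-JeaCapability -Capability $sample -Source 'sample' | Format-Table -AutoSize

# Against the files created in the setup section:
# Test-JeaFile 'C:\Program Files\WindowsPowerShell\spooler_conf.pssc'
# Test-JeaFile 'C:\Program Files\WindowsPowerShell\Modules\JEA\RoleCapabilities\spooler_admins.psrc'
```

On the constructed sample this reports `Start-*` as exposing `Start-Process` and the module-qualified entry as exposing `New-Service`, while `Get-Process` is not flagged.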


