New SMB/WMI Module BitLocker

[termanix]

Checking BitLocker status on all drives.

[Adamkadaban]

Would it perhaps be better to run this via WMI? Seems slightly more op-sec safe.

I haven't tested, but it seems possible: https://4sysops.com/archives/check-the-bitlocker-status-of-all-pcs-in-the-network/#rtoc-3

[termanix]

Would it perhaps be better to run this via WMI? Seems slightly more op-sec safe.

I haven't tested, but it seems possible: https://4sysops.com/archives/check-the-bitlocker-status-of-all-pcs-in-the-network/#rtoc-3

Test's an great idea, I'm testing now, I will share results manually. Thank you.

[termanix]

It works @Adamkadaban I can also adapt it to this method. Let me edit it.

[Adamkadaban]

@termanix Sorry, I should've been clearer. I meant through the WMI protocol rather than through powershell

Just checked with wmiquery and it seems to work. Also produces less security events

I think this should work for doing it through WMI:

iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)

bitlockerNamespace = "root\\CIMv2\\Security\\MicrosoftVolumeEncryption"
try:
    iWbemServices= iWbemLevel1Login.NTLMLogin(bitlockerNamespace, NULL, NULL)
except Exception as e:
    if str(e).find("WBEM_E_INVALID_NAMESPACE") >= 0:
        iWbemLevel1Login.RemRelease()
        dcom.disconnect()
    else:
        nxc_logger.debug(str(e))

iWbemServices.get_dce_rpc().set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

classQuery = "SELECT DriveLetter, ConversionStatus, ProtectionStatus, EncryptionMethod FROM Win32_EncryptableVolume"

try:
    iEnumWbemClassObject = iWbemServices.ExecQuery(classQuery)
    iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff,1)[0]
    queryResult = iWbemClassObject.getProperties()
    # parse and print data from here
    iEnumWbemClassObject.RemRelease()
except Exception as e:
    if str(e).find("WBEM_E_INVALID_CLASS") >= 0:
        iWbemLevel1Login.RemRelease()
        iWbemServices.RemRelease()
        dcom.disconnect()
    print(str(e))
    nxc_logger.debug(str(e))

iWbemLevel1Login.RemRelease()
iWbemServices.RemRelease()
dcom.disconnect()

[termanix]

@termanix Sorry, I should've been clearer. I meant through the WMI protocol rather than through powershell

Just checked with wmiquery and it seems to work. Also produces less security events

I think this should work for doing it through WMI:

iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)

bitlockerNamespace = "root\\CIMv2\\Security\\MicrosoftVolumeEncryption"
try:
    iWbemServices= iWbemLevel1Login.NTLMLogin(bitlockerNamespace, NULL, NULL)
except Exception as e:
    if str(e).find("WBEM_E_INVALID_NAMESPACE") >= 0:
        iWbemLevel1Login.RemRelease()
        dcom.disconnect()
    else:
        nxc_logger.debug(str(e))

iWbemServices.get_dce_rpc().set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

classQuery = "SELECT DriveLetter, ConversionStatus, ProtectionStatus, EncryptionMethod FROM Win32_EncryptableVolume"

try:
    iEnumWbemClassObject = iWbemServices.ExecQuery(classQuery)
    iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff,1)[0]
    queryResult = iWbemClassObject.getProperties()
    # parse and print data from here
    iEnumWbemClassObject.RemRelease()
except Exception as e:
    if str(e).find("WBEM_E_INVALID_CLASS") >= 0:
        iWbemLevel1Login.RemRelease()
        iWbemServices.RemRelease()
        dcom.disconnect()
    print(str(e))
    nxc_logger.debug(str(e))

iWbemLevel1Login.RemRelease()
iWbemServices.RemRelease()
dcom.disconnect()

Oh okay, I didn't test it with wmi protocol yet. I was just be quick for get result.

Using WMI is your idea and I don't want to steal your idea :D I can add it for WMI if it's okay to you.

[Adamkadaban]

I can add it for WMI if it's okay to you.

Yes, feel free. Add me as a co-author to the commit if you so please ;)

[Marshall-Hallenbeck]

You could check exec-method and do SMB if it's smbexec, or WMI if it's wmiexec, and also add this to the WMI protocol and run it straight through WMI.

[termanix]

I can add it for WMI if it's okay to you.

Yes, feel free. Add me as a co-author to the commit if you so please ;)

Ofc. I will add it for WMI too then. If you joined discord can you contact me? We can implement it together.

[termanix]

It can be review now. I just cant pwned on Win 11 machine while using WMI protocol. But SMB works.

[Marshall-Hallenbeck]

@termanix can you add this module to the e2e tests file?

[termanix]

Update e2e_commands.txt

[termanix]

Updated @Marshall-Hallenbeck , It can be review.

[quahac]

First of all, very nice module!
Win10/11 is okay. However, Windows Server 2008 DC will raise an error on SMB:

My approach is to check services instead of calling functions, for AV and Legacy. I have been using this method for a long time, and I like it. Ensure error handling (on endpoint) for this sneaky approach ... -EA SilentlyContinue ... . Example:

[termanix]

First of all, very nice module! Win10/11 is okay. However, Windows Server 2008 DC will raise an error on SMB:

My approach is to check services instead of calling functions, for AV and Legacy. I have been using this method for a long time, and I like it. Ensure error handling (on endpoint) for this sneaky approach ... -EA SilentlyContinue ... . Example:

Hi, firstly thank you for your good comment ^^, I actually did it on older NetExec powershell. Now I fixed it again, i forgot it, thank you for reminding. Also thank you for suggestion. I added -EA SilentlyContinue for now, let's se how does it work.

[quahac]

@termanix , I see you're coding now. My mistake; I told you to use the -ErrorAction SilentlyContinue approach in my situation. However, since the function doesn't exist yet, you cannot call -EA, as it will also raise an error.
You have to try the function and catch the error:
try{Get-BitLockerVolume | Select-Object MountPoint, EncryptionMethod, ProtectionStatus}catch{}

[termanix]

@termanix , I see you're coding now. My mistake; I told you to use the -ErrorAction SilentlyContinue approach in my situation. However, since the function doesn't exist yet, you cannot call -EA, as it will also raise an error. You have to try the function and catch the error: try{Get-BitLockerVolume | Select-Object MountPoint, EncryptionMethod, ProtectionStatus}catch{}

Oh okay got it. But about try catch, I just want to show it on NetExec output if system has not get-bitlocker. Code checks it in output. But I got it what you mean.

[NeffIsBack]

Changed command execution to cmd as this is more reliable in my experience (also in my tests). Also fixed some bugs with parsing the output.

Detecting Bitlocker on my laptop but not on the DC. LGTM now:

[NeffIsBack]

Can't test wmi on my notebook as it is not domain joined, but the negative detectin on the dc seems to work:

@Marshall-Hallenbeck also saw your command regarding ps_execute. Changed it for now cause it fails on my most of the time and also is flagged pretty often by AVs (for example even win defender yelled at me lol). If that's fine for you please also approve (you have a pending change request)

[Marshall-Hallenbeck]

@NeffIsBack sounds good! Looks like my other changes were fixed

[NeffIsBack]

Great! I'll merge🚀