Added privilege assignment to collector (will need admin mode to grab…

… this data), renamed som Pwn names
lkarlslund · Feb 22, 2022 · 1e79f62 · 1e79f62
1 parent 056563b
commit 1e79f62
Show file tree

Hide file tree

Showing 7 changed files with 927 additions and 160 deletions.
diff --git a/modules/integrations/activedirectory/analyze/analyze-ad.go b/modules/integrations/activedirectory/analyze/analyze-ad.go
@@ -171,7 +171,7 @@ func init() {
 							// Enforcement required, but this is not an enforced GPO
 							continue
 						}
-						gpo.Pwns(o, activedirectory.PwnComputerAffectedByGPO)
+						gpo.Pwns(o, activedirectory.PwnAffectedByGPO)
 					}
 
 					gpoptions := p.OneAttrString(activedirectory.GPOptions)
@@ -193,12 +193,9 @@ func init() {
 				// Only for computers, you can't really pwn users this way
 				p, hasparent := ao.DistinguishedParent(o)
 				if !hasparent || p.Type() != engine.ObjectTypeGroupPolicyContainer {
-					if strings.Contains(p.DN(), "Policies") {
-						log.Debug().Msgf("%v+", p)
-					}
 					return
 				}
-				p.Pwns(o, activedirectory.PwnGPOMachineConfigPartOfGPO)
+				p.Pwns(o, activedirectory.PartOfGPO)
 			},
 		},
 		engine.PwnAnalyzer{
@@ -210,10 +207,10 @@ func init() {
 				}
 				// Only for users, you can't really pwn users this way
 				p, hasparent := ao.DistinguishedParent(o)
-				if o.Type() != engine.ObjectTypeContainer || !hasparent || p.Type() != engine.ObjectTypeGroupPolicyContainer {
+				if !hasparent || p.Type() != engine.ObjectTypeGroupPolicyContainer {
 					return
 				}
-				p.Pwns(o, activedirectory.PwnGPOUserConfigPartOfGPO)
+				p.Pwns(o, activedirectory.PartOfGPO)
 			},
 		},
 		engine.PwnAnalyzer{
@@ -256,7 +253,7 @@ func init() {
 		},
 		engine.PwnAnalyzer{
 			// Method: activedirectory.PwnCreateComputer,
-			Description: "Permissions that lets someone to create a computer object in a container",
+			Description: "Permissions that lets someone create a computer object in a container",
 			ObjectAnalyzer: func(o *engine.Object, ao *engine.Objects) {
 				// Only for containers and org units
 				if o.Type() != engine.ObjectTypeContainer && o.Type() != engine.ObjectTypeOrganizationalUnit && o.Type() != engine.ObjectTypeDomainDNS {
@@ -275,7 +272,7 @@ func init() {
 		},
 		engine.PwnAnalyzer{
 			// Method: activedirectory.PwnCreateAnyObject,
-			Description: "Permissions that lets someone to create any kind of object in a container",
+			Description: "Permissions that lets someone create any kind of object in a container",
 			ObjectAnalyzer: func(o *engine.Object, ao *engine.Objects) {
 				// Only for containers and org units
 				if o.Type() != engine.ObjectTypeContainer && o.Type() != engine.ObjectTypeOrganizationalUnit {
@@ -294,7 +291,7 @@ func init() {
 		},
 		engine.PwnAnalyzer{
 			// Method: activedirectory.PwnDeleteObject,
-			Description: "Permissions that lets someone to delete any kind of object in a container",
+			Description: "Permissions that lets someone delete any kind of object in a container",
 			ObjectAnalyzer: func(o *engine.Object, ao *engine.Objects) {
 				// Only for containers and org units
 				sd, err := o.SecurityDescriptor()
@@ -310,7 +307,7 @@ func init() {
 		},
 		engine.PwnAnalyzer{
 			// Method: activedirectory.PwnDeleteChildrenTarget,
-			Description: "Permissions that lets someone to delete any kind of object in a container (via the DS_DELETE_CHILD permission)",
+			Description: "Permissions that lets someone delete any kind of object in a container (via the DS_DELETE_CHILD permission)",
 			ObjectAnalyzer: func(o *engine.Object, ao *engine.Objects) {
 				// If parent has DELETE CHILD, I can be deleted by some SID
 				if parent, found := ao.DistinguishedParent(o); found {
@@ -992,9 +989,13 @@ func init() {
 					continue
 				}
 
-				adminsdholder.Pwns(o, activedirectory.PwnAdminSDHolderOverwriteACL)
+				adminsdholder.Pwns(o, activedirectory.PwnOverwritesACL)
+				dm := o.Members(false)
+				idm := o.Members(true)
+				_ = dm
+				_ = idm
 				for _, member := range o.Members(true) {
-					adminsdholder.Pwns(member, activedirectory.PwnAdminSDHolderOverwriteACL)
+					adminsdholder.Pwns(member, activedirectory.PwnOverwritesACL)
 				}
 			}
 		}

diff --git a/modules/integrations/activedirectory/pwns.go b/modules/integrations/activedirectory/pwns.go
@@ -33,13 +33,13 @@ var (
 	PwnReadMSAPassword                      = engine.NewPwn("ReadMSAPassword")
 	PwnHasMSA                               = engine.NewPwn("HasMSA")
 	PwnWriteKeyCredentialLink               = engine.NewPwn("WriteKeyCredentialLink")
-	PwnWriteAttributeSecurityGUID           = engine.NewPwn("WriteAttributeSecurityGUID").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 5 }) // Only if you patch the DC, so this will actually never work
+	PwnWriteAttributeSecurityGUID           = engine.NewPwn("WriteAttrSecurityGUID").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 5 }) // Only if you patch the DC, so this will actually never work
 	PwnSIDHistoryEquality                   = engine.NewPwn("SIDHistoryEquality")
 	PwnAllExtendedRights                    = engine.NewPwn("AllExtendedRights")
 	PwnDSReplicationSyncronize              = engine.NewPwn("DSReplSync")
 	PwnDSReplicationGetChanges              = engine.NewPwn("DSReplGetChngs")
 	PwnDSReplicationGetChangesAll           = engine.NewPwn("DSReplGetChngsAll")
-	PwnDSReplicationGetChangesInFilteredSet = engine.NewPwn("DSReplGetChngsInFilteredSet")
+	PwnDSReplicationGetChangesInFilteredSet = engine.NewPwn("DSReplGetChngsInFiltSet")
 	PwnDCsync                               = engine.NewPwn("DCsync")
 	PwnReadLAPSPassword                     = engine.NewPwn("ReadLAPSPassword")
 	PwnMemberOfGroup                        = engine.NewPwn("MemberOfGroup")
@@ -57,16 +57,15 @@ var (
 		}
 		return 50
 	})
-	PwnAdminSDHolderOverwriteACL  = engine.NewPwn("AdminSDHolderOverwriteACL")
-	PwnComputerAffectedByGPO      = engine.NewPwn("ComputerAffectedByGPO")
-	PwnGPOMachineConfigPartOfGPO  = engine.NewPwn("GPOMachineConfigPartOfGPO")
-	PwnGPOUserConfigPartOfGPO     = engine.NewPwn("GPOUserConfigPartOfGPO")
+	PwnOverwritesACL              = engine.NewPwn("OverwritesACL")
+	PwnAffectedByGPO              = engine.NewPwn("AffectedByGPO")
+	PartOfGPO                     = engine.NewPwn("PartOfGPO")
 	PwnLocalAdminRights           = engine.NewPwn("AdminRights")
 	PwnLocalRDPRights             = engine.NewPwn("RDPRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 30 })
 	PwnLocalDCOMRights            = engine.NewPwn("DCOMRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 50 })
-	PwnScheduledTaskOnUNCPath     = engine.NewPwn("ScheduledTaskOnUNCPath")
+	PwnScheduledTaskOnUNCPath     = engine.NewPwn("SchedTaskOnUNCPath")
 	PwnMachineScript              = engine.NewPwn("MachineScript")
-	PwnWriteAltSecurityIdentities = engine.NewPwn("WriteAltSecurityIdentities")
+	PwnWriteAltSecurityIdentities = engine.NewPwn("WriteAltSecIdent")
 	PwnWriteProfilePath           = engine.NewPwn("WriteProfilePath")
 	PwnWriteScriptPath            = engine.NewPwn("WriteScriptPath")
 	PwnCertificateEnroll          = engine.NewPwn("CertificateEnroll")

diff --git a/modules/integrations/localmachine/analyze/analyzer.go b/modules/integrations/localmachine/analyze/analyzer.go
@@ -36,6 +36,19 @@ var (
 	PwnFileModifyDACL               = engine.NewPwn("FileModifyDACL")
 	PwnRegistryWrite                = engine.NewPwn("RegistryWrite")
 	PwnRegistryModifyDACL           = engine.NewPwn("RegistryModifyDACL")
+
+	PwnSeBackupPrivilege        = engine.NewPwn("SeBackupPrivilege")
+	PwnSeRestorePrivilege       = engine.NewPwn("SeRestorePrivilege")
+	PwnSeTakeOwnershipPrivilege = engine.NewPwn("SeTakeOwnershipPrivilege")
+
+	PwnSeAssignPrimaryToken = engine.NewPwn("SeAssignPrimaryToken")
+	PwnSeCreateToken        = engine.NewPwn("SeCreateToken")
+	PwnSeDebug              = engine.NewPwn("SeDebug")
+	PwnSeImpersonate        = engine.NewPwn("SeImpersonate")
+	PwnSeLoadDriver         = engine.NewPwn("SeLoadDriver")
+	PwnSeManageVolume       = engine.NewPwn("SeManageVolume")
+	PwnSeTakeOwnership      = engine.NewPwn("SeTakeOwnership")
+	PwnSeTcb                = engine.NewPwn("SeTcb")
 )
 
 func ImportCollectorInfo(cinfo localmachine.Info, ao *engine.Objects) error {
@@ -460,5 +473,46 @@ func ImportCollectorInfo(cinfo localmachine.Info, ao *engine.Objects) error {
 	if len(installedsoftware) > 0 {
 		computerobject.Set(localmachine.InstalledSoftware, installedsoftware)
 	}
+
+	// Privileges to exploits - from https://github.com/gtworek/Priv2Admin
+	for _, pi := range cinfo.Privileges {
+		var pwn engine.PwnMethod
+		switch pi.Name {
+		case "SeBackupPrivilege":
+			pwn = PwnSeBackupPrivilege
+		case "SeRestorePrivilege":
+			pwn = PwnSeRestorePrivilege
+		case "SeAssignPrimaryToken":
+			pwn = PwnSeAssignPrimaryToken
+		case "SeCreateToken":
+			pwn = PwnSeCreateToken
+		case "SeDebug":
+			pwn = PwnSeDebug
+		case "SeImpersonate":
+			pwn = PwnSeImpersonate
+		case "SeLoadDriver":
+			pwn = PwnSeLoadDriver
+		case "SeManageVolume":
+			pwn = PwnSeManageVolume
+		case "SeTakeOwnership":
+			pwn = PwnSeTakeOwnership
+		case "SeTcb":
+			pwn = PwnSeTcb
+		default:
+			continue
+		}
+
+		for _, sidstring := range pi.AssignedSIDs {
+			sid, err := windowssecurity.SIDFromString(sidstring)
+			if err != nil {
+				log.Error().Msgf("Invalid SID %v: %v", sidstring, err)
+				continue
+			}
+			assignee, _ := ao.FindOrAdd(
+				activedirectory.ObjectSid, engine.AttributeValueSID(sid),
+			)
+			assignee.Pwns(computerobject, pwn)
+		}
+	}
 	return nil
 }
diff --git a/modules/integrations/localmachine/collect/main.go b/modules/integrations/localmachine/collect/main.go
@@ -615,6 +615,28 @@ func Collect(outputpath string) error {
 
 	hwinfo, osinfo, meminfo, _, _, _ := winapi.GetSystemProfile()
 
+	var privilegesinfo localmachine.Privileges
+	pol, err := LsaOpenPolicy("", _POLICY_LOOKUP_NAMES|_POLICY_VIEW_LOCAL_INFORMATION)
+	if err == nil {
+		for _, privilege := range PRIVILEGE_NAMES {
+			sids, err := LsaEnumerateAccountsWithUserRight(*pol, string(privilege))
+			if err == nil {
+				sidstrings := make([]string, len(sids))
+				for i, sid := range sids {
+					sidstrings[i] = sid.String()
+				}
+				privilegesinfo = append(privilegesinfo, localmachine.Privilege{
+					Name:         string(privilege),
+					AssignedSIDs: sidstrings,
+				})
+			} else if err != STATUS_NO_MORE_ENTRIES {
+				log.Warn().Msgf("Problem enumerating %v: %v", privilege, err)
+			}
+		}
+		LsaClose(*pol)
+	} else {
+		log.Warn().Msgf("Could not open LSA policy: %v", err)
+	}
 	info := localmachine.Info{
 		Common: basedata.Common{
 			Collector: "collector",
@@ -637,6 +659,7 @@ func Collect(outputpath string) error {
 		Shares:          sharesinfo,
 		Services:        servicesinfo,
 		Software:        softwareinfo,
+		Privileges:      privilegesinfo,
 	}
 
 	if outputpath == "" {