Improved probability calculation for RDP when INTERACTIVE gives admin…

… rights, other fixes

modules/integrations/activedirectory/attributes.go

@@ -46,6 +46,8 @@ var (
 	GPCFileSysPath             = engine.NewAttribute("gPCFileSysPath").Tag("AD").Merge()
 	SchemaIDGUID               = engine.NewAttribute("schemaIDGUID").Tag("AD").Type(engine.AttributeTypeGUID)
 	PossSuperiors              = engine.NewAttribute("possSuperiors")
+	SystemPossSuperiors        = engine.NewAttribute("possSuperiors")
+	SubClassOf                 = engine.NewAttribute("subClassOf").Tag("AD")
 	SystemMayContain           = engine.NewAttribute("systemMayContain")
 	SystemMustContain          = engine.NewAttribute("systemMustContain")
 	ServicePrincipalName       = engine.NewAttribute("servicePrincipalName").Tag("AD")

modules/integrations/localmachine/analyze/analyzer.go

@@ -13,8 +13,25 @@ var (
 	ServiceStart            = engine.NewAttribute("serviceStart")
 	ServiceType             = engine.NewAttribute("serviceType")
 
-	EdgeLocalAdminRights             = engine.NewEdge("AdminRights")
-	EdgeLocalRDPRights               = engine.NewEdge("RDPRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 30 })
+	EdgeLocalAdminRights = engine.NewEdge("AdminRights")
+	EdgeLocalRDPRights   = engine.NewEdge("RDPRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
+		var probability engine.Probability
+		target.EdgeIterator(engine.In, func(potential *engine.Object, edge engine.EdgeBitmap) bool {
+			sid := potential.SID()
+			if sid.IsBlank() {
+				return true // continue
+			}
+			if sid == windowssecurity.InteractiveSID || sid == windowssecurity.RemoteInteractiveSID || sid == windowssecurity.AuthenticatedUsersSID || sid == windowssecurity.EveryoneSID {
+				probability = edge.MaxProbability(potential, target)
+				return false // break
+			}
+			return true
+		})
+		if probability < 30 {
+			probability = 30
+		}
+		return probability
+	})
 	EdgeLocalDCOMRights              = engine.NewEdge("DCOMRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 50 })
 	EdgeLocalSMSAdmins               = engine.NewEdge("SMSAdmins").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 50 })
 	EdgeLocalSessionLastDay          = engine.NewEdge("SessionLastDay").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 80 })
@@ -47,6 +64,13 @@ var (
 	EdgeSeTrustedCredManAccess = engine.NewEdge("SeTrustedCredManAccess")
 	EdgeSeTcb                  = engine.NewEdge("SeTcb")
 
+	EdgeSeNetworkLogonRight = engine.NewEdge("SeNetworkLogonRight").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 10 })
+	// RDPRight used ... EdgeSeRemoteInteractiveLogonRight = engine.NewEdge("SeRemoteInteractiveLogonRight").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 10 })
+
+	// SeDenyNetworkLogonRight
+	// SeDenyInteractiveLogonRight
+	// SeDenyRemoteInteractiveLogonRight
+
 	EdgeSIDCollision = engine.NewEdge("SIDCollision")
 
 	DNSHostname         = engine.NewAttribute("dnsHostName")

modules/integrations/localmachine/analyze/import.go

@@ -140,10 +140,14 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 	everyone, _, _ := ri.GetSIDObject(windowssecurity.EveryoneSID, Auto)
 	everyone.SetFlex(engine.ObjectCategorySimple, "Group") // This could go wrong
 
+	everyone.ChildOf(machine)
+
 	authenticatedusers, _, _ := ri.GetSIDObject(windowssecurity.AuthenticatedUsersSID, Auto)
 	authenticatedusers.SetFlex(engine.ObjectCategorySimple, "Group") // This could go wrong
 	authenticatedusers.EdgeTo(everyone, activedirectory.EdgeMemberOfGroup)
 
+	authenticatedusers.ChildOf(machine)
+
 	if cinfo.Machine.IsDomainJoined {
 		domainauthenticatedusers, _, _ := ri.GetSIDObject(windowssecurity.EveryoneSID, Domain)
 		domainauthenticatedusers.EdgeTo(authenticatedusers, activedirectory.EdgeMemberOfGroup)
@@ -189,6 +193,8 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 	for _, pi := range cinfo.Privileges {
 		var pwn engine.Edge
 		switch pi.Name {
+		case "SeNetworkLogonRight":
+			pwn = EdgeSeNetworkLogonRight
 		case "SeRemoteInteractiveLogonRight":
 			pwn = EdgeLocalRDPRights
 			rdprightshandled = true
@@ -280,6 +286,7 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 				engine.ObjectCategorySimple, "Group",
 				engine.DataSource, uniquesource,
 			)
+			groupobject.ChildOf(groupscontainer)
 
 			if err != nil && group.Name != "SMS Admins" {
 				ui.Warn().Msgf("Can't convert local group SID %v: %v", group.SID, err)
@@ -452,6 +459,7 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 		engine.DownLevelLogonName, cinfo.Machine.Name+"\\Services",
 		engine.DataSource, cinfo.Machine.Name,
 	)
+	localservicesgroup.ChildOf(machine)
 
 	for _, service := range cinfo.Services {
 		serviceobject := engine.NewObject(
@@ -504,7 +512,7 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 						engine.DownLevelLogonName, service.Account,
 					)
 				}
-
+				svcaccount.ChildOf(serviceobject)
 			}
 			if serviceaccountSID.Component(2) < 21 {
 				svcaccount.SetFlex(activedirectory.ObjectCategorySimple, "Group")

modules/windowssecurity/wellknown.go

@@ -92,6 +92,9 @@ var (
 
 	ServicesSID, _ = ParseStringSID("S-1-5-6")
 
+	InteractiveSID, _       = ParseStringSID("S-1-5-4")
+	RemoteInteractiveSID, _ = ParseStringSID("S-1-5-14")
+
 	SystemSID, _         = ParseStringSID("S-1-5-18")
 	LocalServiceSID, _   = ParseStringSID("S-1-5-19")
 	NetworkServiceSID, _ = ParseStringSID("S-1-5-20")