Pwnage by registry owner
lkarlslund committed Sep 7, 2022
1 parent 16fde72 commit 59a557d
Showing 6 changed files with 82 additions and 18 deletions.
2 changes: 2 additions & 0 deletions modules/integrations/localmachine/analyze/analyzer.go
Expand Up @@ -32,8 +32,10 @@ var (
PwnFileRead = engine.NewEdge("FileRead")
PwnFileModifyDACL = engine.NewEdge("FileModifyDACL")
PwnFileShare = engine.NewEdge("FileShare")
PwnRegistryOwns = engine.NewEdge("RegistryOwns")
PwnRegistryWrite = engine.NewEdge("RegistryWrite")
PwnRegistryModifyDACL = engine.NewEdge("RegistryModifyDACL")
PwnRegistryModifyOwner = engine.NewEdge("RegistryModifyOwner")

PwnSeBackupPrivilege = engine.NewEdge("SeBackupPrivilege")
PwnSeRestorePrivilege = engine.NewEdge("SeRestorePrivilege")
41 changes: 32 additions & 9 deletions modules/integrations/localmachine/analyze/import.go
Expand Up @@ -409,32 +409,55 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
}

// Change service executable via registry
if service.RegistryOwner != "" {
ro, err := windowssecurity.SIDFromString(service.RegistryOwner)
if err == nil {
o := ao.AddNew(
activedirectory.ObjectSid, engine.AttributeValueSID(ro),
)
if ro.StripRID() == localsid || ro.Component(2) != 21 {
o.SetFlex(
engine.UniqueSource, uniquesource,
)
}
o.Pwns(serviceobject, PwnRegistryOwns)
}
}
if sd, err := engine.ParseACL(service.RegistryDACL); err == nil {
for _, entry := range sd.Entries {
entrysid := entry.SID
if entry.Type == engine.ACETYPE_ACCESS_ALLOWED {
if entry.Type == engine.ACETYPE_ACCESS_ALLOWED && (entry.ACEFlags&engine.AceFlagsInheritOnly) == 0 {
if entrysid == windowssecurity.AdministratorsSID || entrysid == windowssecurity.SystemSID || entrysid.Component(2) == 80 /* Service user */ {
// if we have local admin it's already game over so don't map this
continue
}

o := ao.AddNew(
activedirectory.ObjectSid, engine.AttributeValueSID(entrysid),
)
var o *engine.Object

if entrysid != windowssecurity.EveryoneSID && (entrysid.StripRID() == localsid || entrysid.Component(2) != 21) {
o.SetFlex(
engine.UniqueSource, uniquesource,
if entrysid == windowssecurity.SystemSID {
o = computerobject
} else {
o = ao.AddNew(
activedirectory.ObjectSid, engine.AttributeValueSID(entrysid),
)
if entrysid != windowssecurity.EveryoneSID && (entrysid.StripRID() == localsid || entrysid.Component(2) != 21) {
o.SetFlex(
engine.UniqueSource, uniquesource,
)
}
}

if entry.Mask&engine.KEY_SET_VALUE == engine.KEY_SET_VALUE {
if entry.Mask&engine.KEY_SET_VALUE != 0 {
o.Pwns(serviceobject, PwnRegistryWrite)
}

if entry.Mask&engine.RIGHT_WRITE_DACL == engine.RIGHT_WRITE_DACL {
if entry.Mask&engine.RIGHT_WRITE_DACL != 0 {
o.Pwns(serviceobject, PwnRegistryModifyDACL)
}

if entry.Mask&engine.RIGHT_WRITE_OWNER != 0 {
o.Pwns(serviceobject, PwnRegistryModifyOwner)
}
}
}
}
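Review bot: The new `if entrysid == windowssecurity.SystemSID { o = computerobject }` branch is unreachable, because the unchanged guard a few lines earlier already does `continue` for SystemSID (together with AdministratorsSID and service SIDs), so no ACE for SYSTEM ever reaches the assignment. Either SYSTEM should be taken out of that skip list so its edges land on `computerobject`, or the new branch should go; as written it reads as if SYSTEM entries are mapped when they are silently discarded. The new owner block above has the opposite gap: it parses `service.RegistryOwner` and adds PwnRegistryOwns for whatever SID comes back, without the admin/SYSTEM/service exclusion the DACL loop applies, so a key owned by the local Administrators group (whether that is the common case cannot be confirmed from this hunk) gets an ownership edge that the DACL path deliberately avoids with the "already game over" rationale. Changing its guard to `if err == nil && ro != windowssecurity.AdministratorsSID && ro != windowssecurity.SystemSID && ro.Component(2) != 80 {` would make the two paths agree. ImportCollectorInfo starts before and continues past this hunk.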
3 changes: 2 additions & 1 deletion modules/integrations/localmachine/collect/main.go
Expand Up @@ -577,7 +577,7 @@ func Collect() (localmachine.Info, error) {
imagepath, _, _ := service_key.GetStringValue("ImagePath")

// Grab ImagePath key security
_, registrydacl, _ := windowssecurity.GetOwnerAndDACL(`MACHINE\SYSTEM\CurrentControlSet\Services\`+service+``, windows.SE_REGISTRY_KEY)
registryowner, registrydacl, _ := windowssecurity.GetOwnerAndDACL(`MACHINE\SYSTEM\CurrentControlSet\Services\`+service+``, windows.SE_REGISTRY_KEY)

// if strings.HasSuffix(imagepath, "locator.exe") {
// ui.Info().Msg("Jackpot!")
Expand Down Expand Up @@ -647,6 +647,7 @@ func Collect() (localmachine.Info, error) {
stype, _, _ := service_key.GetIntegerValue("Type")
if stype >= 16 {
servicesinfo = append(servicesinfo, localmachine.Service{
RegistryOwner: registryowner.String(),
RegistryDACL: registrydacl,
Name: service,
DisplayName: displayname,
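Review bot: The owner is now emitted unconditionally as `RegistryOwner: registryowner.String()` while the error from GetOwnerAndDACL in the earlier hunk is still discarded with `_`, so a failed lookup (for instance a key the collector is not allowed to read) fills the field with whatever String() yields for the zero-value owner instead of leaving it empty, which is the case the analyzer's `service.RegistryOwner != ""` guard is written for. Capturing the error, `registryowner, registrydacl, err := windowssecurity.GetOwnerAndDACL(...)`, and only setting RegistryOwner when err is nil keeps the empty-string contract; what String() does on a zero-value owner is not visible here and may even dereference nil if the owner is a pointer type, which is worth confirming. Collect starts and ends outside these hunks.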
3 changes: 2 additions & 1 deletion modules/integrations/localmachine/structs.go
Expand Up @@ -100,7 +100,8 @@ type Share struct {

type Services []Service
type Service struct {
RegistryDACL []byte `json:",omitempty"`
RegistryOwner string `json:",omitempty"`
RegistryDACL []byte `json:",omitempty"`

Name string `json:",omitempty"`
DisplayName string `json:",omitempty"`
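Review bot: The new exported field `RegistryOwner` carries no doc comment, and its empty-string meaning is relied on by the analyzer, so the contract should be stated at the definition: `// RegistryOwner is the owner SID of the service's registry key in string form; empty when it was not collected.`. The Service struct continues past this hunk.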
16 changes: 14 additions & 2 deletions modules/integrations/localmachine/structs_easyjson.go


35 changes: 30 additions & 5 deletions modules/integrations/localmachine/structs_gen.go

