Merge pull request #1 from GhostPack/master

pull upstream

README.md

@@ -34,19 +34,19 @@ Seatbelt is licensed under the BSD 3-Clause license.
 ```
 
 
-                        %&&@@@&&
-                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%
+                        %&&@@@&&                                                                                  
+                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%                         
                         &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
 %%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
 #%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
 #%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
 #####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
 #######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
 ###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
-#####%######################  %%%..                       @////(((&%%%%%%%################
-                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*
-                        &%%&&&%%%%%        v1.2.0         ,(((&%%%%%%%%%%%%%%%%%,
-                         #%%%%##,
+#####%######################  %%%..                       @////(((&%%%%%%%################                        
+                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*                         
+                        &%%&&&%%%%%        v1.2.1         ,(((&%%%%%%%%%%%%%%%%%,                                 
+                         #%%%%##,                                                                                 
 
 
 Available commands (+ means remote usage is supported):
@@ -58,8 +58,9 @@ Available commands (+ means remote usage is supported):
       AuditPolicies          - Enumerates classic and advanced audit policy settings
     + AuditPolicyRegistry    - Audit settings via the registry
     + AutoRuns               - Auto run executables/scripts/programs
+      azuread                - Return AzureAD info
       Certificates           - Finds user and machine personal certificate files
-      CertificateThumbprints - Finds thumbprints for all certificate store certs on the systen
+      CertificateThumbprints - Finds thumbprints for all certificate store certs on the system
     + ChromiumBookmarks      - Parses any found Chrome/Edge/Brave/Opera bookmark files
     + ChromiumHistory        - Parses any found Chrome/Edge/Brave/Opera history files
     + ChromiumPresence       - Checks if interesting Chrome/Edge/Brave/Opera files exist
@@ -71,7 +72,6 @@ Available commands (+ means remote usage is supported):
     + DNSCache               - DNS cache entries (via WMI)
     + DotNet                 - DotNet versions
     + DpapiMasterKeys        - List DPAPI master keys
-      Dsregcmd               - Return Tenant information - Replacement for Dsregcmd /status
       EnvironmentPath        - Current environment %PATH$ folders and SDDL information
     + EnvironmentVariables   - Current environment variables
     + ExplicitLogonEvents    - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
@@ -104,6 +104,7 @@ Available commands (+ means remote usage is supported):
       McAfeeConfigs          - Finds McAfee configuration files
       McAfeeSiteList         - Decrypt any found McAfee SiteList.xml configuration files.
       MicrosoftUpdates       - All Microsoft updates (via COM)
+      MTPuTTY                - MTPuTTY configuration files
       NamedPipes             - Named pipe names, any readable ACL information and associated process information.
     + NetworkProfiles        - Windows network profiles
     + NetworkShares          - Network shares exposed by the machine (via WMI)
@@ -136,6 +137,7 @@ Available commands (+ means remote usage is supported):
     + ScheduledTasks         - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
       SearchIndex            - Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>
       SecPackageCreds        - Obtains credentials from security packages
+    + SecureBoot             - Secure Boot configuration
       SecurityPackages       - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
       Services               - Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
     + SlackDownloads         - Parses any found 'slack-downloads' files
@@ -175,32 +177,32 @@ Seatbelt has the following command groups: All, User, System, Slack, Chromium, R
 
    "Seatbelt.exe -group=user" runs the following commands:
 
-        Certificates, CertificateThumbprints, ChromiumPresence, CloudCredentials, CloudSyncProviders,
-        CredEnum, dir, DpapiMasterKeys, Dsregcmd,
-        ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence,
-        IdleTime, IEFavorites, IETabs, IEUrls,
-        KeePass, MappedDrives, OfficeMRUs, OneNote,
-        OracleSQLDeveloper, PowerShellHistory, PuttyHostKeys, PuttySessions,
-        RDCManFiles, RDPSavedConnections, SecPackageCreds, SlackDownloads,
-        SlackPresence, SlackWorkspaces, SuperPutty, TokenGroups,
-        WindowsCredentialFiles, WindowsVault
+        azuread, Certificates, CertificateThumbprints, ChromiumPresence, CloudCredentials, 
+        CloudSyncProviders, CredEnum, dir, DpapiMasterKeys, 
+        ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence, 
+        IdleTime, IEFavorites, IETabs, IEUrls, 
+        KeePass, MappedDrives, MTPuTTY, OfficeMRUs, 
+        OneNote, OracleSQLDeveloper, PowerShellHistory, PuttyHostKeys, 
+        PuttySessions, RDCManFiles, RDPSavedConnections, SecPackageCreds, 
+        SlackDownloads, SlackPresence, SlackWorkspaces, SuperPutty, 
+        TokenGroups, WindowsCredentialFiles, WindowsVault
 
    "Seatbelt.exe -group=system" runs the following commands:
 
-        AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
-        AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints,
-        CredGuard, DNSCache, DotNet, EnvironmentPath,
-        EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings,
-        LAPS, LastShutdown, LocalGPOs, LocalGroups,
-        LocalUsers, LogonSessions, LSASettings, McAfeeConfigs,
-        NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
-        OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
-        Processes, PSSessionSettings, RDPSessions, RDPsettings,
-        SCCM, Services, Sysmon, TcpConnections,
-        TokenPrivileges, UAC, UdpConnections, UserRightAssignments,
-        WifiProfile, WindowsAutoLogon, WindowsDefender, WindowsEventForwarding,
-        WindowsFirewall, WMI, WMIEventConsumer, WMIEventFilter,
-        WMIFilterBinding, WSUS
+        AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies, 
+        AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints, 
+        CredGuard, DNSCache, DotNet, EnvironmentPath, 
+        EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings, 
+        LAPS, LastShutdown, LocalGPOs, LocalGroups, 
+        LocalUsers, LogonSessions, LSASettings, McAfeeConfigs, 
+        NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings, 
+        OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell, 
+        Processes, PSSessionSettings, RDPSessions, RDPsettings, 
+        SCCM, SecureBoot, Services, Sysmon, 
+        TcpConnections, TokenPrivileges, UAC, UdpConnections, 
+        UserRightAssignments, WifiProfile, WindowsAutoLogon, WindowsDefender, 
+        WindowsEventForwarding, WindowsFirewall, WMI, WMIEventConsumer, 
+        WMIEventFilter, WMIFilterBinding, WSUS
 
    "Seatbelt.exe -group=slack" runs the following commands:
 
@@ -212,24 +214,25 @@ Seatbelt has the following command groups: All, User, System, Slack, Chromium, R
 
    "Seatbelt.exe -group=remote" runs the following commands:
 
-        AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials,
-        DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables,
-        ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes,
-        InterestingProcesses, KeePass, LastShutdown, LocalGroups,
-        LocalUsers, LogonEvents, LogonSessions, LSASettings,
-        MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
-        OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
-        ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions,
-        RDPSavedConnections, RDPSessions, RDPsettings, Sysmon,
-        WindowsDefender, WindowsEventForwarding, WindowsFirewall
+        AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials, 
+        DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables, 
+        ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes, 
+        InterestingProcesses, KeePass, LastShutdown, LocalGroups, 
+        LocalUsers, LogonEvents, LogonSessions, LSASettings, 
+        MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings, 
+        OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell, 
+        ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions, 
+        RDPSavedConnections, RDPSessions, RDPsettings, SecureBoot, 
+        Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall
+        
 
    "Seatbelt.exe -group=misc" runs the following commands:
 
-        ChromiumBookmarks, ChromiumHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
-        InstalledProducts, InterestingFiles, LogonEvents, LOLBAS,
-        McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents,
-        Printers, ProcessCreationEvents, ProcessOwners, RecycleBin,
-        reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
+        ChromiumBookmarks, ChromiumHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory, 
+        InstalledProducts, InterestingFiles, LogonEvents, LOLBAS, 
+        McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents, 
+        Printers, ProcessCreationEvents, ProcessOwners, RecycleBin, 
+        reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex, 
         SecurityPackages, SysmonEvents
 
 
@@ -247,8 +250,6 @@ Examples:
 
 **Note:** searches that target users will run for the current user if not-elevated and for ALL users if elevated.
 
-**A more detailed wiki is coming...**
-
 
 ## Command Groups
 

Seatbelt/Commands/Windows/AzureADCmd.cs

@@ -0,0 +1,224 @@
+using System;
+using System.Collections.Generic;
+using System.Runtime.InteropServices;
+using System.Security.Cryptography.X509Certificates;
+using System.Text;
+using Microsoft.Win32;
+using Seatbelt.Output.Formatters;
+using Seatbelt.Output.TextWriters;
+using static Seatbelt.Interop.Netapi32;
+
+namespace Seatbelt.Commands.Windows
+{
+    internal class AzureADCommand : CommandBase
+    {
+        public override string Command => "azuread";
+        public override string Description => "Return AzureAD info";
+        public override CommandGroup[] Group => new[] { CommandGroup.User };
+        public override bool SupportRemote => false;
+        public Runtime ThisRunTime;
+
+        public AzureADCommand(Runtime runtime) : base(runtime)
+        {
+            ThisRunTime = runtime;
+        }
+
+        public override IEnumerable<CommandDTOBase?> Execute(string[] args)
+        {
+            bool? sssoDomainTrusted = null;
+            var sssoDomainTrustedValue = ThisRunTime.GetDwordValue(RegistryHive.CurrentUser, @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon", "https");
+
+            if (sssoDomainTrustedValue != null)
+            {
+                switch (sssoDomainTrustedValue)
+                {
+                    case 0:
+                        sssoDomainTrusted = false;
+                        break;
+                    case 1:
+                        sssoDomainTrusted = true;
+                        break;
+                    default:
+                        sssoDomainTrusted = false;
+                        break;
+                }
+            }
+
+            var netAadJoinInfo = GetNetAadInfo();
+
+
+            yield return new AzureADDTO(
+                netAadJoinInfo,
+                sssoDomainTrusted
+               );
+        }
+
+
+        private NetAadJoinInfo? GetNetAadInfo()
+        {
+            //original code from https://github.com/ThomasKur/WPNinjas.Dsregcmd/blob/2cff7b273ad4d3fc705744f76c4bd0701b2c36f0/WPNinjas.Dsregcmd/DsRegCmd.cs
+
+            var tenantId = "";
+            var retValue = NetGetAadJoinInformation(tenantId, out var ptrJoinInfo);
+            if (retValue == 0)
+            {
+                var joinInfo = (DSREG_JOIN_INFO)Marshal.PtrToStructure(ptrJoinInfo, typeof(DSREG_JOIN_INFO));
+                var JType = (NetAadJoinInfo.JoinType)joinInfo.joinType;
+                var did = new Guid(joinInfo.DeviceId);
+                var tid = new Guid(joinInfo.TenantId);
+
+                var data = Convert.FromBase64String(joinInfo.UserSettingSyncUrl);
+                var UserSettingSyncUrl = Encoding.ASCII.GetString(data);
+                var ptrUserInfo = joinInfo.pUserInfo;
+
+                DSREG_USER_INFO? userInfo = null;
+                var cresult = new List<X509Certificate2>();
+                Guid? uid = null;
+
+                if (ptrUserInfo != IntPtr.Zero)
+                {
+                    userInfo = (DSREG_USER_INFO)Marshal.PtrToStructure(ptrUserInfo, typeof(DSREG_USER_INFO));
+                    uid = new Guid(userInfo?.UserKeyId);
+                    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
+                    store.Open(OpenFlags.ReadOnly);
+
+                    foreach (var certificate in store.Certificates)
+                    {
+                        if (certificate.Subject.Equals($"CN={did}"))
+                        {
+                            cresult.Add(certificate);
+                        }
+                    }
+
+                    Marshal.Release(ptrUserInfo);
+                }
+
+                Marshal.Release(ptrJoinInfo);
+                NetFreeAadJoinInformation(ptrJoinInfo);
+
+                return new NetAadJoinInfo(
+                    JType,
+                    did,
+                    joinInfo.IdpDomain,
+                    tid,
+                    joinInfo.JoinUserEmail,
+                    joinInfo.TenantDisplayName,
+                    joinInfo.MdmEnrollmentUrl,
+                    joinInfo.MdmTermsOfUseUrl,
+                    joinInfo.MdmComplianceUrl,
+                    UserSettingSyncUrl,
+                    cresult,
+                    userInfo?.UserEmail,
+                    uid,
+                    userInfo?.UserKeyName
+                );
+            }
+
+            return null;
+        }
+    }
+
+    internal class AzureADDTO : CommandDTOBase
+    {
+        public AzureADDTO(NetAadJoinInfo? netAadJoinInfo, bool? seamlessSignOnDomainTrusted)
+        {
+            SeamlessSignOnDomainTrusted = seamlessSignOnDomainTrusted;
+            NetAadJoinInfo = netAadJoinInfo;
+        }
+
+        public bool? SeamlessSignOnDomainTrusted { get; }
+        public NetAadJoinInfo? NetAadJoinInfo { get;  }
+    }
+
+    internal class NetAadJoinInfo
+    {
+        public NetAadJoinInfo(JoinType jType, Guid deviceId, string idpDomain, Guid tenantId, string joinUserEmail, string tenantDisplayName, string mdmEnrollmentUrl, string mdmTermsOfUseUrl,
+               string mdmComplianceUrl, string userSettingSyncUrl, List<X509Certificate2> certInfo, string? userEmail, Guid? userKeyId, string? userKeyname)
+        {
+            JType = jType;
+            DeviceId = deviceId;
+            IdpDomain = idpDomain;
+            TenantId = tenantId;
+            JoinUserEmail = joinUserEmail;
+            TenantDisplayName = tenantDisplayName;
+            MdmEnrollmentUrl = mdmEnrollmentUrl;
+            MdmTermsOfUseUrl = mdmTermsOfUseUrl;
+            MdmComplianceUrl = mdmComplianceUrl;
+            UserSettingSyncUrl = userSettingSyncUrl;
+            CertInfo = certInfo;
+            UserEmail = userEmail;
+            UserKeyId = userKeyId;
+            UserKeyname = userKeyname;
+        }
+        public enum JoinType
+        {
+            DSREG_UNKNOWN_JOIN,
+            DSREG_DEVICE_JOIN,
+            DSREG_WORKPLACE_JOIN,
+            DSREG_NO_JOIN
+        }
+        public JoinType JType { get; }
+        public Guid DeviceId { get; }
+        public string IdpDomain { get; }
+        public Guid TenantId { get; }
+        public string JoinUserEmail { get; }
+        public string TenantDisplayName { get; }
+        public string MdmEnrollmentUrl { get; }
+        public string MdmTermsOfUseUrl { get; }
+        public string MdmComplianceUrl { get; }
+        public string UserSettingSyncUrl { get; }
+        public List<X509Certificate2> CertInfo { get; }
+        public string? UserEmail { get; }
+        public Guid? UserKeyId { get; }
+        public string? UserKeyname { get; }
+    }
+
+    [CommandOutputType(typeof(AzureADDTO))]
+    internal class AzureADFormatter : TextFormatterBase
+    {
+        public AzureADFormatter(ITextWriter writer) : base(writer)
+        {
+            // nothing goes here
+        }
+        public override void FormatResult(CommandBase? command, CommandDTOBase result, bool filterResults)
+        {
+            var dto = (AzureADDTO)result;
+            var netAadInfo = dto.NetAadJoinInfo;
+
+            if (netAadInfo == null)
+                WriteLine("    Could not enumerate NetAadJoinInfo");
+            else
+            {
+                WriteLine($"    TenantDisplayName           : {netAadInfo.TenantDisplayName}");
+                WriteLine($"    TenantId                    : {netAadInfo.TenantId}");
+                WriteLine($"    IdpDomain                   : {netAadInfo.IdpDomain}");
+                WriteLine($"    MdmEnrollmentUrl            : {netAadInfo.MdmEnrollmentUrl}");
+                WriteLine($"    MdmTermsOfUseUrl            : {netAadInfo.MdmTermsOfUseUrl}");
+                WriteLine($"    MdmComplianceUrl            : {netAadInfo.MdmComplianceUrl}");
+                WriteLine($"    UserSettingSyncUrl          : {netAadInfo.UserSettingSyncUrl}");
+                WriteLine($"    DeviceId                    : {netAadInfo.DeviceId}");
+                WriteLine($"    JoinType                    : {netAadInfo.JType}");
+                WriteLine($"    JoinUserEmail               : {netAadInfo.JoinUserEmail}");
+                WriteLine($"    UserKeyId                   : {netAadInfo.UserKeyId}");
+                WriteLine($"    UserEmail                   : {netAadInfo.UserEmail}");
+                WriteLine($"    UserKeyname                 : {netAadInfo.UserKeyname}\n");
+
+                foreach (var cert in netAadInfo.CertInfo)
+                {
+                    WriteLine($"    Thumbprint  : {cert.Thumbprint}");
+                    WriteLine($"    Subject     : {cert.Subject}");
+                    WriteLine($"    Issuer      : {cert.Issuer}");
+                    WriteLine($"    Expiration  : {cert.GetExpirationDateString()}");
+                }
+            }
+
+            var sssoMsg = "";
+            if (dto.SeamlessSignOnDomainTrusted == true)
+                sssoMsg = "(AzureAD Seamless Sign-on may be enabled!)";
+            else
+                sssoMsg = "(not configured)";
+
+            WriteLine($"    SeamlessSignOnDomainTrusted : {dto.SeamlessSignOnDomainTrusted}{sssoMsg}");
+        }
+    }
+}