From 1fa7b3da1b8b4d8f273785e64e28d2995e10b402 Mon Sep 17 00:00:00 2001 From: Lars Karlslund Date: Mon, 11 Apr 2022 18:02:29 +0200 Subject: [PATCH] Add SERVICES group and other minor adjustments to localmachine import --- .../localmachine/analyze/analyzer.go | 16 ++++++++++++++-- modules/windowssecurity/wellknown.go | 4 ++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/modules/integrations/localmachine/analyze/analyzer.go b/modules/integrations/localmachine/analyze/analyzer.go index 2e777b4..f568b66 100644 --- a/modules/integrations/localmachine/analyze/analyzer.go +++ b/modules/integrations/localmachine/analyze/analyzer.go @@ -49,7 +49,7 @@ var ( PwnSeAssignPrimaryToken = engine.NewPwn("SeAssignPrimaryToken") PwnSeCreateToken = engine.NewPwn("SeCreateToken") PwnSeDebug = engine.NewPwn("SeDebug") - PwnSeImpersonate = engine.NewPwn("SeImpersonate") + PwnSeImpersonate = engine.NewPwn("SeImpersonate").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 20 }) PwnSeLoadDriver = engine.NewPwn("SeLoadDriver") PwnSeManageVolume = engine.NewPwn("SeManageVolume") PwnSeTakeOwnership = engine.NewPwn("SeTakeOwnership") @@ -402,6 +402,12 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error ld.ao.Add(servicescontainer) servicescontainer.ChildOf(computerobject) + localservicesgroup := ld.ao.AddNew( + activedirectory.ObjectSid, engine.AttributeValueSID(windowssecurity.LocalServiceSID), + engine.DownLevelLogonName, cinfo.Machine.Name+"\\Services", + engine.UniqueSource, uniquesource, + ) + for _, service := range cinfo.Services { serviceobject := engine.NewObject( engine.IgnoreBlanks, 
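Review bot: The probability calculator attached to `PwnSeImpersonate` returns the bare constant 20 with no comment, and the closure declares `source, target` that it never reads, so nothing in the hunk says what scale `engine.Probability` uses or why SeImpersonate alone is down-weighted. SeImpersonatePrivilege is routinely abused through token impersonation to reach SYSTEM, so if this is a percentage the value reads low and the rationale should sit next to it, e.g. `// SeImpersonate is rated below the default because <reason>; engine.Probability scale: confirm`. Writing the closure as `func(_, _ *engine.Object) engine.Probability { return 20 }` also makes the ignored parameters explicit. This `var (` block continues outside the hunk.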
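Review bot: The new "Services" group object is created with `windowssecurity.LocalServiceSID` as its `ObjectSid`, which is the SID of a specific NT AUTHORITY service account rather than the well-known SERVICE group (S-1-5-6) that this same patch adds as `ServicesSID`; the line should read `activedirectory.ObjectSid, engine.AttributeValueSID(windowssecurity.ServicesSID),`. As written, any ACE that grants rights to that service-account SID resolves onto this group, and since a later hunk makes every service a member of it, those rights would appear reachable from every service on the host regardless of its actual logon account, which is a false path in the graph. The SID is also not machine-specific, so unless `engine.UniqueSource` scopes `ld.ao.AddNew`, every host would share one object; worth confirming. The well-known down-level name for S-1-5-6 is `NT AUTHORITY\SERVICE` while this object is labelled `<Machine>\Services`, which may be intentional but deserves a comment; `ImportCollectorInfo` continues outside the hunk.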
@@ -414,6 +420,7 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error ) ld.ao.Add(serviceobject) serviceobject.ChildOf(servicescontainer) + serviceobject.Pwns(localservicesgroup, engine.PwnMemberOfGroup) computerobject.Pwns(serviceobject, PwnHosts) if serviceaccountSID, err := windowssecurity.SIDFromString(service.AccountSID); err == nil && serviceaccountSID.Component(2) == 21 { @@ -448,6 +455,11 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error for _, entry := range sd.Entries { entrysid := entry.SID if entry.Type == engine.ACETYPE_ACCESS_ALLOWED { + if entrysid == windowssecurity.AdministratorsSID || entrysid == windowssecurity.SystemSID { + // if we have local admin it's already game over so don't map this + continue + } + o := ld.ao.AddNew( activedirectory.ObjectSid, engine.AttributeValueSID(entrysid), ) @@ -569,7 +581,7 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error } // Only domain users for now - if sid.Component(2) != 21 { + if sid.Component(2) != 21 && sid != windowssecurity.LocalServiceSID && sid != windowssecurity.NetworkServiceSID && sid != windowssecurity.ServicesSID { continue } diff --git a/modules/windowssecurity/wellknown.go b/modules/windowssecurity/wellknown.go index 58034c6..5c94a6a 100644 --- a/modules/windowssecurity/wellknown.go +++ b/modules/windowssecurity/wellknown.go @@ -90,6 +90,10 @@ var ( SelfSID, _ = SIDFromString("S-1-5-10") AuthenticatedUsersSID, _ = SIDFromString("S-1-5-11") EveryoneSID, _ = SIDFromString("S-1-1-0") + AdministratorsSID, _ = SIDFromString("S-1-5-32-544") + ServicesSID, _ = SIDFromString("S-1-5-6") + NetworkServiceSID, _ = SIDFromString("S-1-5-19") + LocalServiceSID, _ = SIDFromString("S-1-5-20") AccountOperatorsSID, _ = SIDFromString("S-1-5-32-548") )
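Review bot: The early `continue` for `AdministratorsSID`/`SystemSID` at the top of the access-allowed branch drops those ACEs from the graph entirely, which is only sound if some other edge already gives those principals control of the computer object and, transitively, of whatever this loop maps; the comment should record that dependency rather than just "game over", e.g. `// Administrators and SYSTEM already control this host (edge added elsewhere); skip their ACEs so the graph is not flooded with redundant edges`. If that host-level edge is ever filtered out, or this loop is later fed security descriptors that are not per-host, the pruning silently hides real permissions, so it is worth confirming where the host-level edge comes from. Deny ACEs for these principals are still not considered here, as before this patch. The loop and `ImportCollectorInfo` both begin outside the hunk.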
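Review bot: The comment `// Only domain users for now` directly above the changed condition is now stale: the filter also admits `LocalServiceSID`, `NetworkServiceSID` and `ServicesSID`, none of which are domain users. Suggested replacement: `// Only S-1-5-21-* (domain/local SAM) accounts plus the well-known service SIDs for now`. Because both S-1-5-19 and S-1-5-20 are in the allow-list, this filter behaves the same whichever name carries which value, so it gives no protection against the two constants being mixed up elsewhere. The surrounding code of `ImportCollectorInfo` runs past the hunk.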
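Review bot: `NetworkServiceSID` and `LocalServiceSID` are assigned to each other's SIDs: S-1-5-19 is NT AUTHORITY\LOCAL SERVICE and S-1-5-20 is NT AUTHORITY\NETWORK SERVICE. The two lines should be `NetworkServiceSID, _ = SIDFromString("S-1-5-20")` and `LocalServiceSID, _ = SIDFromString("S-1-5-19")`. Any code that uses these names individually, such as the analyzer hunk that builds the services group from `LocalServiceSID`, will attribute rights to the wrong account, and the swap is invisible wherever both are accepted together. A short comment per line naming the principal (`// NT AUTHORITY\LOCAL SERVICE`) would make the mapping checkable at a glance, since the neighbouring well-known entries carry no names either. The `var (` block continues outside the hunk.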