From 3dd0f7b6bdb49fd1af1f80529f37b9ed8c6f8bc7 Mon Sep 17 00:00:00 2001
From: Lars Karlslund
Date: Wed, 4 May 2022 08:10:54 +0200
Subject: [PATCH] Naming conventions fix for well known SIDs
---
 modules/integrations/localmachine/analyze/analyzer.go | 8 ++++----
 modules/windowssecurity/wellknown.go | 9 ++++-----
 2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/modules/integrations/localmachine/analyze/analyzer.go b/modules/integrations/localmachine/analyze/analyzer.go
index 5058506..405afbd 100644
--- a/modules/integrations/localmachine/analyze/analyzer.go
+++ b/modules/integrations/localmachine/analyze/analyzer.go
@@ -156,7 +156,7 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error
  computerobject.SetValues(localmachine.MACAddress, macaddrs...)
  }
- ld.ao.ReindexObject(computerobject) // We changed stuff after adding it
+ ld.ao.ReindexObject(computerobject, false) // We changed stuff after adding it
  // Add local accounts as synthetic objects
  userscontainer := engine.NewObject(activedirectory.Name, "Users")
@@ -278,11 +278,11 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error
  switch {
  case group.Name == "SMS Admins":
  memberobject.Pwns(computerobject, PwnLocalSMSAdmins)
- case groupsid == windowssecurity.SIDAdministrators:
+ case groupsid == windowssecurity.AdministratorsSID:
  memberobject.Pwns(computerobject, PwnLocalAdminRights)
- case groupsid == windowssecurity.SIDDCOMUsers:
+ case groupsid == windowssecurity.DCOMUsersSID:
  memberobject.Pwns(computerobject, PwnLocalDCOMRights)
- case groupsid == windowssecurity.SIDRemoteDesktopUsers:
+ case groupsid == windowssecurity.RemoteDesktopUsersSID:
  memberobject.Pwns(computerobject, PwnLocalRDPRights)
  }
diff --git a/modules/windowssecurity/wellknown.go b/modules/windowssecurity/wellknown.go
index 5c94a6a..ebb5a73 100644
--- a/modules/windowssecurity/wellknown.go
+++ b/modules/windowssecurity/wellknown.go
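Review bot: The new second argument in `ld.ao.ReindexObject(computerobject, false)` is a bare boolean literal whose meaning cannot be read off the call site, and ReindexObject is defined outside this diff, so a reader has to go find what `false` switches off. The existing trailing comment only explains why the call is made; extending it with what the flag selects, e.g. `// We changed stuff after adding it; false = <what the second argument disables, per ReindexObject's doc>`, or using a named constant if the package has one, would keep the intent local. ImportCollectorInfo starts and ends outside the hunk.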
@@ -33,7 +33,7 @@ var (
  "S-1-5-15": "This Organization",
  "S-1-5-17": "This Organization",
  "S-1-5-18": "Local System",
- "S-1-5-19": "NT Authority",
+ "S-1-5-19": "Local Service",
  "S-1-5-2": "Network",
  "S-1-5-20": "NT Authority",
  "S-1-5-3": "Batch",
@@ -80,9 +80,9 @@ var (
  "S-1-5-90-0": "Windows Manager - Windows Manager Group",
  }
- SIDAdministrators, _ = SIDFromString("S-1-5-32-544")
- SIDRemoteDesktopUsers, _ = SIDFromString("S-1-5-32-555")
- SIDDCOMUsers, _ = SIDFromString("S-1-5-32-562")
+ AdministratorsSID, _ = SIDFromString("S-1-5-32-544")
+ RemoteDesktopUsersSID, _ = SIDFromString("S-1-5-32-555")
+ DCOMUsersSID, _ = SIDFromString("S-1-5-32-562")
  OwnerSID, _ = SIDFromString("S-1-3-4")
  SystemSID, _ = SIDFromString("S-1-5-18")
@@ -90,7 +90,6 @@ var (
  SelfSID, _ = SIDFromString("S-1-5-10")
  AuthenticatedUsersSID, _ = SIDFromString("S-1-5-11")
  EveryoneSID, _ = SIDFromString("S-1-1-0")
- AdministratorsSID, _ = SIDFromString("S-1-5-32-544")
  ServicesSID, _ = SIDFromString("S-1-5-6")
  NetworkServiceSID, _ = SIDFromString("S-1-5-19")
  LocalServiceSID, _ = SIDFromString("S-1-5-20")
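Review bot: Relabelling `"S-1-5-19"` as `"Local Service"` is correct, but the context line `"S-1-5-20": "NT Authority"` three lines below keeps the same generic label; S-1-5-20 is the well-known Network Service account, so `"S-1-5-20": "Network Service",` would finish the fix. The later hunk in this file (`@@ -90,7 +90,6 @@`) shows `NetworkServiceSID, _ = SIDFromString("S-1-5-19")` and `LocalServiceSID, _ = SIDFromString("S-1-5-20")`, which have the two literals swapped relative to both this map and the well-known SID definitions, so any right or relationship keyed on those two variables is attributed to the wrong service account. Swapping them (`NetworkServiceSID` gets `"S-1-5-20"`, `LocalServiceSID` gets `"S-1-5-19"`) is a two-line change and worth a short `// S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE` comment so the pair is not transposed again. The enclosing `var (` block starts and ends outside the hunk.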
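Review bot: The renamed declarations `AdministratorsSID, _ = SIDFromString("S-1-5-32-544")` and their two siblings still discard the parse error, so a bad literal would silently leave the package variable at its zero value, and the `groupsid == windowssecurity.AdministratorsSID` comparison in analyzer.go would then match a zero SID instead of the Administrators group; whether a zero SID can collide with a real one depends on SIDFromString and the SID type, which are not in the diff, so treat that as an assumption. Because every input here is a constant, the idiomatic shape is a `Must`-style wrapper that panics at package init (`AdministratorsSID = MustSIDFromString("S-1-5-32-544")`), which would surface a mistyped literal on first start-up rather than as a silent mis-attribution later; no such helper is visible in the diff, so it would need to be added alongside. The `var (` block starts and ends outside the hunk.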