From 4b4310e83833d7318d84c48c6d1c7a4bc1e273bf Mon Sep 17 00:00:00 2001
From: Lars Karlslund
Date: Tue, 11 Oct 2022 23:08:35 +0200
Subject: [PATCH] Improved probability calculation for RDP when INTERACTIVE gives admin rights, other fixes
---
 .../activedirectory/attributes.go | 2 ++
 .../localmachine/analyze/analyzer.go | 28 +++++++++++++++++--
 .../localmachine/analyze/import.go | 10 ++++++-
 modules/windowssecurity/wellknown.go | 3 ++
 4 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/modules/integrations/activedirectory/attributes.go b/modules/integrations/activedirectory/attributes.go
index 41436c4..47d8bfb 100644
--- a/modules/integrations/activedirectory/attributes.go
+++ b/modules/integrations/activedirectory/attributes.go
@@ -46,6 +46,8 @@ var (
 GPCFileSysPath = engine.NewAttribute("gPCFileSysPath").Tag("AD").Merge()
 SchemaIDGUID = engine.NewAttribute("schemaIDGUID").Tag("AD").Type(engine.AttributeTypeGUID)
 PossSuperiors = engine.NewAttribute("possSuperiors")
+ SystemPossSuperiors = engine.NewAttribute("possSuperiors")
+ SubClassOf = engine.NewAttribute("subClassOf").Tag("AD")
 SystemMayContain = engine.NewAttribute("systemMayContain")
 SystemMustContain = engine.NewAttribute("systemMustContain")
 ServicePrincipalName = engine.NewAttribute("servicePrincipalName").Tag("AD")
diff --git a/modules/integrations/localmachine/analyze/analyzer.go b/modules/integrations/localmachine/analyze/analyzer.go
index 44c24c4..50454cb 100644
--- a/modules/integrations/localmachine/analyze/analyzer.go
+++ b/modules/integrations/localmachine/analyze/analyzer.go
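Review bot: `SystemPossSuperiors` is registered with the attribute name `"possSuperiors"`, the same string `PossSuperiors` two lines above already uses, so the variable name and the attribute name disagree and, if `engine.NewAttribute` keys on the name, both variables may resolve to a single attribute. The AD schema attribute is `systemPossSuperiors`; the line should read `SystemPossSuperiors = engine.NewAttribute("systemPossSuperiors")`. The new `SubClassOf` carries `.Tag("AD")` while `SystemPossSuperiors` and the existing `SystemMayContain`/`SystemMustContain` do not, which is worth confirming as intentional. The `var (` block this sits in starts outside the hunk.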
@@ -13,8 +13,25 @@ var (
 ServiceStart = engine.NewAttribute("serviceStart")
 ServiceType = engine.NewAttribute("serviceType")
- EdgeLocalAdminRights = engine.NewEdge("AdminRights")
- EdgeLocalRDPRights = engine.NewEdge("RDPRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 30 })
+ EdgeLocalAdminRights = engine.NewEdge("AdminRights")
+ EdgeLocalRDPRights = engine.NewEdge("RDPRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
+ var probability engine.Probability
+ target.EdgeIterator(engine.In, func(potential *engine.Object, edge engine.EdgeBitmap) bool {
+ sid := potential.SID()
+ if sid.IsBlank() {
+ return true // continue
+ }
+ if sid == windowssecurity.InteractiveSID || sid == windowssecurity.RemoteInteractiveSID || sid == windowssecurity.AuthenticatedUsersSID || sid == windowssecurity.EveryoneSID {
+ probability = edge.MaxProbability(potential, target)
+ return false // break
+ }
+ return true
+ })
+ if probability < 30 {
+ probability = 30
+ }
+ return probability
+ })
 EdgeLocalDCOMRights = engine.NewEdge("DCOMRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 50 })
 EdgeLocalSMSAdmins = engine.NewEdge("SMSAdmins").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 50 })
 EdgeLocalSessionLastDay = engine.NewEdge("SessionLastDay").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 80 })
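Review bot: The iterator callback in the new RDPRights calculator returns false on the first of Interactive/RemoteInteractive/AuthenticatedUsers/Everyone it meets, so `probability` reflects whichever of those principals EdgeIterator happens to visit first rather than the strongest of them, and if the visiting order is not stable the score can differ between runs. Keep iterating and take the maximum instead: `if p := edge.MaxProbability(potential, target); p > probability { probability = p }` followed by `return true`. The floor of 30 silently repeats the constant the old one-liner returned; naming it (`const rdpRightsBaseProbability = 30`) and prefixing the calculator with a comment such as `// RDP access is scored at least 30, raised to whatever the logon-session principals (Interactive, Remote Interactive, Authenticated Users, Everyone) can already do on the target.` would make the intent readable. Note also that `edge.MaxProbability` appears to be taken over every edge in the bitmap, not only admin-type ones, so if one of those SIDs itself holds an RDPRights edge to the same target the calculator would, as far as this hunk shows, re-enter itself. The `var (` block this declaration lives in begins before the hunk.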
@@ -47,6 +64,13 @@ var (
 EdgeSeTrustedCredManAccess = engine.NewEdge("SeTrustedCredManAccess")
 EdgeSeTcb = engine.NewEdge("SeTcb")
+ EdgeSeNetworkLogonRight = engine.NewEdge("SeNetworkLogonRight").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 10 })
+ // RDPRight used ... EdgeSeRemoteInteractiveLogonRight = engine.NewEdge("SeRemoteInteractiveLogonRight").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 10 })
+
+ // SeDenyNetworkLogonRight
+ // SeDenyInteractiveLogonRight
+ // SeDenyRemoteInteractiveLogonRight
+
 EdgeSIDCollision = engine.NewEdge("SIDCollision")
 DNSHostname = engine.NewAttribute("dnsHostName")
diff --git a/modules/integrations/localmachine/analyze/import.go b/modules/integrations/localmachine/analyze/import.go
index 7babd04..fc5369c 100644
--- a/modules/integrations/localmachine/analyze/import.go
+++ b/modules/integrations/localmachine/analyze/import.go
@@ -140,10 +140,14 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 everyone, _, _ := ri.GetSIDObject(windowssecurity.EveryoneSID, Auto)
 everyone.SetFlex(engine.ObjectCategorySimple, "Group") // This could go wrong
+ everyone.ChildOf(machine)
+
 authenticatedusers, _, _ := ri.GetSIDObject(windowssecurity.AuthenticatedUsersSID, Auto)
 authenticatedusers.SetFlex(engine.ObjectCategorySimple, "Group") // This could go wrong
 authenticatedusers.EdgeTo(everyone, activedirectory.EdgeMemberOfGroup)
+ authenticatedusers.ChildOf(machine)
+
 if cinfo.Machine.IsDomainJoined {
 domainauthenticatedusers, _, _ := ri.GetSIDObject(windowssecurity.EveryoneSID, Domain)
 domainauthenticatedusers.EdgeTo(authenticatedusers, activedirectory.EdgeMemberOfGroup)
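Review bot: The new `// RDPRight used ... EdgeSeRemoteInteractiveLogonRight = ...` line is commented-out code with a truncated explanation, and the three `// SeDeny...LogonRight` lines below it are bare placeholders, so a reader cannot tell whether the deny rights are unmodeled by design or left for later. That matters for the graph's accuracy: the allow side now produces edges (`EdgeSeNetworkLogonRight` here, and SeRemoteInteractiveLogonRight mapped onto `EdgeLocalRDPRights` in import.go), so a principal that also holds the matching deny right still gets an edge the analysis cannot distinguish. Replace the placeholders with one explicit comment, e.g. `// TODO: SeDeny{Network,Interactive,RemoteInteractive}LogonRight are not modeled; a deny assignment should suppress the corresponding allow edge above.`, and drop the commented-out definition in favour of `// SeRemoteInteractiveLogonRight is represented by EdgeLocalRDPRights (see import.go).` The `var (` block continues outside the hunk on both sides.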
@@ -189,6 +193,8 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 for _, pi := range cinfo.Privileges {
 var pwn engine.Edge
 switch pi.Name {
+ case "SeNetworkLogonRight":
+ pwn = EdgeSeNetworkLogonRight
 case "SeRemoteInteractiveLogonRight":
 pwn = EdgeLocalRDPRights
 rdprightshandled = true
@@ -280,6 +286,7 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 engine.ObjectCategorySimple, "Group",
 engine.DataSource, uniquesource,
 )
+ groupobject.ChildOf(groupscontainer)
 if err != nil && group.Name != "SMS Admins" {
 ui.Warn().Msgf("Can't convert local group SID %v: %v", group.SID, err)
@@ -452,6 +459,7 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 engine.DownLevelLogonName, cinfo.Machine.Name+"\\Services",
 engine.DataSource, cinfo.Machine.Name,
 )
+ localservicesgroup.ChildOf(machine)
 for _, service := range cinfo.Services {
 serviceobject := engine.NewObject(
@@ -504,7 +512,7 @@ func ImportCollectorInfo(ao *engine.Objects, cinfo localmachine.Info) (*engine.O
 engine.DownLevelLogonName, service.Account,
 )
 }
-
+ svcaccount.ChildOf(serviceobject)
 }
 if serviceaccountSID.Component(2) < 21 {
 svcaccount.SetFlex(activedirectory.ObjectCategorySimple, "Group")
diff --git a/modules/windowssecurity/wellknown.go b/modules/windowssecurity/wellknown.go
index fc922df..e2eecc7 100644
--- a/modules/windowssecurity/wellknown.go
+++ b/modules/windowssecurity/wellknown.go
@@ -92,6 +92,9 @@ var (
 ServicesSID, _ = ParseStringSID("S-1-5-6")
+ InteractiveSID, _ = ParseStringSID("S-1-5-4")
+ RemoteInteractiveSID, _ = ParseStringSID("S-1-5-14")
+
 SystemSID, _ = ParseStringSID("S-1-5-18")
 LocalServiceSID, _ = ParseStringSID("S-1-5-19")
 NetworkServiceSID, _ = ParseStringSID("S-1-5-20")
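Review bot: In the `@@ -504,7 +512,7 @@` hunk, `svcaccount.ChildOf(serviceobject)` parents the account object under this single service, yet the `if serviceaccountSID.Component(2) < 21` branch right after treats the same object as a well-known principal (categorised as `Group`), and such an account can be shared by several entries of the surrounding `cinfo.Services` loop; each iteration would then re-parent it under the latest service. As far as the hunk shows, the call should be limited to the case where a fresh per-service object is created (the `engine.NewObject(` call whose start is outside the hunk), or expressed as an edge from the service to the account rather than containment. A one-line comment stating which case `ChildOf` is intended for would help either way. The enclosing loop and `ImportCollectorInfo` extend beyond the hunk.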