NetExec/nxc/modules/install_elevated.py

from impacket.dcerpc.v5 import rrp
from impacket.dcerpc.v5 import scmr
from impacket.examples.secretsdump import RemoteOperations


class NXCModule:
    name = "install_elevated"
    description = "Checks for AlwaysInstallElevated"
    supported_protocols = ["smb"]
    opsec_safe = True
    multiple_hosts = True

    def options(self, context, module_options):
        """ """

    def on_admin_login(self, context, connection):
        try:
            remote_ops = RemoteOperations(connection.conn, False)
            remote_ops.enableRegistry()

            try:
                ans_machine = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
                reg_handle = ans_machine["phKey"]
                ans_machine = rrp.hBaseRegOpenKey(
                    remote_ops._RemoteOperations__rrp,
                    reg_handle,
                    "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer",
                )
                key_handle = ans_machine["phkResult"]
                data_type, aie_machine_value = rrp.hBaseRegQueryValue(
                    remote_ops._RemoteOperations__rrp,
                    key_handle,
                    "AlwaysInstallElevated",
                )
                rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)

                if aie_machine_value == 0:
                    context.log.highlight("AlwaysInstallElevated Status: 0 (Disabled)")
                    return
            except rrp.DCERPCSessionError:
                context.log.highlight("AlwaysInstallElevated Status: 0 (Disabled)")
                return
            try:
                ans_user = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)
                reg_handle = ans_user["phKey"]
                ans_user = rrp.hBaseRegOpenKey(
                    remote_ops._RemoteOperations__rrp,
                    reg_handle,
                    "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer",
                )
                key_handle = ans_user["phkResult"]
                data_type, aie_user_value = rrp.hBaseRegQueryValue(
                    remote_ops._RemoteOperations__rrp,
                    key_handle,
                    "AlwaysInstallElevated",
                )
                rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
            except rrp.DCERPCSessionError:
                context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled: Computer Only)")
                return
            if aie_user_value == 0:
                context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled: Computer Only)")
            else:
                context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled)")
        finally:
            try:
                remote_ops.finish()
            except scmr.DCERPCSessionError as e:
                context.log.debug(f"Received SessionError while attempting to clean up logins: {e}")
            except Exception as e:
                context.log.debug(f"Received general exception while attempting to clean up logins: {e}")
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00			`from impacket.dcerpc.v5 import rrp`
clean up imports 2023-04-07 17:12:56 +00:00			`from impacket.dcerpc.v5 import scmr`
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00			`from impacket.examples.secretsdump import RemoteOperations`

update install_elevated module to catch login cleanup and fix formatting 2023-03-24 03:21:16 +00:00
Rename Module Classname to match python convention 2023-09-17 20:20:40 +00:00			`class NXCModule:`
update install_elevated module to catch login cleanup and fix formatting 2023-03-24 03:21:16 +00:00			`name = "install_elevated"`
Created install_elevated.py This module will check if the computer and the supplied user have AlwaysInstallElevated enabled. 2022-10-07 19:55:58 +00:00			`description = "Checks for AlwaysInstallElevated"`
update install_elevated module to catch login cleanup and fix formatting 2023-03-24 03:21:16 +00:00			`supported_protocols = ["smb"]`
Created install_elevated.py This module will check if the computer and the supplied user have AlwaysInstallElevated enabled. 2022-10-07 19:55:58 +00:00			`opsec_safe = True`
			`multiple_hosts = True`

			`def options(self, context, module_options):`
black formating 2023-05-02 15:17:59 +00:00			`""" """`
Created install_elevated.py This module will check if the computer and the supplied user have AlwaysInstallElevated enabled. 2022-10-07 19:55:58 +00:00
			`def on_admin_login(self, context, connection):`
			`try:`
update install_elevated module to catch login cleanup and fix formatting 2023-03-24 03:21:16 +00:00			`remote_ops = RemoteOperations(connection.conn, False)`
			`remote_ops.enableRegistry()`
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00
			`try:`
update install_elevated module to catch login cleanup and fix formatting 2023-03-24 03:21:16 +00:00			`ans_machine = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)`
black formating 2023-05-02 15:17:59 +00:00			`reg_handle = ans_machine["phKey"]`
			`ans_machine = rrp.hBaseRegOpenKey(`
			`remote_ops._RemoteOperations__rrp,`
			`reg_handle,`
			`"SOFTWARE\\Policies\\Microsoft\\Windows\\Installer",`
			`)`
			`key_handle = ans_machine["phkResult"]`
			`data_type, aie_machine_value = rrp.hBaseRegQueryValue(`
			`remote_ops._RemoteOperations__rrp,`
			`key_handle,`
			`"AlwaysInstallElevated",`
			`)`
update install_elevated module to catch login cleanup and fix formatting 2023-03-24 03:21:16 +00:00			`rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)`
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00
			`if aie_machine_value == 0:`
black formating 2023-05-02 15:17:59 +00:00			`context.log.highlight("AlwaysInstallElevated Status: 0 (Disabled)")`
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00			`return`
			`except rrp.DCERPCSessionError:`
black formating 2023-05-02 15:17:59 +00:00			`context.log.highlight("AlwaysInstallElevated Status: 0 (Disabled)")`
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00			`return`
			`try:`
update install_elevated module to catch login cleanup and fix formatting 2023-03-24 03:21:16 +00:00			`ans_user = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)`
black formating 2023-05-02 15:17:59 +00:00			`reg_handle = ans_user["phKey"]`
			`ans_user = rrp.hBaseRegOpenKey(`
			`remote_ops._RemoteOperations__rrp,`
			`reg_handle,`
			`"SOFTWARE\\Policies\\Microsoft\\Windows\\Installer",`
			`)`
			`key_handle = ans_user["phkResult"]`
			`data_type, aie_user_value = rrp.hBaseRegQueryValue(`
			`remote_ops._RemoteOperations__rrp,`
			`key_handle,`
			`"AlwaysInstallElevated",`
			`)`
update install_elevated module to catch login cleanup and fix formatting 2023-03-24 03:21:16 +00:00			`rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)`
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00			`except rrp.DCERPCSessionError:`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled: Computer Only)")`
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00			`return`
			`if aie_user_value == 0:`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled: Computer Only)")`
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00			`else:`
black formating 2023-05-02 15:17:59 +00:00			`context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled)")`
Update install_elevated.py Updated to display enabled when only the entry in HKLM is enabled as low privilege users can modify the HKCU and grant themselves permission. Note that once the per-machine policy for AlwaysInstallElevated is enabled, any user can set their per-user setting. https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated 2022-10-07 20:25:56 +00:00			`finally:`
update install_elevated module to catch login cleanup and fix formatting 2023-03-24 03:21:16 +00:00			`try:`
			`remote_ops.finish()`
fix(install_elevated): update error handling 2023-03-24 20:34:23 +00:00			`except scmr.DCERPCSessionError as e:`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.debug(f"Received SessionError while attempting to clean up logins: {e}")`
fix(install_elevated): update error handling 2023-03-24 20:34:23 +00:00			`except Exception as e:`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.debug(f"Received general exception while attempting to clean up logins: {e}")`