#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from impacket.dcerpc.v5 import rrp
from impacket.dcerpc.v5 import scmr
from impacket.examples.secretsdump import RemoteOperations
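class NXCModule:
    """Check whether the AlwaysInstallElevated policy is enabled on the target.

    When the ``AlwaysInstallElevated`` value is set to 1 under both the
    HKLM and the HKCU ``Installer`` policy keys, Windows Installer runs
    ``.msi`` packages with elevated privileges for any user, which is a
    well-known local privilege-escalation misconfiguration.  The module
    reads the two values over the Remote Registry service (through
    impacket's ``RemoteOperations``) and reports the combined status.
    """

    name = "install_elevated"
    description = "Checks for AlwaysInstallElevated"
    supported_protocols = ["smb"]
    opsec_safe = True
    multiple_hosts = True

    # Policy key holding AlwaysInstallElevated, relative to HKLM and HKCU.
    INSTALLER_POLICY_KEY = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
    INSTALLER_POLICY_VALUE = "AlwaysInstallElevated"

    def options(self, context, module_options):
        """Declare module options; this module accepts none."""

    def on_admin_login(self, context, connection):
        """Report the AlwaysInstallElevated status of the connected host.

        Runs once an administrative SMB session exists.  The machine-wide
        value (HKLM) is read first; a missing key/value or a value of 0
        means the feature is disabled regardless of the per-user setting.
        Only then is the HKCU value read.  A ``rrp.DCERPCSessionError`` on
        either read is treated as "not set".  Results are written with
        ``context.log.highlight`` and the Remote Registry session is always
        torn down afterwards.

        NOTE(review): the HKCU read presumably reflects the hive of the
        account this session is authenticated as, not an arbitrary local
        user — confirm before relying on the "Computer Only" verdict.

        Args:
            context: NetExec module context; only ``context.log`` is used.
            connection: SMB connection; ``connection.conn`` is handed to
                impacket's ``RemoteOperations``.
        """
        remote_ops = None  # keeps the cleanup below safe if construction fails
        try:
            remote_ops = RemoteOperations(connection.conn, False)
            remote_ops.enableRegistry()
            # impacket stores the RRP binding in a name-mangled attribute.
            dce = remote_ops._RemoteOperations__rrp

            # Machine-wide policy (HKLM).
            try:
                aie_machine_value = self._read_policy_value(dce, rrp.hOpenLocalMachine)
            except rrp.DCERPCSessionError:
                context.log.highlight("AlwaysInstallElevated Status: 0 (Disabled)")
                return
            if aie_machine_value == 0:
                context.log.highlight("AlwaysInstallElevated Status: 0 (Disabled)")
                return

            # Per-user policy (HKCU); only meaningful once HKLM is non-zero.
            try:
                aie_user_value = self._read_policy_value(dce, rrp.hOpenCurrentUser)
            except rrp.DCERPCSessionError:
                context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled: Computer Only)")
                return
            if aie_user_value == 0:
                context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled: Computer Only)")
            else:
                context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled)")
        finally:
            self._cleanup(context, remote_ops)

    def _read_policy_value(self, dce, open_root):
        """Open a root hive, read AlwaysInstallElevated beneath it, close all handles.

        Args:
            dce: RRP binding taken from ``RemoteOperations``.
            open_root: ``rrp.hOpenLocalMachine`` or ``rrp.hOpenCurrentUser``.

        Returns:
            The stored value as returned by ``rrp.hBaseRegQueryValue``; the
            callers compare it against 0.

        Raises:
            rrp.DCERPCSessionError: when the hive, the policy key or the
                value cannot be opened or read — callers treat this as
                "not set".  A failing close propagates the same way.
        """
        root_handle = open_root(dce)["phKey"]
        try:
            ans = rrp.hBaseRegOpenKey(dce, root_handle, self.INSTALLER_POLICY_KEY)
            key_handle = ans["phkResult"]
            try:
                _data_type, value = rrp.hBaseRegQueryValue(dce, key_handle, self.INSTALLER_POLICY_VALUE)
            finally:
                # Close the subkey on every path; a missing value used to
                # leave this handle open on the remote side.
                rrp.hBaseRegCloseKey(dce, key_handle)
        finally:
            rrp.hBaseRegCloseKey(dce, root_handle)
        return value

    @staticmethod
    def _cleanup(context, remote_ops):
        """Tear down the RemoteOperations session, logging failures instead of raising.

        Args:
            context: NetExec module context providing ``context.log``.
            remote_ops: the session to finish, or ``None`` if it was never built.
        """
        if remote_ops is None:
            return
        try:
            remote_ops.finish()
        except scmr.DCERPCSessionError as e:
            context.log.debug(f"Received SessionError while attempting to clean up logins: {e}")
        except Exception as e:
            # Cleanup must never mask the result already reported above.
            context.log.debug(f"Received general exception while attempting to clean up logins: {e}")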