update install_elevated module to catch login cleanup and fix formatting
Marshall Hallenbeck
parent
84e239c139
commit
89cd804e10
|
|
@ -1,59 +1,59 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
import logging
|
||||
|
||||
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
||||
from impacket.dcerpc.v5.scmr import DCERPCSessionError
|
||||
from impacket.dcerpc.v5 import rrp
|
||||
from impacket.examples.secretsdump import RemoteOperations
|
||||
|
||||
|
||||
class CMEModule:
|
||||
|
||||
name = 'install_elevated'
|
||||
name = "install_elevated"
|
||||
description = "Checks for AlwaysInstallElevated"
|
||||
supported_protocols = ['smb']
|
||||
supported_protocols = ["smb"]
|
||||
opsec_safe = True
|
||||
multiple_hosts = True
|
||||
|
||||
def options(self, context, module_options):
|
||||
'''
|
||||
'''
|
||||
"""
|
||||
"""
|
||||
|
||||
def on_admin_login(self, context, connection):
|
||||
try:
|
||||
remoteOps = RemoteOperations(connection.conn, False)
|
||||
remoteOps.enableRegistry()
|
||||
remote_ops = RemoteOperations(connection.conn, False)
|
||||
remote_ops.enableRegistry()
|
||||
|
||||
try:
|
||||
ans_machine = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
|
||||
regHandle = ans_machine['phKey']
|
||||
ans_machine = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Policies\\Microsoft\\Windows\\Installer')
|
||||
keyHandle = ans_machine['phkResult']
|
||||
dataType, aie_machine_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'AlwaysInstallElevated')
|
||||
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
|
||||
ans_machine = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
|
||||
reg_handle = ans_machine['phKey']
|
||||
ans_machine = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, 'SOFTWARE\\Policies\\Microsoft\\Windows\\Installer')
|
||||
key_handle = ans_machine['phkResult']
|
||||
data_type, aie_machine_value = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, 'AlwaysInstallElevated')
|
||||
rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
|
||||
|
||||
if aie_machine_value == 0:
|
||||
context.log.highlight('AlwaysInstallElevated Status: 0 (Disabled)')
|
||||
return
|
||||
|
||||
except rrp.DCERPCSessionError:
|
||||
context.log.highlight('AlwaysInstallElevated Status: 0 (Disabled)')
|
||||
return
|
||||
|
||||
|
||||
try:
|
||||
ans_user = rrp.hOpenCurrentUser(remoteOps._RemoteOperations__rrp)
|
||||
regHandle = ans_user['phKey']
|
||||
ans_user = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Policies\\Microsoft\\Windows\\Installer')
|
||||
keyHandle = ans_user['phkResult']
|
||||
dataType, aie_user_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'AlwaysInstallElevated')
|
||||
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
|
||||
|
||||
ans_user = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)
|
||||
reg_handle = ans_user['phKey']
|
||||
ans_user = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, 'SOFTWARE\\Policies\\Microsoft\\Windows\\Installer')
|
||||
key_handle = ans_user['phkResult']
|
||||
data_type, aie_user_value = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, 'AlwaysInstallElevated')
|
||||
rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
|
||||
except rrp.DCERPCSessionError:
|
||||
context.log.highlight('AlwaysInstallElevated Status: 1 (Enabled: Computer Only)')
|
||||
return
|
||||
|
||||
if aie_user_value == 0:
|
||||
context.log.highlight('AlwaysInstallElevated Status: 1 (Enabled: Computer Only)')
|
||||
else:
|
||||
context.log.highlight('AlwaysInstallElevated Status: 1 (Enabled)')
|
||||
finally:
|
||||
remoteOps.finish()
|
||||
try:
|
||||
remote_ops.finish()
|
||||
except DCERPCSessionError as e:
|
||||
logging.debug(f"Received error while attempting to clean up logins: {e}")
|
||||
|
|
|
|||
Loading…
Reference in New Issue