diff --git a/cme/modules/install_elevated.py b/cme/modules/install_elevated.py
index 141651be..4cc98e32 100644
--- a/cme/modules/install_elevated.py
+++ b/cme/modules/install_elevated.py
@@ -1,59 +1,59 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- +import logging -from impacket.dcerpc.v5.rpcrt import DCERPCException +from impacket.dcerpc.v5.scmr import DCERPCSessionError from impacket.dcerpc.v5 import rrp from impacket.examples.secretsdump import RemoteOperations + class CMEModule: - name = 'install_elevated' + name = "install_elevated" description = "Checks for AlwaysInstallElevated" - supported_protocols = ['smb'] + supported_protocols = ["smb"] opsec_safe = True multiple_hosts = True def options(self, context, module_options): - ''' - ''' + """ + """ def on_admin_login(self, context, connection): try: - remoteOps = RemoteOperations(connection.conn, False) - remoteOps.enableRegistry() + remote_ops = RemoteOperations(connection.conn, False) + remote_ops.enableRegistry() try: - ans_machine = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp) - regHandle = ans_machine['phKey'] - ans_machine = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') - keyHandle = ans_machine['phkResult'] - dataType, aie_machine_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'AlwaysInstallElevated') - rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle) + ans_machine = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp) + reg_handle = ans_machine['phKey'] + ans_machine = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, 'SOFTWARE\\Policies\\Microsoft\\Windows\\Installer') + key_handle = ans_machine['phkResult'] + data_type, aie_machine_value = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, 'AlwaysInstallElevated') + rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle) if aie_machine_value == 0: context.log.highlight('AlwaysInstallElevated Status: 0 (Disabled)') return - except rrp.DCERPCSessionError: context.log.highlight('AlwaysInstallElevated Status: 0 (Disabled)') return - - try: - ans_user = 
rrp.hOpenCurrentUser(remoteOps._RemoteOperations__rrp)
- regHandle = ans_user['phKey']
- ans_user = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Policies\\Microsoft\\Windows\\Installer')
- keyHandle = ans_user['phkResult']
- dataType, aie_user_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'AlwaysInstallElevated')
- rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
-
+ ans_user = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)
+ reg_handle = ans_user['phKey']
+ ans_user = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, 'SOFTWARE\\Policies\\Microsoft\\Windows\\Installer')
+ key_handle = ans_user['phkResult']
+ data_type, aie_user_value = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, 'AlwaysInstallElevated')
+ rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
 except rrp.DCERPCSessionError:
 context.log.highlight('AlwaysInstallElevated Status: 1 (Enabled: Computer Only)')
 return
-
 if aie_user_value == 0:
 context.log.highlight('AlwaysInstallElevated Status: 1 (Enabled: Computer Only)')
 else:
 context.log.highlight('AlwaysInstallElevated Status: 1 (Enabled)')
 finally:
- remoteOps.finish()
+ try:
+ remote_ops.finish()
+ except DCERPCSessionError as e:
+ logging.debug(f"Received error while attempting to clean up logins: {e}")
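Review bot: The new `finally` in `on_admin_login` reports a failed `remote_ops.finish()` only at debug level through the root `logging` module rather than `context.log`, so an operator who has not enabled framework-level debug output never learns that cleanup failed. That matters here because `remote_ops.enableRegistry()`, called a few lines earlier, can start the RemoteRegistry service on the target and `finish()` is what reverts that, so a swallowed failure leaves the host modified although the module declares `opsec_safe = True`. The `except DCERPCSessionError` clause also names only the `scmr` class imported at the top; `finish()` touches the `rrp` binding too, and if an `rrp.DCERPCSessionError` is raised there it would escape, since the two classes appear to share only the `rpcrt.DCERPCException` base that this commit stopped importing. I would re-add `from impacket.dcerpc.v5.rpcrt import DCERPCException`, widen the clause to `except (DCERPCException, DCERPCSessionError) as e:`, and log via `context.log.debug(f"Received error while attempting to clean up logins: {e}")` so the message follows the module's own logger. Separately, and not introduced by this change, the `except rrp.DCERPCSessionError` around the HKLM query prints `Status: 0 (Disabled)` for any RPC failure, including access denied, so that output conflates "policy not set" with "could not read the key".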