public static string[] GetRegSubkeys(string hive, string path)
{
// returns an array of the subkeys names under the specified path in the specified hive (HKLM/HKCU/HKU)
try
{
Microsoft.Win32.RegistryKey myKey = null;
if (hive == "HKLM")
{
myKey = Registry.LocalMachine.OpenSubKey(path);
}
else if (hive == "HKU")
{
myKey = Registry.Users.OpenSubKey(path);
}
else
{
myKey = Registry.CurrentUser.OpenSubKey(path);
}
String[] subkeyNames = myKey.GetSubKeyNames();
return(myKey.GetSubKeyNames());
}
catch (Exception)
{
PrintUtils.Debug(String.Format(@"Registry {0}\{1} was not found", hive, path));
return(new string[0]);
}
}
public static Dictionary <string, string> GetPasswordComplexityPolicy()
{
/*
* public uint usrmod0_min_passwd_len;
* public uint usrmod0_max_passwd_age;
* public uint usrmod0_min_passwd_age;
* public uint usrmod0_force_logoff;
* public uint usrmod0_password_hist_len;
*/
Dictionary <string, string> results = new Dictionary <string, string>();
try
{
USER_MODALS_INFO_0 objUserModalsInfo0 = new USER_MODALS_INFO_0();
IntPtr bufPtr;
uint lngReturn = NetUserModalsGet(@"\\" + Environment.MachineName, 0, out bufPtr);
if (lngReturn == 0)
{
objUserModalsInfo0 = (USER_MODALS_INFO_0)Marshal.PtrToStructure(bufPtr, typeof(USER_MODALS_INFO_0));
}
results.Add("Minimum Password Length", objUserModalsInfo0.usrmod0_min_passwd_len.ToString());
results.Add("Max Password Age", objUserModalsInfo0.usrmod0_max_passwd_age.ToString());
results.Add("Min Password Age", objUserModalsInfo0.usrmod0_min_passwd_age.ToString());
results.Add("Force Logoff", objUserModalsInfo0.usrmod0_force_logoff.ToString());
results.Add("Password History Length", objUserModalsInfo0.usrmod0_password_hist_len.ToString());
//NetApiBufferFree(bufPtr);
bufPtr = IntPtr.Zero;
}
catch (Exception ex)
{
PrintUtils.Debug(ex.StackTrace);
}
return(results);
}
public static Dictionary <string, string> GetLockoutPolicy()
{
Dictionary <string, string> results = new Dictionary <string, string>();
try
{
USER_MODALS_INFO_3 objUserModalsInfo3 = new USER_MODALS_INFO_3();
IntPtr bufPtr;
uint lngReturn = NetUserModalsGet(@"\\" + Environment.MachineName, 3, out bufPtr);
if (lngReturn == 0)
{
objUserModalsInfo3 = (USER_MODALS_INFO_3)Marshal.PtrToStructure(bufPtr, typeof(USER_MODALS_INFO_3));
}
results.Add("Lockout duration", String.Format("{0}", objUserModalsInfo3.usrmod3_lockout_duration));
results.Add("Lockout Obversation Window", String.Format("{0}", objUserModalsInfo3.usrmod3_lockout_observation_window));
results.Add("Lockout Threshold", String.Format("{0}", objUserModalsInfo3.usrmod3_lockout_threshold));
//NetApiBufferFree(bufPtr);
bufPtr = IntPtr.Zero;
}
catch (Exception ex)
{
PrintUtils.Debug(ex.StackTrace);
}
return(results);
}
public static bool IsDomainJoined()
{
// returns Compuer Domain if the system is inside an AD (an nothing if it is not)
try
{
Win32.NetJoinStatus status = Win32.NetJoinStatus.NetSetupUnknownStatus;
IntPtr pDomain = IntPtr.Zero;
int result = Win32.NetGetJoinInformation(null, out pDomain, out status);
if (pDomain != IntPtr.Zero)
{
Win32.NetApiBufferFree(pDomain);
}
if (result == Win32.ErrorSuccess)
{
// If in domain, return domain name, if not, return empty
if (status == Win32.NetJoinStatus.NetSetupDomainName)
{
return(true);
}
return(false);
}
}
catch (Exception ex)
{
PrintUtils.Debug(ex.StackTrace);
IsDomainJoinedWmi();
}
return(false);
}
/// From winpeas
public static string PermInt2Str(int current_perm, bool only_write_or_equivalent = false, bool is_service = false)
{
Dictionary <string, int> interesting_perms = new Dictionary <string, int>()
{
// This isn't an exhaustive list of possible permissions. Just the interesting ones.
{ "AllAccess", 0xf01ff },
{ "GenericAll", 0x10000000 },
{ "FullControl", (int)FileSystemRights.FullControl },
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership },
{ "GenericWrite", 0x40000000 },
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
{ "Modify", (int)FileSystemRights.Modify },
{ "Write", (int)FileSystemRights.Write },
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions },
{ "Delete", (int)FileSystemRights.Delete },
{ "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles },
{ "AppendData/CreateDirectories", (int)FileSystemRights.AppendData },
{ "WriteAttributes", (int)FileSystemRights.WriteAttributes },
{ "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes },
};
if (only_write_or_equivalent)
{
interesting_perms = new Dictionary <string, int>()
{
{ "AllAccess", 0xf01ff },
{ "GenericAll", 0x10000000 },
{ "FullControl", (int)FileSystemRights.FullControl }, //0x1f01ff
{ "TakeOwnership", (int)FileSystemRights.TakeOwnership }, //0x80000
{ "GenericWrite", 0x40000000 },
{ "WriteData/CreateFiles", (int)FileSystemRights.WriteData }, //0x2
{ "Modify", (int)FileSystemRights.Modify }, //0x301bf
{ "Write", (int)FileSystemRights.Write }, //0x116
{ "ChangePermissions", (int)FileSystemRights.ChangePermissions }, //0x40000
};
}
if (is_service)
{
interesting_perms["Start"] = 0x00000010;
interesting_perms["Stop"] = 0x00000020;
}
try
{
foreach (KeyValuePair <string, int> entry in interesting_perms)
{
if ((entry.Value & current_perm) == entry.Value)
{
return(entry.Key);
}
}
}
catch (Exception ex)
{
PrintUtils.TestError("Error in PermInt2Str: " + ex);
}
return("");
}
public AttackCTI(string Url)
{
CTIRoot AllAttack;
string json;
if (String.IsNullOrEmpty(Program.Arguments.AttackPath))
{
using (var w = new WebClient())
{
try
{
// Need to find a way to switch to MITRE TAXII server instead of the json file
PrintUtils.Warning("Pulling latest ATT&CK matrix data from github.com/mitre/cti");
json = w.DownloadString(Url);
}
catch
{
throw new Exception("Unable to obtain latest Mitre Att&CK information. Please ensure that the device is connected to the internet. Consider using the -AttackPath flag to point to the file on disk");
}
}
}
else
{
try
{
PrintUtils.Warning($"Pulling latest ATT&CK matrix data from {Program.Arguments.AttackPath}");
json = File.ReadAllText(Program.Arguments.AttackPath);
}
catch (Exception ex)
{
throw new Exception($"Unable to read {Program.Arguments.AttackPath} due to: {ex.Message}");
}
}
try
{
var JSON = new JavaScriptSerializer();
JSON.MaxJsonLength = int.MaxValue;
AllAttack = JSON.Deserialize <CTIRoot>(json);
}
catch (Exception ex)
{
throw new Exception("ATT&CK Json deserialiazation failed");
}
Technique[] items = AllAttack.objects;
// Filtering all techniques
var AllTechniques = items.Where(o => o.type == "attack-pattern" && o.revoked == false);
// Getting all win techniques
WindowsTechniques = AllTechniques.Where(o => o.x_mitre_platforms.Contains("Windows"));
// Getting all windows mitigations
MitigationRelationships = items.Where(o => o.type == "relationship" && o.relationship_type == "mitigates");
Mitigations = items.Where(o => o.type == "course-of-action");
AllAttack = null;
items = null;
}
public static Dictionary <string, bool> GetBITSConfigInfo()
{
Dictionary <string, bool> info = new Dictionary <string, bool>();
var regKeys = GetBITSJobLifetime();
info["Job Inactivity Timeout < 90 days"] = false;
info["Max Download Time < 54000 seconds"] = false;
if (string.IsNullOrEmpty(regKeys["JobInactivityTimeout"]))
{
info["Job Inactivity Timeout < 90 days"] = false;
}
else
{
try
{
int timeout = int.Parse(regKeys["JobInactivityTimeout"]);
if (timeout < 90)
{
info["Job Inactivity Timeout < 90 days"] = true;
}
}
catch (Exception ex)
{
PrintUtils.Debug(ex.StackTrace);
}
}
if (regKeys["MaxDownloadTime"] == null)
{
info["Max Download Time < 54000 seconds"] = false;
}
else
{
try
{
int timeout = int.Parse(regKeys["MaxDownloadTime"]);
if (timeout < 54000)
{
info["Max Download Time < 54000 seconds"] = true;
}
}
catch (Exception ex)
{
PrintUtils.Debug(ex.StackTrace);
}
}
return(info);
}
public static string GetFirewallProfiles()
{
string result = "";
try
{
Type tNetFwPolicy2 = Type.GetTypeFromProgID("HNetCfg.FwPolicy2");
INetFwPolicy2 fwPolicy2 = (INetFwPolicy2)Activator.CreateInstance(tNetFwPolicy2);
var types = fwPolicy2.CurrentProfileTypes.ToString();
result = String.Format("{0}", (FirewallProfiles)Int32.Parse(types.ToString()));
}
catch (Exception ex)
{
PrintUtils.TestError(ex.Message);
}
return(result);
}
public static bool IsDomainJoinedWmi()
{
try
{
ManagementObject ComputerSystem;
using (ComputerSystem = new ManagementObject(String.Format("Win32_ComputerSystem.Name='{0}'", Environment.MachineName)))
{
ComputerSystem.Get();
object Result = ComputerSystem["PartOfDomain"];
return(Result != null && (bool)Result);
}
}
catch (Exception ex)
{
PrintUtils.Debug(ex.StackTrace);
}
//By default local
return(false);
}
public static bool CheckForRestrictions(string ExecPath, string UserName)
{
if (String.IsNullOrEmpty(ExecPath))
{
throw new ArgumentNullException();
}
if (String.IsNullOrEmpty(UserName))
{
throw new ArgumentNullException();
}
if (!File.Exists(ExecPath))
{
PrintUtils.Debug($"File '{ExecPath}' was not found");
return(true);
}
// Check 1: AppLocker
if (SystemUtils.IsAppLockerEnabled())
{
if (!SystemUtils.IsAppLockerRunning())
{
throw new Exception("AppLocker SVC is not running");
}
if (CheckApplockerPolicyforDenied(ExecPath, UserName))
{
return(true);
}
}
// Check 2: SRP
// TODO
// Check 3: WDAG
// TODO
return(false);
}
public static void Main(string[] args)
{
/////////////////////
/// Initial setup ///
/////////////////////
PrintUtils.DisableConsoleQuickEdit();
Console.OutputEncoding = System.Text.Encoding.UTF8;
// Arg Parsing
try
{
Arguments = new MitigateArgumentParser(args);
}
catch (Exception ex)
{
PrintUtils.Error(ex.Message);
MitigateArgumentParser.PrintUsage();
Environment.Exit(1);
}
PrintUtils.PrintBanner();
PrintUtils.PrintInit(version);
PrintUtils.PrintLegend();
IsDomainJoined = SystemUtils.IsDomainJoined();
// Check if it's running as admin
if (!UserUtils.IsItRunningAsAdmin())
{
PrintUtils.Warning("Mitigate is not running as an administrator." +
" This might restrict its ability to perform the necessary checks");
}
AttackCTI ATTCK = null;
Navigator navigator = null;
// Pulling ATT&CK json from GitHub
try
{
ATTCK = new AttackCTI(AttackUrl);
navigator = new Navigator();
}
catch (Exception ex)
{
PrintUtils.Error(ex.Message);
Environment.Exit(1);
}
// Getting some user info and deciding the user for least priv checks
PrintUtils.Warning("Collecting some machine information. This might take some time...");
if (!string.IsNullOrEmpty(Arguments.Username))
{
try
{
UserToCheck = UserUtils.GetUser(Arguments.Username);
SIDsToCheck = UserUtils.GetGroups(UserToCheck);
}
catch (Exception ex)
{
PrintUtils.Error(ex.Message);
Environment.Exit(1);
}
}
else
{
try
{
UserToCheck = UserUtils.GetLastLoggedInUser();
SIDsToCheck = UserUtils.GetGroups(UserToCheck);
}
catch (Exception ex)
{
PrintUtils.Error(ex.Message);
Environment.Exit(1);
}
}
PrintUtils.Warning($"Least privilege checks will be performed for user {UserToCheck.SamAccountName}");
/////////////////
/// Main Loop ///
/////////////////
// Keeping track on tested techniques to stop from testing twice
HashSet <string> TestedTechniques = new HashSet <string>();
// For all tactics
foreach (string tactic in ATTCK.GetAllTactics())
{
PrintUtils.PrintTactic(tactic);
// For all techniques
foreach (Technique technique in ATTCK.GetRootTechniquesByTactic(tactic))
{
// Check if the technique has been already tested
if (TestedTechniques.Contains(technique.GetID()))
{
// If it has:
continue;
}
TestedTechniques.Add(technique.GetID());
var subtechniques = ATTCK.GetSubTechniquesByTechnique(technique);
// Does it have subtechniques?
if (subtechniques.Count() > 0)
{
// Subtechniques found. Handle them
Tests.Execute(technique, subtechniques, navigator, ATTCK);
}
else
{
// No subtechniques. Just handle root technique
Tests.Execute(technique, navigator, ATTCK);
}
}
}
// Exporting the file for the navigator
navigator.ToJSON(Arguments.OutFile);
if (Arguments.ExportCoverage)
{
navigator.ExportCoverage("Coverage.json");
}
}
