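/// <summary>
/// Assesses registry-key ACLs that are expressed as SDDL strings and keeps only the
/// entries whose interest level reaches <c>GlobalVar.IntLevelToShow</c>.
/// </summary>
/// <param name="regKeys">
/// Object whose property names are registry key paths and whose values are two-element
/// arrays <c>[inheritance, sddl]</c>. Inheritance values:
/// 2 = replace existing permissions on all subkeys with inheritable permissions,
/// 1 = do not allow permissions on this key to be replaced,
/// 0 = propagate inheritable permissions to all subkeys.
/// </param>
/// <returns>
/// A <see cref="JObject"/> keyed by the 1-based position of each retained entry, each holding
/// <c>RegKey</c>, <c>Owner</c>/<c>Group</c> (when present in the SDDL), <c>DACL</c> (when any
/// ACE was retained) and <c>Inheritance</c>; <c>null</c> when nothing was retained or the
/// input is not a JSON object.
/// </returns>
public static JObject AssessRegKeys(JToken regKeys)
{
    JObject regKeysJObject = regKeys as JObject;
    if (regKeysJObject == null)
    {
        return null;
    }

    // Broad, low-privilege principals (SDDL aliases such as Domain Users, Everyone,
    // Interactive, Built-in Users, Anonymous, Authenticated Users, guests). An ACE granted
    // to one of these on a pushed key is what is worth reporting; the ACE's rights are not
    // considered for registry keys (the original rights check was commented out).
    string[] interestingSidEndings = new string[] { "DU", "WD", "IU", "BU", "AN", "AU", "BG", "DC", "DG", "LG" };

    JObject assessedRegKeys = new JObject();
    int inc = 0;

    foreach (KeyValuePair<string, JToken> regKey in regKeysJObject)
    {
        inc++;
        int interestLevel = 1;
        string keyPath = regKey.Key.Trim('"');

        JArray keyValues = regKey.Value as JArray;
        if (keyValues == null || keyValues.Count < 2)
        {
            // Malformed entry (not [inheritance, sddl]); nothing to assess.
            continue;
        }
        string inheritance = keyValues[0].ToString().Trim('"');
        string sddl = keyValues[1].ToString().Trim('"');
        string inheritanceString = DescribeInheritance(inheritance);

        JObject assessedSddl = new JObject();

        // Anything this short cannot be a usable SDDL string; skip the parse entirely.
        if (sddl.Length > 4)
        {
            // NOTE(review): the registry ACL is parsed with the WindowsService object type,
            // so rights names follow the service mapping — confirm whether ParseSddl offers a
            // registry-key object type and switch to it if so.
            JObject parsedSddl = ParseSddl.ParseSddlString(sddl, SecurableObjectType.WindowsService);

            // An explicit owner or group on a pushed key is unusual enough to report.
            if (parsedSddl["Owner"] != null)
            {
                assessedSddl.Add("Owner", parsedSddl["Owner"].ToString());
                interestLevel = 4;
            }
            if (parsedSddl["Group"] != null)
            {
                assessedSddl.Add("Group", parsedSddl["Group"].ToString());
                interestLevel = 4;
            }

            if (parsedSddl["DACL"] != null)
            {
                // Retained ACEs are collected under a nested "DACL" property rather than
                // being mixed into the top-level entry next to Owner/Group.
                JObject assessedDacl = new JObject();
                foreach (JProperty ace in parsedSddl["DACL"].Children())
                {
                    string trusteeSid = ace.Value["SID"]?.ToString() ?? "";
                    int aceInterestLevel = EndsWithAny(trusteeSid, interestingSidEndings) ? 10 : 0;

                    if (aceInterestLevel >= GlobalVar.IntLevelToShow)
                    {
                        assessedDacl.Add(ace);
                    }
                    // The entry's own level must reflect its most interesting ACE, otherwise a
                    // retained ACE is dropped again by the gate below when no Owner/Group is set.
                    if (aceInterestLevel > interestLevel)
                    {
                        interestLevel = aceInterestLevel;
                    }
                }
                if (assessedDacl.HasValues)
                {
                    assessedSddl.Add("DACL", assessedDacl);
                }
            }
        }

        if (interestLevel >= GlobalVar.IntLevelToShow && assessedSddl.HasValues)
        {
            assessedSddl.AddFirst(new JProperty("RegKey", keyPath));
            assessedSddl.Add("Inheritance", inheritanceString);
            assessedRegKeys.Add(inc.ToString(), assessedSddl);
        }
    }

    // null signals "nothing retained", matching the other Assess* methods.
    return assessedRegKeys.Count > 0 ? assessedRegKeys : null;

    // Turns the inheritance flag into a readable sentence; unknown values yield "".
    string DescribeInheritance(string flag)
    {
        switch (flag)
        {
            case "0":
                return "Propagate inheritable permissions to all subkeys.";
            case "1":
                return "Do not allow permissions on this key to be replaced.";
            case "2":
                return "Replace existing permissions on all subkeys with inheritable permissions.";
            default:
                return "";
        }
    }

    // Suffix match against a list of SID endings / SDDL aliases. NOTE(review): the match is
    // deliberately loose (a suffix such as "5-18" also matches any SID that merely ends in
    // those characters); kept as in the original, but an exact-SID comparison would be tighter.
    bool EndsWithAny(string sid, string[] endings)
    {
        foreach (string ending in endings)
        {
            if (sid.EndsWith(ending, System.StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }
}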
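/// <summary>
/// Assesses service general settings (startup type plus the service's security descriptor in
/// SDDL form) and keeps only the entries whose interest level reaches
/// <c>GlobalVar.IntLevelToShow</c>.
/// </summary>
/// <param name="svcGenSettings">
/// Object whose property names are service names and whose values are two-element arrays
/// <c>[startupType, sddl]</c>; startup type 2 = Automatic, 3 = Manual, 4 = Disabled.
/// </param>
/// <returns>
/// A <see cref="JObject"/> keyed by the 1-based position of each retained entry, each holding
/// <c>Service</c>, <c>Owner</c>/<c>Group</c> (when present), <c>DACL</c> (when any ACE was
/// retained) and <c>Startup Type</c>; <c>null</c> when nothing was retained or the input is
/// not a JSON object.
/// </returns>
public static JObject AssessServiceGenSetting(JToken svcGenSettings)
{
    JObject svcGenSettingsJObject = svcGenSettings as JObject;
    if (svcGenSettingsJObject == null)
    {
        return null;
    }

    // Trustees that are expected to hold rights on a service (system, admin and owner SIDs
    // and their SDDL aliases); ACEs for them are treated as default noise.
    string[] boringSidEndings = new string[]
    {
        "-3-0", "-5-9", "5-18", "-512", "-519", "SY", "BA", "DA", "CO", "ED", "PA", "CG", "DD", "EA", "LA",
    };
    // Broad, low-privilege principals (Domain Users, Everyone, Interactive, Built-in Users,
    // Anonymous, Authenticated Users, guests); an ACE granting these write access is the finding.
    string[] interestingSidEndings = new string[] { "DU", "WD", "IU", "BU", "AN", "AU", "BG", "DC", "DG", "LG" };
    // Rights that let the trustee change the service or take over its ACL.
    string[] interestingRights = new string[] { "WRITE_PROPERTY", "WRITE_DAC", "WRITE_OWNER" };

    JObject assessedSvcGenSettings = new JObject();
    int inc = 0;

    foreach (KeyValuePair<string, JToken> svcGenSetting in svcGenSettingsJObject)
    {
        inc++;
        int interestLevel = 3;
        string serviceName = svcGenSetting.Key.Trim('"', '\\');

        JArray svcSettings = svcGenSetting.Value as JArray;
        if (svcSettings == null || svcSettings.Count < 2)
        {
            // Malformed entry (not [startupType, sddl]); nothing to assess.
            continue;
        }
        string startupType = svcSettings[0].ToString().Trim('"', '\\');
        string sddl = svcSettings[1].ToString().Trim('"', '\\');
        string startupString = DescribeStartupType(startupType);

        JObject assessedSddl = new JObject();

        // Anything this short cannot be a usable SDDL string; skip the parse entirely.
        if (sddl.Length > 4)
        {
            JObject parsedSddl = ParseSddl.ParseSddlString(sddl, SecurableObjectType.WindowsService);

            // An explicit owner or group raises the level (4), in line with the other Assess*
            // methods; the previous value of 2 lowered it below the default of 3.
            if (parsedSddl["Owner"] != null)
            {
                assessedSddl.Add("Owner", parsedSddl["Owner"].ToString());
                interestLevel = 4;
            }
            if (parsedSddl["Group"] != null)
            {
                assessedSddl.Add("Group", parsedSddl["Group"].ToString());
                interestLevel = 4;
            }

            if (parsedSddl["DACL"] != null)
            {
                // Retained ACEs are collected under a nested "DACL" property rather than
                // being mixed into the top-level entry next to Owner/Group.
                JObject assessedDacl = new JObject();
                foreach (JProperty ace in parsedSddl["DACL"].Children())
                {
                    string trusteeSid = ace.Value["SID"]?.ToString() ?? "";
                    bool interestingRightPresent = HasAnyRight(ace.Value["Rights"], interestingRights);
                    bool interestingUserPresent = EndsWithAny(trusteeSid, interestingSidEndings);
                    bool boringUserPresent = EndsWithAny(trusteeSid, boringSidEndings);

                    int aceInterestLevel = 0;
                    if (interestingRightPresent)
                    {
                        if (interestingUserPresent)
                        {
                            // Broad principal with write rights: the real finding.
                            aceInterestLevel = 10;
                        }
                        else if (!boringUserPresent)
                        {
                            // Non-default trustee with write rights: still worth a look.
                            aceInterestLevel = 7;
                        }
                        // Write rights for a default admin/system trustee stay at 0.
                    }
                    else if (interestingUserPresent)
                    {
                        // Broad principal without write rights: a nudge only.
                        aceInterestLevel = 1;
                    }

                    if (aceInterestLevel >= GlobalVar.IntLevelToShow)
                    {
                        assessedDacl.Add(ace);
                    }
                    // The entry's own level must reflect its most interesting ACE, otherwise a
                    // retained ACE is dropped again by the gate below.
                    if (aceInterestLevel > interestLevel)
                    {
                        interestLevel = aceInterestLevel;
                    }
                }
                if (assessedDacl.HasValues)
                {
                    assessedSddl.Add("DACL", assessedDacl);
                }
            }
        }

        if (interestLevel >= GlobalVar.IntLevelToShow && assessedSddl.HasValues)
        {
            assessedSddl.AddFirst(new JProperty("Service", serviceName));
            assessedSddl.Add("Startup Type", startupString);
            assessedSvcGenSettings.Add(inc.ToString(), assessedSddl);
        }
    }

    // null signals "nothing retained", matching the other Assess* methods.
    return assessedSvcGenSettings.Count > 0 ? assessedSvcGenSettings : null;

    // Maps the numeric startup type to its display name; unknown values yield "".
    string DescribeStartupType(string type)
    {
        switch (type)
        {
            case "2":
                return "Automatic";
            case "3":
                return "Manual";
            case "4":
                return "Disabled";
            default:
                return "";
        }
    }

    // True when any right in the ACE's Rights collection is one of the wanted names.
    // A missing Rights token is treated as no rights rather than a crash.
    bool HasAnyRight(JToken rights, string[] wanted)
    {
        if (rights == null)
        {
            return false;
        }
        foreach (JToken right in rights)
        {
            if (System.Array.IndexOf(wanted, right.ToString()) >= 0)
            {
                return true;
            }
        }
        return false;
    }

    // Suffix match against a list of SID endings / SDDL aliases. NOTE(review): the match is
    // deliberately loose (a suffix such as "5-18" also matches any SID that merely ends in
    // those characters); kept as in the original, but an exact-SID comparison would be tighter.
    bool EndsWithAny(string sid, string[] endings)
    {
        foreach (string ending in endings)
        {
            if (sid.EndsWith(ending, System.StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }
}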
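/// <summary>
/// Assesses service general settings (startup type plus the service's security descriptor in
/// SDDL form). When <c>GlobalVar.OnlineChecks</c> is set the SDDL is parsed and only ACEs at or
/// above <c>GlobalVar.IntLevelToShow</c> are retained; otherwise the raw SDDL is reported for
/// every service whose base level reaches that threshold.
/// </summary>
/// <param name="svcGenSettings">
/// Object whose property names are service names and whose values are two-element arrays
/// <c>[startupType, sddl]</c>; startup type 2 = Automatic, 3 = Manual, 4 = Disabled.
/// </param>
/// <returns>
/// Online: a <see cref="JObject"/> keyed by the 1-based position of each retained entry, each
/// holding <c>Service</c>, <c>Owner</c>/<c>Group</c> (when present), <c>DACL</c> (when any ACE
/// was retained) and <c>Startup Type</c>. Offline: an object keyed by service name holding the
/// raw <c>SDDL</c> and <c>Startup Type</c>. <c>null</c> when nothing was retained or the input
/// is not a JSON object.
/// </returns>
public static JObject AssessServiceGenSetting(JToken svcGenSettings)
{
    JObject svcGenSettingsJObject = svcGenSettings as JObject;
    if (svcGenSettingsJObject == null)
    {
        return null;
    }

    // Broad, low-privilege principals (Domain Users, Everyone, Interactive, Built-in Users,
    // Anonymous, Authenticated Users, guests). An ACE granted to one of these is the finding;
    // the ACE's rights are not considered in this version (the rights check is commented out
    // in the original) and ACEs for any other trustee score 0.
    string[] interestingSidEndings = new string[] { "DU", "WD", "IU", "BU", "AN", "AU", "BG", "DC", "DG", "LG" };

    JObject assessedSvcGenSettings = new JObject();
    int inc = 0;

    foreach (KeyValuePair<string, JToken> svcGenSetting in svcGenSettingsJObject)
    {
        inc++;
        // Only consulted on the offline path; the online path filters per ACE instead.
        int interestLevel = 3;
        string serviceName = svcGenSetting.Key.Trim('"', '\\');

        JArray svcSettings = svcGenSetting.Value as JArray;
        if (svcSettings == null || svcSettings.Count < 2)
        {
            // Malformed entry (not [startupType, sddl]); nothing to assess.
            continue;
        }
        string startupType = svcSettings[0].ToString().Trim('"', '\\');
        string sddl = svcSettings[1].ToString().Trim('"', '\\');
        string startupString = DescribeStartupType(startupType);

        if (!GlobalVar.OnlineChecks)
        {
            // Offline: no parser available, so hand the raw SDDL on for manual review.
            if (interestLevel >= GlobalVar.IntLevelToShow)
            {
                assessedSvcGenSettings.Add(serviceName, new JObject(
                    new JProperty("SDDL", sddl),
                    new JProperty("Startup Type", startupString)
                ));
            }
            continue;
        }

        // Anything this short cannot be a usable SDDL string; skip the parse entirely.
        if (sddl.Length <= 4)
        {
            continue;
        }

        JObject parsedSddl = ParseSddl.ParseSddlString(sddl, SecurableObjectType.WindowsService);
        JObject assessedSddl = new JObject();

        if (parsedSddl["Owner"] != null)
        {
            assessedSddl.Add("Owner", parsedSddl["Owner"].ToString());
            interestLevel = 4;
        }
        if (parsedSddl["Group"] != null)
        {
            assessedSddl.Add("Group", parsedSddl["Group"].ToString());
            interestLevel = 4;
        }

        if (parsedSddl["DACL"] != null)
        {
            // Retained ACEs are collected under a nested "DACL" property rather than being
            // mixed into the top-level entry next to Owner/Group.
            JObject assessedDacl = new JObject();
            foreach (JProperty ace in parsedSddl["DACL"].Children())
            {
                string trusteeSid = ace.Value["SID"]?.ToString() ?? "";
                int aceInterestLevel = EndsWithAny(trusteeSid, interestingSidEndings) ? 10 : 0;
                if (aceInterestLevel >= GlobalVar.IntLevelToShow)
                {
                    assessedDacl.Add(ace);
                }
            }
            if (assessedDacl.HasValues)
            {
                assessedSddl.Add("DACL", assessedDacl);
            }
        }

        if (assessedSddl.HasValues)
        {
            assessedSddl.AddFirst(new JProperty("Service", serviceName));
            assessedSddl.Add("Startup Type", startupString);
            assessedSvcGenSettings.Add(inc.ToString(), assessedSddl);
        }
    }

    // null signals "nothing retained", matching the other Assess* methods.
    return assessedSvcGenSettings.Count > 0 ? assessedSvcGenSettings : null;

    // Maps the numeric startup type to its display name; unknown values yield "".
    string DescribeStartupType(string type)
    {
        switch (type)
        {
            case "2":
                return "Automatic";
            case "3":
                return "Manual";
            case "4":
                return "Disabled";
            default:
                return "";
        }
    }

    // Suffix match against a list of SDDL SID aliases. NOTE(review): the match is loose (any SID
    // string ending in those characters matches); kept as in the original, but an exact-SID
    // comparison would be tighter.
    bool EndsWithAny(string sid, string[] endings)
    {
        foreach (string ending in endings)
        {
            if (sid.EndsWith(ending, System.StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }
}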