//From Seatbelt
/// <summary>
/// Reads the LAPS policy values stored under
/// HKLM\Software\Policies\Microsoft Services\AdmPwd.
/// </summary>
/// <returns>
/// Display label -> raw registry value. When no AdmPwdEnabled value is present the
/// only entry is "LAPS Enabled" = "LAPS not installed". Any exception is printed via
/// Beaprint and whatever was collected up to that point is returned.
/// </returns>
public static Dictionary<string, string> GetLapsSettings()
{
    const string admPwdKey = "Software\\Policies\\Microsoft Services\\AdmPwd";
    // Display label -> registry value name, read in this order once LAPS is detected.
    string[,] labelledValues =
    {
        { "LAPS Admin Account Name", "AdminAccountName" },
        { "LAPS Password Complexity", "PasswordComplexity" },
        { "LAPS Password Length", "PasswordLength" },
        { "LAPS Expiration Protection Enabled", "PwdExpirationProtectionEnabled" },
    };
    Dictionary<string, string> settings = new Dictionary<string, string>();
    try
    {
        string admPwdEnabled = MyUtils.GetRegValue("HKLM", admPwdKey, "AdmPwdEnabled");
        if (admPwdEnabled == "")
        {
            // An empty string is treated as "no AdmPwdEnabled value", i.e. LAPS is not configured here.
            settings["LAPS Enabled"] = "LAPS not installed";
        }
        else
        {
            settings["LAPS Enabled"] = admPwdEnabled;
            for (int i = 0; i < labelledValues.GetLength(0); i++)
            {
                settings[labelledValues[i, 0]] = MyUtils.GetRegValue("HKLM", admPwdKey, labelledValues[i, 1]);
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return settings;
}
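//From Seatbelt
/// <summary>
/// Collects the installed PowerShell engine versions and the machine-wide (HKLM)
/// policy settings for transcription, module logging and script block logging.
/// </summary>
/// <returns>
/// Label -> value. Each "... Settings" entry holds one " name : value" line per
/// policy value (CRLF separated), or "" when no policy is configured. Any exception is
/// printed via Beaprint and the partially filled dictionary is returned.
/// </returns>
public static Dictionary<string, string> GetPowerShellSettings()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        results["PowerShell v2 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion");
        results["PowerShell v5 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion");

        // Reads every value under the native policy key, falling back to the Wow6432Node
        // view, and renders them one per line. The original transcription fallback path
        // was prefixed with "HKLM\", which is not a valid subkey; all three now share one path shape.
        Func<string, string> formatPolicy = delegate (string policyKey)
        {
            Dictionary<string, object> values = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\" + policyKey);
            if (values == null || values.Count == 0)
            {
                values = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\" + policyKey);
            }
            string lines = "";
            if (values != null)
            {
                foreach (KeyValuePair<string, object> kvp in values)
                {
                    lines += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
                }
            }
            return lines;
        };

        results["Transcription Settings"] = formatPolicy("Transcription");
        results["Module Logging Settings"] = formatPolicy("ModuleLogging");
        // Previously assigned with "=" inside the loop, so only the last script block value survived.
        results["Scriptblock Logging Settings"] = formatPolicy("ScriptBlockLogging");
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}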
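//////////////////////////////////////
//////// PATH DLL Hijacking /////////
//////////////////////////////////////
/// <summary>
/// Looks for write or equivalent permissions on any folder in the system PATH.
/// </summary>
/// <returns>
/// PATH folder -> comma-separated permissions the current user's SIDs hold on it
/// (as reported by MyUtils.GetPermissionsFolder). Empty PATH entries are skipped.
/// Any exception is printed via Beaprint and the partial dictionary is returned.
/// </returns>
public static Dictionary<string, string> GetPathDLLHijacking()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        // grabbed from the registry instead of System.Environment.GetEnvironmentVariable to prevent false positives
        string path = MyUtils.GetRegValue("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "Path");
        if (String.IsNullOrEmpty(path))
        {
            path = Environment.GetEnvironmentVariable("PATH");
        }
        if (String.IsNullOrEmpty(path))
        {
            // Neither source yielded a PATH; previously Split() would have thrown on null.
            return results;
        }
        foreach (string rawFolder in path.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            // Trailing separators and quoted entries are common in PATH; normalise before checking.
            string folder = rawFolder.Trim().Trim('"');
            if (folder.Length == 0)
            {
                continue;
            }
            results[folder] = String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.currentUserSIDs));
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}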
//From Seatbelt
/// <summary>
/// Reads the UAC policy values under
/// HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
/// </summary>
/// <returns>
/// "ConsentPromptBehaviorAdmin" is rendered as "value - description"; any value other
/// than "0".."4" (including an empty or missing one) gets the description
/// PromptForNonWindowsBinaries, as in the original switch's default branch.
/// EnableLUA, LocalAccountTokenFilterPolicy and FilterAdministratorToken are returned
/// as raw strings. Any exception is printed via Beaprint and the partial dictionary returned.
/// </returns>
public static Dictionary<string, string> GetUACSystemPolicies()
{
    const string policiesSystemKey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
    Dictionary<string, string> consentDescriptions = new Dictionary<string, string>
    {
        { "0", "No prompting" },
        { "1", "PromptOnSecureDesktop" },
        { "2", "PromptPermitDenyOnSecureDesktop" },
        { "3", "PromptForCredsNotOnSecureDesktop" },
        { "4", "PromptForPermitDenyNotOnSecureDesktop" },
        { "5", "PromptForNonWindowsBinaries" },
    };
    Dictionary<string, string> policies = new Dictionary<string, string>();
    try
    {
        string consentValue = MyUtils.GetRegValue("HKLM", policiesSystemKey, "ConsentPromptBehaviorAdmin");
        string description;
        // A null lookup key would throw, so null is routed to the default description explicitly.
        if (consentValue == null || !consentDescriptions.TryGetValue(consentValue, out description))
        {
            description = "PromptForNonWindowsBinaries";
        }
        policies["ConsentPromptBehaviorAdmin"] = String.Format("{0} - {1}", consentValue, description);

        foreach (string valueName in new[] { "EnableLUA", "LocalAccountTokenFilterPolicy", "FilterAdministratorToken" })
        {
            policies[valueName] = MyUtils.GetRegValue("HKLM", policiesSystemKey, valueName);
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return policies;
}
/// <summary>
/// Reads the Winlogon auto-logon values (default and alternate domain, user name and
/// password) from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
/// </summary>
/// <returns>
/// Registry value name -> raw value, in the fixed order below. Unlike the other
/// collectors this method has no try/catch, so registry exceptions propagate to the caller.
/// </returns>
public static Dictionary<string, string> GetAutoLogon()
{
    const string winlogonKey = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
    string[] valueNames =
    {
        "DefaultDomainName",
        "DefaultUserName",
        "DefaultPassword",
        "AltDefaultDomainName",
        "AltDefaultUserName",
        "AltDefaultPassword",
    };
    Dictionary<string, string> autoLogon = new Dictionary<string, string>();
    foreach (string valueName in valueNames)
    {
        autoLogon[valueName] = MyUtils.GetRegValue("HKLM", winlogonKey, valueName);
    }
    return autoLogon;
}
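//From Seatbelt
/// <summary>
/// Collects the installed PowerShell engine versions and the machine-wide (HKLM)
/// policy settings for transcription, module logging and script block logging.
/// This variant reads only the native policy view (no Wow6432Node fallback).
/// </summary>
/// <returns>
/// Label -> value. Each "... Settings" entry holds one " name : value" line per
/// policy value (CRLF separated), or "" when no policy is configured. Any exception is
/// written to the console and the partially filled dictionary is returned.
/// </returns>
public static Dictionary<string, string> GetPowerShellSettings()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        results["PowerShell v2 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion");
        results["PowerShell v5 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion");

        // Renders every value under the given HKLM PowerShell policy key, one per line.
        Func<string, string> formatPolicy = delegate (string policyKey)
        {
            Dictionary<string, object> values = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\" + policyKey);
            string lines = "";
            if (values != null)
            {
                foreach (KeyValuePair<string, object> kvp in values)
                {
                    lines += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
                }
            }
            return lines;
        };

        results["Transcription Settings"] = formatPolicy("Transcription");
        results["Module Logging Settings"] = formatPolicy("ModuleLogging");
        // Previously assigned with "=" inside the loop, so only the last script block value survived.
        results["Scriptblock Logging Settings"] = formatPolicy("ScriptBlockLogging");
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex);
    }
    return results;
}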
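//From Seatbelt
/// <summary>
/// Collects basic host facts: Windows version values from
/// HKLM\Software\Microsoft\Windows NT\CurrentVersion, hostname and DNS domain,
/// architecture, UI/keyboard languages, time zone, integrity level, VM detection,
/// domain membership and the installed hotfixes (WMI Win32_QuickFixEngineering).
/// </summary>
/// <returns>
/// Label -> value, in the order the values are added. "Domain Name" is only present
/// when the DNS domain is longer than one character. Any exception is printed via
/// Beaprint and the partially filled dictionary is returned.
/// </returns>
public static Dictionary<string, string> GetBasicOSInfo()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        const string currentVersionKey = "Software\\Microsoft\\Windows NT\\CurrentVersion";
        string productName = MyUtils.GetRegValue("HKLM", currentVersionKey, "ProductName");
        string editionId = MyUtils.GetRegValue("HKLM", currentVersionKey, "EditionID");
        string releaseId = MyUtils.GetRegValue("HKLM", currentVersionKey, "ReleaseId");
        string buildBranch = MyUtils.GetRegValue("HKLM", currentVersionKey, "BuildBranch");
        string currentMajorVersionNumber = MyUtils.GetRegValue("HKLM", currentVersionKey, "CurrentMajorVersionNumber");
        string currentVersion = MyUtils.GetRegValue("HKLM", currentVersionKey, "CurrentVersion");

        bool isHighIntegrity = MyUtils.IsHighIntegrity();
        string systemLang = CultureInfo.InstalledUICulture.Name;
        TimeZoneInfo timeZone = TimeZoneInfo.Local;
        // NOTE(review): guarded because CurrentInputLanguage may be null in some sessions; the original dereferenced it blindly.
        InputLanguage keyboardLanguage = InputLanguage.CurrentInputLanguage;
        string keyboardLang = keyboardLanguage != null ? keyboardLanguage.Culture.EnglishName : "";
        string arch = Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
        string processorCount = Environment.ProcessorCount.ToString();
        bool isVM = IsVirtualMachine();
        DateTime now = DateTime.Now;
        string hostName = Dns.GetHostName();
        string dnsDomain = IPGlobalProperties.GetIPGlobalProperties().DomainName;

        // Hotfix IDs via WMI; the searcher, the result collection and each item are disposable.
        List<string> hotfixes = new List<string>();
        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher("SELECT HotFixID FROM Win32_QuickFixEngineering"))
        using (ManagementObjectCollection collection = searcher.Get())
        {
            foreach (ManagementObject quickFix in collection)
            {
                using (quickFix)
                {
                    object hotfixId = quickFix["HotFixID"];
                    if (hotfixId != null)
                    {
                        hotfixes.Add(hotfixId.ToString());
                    }
                }
            }
        }

        results.Add("Hostname", hostName);
        if (dnsDomain != null && dnsDomain.Length > 1)
        {
            results.Add("Domain Name", dnsDomain);
        }
        results.Add("ProductName", productName);
        results.Add("EditionID", editionId);
        results.Add("ReleaseId", releaseId);
        results.Add("BuildBranch", buildBranch);
        results.Add("CurrentMajorVersionNumber", currentMajorVersionNumber);
        results.Add("CurrentVersion", currentVersion);
        results.Add("Architecture", arch);
        results.Add("ProcessorCount", processorCount);
        results.Add("SystemLang", systemLang);
        results.Add("KeyboardLang", keyboardLang);
        results.Add("TimeZone", timeZone.DisplayName);
        results.Add("IsVirtualMachine", isVM.ToString());
        results.Add("Current Time", now.ToString());
        results.Add("HighIntegrity", isHighIntegrity.ToString());
        results.Add("PartOfDomain", Program.partofdomain.ToString());
        // Joined without the trailing ", " that the original string concatenation left behind.
        results.Add("Hotfixes", String.Join(", ", hotfixes));
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}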
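//From Seatbelt
/// <summary>
/// Collects the PowerShell engine versions, the machine (HKLM) and user (HKCU) policy
/// settings for transcription, module logging and script block logging, and the
/// location and size of the PSReadLine console history file.
/// </summary>
/// <returns>
/// Label -> value. Each "... Settings LM" / "... Settings CU" entry holds one
/// " name : value" line per policy value (CRLF separated), or "" when nothing is
/// configured. "PS history file" and "PS history size" are "" when no history file is
/// found. Any exception is printed via Beaprint and the partial dictionary is returned.
/// </returns>
public static Dictionary<string, string> GetPowerShellSettings()
{
    Dictionary<string, string> results = new Dictionary<string, string>();
    try
    {
        results["PowerShell v2 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\1\\PowerShellEngine", "PowerShellVersion");
        results["PowerShell v5 Version"] = MyUtils.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\PowerShell\\3\\PowerShellEngine", "PowerShellVersion");

        // Every key is assigned outright. The original "+="-ed into keys that were never
        // initialised ("... Settings CU"/"... LM"), which threw KeyNotFoundException and
        // aborted the whole collection as soon as one such policy existed; the script
        // block loops also used "=" and so kept only the last value.
        results["Transcription Settings LM"] = FormatPowerShellPolicy("HKLM", "Transcription");
        results["Transcription Settings CU"] = FormatPowerShellPolicy("HKCU", "Transcription");
        results["Module Logging Settings LM"] = FormatPowerShellPolicy("HKLM", "ModuleLogging");
        results["Module Logging Settings CU"] = FormatPowerShellPolicy("HKCU", "ModuleLogging");
        results["Scriptblock Logging Settings LM"] = FormatPowerShellPolicy("HKLM", "ScriptBlockLogging");
        results["Scriptblock Logging Settings CU"] = FormatPowerShellPolicy("HKCU", "ScriptBlockLogging");

        results["PS history file"] = "";
        results["PS history size"] = "";
        // PSReadLine history: try %APPDATA% first, then the same path built from %USERPROFILE%.
        string historyPath = Environment.ExpandEnvironmentVariables(@"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt");
        if (!File.Exists(historyPath))
        {
            historyPath = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
        }
        if (File.Exists(historyPath))
        {
            results["PS history file"] = historyPath;
            results["PS history size"] = new FileInfo(historyPath).Length.ToString() + "B";
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format(" [X] Exception: {0}", ex.Message));
    }
    return results;
}

/// <summary>
/// Reads every value under SOFTWARE\Policies\Microsoft\Windows\PowerShell\{policyKey}
/// in the given hive, falling back to the Wow6432Node view when the native key is absent
/// or empty, and renders one " name : value" line per value.
/// </summary>
/// <param name="hive">Hive name as accepted by MyUtils.GetRegValues ("HKLM" or "HKCU").</param>
/// <param name="policyKey">Last path component: Transcription, ModuleLogging or ScriptBlockLogging.</param>
/// <returns>The formatted lines (CRLF separated), or "" when nothing is configured.</returns>
private static string FormatPowerShellPolicy(string hive, string policyKey)
{
    Dictionary<string, object> values = MyUtils.GetRegValues(hive, "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\" + policyKey);
    if (values == null || values.Count == 0)
    {
        // The original transcription fallbacks were prefixed with "HKLM\", which is not a valid subkey under either hive.
        values = MyUtils.GetRegValues(hive, "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\" + policyKey);
    }
    string formatted = "";
    if (values != null)
    {
        foreach (KeyValuePair<string, object> kvp in values)
        {
            formatted += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
        }
    }
    return formatted;
}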
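/// <summary>
/// Collects the permissions of installed application folders: both Program Files trees
/// plus every InstallLocation advertised under the native and WOW6432Node Uninstall keys.
/// Locations that are (sub)folders of an already-listed folder are skipped.
/// </summary>
/// <returns>
/// Install folder -> permissions as produced by GetInstalledAppsPermsPath and
/// MyUtils.GetRecursivePrivs. Exceptions from the registry/file-system lookups propagate,
/// as in the original.
/// </returns>
public static SortedDictionary<string, Dictionary<string, string>> GetInstalledAppsPerms()
{
    string systemRoot = Path.GetPathRoot(Environment.SystemDirectory);
    //Get from Program Files
    SortedDictionary<string, Dictionary<string, string>> results = GetInstalledAppsPermsPath(Path.Combine(systemRoot, "Program Files"));
    SortedDictionary<string, Dictionary<string, string>> resultsX86 = GetInstalledAppsPermsPath(Path.Combine(systemRoot, "Program Files (x86)"));
    // Merge in place: the original Concat().ToDictionary() result was discarded, so the
    // x86 tree was never included in what the caller received.
    foreach (KeyValuePair<string, Dictionary<string, string>> kvp in resultsX86)
    {
        results[kvp.Key] = kvp.Value;
    }
    //Get from Uninstall
    AddUninstallLocationPerms(results, @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall");
    AddUninstallLocationPerms(results, @"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall");
    return results;
}

/// <summary>
/// Adds the recursive permissions of every existing InstallLocation found under the
/// given HKLM Uninstall key to <paramref name="results"/>, skipping locations already
/// present or nested inside a folder already present.
/// </summary>
/// <param name="results">Dictionary being filled; mutated in place.</param>
/// <param name="uninstallKey">HKLM-relative Uninstall key path (native or WOW6432Node).</param>
private static void AddUninstallLocationPerms(SortedDictionary<string, Dictionary<string, string>> results, string uninstallKey)
{
    string[] subkeys = MyUtils.GetRegSubkeys("HKLM", uninstallKey);
    if (subkeys == null)
    {
        return;
    }
    foreach (string app in subkeys)
    {
        string installLocation = MyUtils.GetRegValue("HKLM", uninstallKey + "\\" + app, "InstallLocation");
        if (String.IsNullOrEmpty(installLocation))
        {
            continue;
        }
        // Values are frequently quoted and/or end with a separator; normalise before comparing.
        installLocation = installLocation.Replace("\"", "").TrimEnd('\\');
        if (installLocation.Length == 0 || results.ContainsKey(installLocation) || !Directory.Exists(installLocation))
        {
            continue;
        }
        if (IsUnderKnownFolder(results.Keys, installLocation)) //Check for subfolders of already found folders
        {
            continue;
        }
        results[installLocation] = MyUtils.GetRecursivePrivs(installLocation);
    }
}

/// <summary>
/// True when <paramref name="candidate"/> equals, or lies below, one of
/// <paramref name="knownFolders"/>. Uses a path-component boundary and ordinal
/// case-insensitive comparison, unlike the original IndexOf substring test which
/// matched any occurrence anywhere in the string and was case-sensitive.
/// </summary>
private static bool IsUnderKnownFolder(IEnumerable<string> knownFolders, string candidate)
{
    foreach (string known in knownFolders)
    {
        string prefix = known.TrimEnd('\\');
        if (candidate.Equals(prefix, StringComparison.OrdinalIgnoreCase)
            || candidate.StartsWith(prefix + "\\", StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
    }
    return false;
}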