private static void PrintFilePublisherRules(AppLockerPolicyRuleCollection rule) { if (rule?.FilePublisherRule == null) { return; } foreach (var filePublisherRule in rule.FilePublisherRule) { Beaprint.GoodPrint($" File Publisher Rule\n"); Beaprint.NoColorPrint($" Rule Type: {rule.Type}\n" + $" Enforcement Mode: {rule.EnforcementMode}\n" + $" Name: {filePublisherRule.Name}\n" + $" Description: {filePublisherRule.Description}\n" + $" Action: {filePublisherRule.Action}"); var color = GetColorBySid(filePublisherRule.UserOrGroupSid); Beaprint.ColorPrint($" User Or Group Sid: {filePublisherRule.UserOrGroupSid}\n", color); Beaprint.GoodPrint($" Conditions"); foreach (var condition in filePublisherRule.Conditions) { Beaprint.NoColorPrint( $" Binary Name: {condition.BinaryName}\n" + $" Binary Version Range: ({condition.BinaryVersionRange.LowSection} - {condition.BinaryVersionRange.HighSection})\n" + $" Product Name: {condition.ProductName}\n" + $" Publisher Name: {condition.PublisherName}\n"); } Beaprint.PrintLineSeparator(); } }
private static void PrintFileHashRules(AppLockerPolicyRuleCollection rule) { if (rule?.FileHashRule == null) { return; } foreach (var fileHashRule in rule.FileHashRule) { Beaprint.GoodPrint($" File Hash Rule\n"); Beaprint.NoColorPrint( $" Rule Type: {rule.Type}\n" + $" Enforcement Mode: {rule.EnforcementMode}\n" + $" Name: {fileHashRule.Name}\n" + $" Description: {fileHashRule.Description}\n" + $" Action: {fileHashRule.Action}"); var color = GetColorBySid(fileHashRule.UserOrGroupSid); Beaprint.ColorPrint( $" User Or Group Sid: {fileHashRule.UserOrGroupSid}\n", color); Beaprint.GoodPrint($" Conditions"); foreach (var condition in fileHashRule.Conditions) { Beaprint.NoColorPrint( $" Source File Name: {condition.FileHash.SourceFileName}\n" + $" Data: {condition.FileHash.Data}\n" + $" Source File Length: {condition.FileHash.SourceFileLength}\n" + $" Type: {condition.FileHash.Type}\n"); } Beaprint.PrintLineSeparator(); } }
private static void PrintFilePathRules(AppLockerPolicyRuleCollection rule) { if (rule?.FilePathRule == null) { return; } foreach (var filePathRule in rule.FilePathRule) { Beaprint.GoodPrint($" File Path Rule\n"); var normalizedName = NormalizePath(filePathRule.Name); Beaprint.NoColorPrint($" Rule Type: {rule.Type}\n" + $" Enforcement Mode: {rule.EnforcementMode}\n" + $" Name: {filePathRule.Name}\n" + $" Translated Name: {normalizedName}\n" + $" Description: {filePathRule.Description}\n" + $" Action: {filePathRule.Action}"); var color = GetColorBySid(filePathRule.UserOrGroupSid); Beaprint.ColorPrint($" User Or Group Sid: {filePathRule.UserOrGroupSid}\n", color); Beaprint.GoodPrint($" Conditions"); foreach (var condition in filePathRule.Conditions) { // print wildcards as red and continue if (condition.Path == "*" || condition.Path == "*.*") { Beaprint.ColorPrint( $" Path: {condition.Path}", Beaprint.ansi_color_bad); continue; } Beaprint.NoColorPrint( $" Path: {condition.Path}"); // TODO // cache permissions in a dictionary var normalizedPath = NormalizePath(condition.Path); // it's a file rule if (IsFilePath(normalizedPath)) { // TODO // load permissions from cache // check file CheckFileWriteAccess(normalizedPath); // check directories string directory = Path.GetDirectoryName(normalizedPath); CheckDirectoryAndParentsWriteAccess(directory); } // it's a directory rule else { // TODO // load permissions from cache // does the directory exists? if (Directory.Exists(normalizedPath)) { // can we write to the directory ? var folderPermissions = PermissionsHelper.GetPermissionsFolder(normalizedPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); // we can write if (folderPermissions.Count > 0) { Beaprint.BadPrint($" Directory \"{normalizedPath}\" Permissions: " + string.Join(",", folderPermissions)); } // we cannot write to the folder else { // first check well known AppLocker bypass locations if (_appLockerByPassDirectoriesByPath.ContainsKey(normalizedPath)) { // iterate over applocker bypass directories and check them foreach (var subfolders in _appLockerByPassDirectoriesByPath[normalizedPath]) { var subfolderPermissions = PermissionsHelper.GetPermissionsFolder(subfolders, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); // we can write if (subfolderPermissions.Count > 0) { Beaprint.BadPrint($" Directory \"{subfolders}\" Permissions: " + string.Join(",", subfolderPermissions)); break; } } } // the well-known bypass location does not contain the folder // check file / subfolder write permissions else { // start with the current directory bool isFileOrSubfolderWriteAccess = CheckFilesAndSubfolders(normalizedPath, rule.Type, 0); if (!isFileOrSubfolderWriteAccess) { Beaprint.ColorPrint($" No potential bypass found while recursively checking files/subfolders " + $"for write or equivalent permissions with depth: {FolderCheckMaxDepth}\n" + $" Check permissions manually.", Beaprint.YELLOW); } } } } else { // do we have write access recursively for the parent folder(s)? CheckDirectoryAndParentsWriteAccess(normalizedPath); } // TODO // save to cache for faster next search } Beaprint.GoodPrint(""); } Beaprint.PrintLineSeparator(); } }