Skip to content

Commit

Permalink
Changed some logging output, more correlation from GPOs, multi-level …
Browse files Browse the repository at this point in the history
…search function for objects, collector grabs scheduled task information and other goodness
  • Loading branch information
lkarlslund committed Mar 28, 2022
1 parent 298c654 commit 4be4563
Show file tree
Hide file tree
Showing 12 changed files with 1,149 additions and 262 deletions.
66 changes: 36 additions & 30 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,41 +3,16 @@ module github.com/lkarlslund/adalanche
go 1.17

require (
github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e // indirect
github.com/Microsoft/go-winio v0.5.2
github.com/OneOfOne/xxhash v1.2.8
github.com/Showmax/go-fqdn v1.0.0
github.com/absfs/gofs v0.0.0-20210326223041-415ec8094056
github.com/absfs/osfs v0.0.0-20210816191758-403afc5396f8
github.com/antchfx/xmlquery v1.3.9
github.com/gin-gonic/gin v1.7.7
github.com/go-asn1-ber/asn1-ber v1.5.3
github.com/go-ini/ini v1.66.4
github.com/gobwas/glob v0.2.3
github.com/gofrs/uuid v4.2.0+incompatible
github.com/gorilla/mux v1.8.0
github.com/gravwell/gravwell/v3 v3.8.2 // DONT UPGRADE FROM 3.8.2 - breaks 32-bit builds
github.com/icza/gox v0.0.0-20210726201659-cd40a3f8d324
github.com/json-iterator/go v1.1.12
github.com/lkarlslund/go-win64api v0.0.0-20211005130710-d4f2d07ed091
github.com/lkarlslund/ldap/v3 v3.2.4-0.20210621153959-85555023df29
github.com/lkarlslund/stringdedup v0.2.1
github.com/lkarlslund/time-timespan v0.0.0-20210712111050-6e7c565fa001
github.com/mailru/easyjson v0.7.7
github.com/mattn/go-colorable v0.1.12
github.com/pierrec/lz4/v4 v4.1.14
github.com/pkg/errors v0.9.1
github.com/rs/zerolog v1.26.1
github.com/schollz/progressbar/v3 v3.8.6
github.com/shirou/gopsutil/v3 v3.22.2
github.com/spf13/cobra v1.3.0
github.com/tinylib/msgp v1.1.6
golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
golang.org/x/text v0.3.7
github.com/Azure/go-ntlmssp v0.0.0-20211209120228-48547f28849e // indirect
github.com/StackExchange/wmi v1.2.1 // indirect
github.com/absfs/absfs v0.0.0-20200602175035-e49edc9fef15 // indirect
github.com/absfs/gofs v0.0.0-20210326223041-415ec8094056
github.com/absfs/osfs v0.0.0-20210816191758-403afc5396f8
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
github.com/antchfx/xmlquery v1.3.9
github.com/antchfx/xpath v1.2.0 // indirect
github.com/asergeyev/nradix v0.0.0-20170505151046-3872ab85bb56 // indirect
github.com/buger/jsonparser v1.1.1 // indirect
Expand All @@ -52,12 +27,17 @@ require (
github.com/elastic/go-ucfg v0.8.4 // indirect
github.com/elastic/go-windows v1.0.0 // indirect
github.com/gin-contrib/sse v0.1.0 // indirect
github.com/gin-gonic/gin v1.7.7
github.com/go-asn1-ber/asn1-ber v1.5.3
github.com/go-ini/ini v1.66.4
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/go-playground/locales v0.14.0 // indirect
github.com/go-playground/universal-translator v0.18.0 // indirect
github.com/go-playground/validator/v10 v10.10.1 // indirect
github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
github.com/gobwas/glob v0.2.3
github.com/gofrs/flock v0.8.1 // indirect
github.com/gofrs/uuid v4.2.0+incompatible
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/golang/snappy v0.0.4 // indirect
Expand All @@ -71,19 +51,29 @@ require (
github.com/google/renameio v0.1.0 // indirect; DONT CHANGE FROM v0.1.0
github.com/google/subcommands v1.2.0 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/gorilla/mux v1.8.0
github.com/gravwell/gcfg v1.2.9-0.20210818172109-3d05a45a2665 // indirect
github.com/gravwell/gravwell/v3 v3.8.2 // DONT UPGRADE FROM 3.8.2 - breaks 32-bit builds
github.com/gravwell/ipfix v1.4.3 // indirect
github.com/h2non/filetype v1.0.10 // indirect
github.com/iamacarpet/go-win64api v0.0.0-20210311141720-fe38760bed28 // indirect
github.com/icza/gox v0.0.0-20210726201659-cd40a3f8d324
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/inhies/go-bytesize v0.0.0-20210819104631-275770b98743 // indirect
github.com/joeshaw/multierror v0.0.0-20140124173710-69b34d4ec901 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12
github.com/jstemmer/go-junit-report v0.9.1 // indirect
github.com/k-sone/ipmigo v0.0.0-20190922011749-b22c7a70e949 // indirect
github.com/klauspost/compress v1.15.0 // indirect
github.com/leodido/go-urn v1.2.1 // indirect
github.com/lkarlslund/go-win64api v0.0.0-20211005130710-d4f2d07ed091
github.com/lkarlslund/ldap/v3 v3.2.4-0.20210621153959-85555023df29
github.com/lkarlslund/stringdedup v0.2.1
github.com/lkarlslund/time-timespan v0.0.0-20210712111050-6e7c565fa001
github.com/magefile/mage v1.12.1 // indirect
github.com/mailru/easyjson v0.7.7
github.com/mattn/go-colorable v0.1.12
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/mattn/go-runewidth v0.0.13 // indirect
github.com/miekg/dns v1.1.43 // indirect
Expand All @@ -96,13 +86,20 @@ require (
github.com/open-networks/go-msgraph v0.0.0-20200217121338-a7bf31e9c1f2 // indirect
github.com/open2b/scriggo v0.52.2 // indirect
github.com/philhofer/fwd v1.1.1 // indirect
github.com/pierrec/lz4/v4 v4.1.14
github.com/pkg/errors v0.9.1
github.com/prometheus/procfs v0.0.8 // indirect
github.com/rcrowley/go-metrics v0.0.0-20190826022208-cac0b30c2563 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/robfig/cron/v3 v3.0.1 // indirect
github.com/rs/zerolog v1.26.1
github.com/schollz/progressbar/v3 v3.8.6
github.com/scjalliance/comshim v0.0.0-20190308082608-cf06d2532c4e // indirect
github.com/shirou/gopsutil/v3 v3.22.2
github.com/spf13/cobra v1.3.0
github.com/spf13/pflag v1.0.5 // indirect
github.com/tealeg/xlsx v1.0.5 // indirect
github.com/tinylib/msgp v1.1.6
github.com/tklauser/go-sysconf v0.3.10 // indirect
github.com/tklauser/numcpus v0.4.0 // indirect
github.com/ugorji/go/codec v1.2.7 // indirect
Expand All @@ -112,6 +109,9 @@ require (
golang.org/x/crypto v0.0.0-20220307211146-efcb8507fb70 // indirect
golang.org/x/mod v0.5.0 // indirect
golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
golang.org/x/sys v0.0.0-20220307203707-22a9840ba4d7
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
golang.org/x/text v0.3.7
golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
golang.org/x/tools v0.1.7 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
Expand All @@ -125,4 +125,10 @@ require (
howett.net/plist v0.0.0-20181124034731-591f970eefbb // indirect
)

require github.com/yusufpapurcu/wmi v1.2.2 // indirect
require (
github.com/amidaware/taskmaster v0.0.0-20220111015025-c9cd178bbbf2 // indirect
github.com/capnspacehook/taskmaster v0.0.0-20210519235353-1629df7c85e9 // indirect
github.com/rickb777/date v1.14.2 // indirect
github.com/rickb777/plural v1.2.2 // indirect
github.com/yusufpapurcu/wmi v1.2.2 // indirect
)
5 changes: 5 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
github.com/amidaware/taskmaster v0.0.0-20220111015025-c9cd178bbbf2 h1:1K03qwtvgdJRXJr0nE1qvzFPOmbWHBnnnbeblU7+Bg8=
github.com/amidaware/taskmaster v0.0.0-20220111015025-c9cd178bbbf2/go.mod h1:5UVBogOiPFWC2F6fKT/Kb9qD4NCsp2y+dCj+pvXnDQE=
github.com/antchfx/xmlquery v1.3.7 h1:0hc7OU2rFIu8MMKT5kknruaTKsoCybkUaUFMnB1LOO4=
github.com/antchfx/xmlquery v1.3.7/go.mod h1:wojC/BxjEkjJt6dPiAqUzoXO5nIMWtxHS8PD8TmN4ks=
github.com/antchfx/xmlquery v1.3.9 h1:Y+zyMdiUZ4fasTQTkDb3DflOXP7+obcYEh80SISBmnQ=
Expand All @@ -113,6 +115,7 @@ github.com/buger/jsonparser v0.0.0-20191004114745-ee4c978eae7e/go.mod h1:errmMKH
github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
github.com/bxcodec/faker/v3 v3.3.1/go.mod h1:gF31YgnMSMKgkvl+fyEo1xuSMbEuieyqfeslGYFjneM=
github.com/capnspacehook/taskmaster v0.0.0-20210519235353-1629df7c85e9 h1:5jmtWADt5DzD8NnPxcqd1FzbFNZNfbJGNeDb+WKjoJ0=
github.com/capnspacehook/taskmaster v0.0.0-20210519235353-1629df7c85e9/go.mod h1:257CYs3Wd/CTlLQ3c72jKv+fFE2MV3WPNnV5jiroYUU=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
Expand Down Expand Up @@ -589,7 +592,9 @@ github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+Gx
github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/rcrowley/go-metrics v0.0.0-20190826022208-cac0b30c2563 h1:dY6ETXrvDG7Sa4vE8ZQG4yqWg6UnOcbqTAahkV813vQ=
github.com/rcrowley/go-metrics v0.0.0-20190826022208-cac0b30c2563/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/rickb777/date v1.14.2 h1:PCme7ZL/cniZmDgS9Pyn5fHmu5A6lz12Ibfd33FmDiw=
github.com/rickb777/date v1.14.2/go.mod h1:swmf05C+hN+m8/Xh7gEq3uB6QJDNc5pQBWojKdHetOs=
github.com/rickb777/plural v1.2.2 h1:4CU5NiUqXSM++2+7JCrX+oguXd2D7RY5O1YisMw1yCI=
github.com/rickb777/plural v1.2.2/go.mod h1:xyHbelv4YvJE51gjMnHvk+U2e9zIysg6lTnSQK8XUYA=
github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
Expand Down
2 changes: 1 addition & 1 deletion modules/engine/loaders.go
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ func Load(path string, cb ProgressCallbackFunc) ([]loaderobjects, error) {
return files[i].size > files[j].size
})

log.Info().Msg("Processing files with the biggest files first")
log.Debug().Msg("Processing files with the biggest files first")

cb(0, len(files))

Expand Down
31 changes: 18 additions & 13 deletions modules/engine/objects.go
Original file line number Diff line number Diff line change
Expand Up @@ -389,26 +389,31 @@ func (os *Objects) Find(attribute Attribute, value AttributeValue) (o *Object, f
return v[0], found
}

func (os *Objects) FindMulti(attribute Attribute, value AttributeValue) (o []*Object, found bool) {
os.lock()
defer os.unlock()
return os.find(attribute, value)
}

func (os *Objects) FindTwo(attribute Attribute, value AttributeValue, attribute2 Attribute, value2 AttributeValue) (o *Object, found bool) {
results, found := os.FindTwoMulti(attribute, value, attribute2, value2)
if !found {
return nil, false
}
return results[0], len(results) == 1
}

func (os *Objects) FindTwoMulti(attribute Attribute, value AttributeValue, attribute2 Attribute, value2 AttributeValue) (o []*Object, found bool) {
os.lock()
defer os.unlock()
v, found := os.find(attribute, value)
var result *Object
var results []*Object
for _, o := range v {
if o.HasAttrValue(attribute2, value2) {
if result != nil {
return nil, false
}
result = o
results = append(results, o)
}
}
return result, result != nil
}

func (os *Objects) FindMulti(attribute Attribute, value AttributeValue) (o []*Object, found bool) {
os.lock()
defer os.unlock()
return os.find(attribute, value)
return results, len(results) > 0
}

func (os *Objects) find(attribute Attribute, value AttributeValue) ([]*Object, bool) {
Expand Down Expand Up @@ -458,7 +463,7 @@ func (os *Objects) DistinguishedParent(o *Object) (*Object, bool) {

// Use object chaining if possible
directparent := o.Parent()
if directparent != nil && directparent.OneAttrString(DistinguishedName) == dn {
if directparent != nil && strings.EqualFold(directparent.OneAttrString(DistinguishedName), dn) {
return directparent, true
}

Expand Down
4 changes: 2 additions & 2 deletions modules/engine/objecttype.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,8 @@ var (
ObjectTypeControlAccessRight = NewObjectType("ControlAccessRight", "Control-Access-Right")
ObjectTypeCertificateTemplate = NewObjectType("CertificateTemplate", "PKI-Certificate-Template")
ObjectTypePKIEnrollmentService = NewObjectType("PKIEnrollmentService", "PKI-Enrollment-Service")
ObjectTypeService = NewObjectType("Service", "Service")
ObjectTypeExecutable = NewObjectType("Executable", "Executable")
ObjectTypeService = NewObjectType("Service", "Service").SetDefault(Last, false)
ObjectTypeExecutable = NewObjectType("Executable", "Executable").SetDefault(Last, false)
ObjectTypeDirectory = NewObjectType("Directory", "Directory").SetDefault(Last, false)
ObjectTypeFile = NewObjectType("File", "File").SetDefault(Last, false)
)
Expand Down
11 changes: 7 additions & 4 deletions modules/integrations/activedirectory/analyze/adloader.go
Original file line number Diff line number Diff line change
Expand Up @@ -68,10 +68,13 @@ func (ld *ADLoader) Init() error {
if !ld.importcnf && strings.Contains(o.DN(), "\\0ACNF:") {
continue // skip conflict object
}
// Here's a quirky workaround that will bite me later
// Legacy well known objects in ForeignSecurityPrincipals gives us trouble with duplicate SIDs - skip them
if strings.Count(o.OneAttrString(engine.ObjectSid), "-") == 3 && strings.Contains(o.OneAttrString(engine.DistinguishedName), "CN=ForeignSecurityPrincipals") {
continue

if !o.HasAttr(engine.ObjectClass) {
if strings.Contains(o.DN(), ",CN=MicrosoftDNS,") {
log.Debug().Msgf("Hardened DNS object without objectclass detected: %v", o.DN())
} else {
log.Warn().Msgf("Hardened object without objectclass detected: %v. This *might* affect your analysis, depending on object.", o.DN())
}
}

item.ao.Add(o)
Expand Down
76 changes: 49 additions & 27 deletions modules/integrations/activedirectory/analyze/analyze-ad.go
Original file line number Diff line number Diff line change
Expand Up @@ -882,27 +882,10 @@ func init() {
},
)

type domaininfo struct {
suffix string
name string
}
var domains []domaininfo

Loader.AddProcessor(func(ao *engine.Objects) {
// Ensure everyone has a family
for _, o := range ao.Slice() {

if o.Type() == engine.ObjectTypeDomainDNS {
// Store domain -> netbios name in array for later
dn := o.DN()
if len(dn) > 3 && strings.EqualFold("dc=", dn[:3]) {
domains = append(domains, domaininfo{
suffix: dn,
name: strings.ToUpper(o.OneAttrString(engine.Name)),
})
}
}

if o.Parent() != nil {
continue
}
Expand All @@ -925,9 +908,34 @@ func init() {
}
},
"applying parent/child relationships",
engine.BeforeMerge)
engine.BeforeMergeHigh)

Loader.AddProcessor(func(ao *engine.Objects) {
type domaininfo struct {
suffix string
name string
}
var domains []domaininfo

results, found := ao.FindTwoMulti(engine.ObjectClass, engine.AttributeValueString("domainDNS"),
engine.IsCriticalSystemObject, engine.AttributeValueString("true"))

if !found {
log.Error().Msg("No domainDNS object found, can't apply DownLevelLogonName to objects")
return
}

for _, o := range results {
// Store domain -> netbios name in array for later
dn := o.DN()
if len(dn) > 3 && strings.EqualFold("dc=", dn[:3]) {
domains = append(domains, domaininfo{
suffix: dn,
name: strings.ToUpper(o.OneAttrString(engine.Name)),
})
}
}

// Sort the domains so we match on longest first
sort.Slice(domains, func(i, j int) bool {
// Less is More - so we sort in reverse order
Expand Down Expand Up @@ -1163,14 +1171,25 @@ func init() {
for _, memberof := range object.Attr(activedirectory.MemberOf).Slice() {
group, found := ao.Find(engine.DistinguishedName, memberof)
if !found {
var sid engine.AttributeValueSID
if stringsid, _, found := strings.Cut(memberof.String(), ",CN=ForeignSecurityPrincipals,"); found {
// We can figure out what the SID is
if c, err := windowssecurity.SIDFromString(stringsid); err == nil {
sid = engine.AttributeValueSID(c)
}
log.Info().Msgf("Missing Foreign-Security-Principal: %v is a member of %v, which is not found - adding enhanced synthetic group", object.DN(), memberof)
} else {
log.Warn().Msgf("Possible hardening? %v is a member of %v, which is not found - adding synthetic group. Your analysis will be degraded, try dumping with Domain Admin rights.", object.DN(), memberof)
}
group = engine.NewObject(
engine.DistinguishedName, memberof,
engine.ObjectCategorySimple, engine.AttributeValueString("Group"),
engine.ObjectClass, engine.AttributeValueString("top"), engine.AttributeValueString("group"),
engine.Name, engine.AttributeValueString("Synthetic group "+memberof.String()),
engine.Description, engine.AttributeValueString("Synthetic group"),
engine.ObjectSid, sid,
engine.MetaDataSource, engine.AttributeValueString("Autogenerated"),
)
log.Warn().Msgf("Possible hardening? %v is a member of %v, which is not found - adding synthetic group", object.DN(), memberof)
ao.Add(group)
}
group.AddMember(object)
Expand Down Expand Up @@ -1348,18 +1367,19 @@ func init() {
if ourDomainDN == "" {
return
}

for _, o := range ao.Slice() {
if o.HasAttr(engine.ObjectSid) && o.SID().Component(2) == 21 && !o.HasAttr(engine.DistinguishedName) {
// An unknown SID, is it ours or from another domain?
if o.SID().StripRID() == ourDomainSid {
// log.Debug().Msgf("Found a 'lost' local SID object %v", o.StringNoACL())
log.Warn().Msgf("Found a 'lost' local SID object %v, but not taking action (don't know where to place it). This will affect your analysis results, try dumping as Domain Admin!", o.SID())
} else {
// log.Debug().Msgf("Found a 'lost' foreign SID object %v", o.StringNoACL())
log.Debug().Msgf("Found a 'lost' foreign SID object %v, adding it as a synthetic Foreign-Security-Principal", o.SID())
o.SetFlex(
engine.DistinguishedName, engine.AttributeValueString(o.SID().String()+",CN=SyntheticForeignSecurityPrincipals,"+ourDomainDN),
engine.DistinguishedName, engine.AttributeValueString(o.SID().String()+",CN=ForeignSecurityPrincipals,"+ourDomainDN),
engine.ObjectCategorySimple, "Foreign-Security-Principal",
engine.MetaDataSource, "Autogenerated",
)

}
}
}
Expand Down Expand Up @@ -1403,10 +1423,12 @@ func init() {
log.Error().Msgf("Found a foreign security principal with no SID %v", foreign.Label())
continue
}
if sources, found := ao.FindMulti(engine.ObjectSid, engine.AttributeValueSID(sid)); found {
for _, source := range sources {
if source.Type() != engine.ObjectTypeForeignSecurityPrincipal {
source.PwnsEx(foreign, activedirectory.PwnForeignIdentity, true)
if sid.Component(2) == 21 {
if sources, found := ao.FindMulti(engine.ObjectSid, engine.AttributeValueSID(sid)); found {
for _, source := range sources {
if source.Type() != engine.ObjectTypeForeignSecurityPrincipal {
source.PwnsEx(foreign, activedirectory.PwnForeignIdentity, true)
}
}
}
}
Expand Down
Loading

0 comments on commit 4be4563

Please sign in to comment.