Added pwns to Domain Controllers for members of Administrators, Remot…

…e Desktop Users and Distributed DCOM Users
lkarlslund · Dec 30, 2021 · 10966c7 · 10966c7
1 parent cdaa735
commit 10966c7
Showing 1 changed file with 24 additions and 4 deletions.
diff --git a/modules/integrations/activedirectory/analyze/analyze-ad.go b/modules/integrations/activedirectory/analyze/analyze-ad.go
@@ -985,13 +985,27 @@ func init() {
 			log.Fatal().Msgf("Could not locate Authenticated Users, aborting - this should at least have been added during earlier preprocessing")
 		}
 
-		for _, object := range ao.Slice() {
+		administratorssid, _ := windowssecurity.SIDFromString("S-1-5-32-544")
+		administrators, ok := ao.Find(engine.ObjectSid, engine.AttributeValueSID(administratorssid))
+		if !ok {
+			log.Fatal().Msgf("Could not locate Administrators, aborting - this should at least have been added during earlier preprocessing")
+		}
 
-			processbar.Add(1)
+		remotedesktopuserssid, _ := windowssecurity.SIDFromString("S-1-5-32-555")
+		remotedesktopusers, ok := ao.Find(engine.ObjectSid, engine.AttributeValueSID(remotedesktopuserssid))
+		if !ok {
+			log.Fatal().Msgf("Could not locate Remote Desktop Users, aborting - this should at least have been added during earlier preprocessing")
+		}
+
+		distributeddcomuserssid, _ := windowssecurity.SIDFromString("S-1-5-32-562")
+		distributeddcomusers, ok := ao.Find(engine.ObjectSid, engine.AttributeValueSID(distributeddcomuserssid))
+		if !ok {
+			log.Fatal().Msgf("Could not locate Distributed COM Users, aborting - this should at least have been added during earlier preprocessing")
+		}
 
-			if object.Type() == engine.ObjectTypeDomainDNS {
+		for _, object := range ao.Slice() {
 
-			}
+			processbar.Add(1)
 
 			// We'll put the ObjectClass UUIDs in a synthetic attribute, so we can look it up later quickly (and without access to Objects)
 			objectclasses := object.Attr(engine.ObjectClass).Slice()
@@ -1106,6 +1120,12 @@ func init() {
 				if uac&engine.UAC_PASSWD_NOTREQD != 0 {
 					object.SetValues(engine.MetaPasswordNotRequired, engine.AttributeValueInt(1))
 				}
+				if uac&engine.UAC_SERVER_TRUST_ACCOUNT != 0 {
+					// Domain Controller
+					administrators.Pwns(object, activedirectory.PwnLocalAdminRights)
+					remotedesktopusers.Pwns(object, activedirectory.PwnLocalRDPRights)
+					distributeddcomusers.Pwns(object, activedirectory.PwnLocalDCOMRights)
+				}
 			}
 
 			if object.Type() == engine.ObjectTypeTrust {