WSUS host server collection from localmachine and added edge "patches…

…" for attack path analysis
lkarlslund · May 6, 2022 · 699e656 · 699e656
1 parent d877dcb
commit 699e656
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 1 deletion.
diff --git a/modules/integrations/localmachine/analyze/analyzer.go b/modules/integrations/localmachine/analyze/analyzer.go
@@ -2,6 +2,7 @@ package analyze
 
 import (
 	"fmt"
+	"net/url"
 	"path/filepath"
 	"strings"
 
@@ -56,6 +57,9 @@ var (
 	PwnSeTcb                = engine.NewPwn("SeTcb")
 
 	PwnSIDCollision = engine.NewPwn("SIDCollision")
+
+	DNSHostname = engine.NewAttribute("dnsHostName")
+	PwnPatches  = engine.NewPwn("Patches")
 )
 
 func MapSID(original, new, input windowssecurity.SID) windowssecurity.SID {
@@ -90,10 +94,20 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error
 		computerobject = ld.ao.AddNew()
 	}
 
-	computerobject.SetValues(
+	computerobject.SetFlex(
+		engine.IgnoreBlanks,
 		activedirectory.SAMAccountName, engine.AttributeValueString(strings.ToUpper(cinfo.Machine.Name)+"$"),
 	)
 
+	if cinfo.Machine.WUServer != "" {
+		if u, err := url.Parse(cinfo.Machine.WUServer); err == nil {
+			wsusserver, _ := ld.ao.FindOrAdd(
+				DNSHostname, engine.AttributeValueString(u.Host),
+			)
+			wsusserver.Pwns(computerobject, PwnPatches)
+		}
+	}
+
 	var isdomaincontroller bool
 	if cinfo.Machine.ProductType != "" {
 		// New way of detecting domain controller

diff --git a/modules/integrations/localmachine/collect/main.go b/modules/integrations/localmachine/collect/main.go
@@ -195,6 +195,16 @@ func Collect(outputpath string) error {
 		machineinfo.SCCMLastValidMP, _, _ = ccmsetup_key.GetStringValue(`LastValidMP`)
 	}
 
+	// WSUS SETTINGS
+	wu_key, err := registry.OpenKey(registry.LOCAL_MACHINE,
+		`SOFTWARE\Policies\Microsoft\Windows\WindupsUpdate`,
+		registry.READ|registry.ENUMERATE_SUB_KEYS|registry.WOW64_64KEY)
+	if err == nil {
+		defer wu_key.Close()
+		machineinfo.WUServer, _, _ = wu_key.GetStringValue(`WUServer`)
+		machineinfo.WUStatusServer, _, _ = wu_key.GetStringValue(`WUStatusServer`)
+	}
+
 	// UAC SETTINGS
 	polsys_key, err := registry.OpenKey(registry.LOCAL_MACHINE,
 		`SOFTWARE\Microsoft\Windows NT\CurrentVersion\Policies\System`,

diff --git a/modules/integrations/localmachine/structs.go b/modules/integrations/localmachine/structs.go
@@ -61,6 +61,9 @@ type Machine struct {
 
 	SCCMLastValidMP string `json:",omitempty"`
 
+	WUServer       string `json:",omitempty"`
+	WUStatusServer string `json:",omitempty"`
+
 	UACConsentPromptBehaviorAdmin    uint64 `json:",omitempty"`
 	UACEnableLUA                     uint64 `json:",omitempty"`
 	UACLocalAccountTokenFilterPolicy uint64 `json:",omitempty"`

diff --git a/modules/integrations/localmachine/structs_easyjson.go b/modules/integrations/localmachine/structs_easyjson.go