Optimize away SID string comparisons, and fix registry permission checks

lkarlslund · Apr 5, 2022 · e2306bd · e2306bd
1 parent e68af07
commit e2306bd
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/modules/integrations/activedirectory/analyze/gpoimport.go b/modules/integrations/activedirectory/analyze/gpoimport.go
@@ -106,7 +106,7 @@ func ImportGPOInfo(ginfo activedirectory.GPOdump, ao *engine.Objects) error {
 			for _, entry := range dacl.Entries {
 				entrysidobject, _ := ao.FindOrAdd(activedirectory.ObjectSid, engine.AttributeValueSID(entry.SID))
 
-				if entry.Type == engine.ACETYPE_ACCESS_ALLOWED && (entry.SID.Component(2) == 21 || entry.SID.String() == "S-1-1-0" || entry.SID.String() == "S-1-5-11") {
+				if entry.Type == engine.ACETYPE_ACCESS_ALLOWED && (entry.SID.Component(2) == 21 || entry.SID == windowssecurity.EveryoneSID || entry.SID == windowssecurity.AuthenticatedUsersSID) {
 					if item.IsDir && entry.Mask&engine.FILE_ADD_FILE != 0 {
 						entrysidobject.Pwns(itemobject, PwnFileCreate)
 					}
@@ -184,7 +184,7 @@ func ImportGPOInfo(ginfo activedirectory.GPOdump, ao *engine.Objects) error {
 				for _, entry := range dacl.Entries {
 					entrysidobject, _ := ao.FindOrAdd(activedirectory.ObjectSid, engine.AttributeValueSID(entry.SID))
 
-					if entry.Type == engine.ACETYPE_ACCESS_ALLOWED && (entry.SID.Component(2) == 21 || entry.SID.String() == "S-1-1-0" || entry.SID.String() == "S-1-5-11") {
+					if entry.Type == engine.ACETYPE_ACCESS_ALLOWED && (entry.SID.Component(2) == 21 || entry.SID == windowssecurity.EveryoneSID || entry.SID == windowssecurity.AuthenticatedUsersSID) {
 						if entry.Mask&engine.FILE_READ_DATA != 0 {
 							entrysidobject.Pwns(expobj, PwnReadSensitiveData)
 						}

diff --git a/modules/integrations/localmachine/analyze/analyzer.go b/modules/integrations/localmachine/analyze/analyzer.go
@@ -267,7 +267,7 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error
 					engine.DownLevelLogonName, member.Name,
 				)
 
-				if membersid.StripRID() == localsid || (membersid.Component(2) != 21 && membersid.String() != "S-1-1-0" && membersid.String() != "S-1-5-11") {
+				if membersid.StripRID() == localsid || (membersid.Component(2) != 21 && membersid != windowssecurity.EveryoneSID && membersid != windowssecurity.AuthenticatedUsersSID) {
 					memberobject.SetFlex(
 						engine.UniqueSource, uniquesource,
 					)
@@ -452,17 +452,17 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error
 						activedirectory.ObjectSid, engine.AttributeValueSID(entrysid),
 					)
 
-					if entrysid.String() != "S-1-1-0" && (entrysid.StripRID() == localsid || entrysid.Component(2) != 21) {
+					if entrysid != windowssecurity.EveryoneSID && (entrysid.StripRID() == localsid || entrysid.Component(2) != 21) {
 						o.SetFlex(
 							engine.UniqueSource, uniquesource,
 						)
 					}
 
-					if entry.Mask&engine.KEY_SET_VALUE != engine.KEY_SET_VALUE {
+					if entry.Mask&engine.KEY_SET_VALUE == engine.KEY_SET_VALUE {
 						o.Pwns(serviceobject, PwnRegistryWrite)
 					}
 
-					if entry.Mask&engine.RIGHT_WRITE_DACL != engine.RIGHT_WRITE_DACL {
+					if entry.Mask&engine.RIGHT_WRITE_DACL == engine.RIGHT_WRITE_DACL {
 						o.Pwns(serviceobject, PwnRegistryModifyDACL)
 					}
 				}
@@ -497,7 +497,7 @@ func (ld *LocalMachineLoader) ImportCollectorInfo(cinfo localmachine.Info) error
 		if sd, err := engine.ParseACL(service.ImageExecutableDACL); err == nil {
 			for _, entry := range sd.Entries {
 				entrysid := entry.SID
-				if entry.Type == engine.ACETYPE_ACCESS_ALLOWED && (entrysid.Component(2) == 21 || entry.SID.String() == "S-1-1-0" || entry.SID.String() == "S-1-5-11") {
+				if entry.Type == engine.ACETYPE_ACCESS_ALLOWED && (entrysid.Component(2) == 21 || entry.SID == windowssecurity.EveryoneSID || entry.SID == windowssecurity.AuthenticatedUsersSID) {
 					o := ld.ao.AddNew(
 						activedirectory.ObjectSid, engine.AttributeValueSID(entrysid),
 					)