2018-02-27 00:26:43 +08:00
|
|
|
import os
|
2017-12-31 19:46:07 +08:00
|
|
|
import logging
|
2018-02-27 00:26:43 +08:00
|
|
|
import traceback
|
2017-12-31 19:46:07 +08:00
|
|
|
|
2018-02-27 22:43:40 +08:00
|
|
|
import sys
|
|
|
|
sys.coinit_flags = 0 # needed for proper destruction of the wmi python module
|
|
|
|
import wmi
|
2018-05-08 20:40:38 +08:00
|
|
|
import win32com
|
2018-02-27 00:26:43 +08:00
|
|
|
import _winreg
|
2018-02-27 22:43:40 +08:00
|
|
|
|
|
|
|
from mimikatz_collector import MimikatzCollector
|
2017-12-31 19:46:07 +08:00
|
|
|
from . import InfoCollector
|
|
|
|
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
2015-11-30 21:29:30 +08:00
|
|
|
__author__ = 'uri'
|
|
|
|
|
2018-07-22 02:00:13 +08:00
|
|
|
WMI_CLASSES = {"Win32_OperatingSystem", "Win32_ComputerSystem", "Win32_LoggedOnUser", "Win32_UserAccount",
|
|
|
|
"Win32_UserProfile", "Win32_Group", "Win32_GroupUser", "Win32_Product", "Win32_Service",
|
|
|
|
"Win32_OptionalFeature"}
|
2018-02-27 22:43:40 +08:00
|
|
|
|
2018-05-08 20:44:05 +08:00
|
|
|
# These wmi queries are able to return data about all the users & machines in the domain.
|
|
|
|
# For these queries to work, the monkey shohuld be run on a domain machine and
|
|
|
|
#
|
|
|
|
# monkey should run as *** SYSTEM *** !!!
|
|
|
|
#
|
2018-05-08 20:40:38 +08:00
|
|
|
WMI_LDAP_CLASSES = {"ds_user": ("DS_sAMAccountName", "DS_userPrincipalName",
|
|
|
|
"DS_sAMAccountType", "ADSIPath", "DS_userAccountControl",
|
|
|
|
"DS_objectSid", "DS_objectClass", "DS_memberOf",
|
|
|
|
"DS_primaryGroupID", "DS_pwdLastSet", "DS_badPasswordTime",
|
|
|
|
"DS_badPwdCount", "DS_lastLogon", "DS_lastLogonTimestamp",
|
|
|
|
"DS_lastLogoff", "DS_logonCount", "DS_accountExpires"),
|
|
|
|
|
|
|
|
"ds_group": ("DS_whenChanged", "DS_whenCreated", "DS_sAMAccountName",
|
|
|
|
"DS_sAMAccountType", "DS_objectSid", "DS_objectClass",
|
|
|
|
"DS_name", "DS_memberOf", "DS_member", "DS_instanceType",
|
|
|
|
"DS_cn", "DS_description", "DS_distinguishedName", "ADSIPath"),
|
|
|
|
|
2018-05-08 21:12:51 +08:00
|
|
|
"ds_computer": ("DS_dNSHostName", "ADSIPath", "DS_accountExpires",
|
2018-05-08 20:40:38 +08:00
|
|
|
"DS_adminDisplayName", "DS_badPasswordTime",
|
|
|
|
"DS_badPwdCount", "DS_cn", "DS_distinguishedName",
|
|
|
|
"DS_instanceType", "DS_lastLogoff", "DS_lastLogon",
|
|
|
|
"DS_lastLogonTimestamp", "DS_logonCount", "DS_objectClass",
|
|
|
|
"DS_objectSid", "DS_operatingSystem", "DS_operatingSystemVersion",
|
|
|
|
"DS_primaryGroupID", "DS_pwdLastSet", "DS_sAMAccountName",
|
|
|
|
"DS_sAMAccountType", "DS_servicePrincipalName", "DS_userAccountControl",
|
|
|
|
"DS_whenChanged", "DS_whenCreated"),
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2018-02-27 22:43:40 +08:00
|
|
|
def fix_obj_for_mongo(o):
|
|
|
|
if type(o) == dict:
|
|
|
|
return dict([(k, fix_obj_for_mongo(v)) for k, v in o.iteritems()])
|
|
|
|
|
|
|
|
elif type(o) in (list, tuple):
|
|
|
|
return [fix_obj_for_mongo(i) for i in o]
|
|
|
|
|
|
|
|
elif type(o) in (int, float, bool):
|
|
|
|
return o
|
|
|
|
|
|
|
|
elif type(o) in (str, unicode):
|
|
|
|
# mongo dosn't like unprintable chars, so we use repr :/
|
|
|
|
return repr(o)
|
|
|
|
|
2018-02-27 23:38:54 +08:00
|
|
|
elif hasattr(o, "__class__") and o.__class__ == wmi._wmi_object:
|
|
|
|
return fix_wmi_obj_for_mongo(o)
|
2018-05-08 20:40:38 +08:00
|
|
|
|
|
|
|
elif hasattr(o, "__class__") and o.__class__ == win32com.client.CDispatch:
|
|
|
|
try:
|
|
|
|
# objectSid property of ds_user is problematic and need thie special treatment.
|
|
|
|
# ISWbemObjectEx interface. Class Uint8Array ?
|
|
|
|
if str(o._oleobj_.GetTypeInfo().GetTypeAttr().iid) == "{269AD56A-8A67-4129-BC8C-0506DCFE9880}":
|
|
|
|
return o.Value
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
|
|
|
|
try:
|
|
|
|
return o.GetObjectText_()
|
|
|
|
except:
|
|
|
|
pass
|
2018-02-27 22:43:40 +08:00
|
|
|
|
2018-05-08 20:40:38 +08:00
|
|
|
return repr(o)
|
|
|
|
|
2018-02-27 22:43:40 +08:00
|
|
|
else:
|
|
|
|
return repr(o)
|
|
|
|
|
|
|
|
def fix_wmi_obj_for_mongo(o):
|
2018-02-27 23:38:54 +08:00
|
|
|
row = {}
|
2018-02-27 22:43:40 +08:00
|
|
|
|
2018-02-27 23:38:54 +08:00
|
|
|
for prop in o.properties:
|
|
|
|
try:
|
|
|
|
value = getattr(o, prop)
|
|
|
|
except wmi.x_wmi:
|
2018-05-08 22:05:33 +08:00
|
|
|
# This happens in Win32_GroupUser when the user is a domain user.
|
|
|
|
# For some reason, the wmi query for PartComponent fails. This table
|
|
|
|
# is actually contains references to Win32_UserAccount and Win32_Group.
|
|
|
|
# so instead of reading the content to the Win32_UserAccount, we store
|
|
|
|
# only the id of the row in that table, and get all the other information
|
|
|
|
# from that table while analyzing the data.
|
|
|
|
value = o.properties[prop].value
|
2018-02-27 22:43:40 +08:00
|
|
|
|
2018-02-27 23:38:54 +08:00
|
|
|
row[prop] = fix_obj_for_mongo(value)
|
2018-02-27 22:43:40 +08:00
|
|
|
|
2018-02-27 23:38:54 +08:00
|
|
|
for method_name in o.methods:
|
|
|
|
if not method_name.startswith("GetOwner"):
|
|
|
|
continue
|
2018-02-27 22:43:40 +08:00
|
|
|
|
2018-02-27 23:38:54 +08:00
|
|
|
method = getattr(o, method_name)
|
2018-02-27 00:26:43 +08:00
|
|
|
|
2018-02-27 23:38:54 +08:00
|
|
|
try:
|
|
|
|
value = method()
|
|
|
|
value = fix_obj_for_mongo(value)
|
|
|
|
row[method_name[3:]] = value
|
|
|
|
|
|
|
|
except wmi.x_wmi:
|
|
|
|
#LOG.error("Error running wmi method '%s'" % (method_name, ))
|
|
|
|
#LOG.error(traceback.format_exc())
|
|
|
|
continue
|
|
|
|
|
|
|
|
return row
|
2015-11-30 21:29:30 +08:00
|
|
|
|
2015-12-09 22:33:44 +08:00
|
|
|
class WindowsInfoCollector(InfoCollector):
|
2015-11-30 21:29:30 +08:00
|
|
|
"""
|
|
|
|
System information collecting module for Windows operating systems
|
|
|
|
"""
|
|
|
|
|
|
|
|
def __init__(self):
|
2015-12-09 22:33:44 +08:00
|
|
|
super(WindowsInfoCollector, self).__init__()
|
2015-11-30 21:29:30 +08:00
|
|
|
|
|
|
|
def get_info(self):
|
2017-12-31 19:46:07 +08:00
|
|
|
"""
|
|
|
|
Collect Windows system information
|
|
|
|
Hostname, process list and network subnets
|
|
|
|
Tries to read credential secrets using mimikatz
|
|
|
|
:return: Dict of system information
|
|
|
|
"""
|
|
|
|
LOG.debug("Running Windows collector")
|
2015-12-09 22:33:44 +08:00
|
|
|
self.get_hostname()
|
|
|
|
self.get_process_list()
|
2017-09-10 18:11:51 +08:00
|
|
|
self.get_network_info()
|
2018-03-22 22:44:56 +08:00
|
|
|
self.get_azure_info()
|
2018-02-27 00:26:43 +08:00
|
|
|
|
|
|
|
self.get_wmi_info()
|
|
|
|
self.get_reg_key(r"SYSTEM\CurrentControlSet\Control\Lsa")
|
|
|
|
self.get_installed_packages()
|
|
|
|
|
2018-02-27 22:43:40 +08:00
|
|
|
mimikatz_collector = MimikatzCollector()
|
2018-03-22 22:44:56 +08:00
|
|
|
mimikatz_info = mimikatz_collector.get_logon_info()
|
|
|
|
self.info["credentials"].update(mimikatz_info)
|
2018-02-27 22:43:40 +08:00
|
|
|
self.info["mimikatz"] = mimikatz_collector.get_mimikatz_text()
|
2018-02-27 00:26:43 +08:00
|
|
|
|
2015-11-30 21:29:30 +08:00
|
|
|
return self.info
|
2018-02-27 00:26:43 +08:00
|
|
|
|
|
|
|
def get_installed_packages(self):
|
|
|
|
self.info["installed_packages"] = os.popen("dism /online /get-packages").read()
|
|
|
|
self.info["installed_features"] = os.popen("dism /online /get-features").read()
|
|
|
|
|
|
|
|
def get_wmi_info(self):
|
|
|
|
for wmi_class_name in WMI_CLASSES:
|
2018-02-27 23:38:54 +08:00
|
|
|
self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name)
|
2018-02-27 00:26:43 +08:00
|
|
|
|
2018-05-08 20:40:38 +08:00
|
|
|
for wmi_class_name, props in WMI_LDAP_CLASSES.iteritems():
|
|
|
|
self.info[wmi_class_name] = self.get_wmi_class(wmi_class_name, "//./root/directory/ldap", props)
|
|
|
|
|
2018-05-08 20:48:53 +08:00
|
|
|
def get_wmi_class(self, class_name, moniker="//./root/cimv2", properties=None):
|
2018-05-08 20:40:38 +08:00
|
|
|
_wmi = wmi.WMI(moniker=moniker)
|
2018-02-27 00:26:43 +08:00
|
|
|
|
|
|
|
try:
|
2018-05-08 20:40:38 +08:00
|
|
|
if not properties:
|
|
|
|
wmi_class = getattr(_wmi, class_name)()
|
|
|
|
else:
|
|
|
|
wmi_class = getattr(_wmi, class_name)(properties)
|
|
|
|
|
2018-02-27 22:43:40 +08:00
|
|
|
except wmi.x_wmi:
|
|
|
|
#LOG.error("Error getting wmi class '%s'" % (class_name, ))
|
|
|
|
#LOG.error(traceback.format_exc())
|
2018-02-27 00:26:43 +08:00
|
|
|
return
|
|
|
|
|
2018-02-27 23:38:54 +08:00
|
|
|
return fix_obj_for_mongo(wmi_class)
|
2018-02-27 00:26:43 +08:00
|
|
|
|
|
|
|
def get_reg_key(self, subkey_path, store=_winreg.HKEY_LOCAL_MACHINE):
|
|
|
|
key = _winreg.ConnectRegistry(None, store)
|
|
|
|
subkey = _winreg.OpenKey(key, subkey_path)
|
|
|
|
|
2018-04-10 22:51:18 +08:00
|
|
|
d = dict([_winreg.EnumValue(subkey, i)[:2] for i in xrange(_winreg.QueryInfoKey(subkey)[0])])
|
2018-02-27 22:43:40 +08:00
|
|
|
d = fix_obj_for_mongo(d)
|
|
|
|
|
|
|
|
self.info[subkey_path] = d
|
2018-02-27 00:26:43 +08:00
|
|
|
|
|
|
|
subkey.Close()
|
|
|
|
key.Close()
|