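function Get-DCOMSecurity{
<#
.SYNOPSIS
Enumerate DCOM Security Settings
Author: Matt Pichelmayer
.DESCRIPTION
This script is used to enumerate security settings based on WMI information from the Win32_DCOMApplication,
Win32_DCOMApplicationAccessAllowedSetting, and Win32_DCOMApplicationLaunchAllowedSetting for detecting
lateral movement avenues. For more information on DCOM-based lateral movement concept, refer to the
following article: https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
Every access and launch principal recorded for an application is reported (joined with "; "). A SID that
cannot be translated to an account name is still reported, tagged "Unknown", so orphaned or foreign-domain
principals are not silently dropped from the audit; use -Verbose to see why a translation failed.
.PARAMETER ComputerName
If using this script locally, you can direct it to run against a remote workstation using the ComputerName
argument. If omitted, the local workstation is assumed. The WMI classes are read from ROOT\CIMV2 on that host.
.OUTPUTS
One PSObject per DCOM application with the properties AppName, AppID, LaunchAllowedPrincipal and
AccessAllowedPrincipal. A principal property reads "Not Set" when no per-application entry exists in the
corresponding WMI setting class.
.EXAMPLE
PS C:\> Get-DCOMSecurity
Enumerates DCOM security settings on the local computer
.EXAMPLE
PS C:\> Get-DCOMSecurity -ComputerName <hostname>
Enumerates DCOM security settings on a remote computer
#>
[CmdletBinding()]
param([parameter(Mandatory=$false)][string]$ComputerName='.')

    # Translate a string SID (e.g. S-1-5-32-544) to DOMAIN\Account. Throws when the SID cannot be resolved.
    function Get-UserFromSID($SIDstr){
        $sid_obj = New-Object System.Security.Principal.SecurityIdentifier($SIDstr)
        return ($sid_obj.Translate([System.Security.Principal.NTAccount])).Value
    }

    # Extract the quoted key value from a WMI object reference such as
    # 'Win32_DCOMApplication.AppID="{...}"' or 'Win32_SID.SID="S-1-..."'.
    # Splits on the first '=' only, so a value containing '=' is kept intact.
    # Returns $null when the reference does not have the expected key=value shape.
    function Get-RefValue([string]$ref){
        $parts = $ref -split '=', 2
        if($parts.Count -lt 2){ return $null }
        return $parts[1].Trim('"')
    }

    # Build one "SID (account)" label for every setting in $settings whose Element references $appId.
    # The "Unknown" tag is reset per entry: a failed translation must not inherit the account name that
    # was resolved for the previous entry of the same application.
    function Get-PrincipalEntries($settings, [string]$appId){
        $entries = @()
        foreach($setting in $settings){
            if((Get-RefValue $setting.element) -ne $appId){ continue }
            $sid = Get-RefValue $setting.setting
            if(-not $sid){ continue }
            $principal = "Unknown"
            try { $principal = Get-UserFromSID $sid }
            catch { Write-Verbose "Could not translate SID $sid for AppID $appId : $_" }
            $entries += "$sid ($principal)"
        }
        return $entries
    }

    # Join the per-application entries into the reported string, or "Not Set" when there are none.
    function Format-PrincipalEntries($entries){
        if($entries.Count -gt 0){ return ($entries -join "; ") }
        return "Not Set"
    }

    $dcom_apps = ([wmiclass]"\\$ComputerName\ROOT\CIMV2:win32_dcomapplication").GetInstances()
    $dcom_accesssettings = ([wmiclass]"\\$ComputerName\ROOT\CIMV2:Win32_DCOMApplicationAccessAllowedSetting").GetInstances()
    $dcom_launchsettings = ([wmiclass]"\\$ComputerName\ROOT\CIMV2:Win32_DCOMApplicationLaunchAllowedSetting").GetInstances()

    foreach($app in $dcom_apps){
        $dcom_appid = $app.appid
        $dcom_appname = $app.name

        # @(...) forces an array so a single entry does not unroll into a scalar and lose .Count.
        $access_entries = @(Get-PrincipalEntries $dcom_accesssettings $dcom_appid)
        $launch_entries = @(Get-PrincipalEntries $dcom_launchsettings $dcom_appid)
        $access_table_entry = Format-PrincipalEntries $access_entries
        $launch_table_entry = Format-PrincipalEntries $launch_entries

        $dcomsec = New-Object PSObject
        $dcomsec | Add-Member -Name "AppName" -MemberType NoteProperty -Value $dcom_appname
        $dcomsec | Add-Member -Name "AppID" -MemberType NoteProperty -Value $dcom_appid
        # Launch settings feed LaunchAllowedPrincipal and access settings feed AccessAllowedPrincipal.
        # These were crossed in the previous version, which mislabelled who may start an application
        # versus who may call an already-running instance.
        $dcomsec | Add-Member -Name "LaunchAllowedPrincipal" -MemberType NoteProperty -Value $launch_table_entry
        $dcomsec | Add-Member -Name "AccessAllowedPrincipal" -MemberType NoteProperty -Value $access_table_entry
        [array]$dcomsec
    }
}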