Skip to content

Commit

Permalink
Merge pull request #122 from GhostPack/aadssso
Browse files Browse the repository at this point in the history 
Rename dsregcmd to AzureAD, add SSSO check
  • Loading branch information
@HarmJ0y
HarmJ0y authored Jan 5, 2024
2 parents 917f19d + 75f1f21 commit af5af1d
Show file tree
Hide file tree
Showing 5 changed files with 532 additions and 476 deletions.
97 changes: 49 additions & 48 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,19 +34,19 @@ Seatbelt is licensed under the BSD 3-Clause license.
```
%&&@@@&&
&&&&&&&%%%, #&&@@@@@@%%%%%%###############%
%&&@@@&&
&&&&&&&%%%, #&&@@@@@@%%%%%%###############%
&%& %&%% &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####% &%%**# @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%####### %&%,,,,,,,,,,,,,,,, @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%####### %%%,,,,,, ,,. ,, @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%#################### &%%...... ... .. @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%######### %%%...... ... .. @////(((&%%%%%#########################(#(#######((#####
###%##%%#################### &%%............... @////(((&%%%%%%%%##############%#######(#########((#####
#####%###################### %%%.. @////(((&%%%%%%%################
&%& %%%%% Seatbelt %////(((&%%%%%%%%#############*
&%%&&&%%%%% v1.2.0 ,(((&%%%%%%%%%%%%%%%%%,
#%%%%##,
#####%###################### %%%.. @////(((&%%%%%%%################
&%& %%%%% Seatbelt %////(((&%%%%%%%%#############*
&%%&&&%%%%% v1.2.1 ,(((&%%%%%%%%%%%%%%%%%,
#%%%%##,
Available commands (+ means remote usage is supported):
Expand All @@ -58,8 +58,9 @@ Available commands (+ means remote usage is supported):
AuditPolicies - Enumerates classic and advanced audit policy settings
+ AuditPolicyRegistry - Audit settings via the registry
+ AutoRuns - Auto run executables/scripts/programs
azuread - Return AzureAD info
Certificates - Finds user and machine personal certificate files
CertificateThumbprints - Finds thumbprints for all certificate store certs on the systen
CertificateThumbprints - Finds thumbprints for all certificate store certs on the system
+ ChromiumBookmarks - Parses any found Chrome/Edge/Brave/Opera bookmark files
+ ChromiumHistory - Parses any found Chrome/Edge/Brave/Opera history files
+ ChromiumPresence - Checks if interesting Chrome/Edge/Brave/Opera files exist
Expand All @@ -71,7 +72,6 @@ Available commands (+ means remote usage is supported):
+ DNSCache - DNS cache entries (via WMI)
+ DotNet - DotNet versions
+ DpapiMasterKeys - List DPAPI master keys
Dsregcmd - Return Tenant information - Replacement for Dsregcmd /status
EnvironmentPath - Current environment %PATH$ folders and SDDL information
+ EnvironmentVariables - Current environment variables
+ ExplicitLogonEvents - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days, argument == last X days.
Expand Down Expand Up @@ -104,6 +104,7 @@ Available commands (+ means remote usage is supported):
McAfeeConfigs - Finds McAfee configuration files
McAfeeSiteList - Decrypt any found McAfee SiteList.xml configuration files.
MicrosoftUpdates - All Microsoft updates (via COM)
MTPuTTY - MTPuTTY configuration files
NamedPipes - Named pipe names, any readable ACL information and associated process information.
+ NetworkProfiles - Windows network profiles
+ NetworkShares - Network shares exposed by the machine (via WMI)
Expand Down Expand Up @@ -136,6 +137,7 @@ Available commands (+ means remote usage is supported):
+ ScheduledTasks - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
SearchIndex - Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>
SecPackageCreds - Obtains credentials from security packages
+ SecureBoot - Secure Boot configuration
SecurityPackages - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
Services - Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
+ SlackDownloads - Parses any found 'slack-downloads' files
Expand Down Expand Up @@ -175,32 +177,32 @@ Seatbelt has the following command groups: All, User, System, Slack, Chromium, R
"Seatbelt.exe -group=user" runs the following commands:
Certificates, CertificateThumbprints, ChromiumPresence, CloudCredentials, CloudSyncProviders,
CredEnum, dir, DpapiMasterKeys, Dsregcmd,
ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence,
IdleTime, IEFavorites, IETabs, IEUrls,
KeePass, MappedDrives, OfficeMRUs, OneNote,
OracleSQLDeveloper, PowerShellHistory, PuttyHostKeys, PuttySessions,
RDCManFiles, RDPSavedConnections, SecPackageCreds, SlackDownloads,
SlackPresence, SlackWorkspaces, SuperPutty, TokenGroups,
WindowsCredentialFiles, WindowsVault
azuread, Certificates, CertificateThumbprints, ChromiumPresence, CloudCredentials,
CloudSyncProviders, CredEnum, dir, DpapiMasterKeys,
ExplorerMRUs, ExplorerRunCommands, FileZilla, FirefoxPresence,
IdleTime, IEFavorites, IETabs, IEUrls,
KeePass, MappedDrives, MTPuTTY, OfficeMRUs,
OneNote, OracleSQLDeveloper, PowerShellHistory, PuttyHostKeys,
PuttySessions, RDCManFiles, RDPSavedConnections, SecPackageCreds,
SlackDownloads, SlackPresence, SlackWorkspaces, SuperPutty,
TokenGroups, WindowsCredentialFiles, WindowsVault
"Seatbelt.exe -group=system" runs the following commands:
AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints,
CredGuard, DNSCache, DotNet, EnvironmentPath,
EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings,
LAPS, LastShutdown, LocalGPOs, LocalGroups,
LocalUsers, LogonSessions, LSASettings, McAfeeConfigs,
NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
Processes, PSSessionSettings, RDPSessions, RDPsettings,
SCCM, Services, Sysmon, TcpConnections,
TokenPrivileges, UAC, UdpConnections, UserRightAssignments,
WifiProfile, WindowsAutoLogon, WindowsDefender, WindowsEventForwarding,
WindowsFirewall, WMI, WMIEventConsumer, WMIEventFilter,
WMIFilterBinding, WSUS
AMSIProviders, AntiVirus, AppLocker, ARPTable, AuditPolicies,
AuditPolicyRegistry, AutoRuns, Certificates, CertificateThumbprints,
CredGuard, DNSCache, DotNet, EnvironmentPath,
EnvironmentVariables, Hotfixes, InterestingProcesses, InternetSettings,
LAPS, LastShutdown, LocalGPOs, LocalGroups,
LocalUsers, LogonSessions, LSASettings, McAfeeConfigs,
NamedPipes, NetworkProfiles, NetworkShares, NTLMSettings,
OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
Processes, PSSessionSettings, RDPSessions, RDPsettings,
SCCM, SecureBoot, Services, Sysmon,
TcpConnections, TokenPrivileges, UAC, UdpConnections,
UserRightAssignments, WifiProfile, WindowsAutoLogon, WindowsDefender,
WindowsEventForwarding, WindowsFirewall, WMI, WMIEventConsumer,
WMIEventFilter, WMIFilterBinding, WSUS
"Seatbelt.exe -group=slack" runs the following commands:
Expand All @@ -212,24 +214,25 @@ Seatbelt has the following command groups: All, User, System, Slack, Chromium, R
"Seatbelt.exe -group=remote" runs the following commands:
AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials,
DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables,
ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes,
InterestingProcesses, KeePass, LastShutdown, LocalGroups,
LocalUsers, LogonEvents, LogonSessions, LSASettings,
MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions,
RDPSavedConnections, RDPSessions, RDPsettings, Sysmon,
WindowsDefender, WindowsEventForwarding, WindowsFirewall
AMSIProviders, AntiVirus, AuditPolicyRegistry, ChromiumPresence, CloudCredentials,
DNSCache, DotNet, DpapiMasterKeys, EnvironmentVariables,
ExplicitLogonEvents, ExplorerRunCommands, FileZilla, Hotfixes,
InterestingProcesses, KeePass, LastShutdown, LocalGroups,
LocalUsers, LogonEvents, LogonSessions, LSASettings,
MappedDrives, NetworkProfiles, NetworkShares, NTLMSettings,
OptionalFeatures, OSInfo, PoweredOnEvents, PowerShell,
ProcessOwners, PSSessionSettings, PuttyHostKeys, PuttySessions,
RDPSavedConnections, RDPSessions, RDPsettings, SecureBoot,
Sysmon, WindowsDefender, WindowsEventForwarding, WindowsFirewall
"Seatbelt.exe -group=misc" runs the following commands:
ChromiumBookmarks, ChromiumHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
InstalledProducts, InterestingFiles, LogonEvents, LOLBAS,
McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents,
Printers, ProcessCreationEvents, ProcessOwners, RecycleBin,
reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
ChromiumBookmarks, ChromiumHistory, ExplicitLogonEvents, FileInfo, FirefoxHistory,
InstalledProducts, InterestingFiles, LogonEvents, LOLBAS,
McAfeeSiteList, MicrosoftUpdates, OutlookDownloads, PowerShellEvents,
Printers, ProcessCreationEvents, ProcessOwners, RecycleBin,
reg, RPCMappedEndpoints, ScheduledTasks, SearchIndex,
SecurityPackages, SysmonEvents
Expand All @@ -247,8 +250,6 @@ Examples:

**Note:** searches that target users will run for the current user if not-elevated and for ALL users if elevated.

**A more detailed wiki is coming...**


## Command Groups

Expand Down
224 changes: 224 additions & 0 deletions Seatbelt/Commands/Windows/AzureADCmd.cs
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,224 @@
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.Win32;
using Seatbelt.Output.Formatters;
using Seatbelt.Output.TextWriters;
using static Seatbelt.Interop.Netapi32;

namespace Seatbelt.Commands.Windows
{
internal class AzureADCommand : CommandBase
{
public override string Command => "azuread";
public override string Description => "Return AzureAD info";
public override CommandGroup[] Group => new[] { CommandGroup.User };
public override bool SupportRemote => false;
public Runtime ThisRunTime;

public AzureADCommand(Runtime runtime) : base(runtime)
{
ThisRunTime = runtime;
}

public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
bool? sssoDomainTrusted = null;
var sssoDomainTrustedValue = ThisRunTime.GetDwordValue(RegistryHive.CurrentUser, @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoftazuread-sso.com\autologon", "https");

if (sssoDomainTrustedValue != null)
{
switch (sssoDomainTrustedValue)
{
case 0:
sssoDomainTrusted = false;
break;
case 1:
sssoDomainTrusted = true;
break;
default:
sssoDomainTrusted = false;
break;
}
}

var netAadJoinInfo = GetNetAadInfo();


yield return new AzureADDTO(
netAadJoinInfo,
sssoDomainTrusted
);
}


private NetAadJoinInfo? GetNetAadInfo()
{
//original code from https://github.com/ThomasKur/WPNinjas.Dsregcmd/blob/2cff7b273ad4d3fc705744f76c4bd0701b2c36f0/WPNinjas.Dsregcmd/DsRegCmd.cs

var tenantId = "";
var retValue = NetGetAadJoinInformation(tenantId, out var ptrJoinInfo);
if (retValue == 0)
{
var joinInfo = (DSREG_JOIN_INFO)Marshal.PtrToStructure(ptrJoinInfo, typeof(DSREG_JOIN_INFO));
var JType = (NetAadJoinInfo.JoinType)joinInfo.joinType;
var did = new Guid(joinInfo.DeviceId);
var tid = new Guid(joinInfo.TenantId);

var data = Convert.FromBase64String(joinInfo.UserSettingSyncUrl);
var UserSettingSyncUrl = Encoding.ASCII.GetString(data);
var ptrUserInfo = joinInfo.pUserInfo;

DSREG_USER_INFO? userInfo = null;
var cresult = new List<X509Certificate2>();
Guid? uid = null;

if (ptrUserInfo != IntPtr.Zero)
{
userInfo = (DSREG_USER_INFO)Marshal.PtrToStructure(ptrUserInfo, typeof(DSREG_USER_INFO));
uid = new Guid(userInfo?.UserKeyId);
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);

foreach (var certificate in store.Certificates)
{
if (certificate.Subject.Equals($"CN={did}"))
{
cresult.Add(certificate);
}
}

Marshal.Release(ptrUserInfo);
}

Marshal.Release(ptrJoinInfo);
NetFreeAadJoinInformation(ptrJoinInfo);

return new NetAadJoinInfo(
JType,
did,
joinInfo.IdpDomain,
tid,
joinInfo.JoinUserEmail,
joinInfo.TenantDisplayName,
joinInfo.MdmEnrollmentUrl,
joinInfo.MdmTermsOfUseUrl,
joinInfo.MdmComplianceUrl,
UserSettingSyncUrl,
cresult,
userInfo?.UserEmail,
uid,
userInfo?.UserKeyName
);
}

return null;
}
}

internal class AzureADDTO : CommandDTOBase
{
public AzureADDTO(NetAadJoinInfo? netAadJoinInfo, bool? seamlessSignOnDomainTrusted)
{
SeamlessSignOnDomainTrusted = seamlessSignOnDomainTrusted;
NetAadJoinInfo = netAadJoinInfo;
}

public bool? SeamlessSignOnDomainTrusted { get; }
public NetAadJoinInfo? NetAadJoinInfo { get; }
}

internal class NetAadJoinInfo
{
public NetAadJoinInfo(JoinType jType, Guid deviceId, string idpDomain, Guid tenantId, string joinUserEmail, string tenantDisplayName, string mdmEnrollmentUrl, string mdmTermsOfUseUrl,
string mdmComplianceUrl, string userSettingSyncUrl, List<X509Certificate2> certInfo, string? userEmail, Guid? userKeyId, string? userKeyname)
{
JType = jType;
DeviceId = deviceId;
IdpDomain = idpDomain;
TenantId = tenantId;
JoinUserEmail = joinUserEmail;
TenantDisplayName = tenantDisplayName;
MdmEnrollmentUrl = mdmEnrollmentUrl;
MdmTermsOfUseUrl = mdmTermsOfUseUrl;
MdmComplianceUrl = mdmComplianceUrl;
UserSettingSyncUrl = userSettingSyncUrl;
CertInfo = certInfo;
UserEmail = userEmail;
UserKeyId = userKeyId;
UserKeyname = userKeyname;
}
public enum JoinType
{
DSREG_UNKNOWN_JOIN,
DSREG_DEVICE_JOIN,
DSREG_WORKPLACE_JOIN,
DSREG_NO_JOIN
}
public JoinType JType { get; }
public Guid DeviceId { get; }
public string IdpDomain { get; }
public Guid TenantId { get; }
public string JoinUserEmail { get; }
public string TenantDisplayName { get; }
public string MdmEnrollmentUrl { get; }
public string MdmTermsOfUseUrl { get; }
public string MdmComplianceUrl { get; }
public string UserSettingSyncUrl { get; }
public List<X509Certificate2> CertInfo { get; }
public string? UserEmail { get; }
public Guid? UserKeyId { get; }
public string? UserKeyname { get; }
}

[CommandOutputType(typeof(AzureADDTO))]
internal class AzureADFormatter : TextFormatterBase
{
public AzureADFormatter(ITextWriter writer) : base(writer)
{
// nothing goes here
}
public override void FormatResult(CommandBase? command, CommandDTOBase result, bool filterResults)
{
var dto = (AzureADDTO)result;
var netAadInfo = dto.NetAadJoinInfo;

if (netAadInfo == null)
WriteLine(" Could not enumerate NetAadJoinInfo");
else
{
WriteLine($" TenantDisplayName : {netAadInfo.TenantDisplayName}");
WriteLine($" TenantId : {netAadInfo.TenantId}");
WriteLine($" IdpDomain : {netAadInfo.IdpDomain}");
WriteLine($" MdmEnrollmentUrl : {netAadInfo.MdmEnrollmentUrl}");
WriteLine($" MdmTermsOfUseUrl : {netAadInfo.MdmTermsOfUseUrl}");
WriteLine($" MdmComplianceUrl : {netAadInfo.MdmComplianceUrl}");
WriteLine($" UserSettingSyncUrl : {netAadInfo.UserSettingSyncUrl}");
WriteLine($" DeviceId : {netAadInfo.DeviceId}");
WriteLine($" JoinType : {netAadInfo.JType}");
WriteLine($" JoinUserEmail : {netAadInfo.JoinUserEmail}");
WriteLine($" UserKeyId : {netAadInfo.UserKeyId}");
WriteLine($" UserEmail : {netAadInfo.UserEmail}");
WriteLine($" UserKeyname : {netAadInfo.UserKeyname}\n");

foreach (var cert in netAadInfo.CertInfo)
{
WriteLine($" Thumbprint : {cert.Thumbprint}");
WriteLine($" Subject : {cert.Subject}");
WriteLine($" Issuer : {cert.Issuer}");
WriteLine($" Expiration : {cert.GetExpirationDateString()}");
}
}

var sssoMsg = "";
if (dto.SeamlessSignOnDomainTrusted == true)
sssoMsg = "(AzureAD Seamless Sign-on may be enabled!)";
else
sssoMsg = "(not configured)";

WriteLine($" SeamlessSignOnDomainTrusted : {dto.SeamlessSignOnDomainTrusted}{sssoMsg}");
}
}
}
Loading

0 comments on commit af5af1d

Please sign in to comment.