using System; using System.Collections.Generic; using System.IO; using System.Linq; using System.Reflection; using System.Runtime.InteropServices; using System.Text.RegularExpressions; using winPEAS.Helpers; using winPEAS.Helpers.AppLocker; using winPEAS._3rdParty.Watson; using winPEAS.Info.SystemInfo.Printers; using winPEAS.Info.SystemInfo.NamedPipes; using winPEAS.Info.SystemInfo; using winPEAS.Info.SystemInfo.SysMon; using winPEAS.Helpers.Extensions; using winPEAS.Helpers.Registry; using winPEAS.Info.SystemInfo.AuditPolicies; using winPEAS.Info.SystemInfo.DotNet; using winPEAS.Info.SystemInfo.GroupPolicy; using winPEAS.Info.SystemInfo.WindowsDefender; using winPEAS.Info.SystemInfo.PowerShell; using winPEAS.Info.SystemInfo.Ntlm; using winPEAS.Native.Enums; namespace winPEAS.Checks { class SystemInfo : ISystemCheck { static string badUAC = "No prompting|PromptForNonWindowsBinaries"; static string goodUAC = "PromptPermitDenyOnSecureDesktop"; static string badLAPS = "LAPS not installed"; private static readonly Dictionary _asrGuids = new Dictionary { { "01443614-cd74-433a-b99e-2ecdc07bfc25" , "Block executable files from running unless they meet a prevalence, age, or trusted list criteria"}, { "c1db55ab-c21a-4637-bb3f-a12568109d35" , "Use advanced protection against ransomware"}, { "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" , "Block credential stealing from the Windows local security authority subsystem (lsass.exe)"}, { "d1e49aac-8f56-4280-b9ba-993a6d77406c" , "Block process creations originating from PSExec and WMI commands"}, { "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" , "Block untrusted and unsigned processes that run from USB"}, { "26190899-1602-49e8-8b27-eb1d0a1ce869" , "Block Office communication applications from creating child processes"}, { "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" , "Block Adobe Reader from creating child processes"}, { "e6db77e5-3df2-4cf1-b95a-636979351e5b" , "Block persistence through WMI event subscription"}, { "d4f940ab-401b-4efc-aadc-ad5f3c50688a" , "Block all Office applications from creating child processes"}, { "5beb7efe-fd9a-4556-801d-275e5ffc04cc" , "Block execution of potentially obfuscated scripts"}, { "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" , "Block Win32 API calls from Office macro "}, { "3b576869-a4ec-4529-8536-b80a7769e899" , "Block Office applications from creating executable content "}, { "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" , "Block Office applications from injecting code into other processes"}, { "d3e037e1-3eb8-44c8-a917-57927947596d" , "Block JavaScript or VBScript from launching downloaded executable content"}, { "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" , "Block executable content from email client and webmail"}, }; public void PrintInfo(bool isDebug) { Beaprint.GreatPrint("System Information"); new List { PrintBasicSystemInfo, PrintMicrosoftUpdatesCOM, PrintSystemLastShutdownTime, PrintUserEV, PrintSystemEV, PrintAuditInfo, PrintAuditPoliciesInfo, PrintWEFInfo, PrintLAPSInfo, PrintWdigest, PrintLSAProtection, PrintCredentialGuard, PrintCachedCreds, PrintRegistryCreds, PrintAVInfo, PrintWindowsDefenderInfo, PrintUACInfo, PrintPSInfo, PrintPowerShellSessionSettings, PrintTranscriptPS, PrintInetInfo, PrintDrivesInfo, PrintWSUS, PrintAlwaysInstallElevated, PrintLSAInfo, PrintNtlmSettings, PrintLocalGroupPolicy, AppLockerHelper.PrintAppLockerPolicy, PrintPrintersWMIInfo, PrintNamedPipes, PrintAMSIProviders, PrintSysmon, PrintDotNetVersions }.ForEach(action => CheckRunner.Run(action, isDebug)); } private static void PrintBasicSystemInfo() { try { Beaprint.MainPrint("Basic System Information"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits", "Check if the Windows versions is vulnerable to some known exploit"); Dictionary basicDictSystem = Info.SystemInfo.SystemInfo.GetBasicOSInfo(); basicDictSystem["Hotfixes"] = Beaprint.ansi_color_good + basicDictSystem["Hotfixes"] + Beaprint.NOCOLOR; Dictionary colorsSI = new Dictionary { { Globals.StrTrue, Beaprint.ansi_color_bad }, }; Beaprint.DictPrint(basicDictSystem, colorsSI, false); System.Console.WriteLine(); Watson.FindVulns(); //To update Watson, update the CVEs and add the new ones and update the main function so it uses new CVEs (becausfull with the Beaprints inside the FindVulns function) //Usually you won't need to do anything with the classes Wmi, Vulnerability and VulnerabilityCollection } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } private static void PrintMicrosoftUpdatesCOM() { try { Beaprint.MainPrint("Showing All Microsoft Updates"); var searcher = Type.GetTypeFromProgID("Microsoft.Update.Searcher"); var searcherObj = Activator.CreateInstance(searcher); // get the total number of updates var count = (int)searcherObj.GetType().InvokeMember("GetTotalHistoryCount", BindingFlags.InvokeMethod, null, searcherObj, new object[] { }); // get the pointer to the update collection var results = searcherObj.GetType().InvokeMember("QueryHistory", BindingFlags.InvokeMethod, null, searcherObj, new object[] { 0, count }); for (int i = 0; i < count; ++i) { // get the actual update item var item = searcherObj.GetType().InvokeMember("Item", BindingFlags.GetProperty, null, results, new object[] { i }); // get our properties // ref - https://docs.microsoft.com/en-us/windows/win32/api/wuapi/nn-wuapi-iupdatehistoryentry var title = searcherObj.GetType().InvokeMember("Title", BindingFlags.GetProperty, null, item, new object[] { })?.ToString() ?? string.Empty; var date = searcherObj.GetType().InvokeMember("Date", BindingFlags.GetProperty, null, item, new object[] { }); var description = searcherObj.GetType().InvokeMember("Description", BindingFlags.GetProperty, null, item, new object[] { }); var clientApplicationID = searcherObj.GetType().InvokeMember("ClientApplicationID", BindingFlags.GetProperty, null, item, new object[] { }); string hotfixId = ""; Regex reg = new Regex(@"KB\d+"); var matches = reg.Matches(title); if (matches.Count > 0) { hotfixId = matches[0].ToString(); } Beaprint.NoColorPrint($" HotFix ID : {hotfixId}\n" + $" Installed At (UTC) : {Convert.ToDateTime(date.ToString()).ToUniversalTime()}\n" + $" Title : {title}\n" + $" Client Application ID : {clientApplicationID}\n" + $" Description : {description}\n"); Beaprint.PrintLineSeparator(); Marshal.ReleaseComObject(item); } Marshal.ReleaseComObject(results); Marshal.ReleaseComObject(searcherObj); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintPSInfo() { try { Dictionary colorsPSI = new Dictionary() { { "PS history file: .+", Beaprint.ansi_color_bad }, { "PS history size: .+", Beaprint.ansi_color_bad } }; Beaprint.MainPrint("PowerShell Settings"); Dictionary PSs = Info.SystemInfo.SystemInfo.GetPowerShellSettings(); Beaprint.DictPrint(PSs, colorsPSI, false); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintTranscriptPS() { try { Beaprint.MainPrint("PS default transcripts history"); Beaprint.InfoPrint("Read the PS history inside these files (if any)"); string drive = Path.GetPathRoot(Environment.SystemDirectory); string transcriptsPath = drive + @"transcripts\"; string usersPath = $"{drive}users"; var users = Directory.EnumerateDirectories(usersPath, "*", SearchOption.TopDirectoryOnly); string powershellTranscriptFilter = "powershell_transcript*"; var colors = new Dictionary() { { "^.*", Beaprint.ansi_color_bad }, }; var results = new List(); var dict = new Dictionary() { // check \\transcripts\ folder {transcriptsPath, "*"}, }; foreach (var user in users) { // check the users directories dict.Add($"{user}\\Documents", powershellTranscriptFilter); } foreach (var kvp in dict) { var path = kvp.Key; var filter = kvp.Value; if (Directory.Exists(path)) { try { var files = Directory.EnumerateFiles(path, filter, SearchOption.TopDirectoryOnly).ToList(); foreach (var file in files) { var fileInfo = new FileInfo(file); var humanReadableSize = MyUtils.ConvertBytesToHumanReadable(fileInfo.Length); var item = $"[{humanReadableSize}] - {file}"; results.Add(item); } } catch (UnauthorizedAccessException) { } catch (PathTooLongException) { } catch (DirectoryNotFoundException) { } } } if (results.Count > 0) { Beaprint.ListPrint(results, colors); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } private static void PrintAuditInfo() { try { Beaprint.MainPrint("Audit Settings"); Beaprint.LinkPrint("", "Check what is being logged"); Dictionary auditDict = Info.SystemInfo.SystemInfo.GetAuditSettings(); Beaprint.DictPrint(auditDict, false); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } private static void PrintAuditPoliciesInfo() { try { Beaprint.MainPrint("Audit Policy Settings - Classic & Advanced"); var policies = AuditPolicies.GetAuditPoliciesInfos(); foreach (var policy in policies) { Beaprint.NoColorPrint($" Domain : {policy.Domain}\n" + $" GPO : {policy.GPO}\n" + $" Type : {policy.Type}\n"); foreach (var entry in policy.Settings) { Beaprint.NoColorPrint($" {entry.Subcategory,50} : {entry.AuditType}"); } Beaprint.PrintLineSeparator(); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintWEFInfo() { try { Beaprint.MainPrint("WEF Settings"); Beaprint.LinkPrint("", "Windows Event Forwarding, is interesting to know were are sent the logs"); Dictionary weftDict = Info.SystemInfo.SystemInfo.GetWEFSettings(); Beaprint.DictPrint(weftDict, false); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } void PrintLAPSInfo() { try { Beaprint.MainPrint("LAPS Settings"); Beaprint.LinkPrint("", "If installed, local administrator password is changed frequently and is restricted by ACL"); Dictionary lapsDict = Info.SystemInfo.SystemInfo.GetLapsSettings(); Dictionary colorsSI = new Dictionary() { { badLAPS, Beaprint.ansi_color_bad } }; Beaprint.DictPrint(lapsDict, colorsSI, false); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintWdigest() { Beaprint.MainPrint("Wdigest"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#wdigest", "If enabled, plain-text crds could be stored in LSASS"); string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential"); if (useLogonCredential == "1") Beaprint.BadPrint(" Wdigest is active"); else Beaprint.GoodPrint(" Wdigest is not enabled"); } static void PrintLSAProtection() { Beaprint.MainPrint("LSA Protection"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#lsa-protection", "If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key)"); string useLogonCredential = RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\LSA", "RunAsPPL"); if (useLogonCredential == "1") Beaprint.GoodPrint(" LSA Protection is active"); else Beaprint.BadPrint(" LSA Protection is not enabled"); } static void PrintCredentialGuard() { Beaprint.MainPrint("Credentials Guard"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory"); string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags"); if (lsaCfgFlags == "1") { System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator)."); Beaprint.GoodPrint(" CredentialGuard is active with UEFI lock"); } else if (lsaCfgFlags == "2") { System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator)."); Beaprint.GoodPrint(" CredentialGuard is active without UEFI lock"); } else { Beaprint.BadPrint(" CredentialGuard is not enabled"); } CredentialGuard.PrintInfo(); } static void PrintCachedCreds() { Beaprint.MainPrint("Cached Creds"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user"); string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT"); if (!string.IsNullOrEmpty(cachedlogonscount)) { int clc = Int16.Parse(cachedlogonscount); if (clc > 0) { Beaprint.BadPrint(" cachedlogonscount is " + cachedlogonscount); } else { Beaprint.BadPrint(" cachedlogonscount is " + cachedlogonscount); } } } static void PrintUserEV() { try { Beaprint.MainPrint("User Environment Variables"); Beaprint.LinkPrint("", "Check for some passwords or keys in the env variables"); Dictionary userEnvDict = Info.SystemInfo.SystemInfo.GetUserEnvVariables(); Dictionary colorsSI = new Dictionary() { { Globals.PrintCredStringsLimited, Beaprint.ansi_color_bad } }; Beaprint.DictPrint(userEnvDict, colorsSI, false); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintSystemEV() { try { Beaprint.MainPrint("System Environment Variables"); Beaprint.LinkPrint("", "Check for some passwords or keys in the env variables"); Dictionary sysEnvDict = Info.SystemInfo.SystemInfo.GetSystemEnvVariables(); Dictionary colorsSI = new Dictionary() { { Globals.PrintCredStringsLimited, Beaprint.ansi_color_bad } }; Beaprint.DictPrint(sysEnvDict, colorsSI, false); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintInetInfo() { try { Dictionary colorsSI = new Dictionary() { { "ProxyServer.*", Beaprint.ansi_color_bad } }; Beaprint.MainPrint("HKCU Internet Settings"); Dictionary HKCUDict = Info.SystemInfo.SystemInfo.GetInternetSettings("HKCU"); Beaprint.DictPrint(HKCUDict, colorsSI, true); Beaprint.MainPrint("HKLM Internet Settings"); Dictionary HKMLDict = Info.SystemInfo.SystemInfo.GetInternetSettings("HKLM"); Beaprint.DictPrint(HKMLDict, colorsSI, true); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintDrivesInfo() { try { Beaprint.MainPrint("Drives Information"); Beaprint.LinkPrint("", "Remember that you should search more info inside the other drives"); Dictionary colorsSI = new Dictionary() { { "Permissions.*", Beaprint.ansi_color_bad} }; foreach (Dictionary drive in Info.SystemInfo.SystemInfo.GetDrivesInfo()) { string drive_permissions = string.Join(", ", PermissionsHelper.GetPermissionsFolder(drive["Name"], Checks.CurrentUserSiDs)); string dToPrint = string.Format(" {0} (Type: {1})", drive["Name"], drive["Type"]); if (!string.IsNullOrEmpty(drive["Volume label"])) dToPrint += "(Volume label: " + drive["Volume label"] + ")"; if (!string.IsNullOrEmpty(drive["Filesystem"])) dToPrint += "(Filesystem: " + drive["Filesystem"] + ")"; if (!string.IsNullOrEmpty(drive["Available space"])) dToPrint += "(Available space: " + (((Int64.Parse(drive["Available space"]) / 1024) / 1024) / 1024).ToString() + " GB)"; if (drive_permissions.Length > 0) dToPrint += "(Permissions: " + drive_permissions + ")"; Beaprint.AnsiPrint(dToPrint, colorsSI); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintAVInfo() { try { Beaprint.MainPrint("AV Information"); Dictionary AVInfo = Info.SystemInfo.SystemInfo.GetAVInfo(); if (AVInfo.ContainsKey("Name") && AVInfo["Name"].Length > 0) Beaprint.GoodPrint(" Some AV was detected, search for bypasses"); else Beaprint.BadPrint(" No AV was detected!!"); Beaprint.DictPrint(AVInfo, true); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintUACInfo() { try { Beaprint.MainPrint("UAC Status"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC"); Dictionary uacDict = Info.SystemInfo.SystemInfo.GetUACSystemPolicies(); Dictionary colorsSI = new Dictionary() { { badUAC, Beaprint.ansi_color_bad }, { goodUAC, Beaprint.ansi_color_good } }; Beaprint.DictPrint(uacDict, colorsSI, false); if ((uacDict["EnableLUA"] == "") || (uacDict["EnableLUA"] == "0")) Beaprint.BadPrint(" [*] EnableLUA != 1, UAC policies disabled.\r\n [+] Any local account can be used for lateral movement."); if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] == "1")) Beaprint.BadPrint(" [*] LocalAccountTokenFilterPolicy set to 1.\r\n [+] Any local account can be used for lateral movement."); if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] != "1") && (uacDict["FilterAdministratorToken"] != "1")) Beaprint.GoodPrint(" [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.\r\n [-] Only the RID-500 local admin account can be used for lateral movement."); if ((uacDict["EnableLUA"] == "1") && (uacDict["LocalAccountTokenFilterPolicy"] != "1") && (uacDict["FilterAdministratorToken"] == "1")) Beaprint.GoodPrint(" [*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken == 1.\r\n [-] No local accounts can be used for lateral movement."); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintWSUS() { try { Beaprint.MainPrint("Checking WSUS"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus"); string path = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate"; string path2 = "Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU"; string HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path, "WUServer"); string using_HKLM_WSUS = RegistryHelper.GetRegValue("HKLM", path2, "UseWUServer"); if (HKLM_WSUS.Contains("http://")) { Beaprint.BadPrint(" WSUS is using http: " + HKLM_WSUS); Beaprint.InfoPrint("You can test https://github.com/pimps/wsuxploit to escalate privileges"); if (using_HKLM_WSUS == "1") Beaprint.BadPrint(" And UseWUServer is equals to 1, so it is vulnerable!"); else if (using_HKLM_WSUS == "0") Beaprint.GoodPrint(" But UseWUServer is equals to 0, so it is not vulnerable!"); else System.Console.WriteLine(" But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not"); } else { if (string.IsNullOrEmpty(HKLM_WSUS)) Beaprint.NotFoundPrint(); else Beaprint.GoodPrint(" WSUS value: " + HKLM_WSUS); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } static void PrintAlwaysInstallElevated() { try { Beaprint.MainPrint("Checking AlwaysInstallElevated"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated"); string path = "Software\\Policies\\Microsoft\\Windows\\Installer"; string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated"); string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated"); if (HKLM_AIE == "1") { Beaprint.BadPrint(" AlwaysInstallElevated set to 1 in HKLM!"); } if (HKCU_AIE == "1") { Beaprint.BadPrint(" AlwaysInstallElevated set to 1 in HKCU!"); } if (HKLM_AIE != "1" && HKCU_AIE != "1") { Beaprint.GoodPrint(" AlwaysInstallElevated isn't available"); } } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } private static void PrintNtlmSettings() { Beaprint.MainPrint($"Enumerating NTLM Settings"); try { var info = Ntlm.GetNtlmSettingsInfo(); string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel >= 3 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad; Beaprint.ColorPrint($" LanmanCompatibilityLevel : {info.LanmanCompatibilityLevel} ({info.LanmanCompatibilityLevelString})\n", lmCompatibilityLevelColor); var ntlmSettingsColors = new Dictionary { { "True", Beaprint.ansi_color_good }, { "False", Beaprint.ansi_color_bad }, { "No signing", Beaprint.ansi_color_bad}, { "null", Beaprint.ansi_color_bad}, { "Require Signing", Beaprint.ansi_color_good}, { "Negotiate signing", Beaprint.ansi_color_yellow}, { "Unknown", Beaprint.ansi_color_bad}, }; Beaprint.ColorPrint("\n NTLM Signing Settings", Beaprint.LBLUE); Beaprint.AnsiPrint($" ClientRequireSigning : {info.ClientRequireSigning}\n" + $" ClientNegotiateSigning : {info.ClientNegotiateSigning}\n" + $" ServerRequireSigning : {info.ServerRequireSigning}\n" + $" ServerNegotiateSigning : {info.ServerNegotiateSigning}\n" + $" LdapSigning : {(info.LdapSigning != null ? info.LdapSigningString : "null")} ({info.LdapSigningString})", ntlmSettingsColors); Beaprint.ColorPrint("\n Session Security", Beaprint.LBLUE); if (info.NTLMMinClientSec != null) { var clientSessionSecurity = (SessionSecurity)info.NTLMMinClientSec; var clientSessionSecurityDescription = clientSessionSecurity.GetDescription(); var color = !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !clientSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good; Beaprint.ColorPrint($" NTLMMinClientSec : {info.NTLMMinClientSec} ({clientSessionSecurityDescription})", color); if (info.LanmanCompatibilityLevel < 3 && !clientSessionSecurity.HasFlag(SessionSecurity.NTLMv2)) { Beaprint.BadPrint(" [!] NTLM clients support NTLMv1!"); } } if (info.NTLMMinServerSec != null) { var serverSessionSecurity = (SessionSecurity)info.NTLMMinServerSec; var serverSessionSecurityDescription = serverSessionSecurity.GetDescription(); var color = !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2) && !serverSessionSecurity.HasFlag(SessionSecurity.Require128BitKey) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good; Beaprint.ColorPrint($" NTLMMinServerSec : {info.NTLMMinServerSec} ({serverSessionSecurityDescription})\n", color); if (info.LanmanCompatibilityLevel < 3 && !serverSessionSecurity.HasFlag(SessionSecurity.NTLMv2)) { Beaprint.BadPrint(" [!] NTLM services on this machine support NTLMv1!"); } } var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad; Beaprint.ColorPrint("\n NTLM Auditing and Restrictions", Beaprint.LBLUE); Beaprint.NoColorPrint($" InboundRestrictions : {info.InboundRestrictions} ({info.InboundRestrictionsString})"); Beaprint.ColorPrint($" OutboundRestrictions : {info.OutboundRestrictions} ({info.OutboundRestrictionsString})", ntlmOutboundRestrictionsColor); Beaprint.NoColorPrint($" InboundAuditing : {info.InboundAuditing} ({info.InboundRestrictionsString})"); Beaprint.NoColorPrint($" OutboundExceptions : {info.OutboundExceptions}"); } catch (Exception ex) { Beaprint.PrintException(ex.Message); } } private static void PrintPrintersWMIInfo() { Beaprint.MainPrint("Enumerating Printers (WMI)"); try { foreach (var printer in Printers.GetPrinterWMIInfos()) { Beaprint.NoColorPrint($" Name: {printer.Name}\n" + $" Status: {printer.Status}\n" + $" Sddl: {printer.Sddl}\n" + $" Is default: {printer.IsDefault}\n" + $" Is network printer: {printer.IsNetworkPrinter}\n"); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { //Beaprint.PrintException(ex.Message); } } private static void PrintNamedPipes() { Beaprint.MainPrint("Enumerating Named Pipes"); try { string formatString = " {0,-100} {1}\n"; Beaprint.NoColorPrint(string.Format($"{formatString}", "Name", "Sddl")); foreach (var namedPipe in NamedPipes.GetNamedPipeInfos()) { Beaprint.BadPrint(string.Format(formatString, namedPipe.Name, namedPipe.Sddl)); } } catch (Exception ex) { //Beaprint.PrintException(ex.Message); } } private void PrintAMSIProviders() { Beaprint.MainPrint("Enumerating AMSI registered providers"); try { var providers = RegistryHelper.GetRegSubkeys("HKLM", @"SOFTWARE\Microsoft\AMSI\Providers") ?? new string[] { }; foreach (var provider in providers) { var providerPath = RegistryHelper.GetRegValue("HKLM", $"SOFTWARE\\Classes\\CLSID\\{provider}\\InprocServer32", ""); Beaprint.NoColorPrint($" Provider: {provider}\n" + $" Path: {providerPath}\n"); Beaprint.PrintLineSeparator(); } } catch (Exception) { } } private void PrintSysmon() { PrintSysmonConfiguration(); PrintSysmonEventLogs(); } private void PrintSysmonConfiguration() { Beaprint.MainPrint("Enumerating Sysmon configuration"); Dictionary colors = new Dictionary { { SysMon.NotDefined, Beaprint.ansi_color_bad }, { "False", Beaprint.ansi_color_bad }, }; try { if (!MyUtils.IsHighIntegrity()) { Beaprint.NoColorPrint(" You must be an administrator to run this check"); return; } foreach (var item in SysMon.GetSysMonInfos()) { Beaprint.AnsiPrint($" Installed: {item.Installed}\n" + $" Hashing Algorithm: {item.HashingAlgorithm.GetDescription()}\n" + $" Options: {item.Options.GetDescription()}\n" + $" Rules: {item.Rules}\n", colors); Beaprint.PrintLineSeparator(); } } catch (Exception) { } } private void PrintSysmonEventLogs() { Beaprint.MainPrint("Enumerating Sysmon process creation logs (1)"); try { if (!MyUtils.IsHighIntegrity()) { Beaprint.NoColorPrint(" You must be an administrator to run this check"); return; } foreach (var item in SysMon.GetSysMonEventInfos()) { Beaprint.BadPrint($" EventID: {item.EventID}\n" + $" User Name: {item.UserName}\n" + $" Time Created: {item.TimeCreated}\n"); Beaprint.PrintLineSeparator(); } } catch (Exception) { } } private static void PrintWindowsDefenderInfo() { Beaprint.MainPrint("Windows Defender configuration"); void DisplayDefenderSettings(WindowsDefenderSettings settings) { var pathExclusions = settings.PathExclusions; var processExclusions = settings.ProcessExclusions; var extensionExclusions = settings.ExtensionExclusions; var asrSettings = settings.AsrSettings; if (pathExclusions.Count != 0) { Beaprint.NoColorPrint("\n Path Exclusions:"); foreach (var path in pathExclusions) { Beaprint.NoColorPrint($" {path}"); } } if (pathExclusions.Count != 0) { Beaprint.NoColorPrint("\n PolicyManagerPathExclusions:"); foreach (var path in pathExclusions) { Beaprint.NoColorPrint($" {path}"); } } if (processExclusions.Count != 0) { Beaprint.NoColorPrint("\n Process Exclusions"); foreach (var process in processExclusions) { Beaprint.NoColorPrint($" {process}"); } } if (extensionExclusions.Count != 0) { Beaprint.NoColorPrint("\n Extension Exclusions"); foreach (var ext in extensionExclusions) { Beaprint.NoColorPrint($" {ext}"); } } if (asrSettings.Enabled) { Beaprint.NoColorPrint("\n Attack Surface Reduction Rules:\n"); Beaprint.NoColorPrint($" {"State",-10} Rule\n"); foreach (var rule in asrSettings.Rules) { string state; if (rule.State == 0) state = "Disabled"; else if (rule.State == 1) state = "Blocked"; else if (rule.State == 2) state = "Audited"; else state = $"{rule.State} - Unknown"; var asrRule = _asrGuids.ContainsKey(rule.Rule.ToString()) ? _asrGuids[rule.Rule.ToString()] : $"{rule.Rule} - Please report this"; Beaprint.NoColorPrint($" {state,-10} {asrRule}"); } if (asrSettings.Exclusions.Count > 0) { Beaprint.NoColorPrint("\n ASR Exclusions:"); foreach (var exclusion in asrSettings.Exclusions) { Beaprint.NoColorPrint($" {exclusion}"); } } } } try { var info = WindowsDefender.GetDefenderSettingsInfo(); Beaprint.ColorPrint(" Local Settings", Beaprint.LBLUE); DisplayDefenderSettings(info.LocalSettings); Beaprint.ColorPrint(" Group Policy Settings", Beaprint.LBLUE); DisplayDefenderSettings(info.GroupPolicySettings); } catch (Exception e) { } } private static void PrintDotNetVersions() { try { Beaprint.MainPrint("Installed .NET versions\n"); var info = DotNet.GetDotNetInfo(); Beaprint.ColorPrint(" CLR Versions", Beaprint.LBLUE); foreach (var version in info.ClrVersions) { Beaprint.NoColorPrint($" {version}"); } Beaprint.ColorPrint("\n .NET Versions", Beaprint.LBLUE); foreach (var version in info.DotNetVersions) { Beaprint.NoColorPrint($" {version}"); } var colors = new Dictionary { { "True", Beaprint.ansi_color_good }, { "False", Beaprint.ansi_color_bad }, }; Beaprint.ColorPrint("\n .NET & AMSI (Anti-Malware Scan Interface) support", Beaprint.LBLUE); Beaprint.AnsiPrint($" .NET version supports AMSI : {info.IsAmsiSupportedByDotNet}\n" + $" OS supports AMSI : {info.IsAmsiSupportedByOs}", colors); var highestVersion = info.HighestVersion; var lowestVersion = info.LowestVersion; if ((highestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion) && (highestVersion.Minor >= DotNetInfo.AmsiSupportedByDotNetMinMinorVersion)) { Beaprint.NoColorPrint($" [!] The highest .NET version is enrolled in AMSI!"); } if ( info.IsAmsiSupportedByOs && info.IsAmsiSupportedByDotNet && (( (lowestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion - 1) ) || ((lowestVersion.Major == DotNetInfo.AmsiSupportedByDotNetMinMajorVersion) && (lowestVersion.Minor < DotNetInfo.AmsiSupportedByDotNetMinMinorVersion))) ) { Beaprint.NoColorPrint($" [-] You can invoke .NET version {lowestVersion.Major}.{lowestVersion.Minor} to bypass AMSI."); } } catch (Exception e) { } } private static void PrintSystemLastShutdownTime() { try { Beaprint.MainPrint("System Last Shutdown Date/time (from Registry)\n"); var shutdownBytes = RegistryHelper.GetRegValueBytes("HKLM", "SYSTEM\\ControlSet001\\Control\\Windows", "ShutdownTime"); if (shutdownBytes != null) { var shutdownInt = BitConverter.ToInt64(shutdownBytes, 0); var shutdownTime = DateTime.FromFileTime(shutdownInt); Beaprint.NoColorPrint($" Last Shutdown Date/time : {shutdownTime}"); } } catch (Exception ex) { } } private static void PrintLSAInfo() { try { Beaprint.MainPrint("Enumerate LSA settings - auth packages included\n"); var settings = RegistryHelper.GetRegValues("HKLM", "SYSTEM\\CurrentControlSet\\Control\\Lsa"); if ((settings != null) && (settings.Count != 0)) { foreach (var kvp in settings) { var val = string.Empty; if (kvp.Value.GetType().IsArray && (kvp.Value.GetType().GetElementType().ToString() == "System.String")) { val = string.Join(",", (string[])kvp.Value); } else if (kvp.Value.GetType().IsArray && (kvp.Value.GetType().GetElementType().ToString() == "System.Byte")) { val = System.BitConverter.ToString((byte[])kvp.Value); } else { val = kvp.Value.ToString(); } var key = kvp.Key; Beaprint.NoColorPrint($" {key,-30} : {val}"); if (Regex.IsMatch(key, "Security Packages") && Regex.IsMatch(val, @".*wdigest.*")) { Beaprint.BadPrint(" [!] WDigest is enabled - plaintext password extraction is possible!"); } if (key.Equals("RunAsPPL", System.StringComparison.InvariantCultureIgnoreCase) && val == "1") { Beaprint.BadPrint(" [!] LSASS Protected Mode is enabled! You will not be able to access lsass.exe's memory easily."); } if (key.Equals("DisableRestrictedAdmin", System.StringComparison.InvariantCultureIgnoreCase) && val == "0") { Beaprint.BadPrint(" [!] RDP Restricted Admin Mode is enabled! You can use pass-the-hash to access RDP on this system."); } } } } catch (Exception ex) { } } private static void PrintLocalGroupPolicy() { try { Beaprint.MainPrint("Display Local Group Policy settings - local users/machine" ); var infos = GroupPolicy.GetLocalGroupPolicyInfos(); foreach (var info in infos) { Beaprint.NoColorPrint($" Type : {info.GPOType}\n" + $" Display Name : {info.DisplayName}\n" + $" Name : {info.GPOName}\n" + $" Extensions : {info.Extensions}\n" + $" File Sys Path : {info.FileSysPath}\n" + $" Link : {info.Link}\n" + $" GPO Link : {info.GPOLink.GetDescription()}\n" + $" Options : {info.Options.GetDescription()}\n"); Beaprint.PrintLineSeparator(); } } catch (Exception ex) { } } private static void PrintPowerShellSessionSettings() { try { Beaprint.MainPrint("Enumerating PowerShell Session Settings using the registry"); if (!MyUtils.IsHighIntegrity()) { Beaprint.NoColorPrint(" You must be an administrator to run this check"); return; } var infos = PowerShell.GetPowerShellSessionSettingsInfos(); foreach (var info in infos) { Beaprint.NoColorPrint($" {"Name",-38} {info.Plugin}"); foreach (var access in info.Permissions) { Beaprint.NoColorPrint($" {access.Principal,-35} {access.Permission,-22}"); } Beaprint.PrintLineSeparator(); } } catch (Exception ex) { } } private static void PrintRegistryCreds() { try { Beaprint.MainPrint("Enumerating saved credentials in Registry (CurrentPass)"); string currentPass = "CurrentPass"; var hive = "HKLM"; var path = "System"; var controlSet = "ControlSet"; var colors = new Dictionary { { currentPass, Beaprint.ansi_color_bad } }; var subkeys = RegistryHelper.GetRegSubkeys(hive, path); foreach (var subkey in subkeys.Where(i => i.Contains(controlSet))) { try { var subPath = @$"{path}\{subkey}\Control"; var key = $@"{hive}\{subPath}\{currentPass}"; var value = RegistryHelper.GetRegValue(hive, subPath, currentPass); if (!string.IsNullOrWhiteSpace(value)) { Beaprint.AnsiPrint($@" {key,-60} : {value}", colors); } } catch (Exception) { } } } catch (Exception ex) { } } } }