Get-WmiNamespaceDacl.ps1
<# Questions / todo
#check for namespace privs
#check for reg key privs
#check for dll hijacking due to missing quotes
#check for dll file privs
#check for impersonation - named pipe, token duplication, scheduled task,other?
#identify managed vs unmanaged; native vs custom
# what else?
References
https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-providers
https://docs.microsoft.com/en-us/windows/win32/wmisdk/access-to-wmi-namespaces
https://docs.microsoft.com/en-us/windows/win32/wmisdk/access-to-wmi-namespaces#default-permissions-on-wmi-namespaces
https://docs.microsoft.com/en-us/windows/win32/wmisdk/namespace-access-rights-constants
https://docs.microsoft.com/en-us/windows/win32/wmisdk/swbemsecurity-impersonationlevel
https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-the-default-process-security-level-using-vbscript
https://flylib.com/books/en/2.679.1.10/1/
https://raw.githubusercontent.com/gbragante/WMI-Scripts/ae870a9c366b920809cd4b9efc6d32fd50201a21/WMI-Report/WMI-Report.ps1
https://github.com/SonamVerma9/ansible_aws_backup/blob/e0fb39aa495513922d6767fb2263a2f34f2b93a6/S3files/windows/Set-WmiNamespaceSecurity.ps1
#>
# Source: https://github.com/KurtDeGreeff/PlayPowershell/blob/41de33a16d49e7d2e2df802697129ffd1dc965c2/Get-WmiNamespaceSecurity.ps1
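function Get-WmiNamespaceDacl
{
    <#
    .SYNOPSIS
    Reads the DACL of a WMI namespace and returns one object per ACE.

    .DESCRIPTION
    Invokes __SystemSecurity.GetSecurityDescriptor on the namespace and decodes
    each ACE's AccessMask into the WMI namespace access right names.

    .PARAMETER namespace
    Namespace to inspect, e.g. root\cimv2.

    .PARAMETER computer
    Target computer name; "." is the local machine.

    .PARAMETER credential
    Optional credential forwarded to Invoke-WmiMethod.

    .OUTPUTS
    PSObject with Name (Domain\Name of the trustee), Permission (names of the
    rights the ACE grants; empty when no known bit is set) and Inherited (bool,
    true when the INHERITED_ACE flag is set).
    Throws when GetSecurityDescriptor returns a non-zero ReturnValue.
    #>
    Param (
        [parameter(Mandatory=$true,Position=0)][string] $namespace,
        [string] $computer = ".",
        [System.Management.Automation.PSCredential] $credential = $null
    )
    Process {
        $ErrorActionPreference = "Stop"

        # Decodes an ACE AccessMask into the names of the namespace rights it grants.
        Function Get-PermissionFromAccessMask($accessMask) {
            # WBEM namespace access right constants, plus the two standard rights
            # (READ_CONTROL / WRITE_DAC) that WMI reports as ReadSecurity /
            # WriteSecurity. Subscribe and Publish were previously never assigned,
            # so those two bits (0x40 / 0x80) were silently never reported.
            $WBEM_ENABLE            = 0x1
            $WBEM_METHOD_EXECUTE    = 0x2
            $WBEM_FULL_WRITE_REP    = 0x4
            $WBEM_PARTIAL_WRITE_REP = 0x8
            $WBEM_WRITE_PROVIDER    = 0x10
            $WBEM_REMOTE_ACCESS     = 0x20
            $WBEM_RIGHT_SUBSCRIBE   = 0x40
            $WBEM_RIGHT_PUBLISH     = 0x80
            $READ_CONTROL           = 0x20000
            $WRITE_DAC              = 0x40000
            # Flag i maps to name i: keep both lists in the same order.
            $WBEM_RIGHTS_FLAGS = @(
                $WBEM_ENABLE, $WBEM_METHOD_EXECUTE, $WBEM_FULL_WRITE_REP,
                $WBEM_PARTIAL_WRITE_REP, $WBEM_WRITE_PROVIDER, $WBEM_REMOTE_ACCESS,
                $WBEM_RIGHT_SUBSCRIBE, $WBEM_RIGHT_PUBLISH, $READ_CONTROL, $WRITE_DAC
            )
            $WBEM_RIGHTS_STRINGS = @(
                "Enable", "MethodExecute", "FullWrite", "PartialWrite",
                "ProviderWrite", "RemoteAccess", "Subscribe", "Publish",
                "ReadSecurity", "WriteSecurity"
            )
            $permission = @()
            for ($i = 0; $i -lt $WBEM_RIGHTS_FLAGS.Length; $i++) {
                if (($accessMask -band $WBEM_RIGHTS_FLAGS[$i]) -ne 0) {
                    $permission += $WBEM_RIGHTS_STRINGS[$i]
                }
            }
            $permission
        }

        $INHERITED_ACE_FLAG = 0x10   # INHERITED_ACE bit of AceFlags

        $invokeparams = @{
            Namespace    = $namespace
            Path         = "__systemsecurity=@"
            Name         = "GetSecurityDescriptor"
            ComputerName = $computer
        }
        # Only splat -Credential when the caller supplied one.
        $credparams = @{}
        if ($null -ne $credential) {
            $credparams = @{ Credential = $credential }
        }

        $output = Invoke-WmiMethod @invokeparams @credparams
        if ($output.ReturnValue -ne 0) {
            throw "GetSecurityDescriptor failed: $($output.ReturnValue)"
        }

        foreach ($ace in $output.Descriptor.DACL) {
            $user = New-Object System.Management.Automation.PSObject
            $user | Add-Member -MemberType NoteProperty -Name "Name" `
                -Value "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            $user | Add-Member -MemberType NoteProperty -Name "Permission" `
                -Value (Get-PermissionFromAccessMask $ace.AccessMask)
            $user | Add-Member -MemberType NoteProperty -Name "Inherited" `
                -Value (($ace.AceFlags -band $INHERITED_ACE_FLAG) -ne 0)
            $user
        }
    }
}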
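# Enumerate the WMI providers registered in $ns and join each one with the DACL
# of the namespace it lives in; emits one object per (provider, trustee, right).
# Inputs: $ns - namespace to enumerate; defaults to root\cimv2 when not set by
# the caller (it was previously used without ever being assigned).
# Uses Get-WmiNamespaceDacl, defined above in this file.
if (-not $ns) { $ns = 'root\cimv2' }

Get-WmiObject -NameSpace $ns -Class __Win32Provider |
    Select-Object Name, __PATH, __NAMESPACE, CLSID, AssemblyPath, ImpersonationLevel |
    ForEach-Object {
        $provider = $_

        # Reset per provider: without this a provider with no CLSID kept the
        # previous provider's key and DLL in its output row.
        $CLSID_KEY = $null
        $CLSID_DLL = $null
        if ($provider.CLSID) {
            $CLSID_KEY = "HKCR:\CLSID\$($provider.CLSID)\InprocServer32\"
            # HKCR: is not a built-in PSDrive, so address the hive through the
            # Registry provider. A missing key or (default) value leaves
            # CLSID_DLL empty rather than aborting the enumeration.
            $CLSID_DLL = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($provider.CLSID)\InprocServer32" -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty "(default)" -ErrorAction SilentlyContinue
        }

        # Query the DACL of the namespace the provider is registered in.
        # (__PATH with the host prefix stripped is an instance path, not a
        # namespace, so it is not a usable -namespace argument.)
        try {
            $aces = Get-WmiNamespaceDacl -namespace $provider.__NAMESPACE
        } catch {
            Write-Warning "Could not read DACL of $($provider.__NAMESPACE) for provider $($provider.Name): $_"
            return   # continue with the next provider
        }

        foreach ($ace in $aces) {
            # @() keeps one row for an ACE whose mask decoded to no known right.
            foreach ($right in @($ace.Permission)) {
                # Authenticated Users get Enable, MethodExecute and ProviderWrite
                # by default (see the default-permissions reference above); any
                # other right granted to them is flagged. Other trustees are not
                # scored here.
                $nonDefault = "0"
                if ($ace.Name -like "NT AUTHORITY\Authenticated Users" -and
                    @("Enable", "MethodExecute", "ProviderWrite") -notcontains $right) {
                    $nonDefault = "1"
                }

                $row = New-Object PSObject
                $row | Add-Member NoteProperty Name               $provider.Name
                $row | Add-Member NoteProperty __PATH             $provider.__PATH
                $row | Add-Member NoteProperty __NAMESPACE        $provider.__NAMESPACE
                $row | Add-Member NoteProperty CLSID              $provider.CLSID
                $row | Add-Member NoteProperty CLSID_Key          $CLSID_KEY
                $row | Add-Member NoteProperty CLSID_DLL          $CLSID_DLL
                $row | Add-Member NoteProperty AssemblyPath       $provider.AssemblyPath
                $row | Add-Member NoteProperty ImpersonationLevel $provider.ImpersonationLevel
                $row | Add-Member NoteProperty Principal          $ace.Name
                $row | Add-Member NoteProperty Permission         $right
                $row | Add-Member NoteProperty Inherited          $ace.Inherited
                $row | Add-Member NoteProperty NonDefault         $nonDefault
                $row
            }
        }
    }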
# List classes
# List methods