@p0w3rsh3ll
Created April 9, 2023 20:19
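#Requires -RunAsAdministrator
<#
.SYNOPSIS
Helps evaluate the DCOM hardening status introduced by KB5004442
.DESCRIPTION
Helps evaluate the DCOM hardening status introduced by KB5004442.
Without parameters the script only reads the registry and reports through the verbose stream.
With -Enable it writes the registry; with -OnlyShowLowAuthDcomApp it only queries the WMI repository.
The elevation requirement above applies to the whole script, including the read-only modes.
.PARAMETER Enable
Switch to modify the registry and explicitly enable the RequireIntegrityActivationAuthenticationLevel value
.PARAMETER OnlyShowLowAuthDcomApp
Switch to only get the list of low Authentication DCOM Applications from the WMI repository
.EXAMPLE
.\DCOM-Hardening.ps1 -Verbose
VERBOSE: Evaluating DCOM Hardening status
VERBOSE: RequireIntegrityActivationAuthenticationLevel value is: 1
VERBOSE: Hardening is enabled explicitly
VERBOSE: Value is already enabled for RequireIntegrityActivationAuthenticationLevel - no change is required
VERBOSE: Hardening raise value not present
VERBOSE: Hardening is enabled and raise value not present
.EXAMPLE
.\DCOM-Hardening.ps1 -Verbose -Enable
VERBOSE: Require value changed to 1 successfully
VERBOSE: Raise value RaiseActivationAuthenticationLevel deleted successfully
.EXAMPLE
.\DCOM-Hardening.ps1 -OnlyShowLowAuthDcomApp
Caption AppID AuthenticationLevel
------- ----- -------------------
{42CBFAA7-A4A7-47BB-B422-BD10E9D02700} 2
UPnPContainer {6d8ff8e0-730d-11d4-bf42-00b0d0118b56} 0
UPnPContainer64 {6d8ff8e8-730d-11d4-bf42-00b0d0118b56} 0
AccStore Class {DE5DBCDC-104A-4cbc-A4D5-0C2104A142C5} 1
.NOTES
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/dcom-authentication-hardening-what-you-need-to-know/ba-p/3657154
DCOM client-side patch on November 8, 2022
This update will automatically raise the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY at a minimum.
With this change, most Windows DCOM clients will automatically work with DCOM hardening changes on the server side without any further modification to the DCOM client.
This update will be activated by default but can be deactivated by setting its registry key to 1.
This patch is disabled by default for Windows 10, versions 1809 and 1607, and Windows Server 2016.
To enable it, set the registry key value for RaiseActivationAuthenticationLevel to 2
Inspired from https://github.com/otoriocyber/DCOM-HardeningTool/blob/main/DisableDcomHardening.ps1
#>
[CmdletBinding(DefaultParameterSetName='__AllParameterSets')]
Param (
    # Write mode: sets RequireIntegrityActivationAuthenticationLevel to 1 and removes RaiseActivationAuthenticationLevel
    [Parameter(ParameterSetName='Set')]
    [Switch]$Enable,
    # Read-only WMI mode: lists DCOM applications whose AuthenticationLevel is below 5 (Packet Integrity)
    [Parameter(ParameterSetName='WMI')]
    [Switch]$OnlyShowLowAuthDcomApp
)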
Begin {
    # Names of the two KB5004442 registry values evaluated by this script
    [string]$RequireValueName = 'RequireIntegrityActivationAuthenticationLevel'
    [string]$RaiseValueName   = 'RaiseActivationAuthenticationLevel'
    # Parameters splatted into the registry cmdlets: the AppCompat key path plus fail-fast error handling,
    # so a missing key or a failed write surfaces as a terminating error caught by the callers.
    $HT = @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'; ErrorAction = 'Stop' }
}
# Nothing is streamed through the pipeline; all work happens in End.
Process {}
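End {
    Switch ($PSCmdlet.ParameterSetName) {
        WMI {
            # Read-only: DCOM applications registered with an authentication level below 5
            # (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY), i.e. the ones affected by the hardening.
            # Level 0 is RPC_C_AUTHN_LEVEL_DEFAULT, so a 0 here does not by itself mean "no authentication".
            try {
                Get-CimInstance -Query 'SELECT * FROM Win32_DCOMApplicationSetting where AuthenticationLevel<5' -ErrorAction Stop -Verbose:$false |
                Select-Object -Property Caption, AppID, AuthenticationLevel
            } catch {
                Write-Warning -Message "Failed to read WMI because $($_.Exception.Message)"
            }
            break
        }
        Set {
            #region Enable
            try {
                # 1. Explicitly set the Require value (DWORD 1 = hardening enabled)
                $null = New-ItemProperty -Name $RequireValueName -Value 1 -Type DWord -Force @HT
                # Read the value back so "successfully" is only reported for a write that actually landed
                $readBack = (Get-ItemProperty @HT -Name $RequireValueName).($RequireValueName)
                if ($readBack -eq 1) {
                    Write-Verbose -Message "Require value changed to 1 successfully"
                } else {
                    Write-Warning -Message "Value $($RequireValueName) reads back as '$($readBack)' instead of 1"
                }
                # 2. Remove the Raise value. RegistryKey.GetValue() returns $null for an absent value,
                #    so a deletion is only claimed when there was something to delete; a failed removal
                #    is no longer silenced (it is reported through the catch below).
                $raiseValue = (Get-Item @HT).GetValue($RaiseValueName)
                if ($null -ne $raiseValue) {
                    Remove-ItemProperty -Name $RaiseValueName -Force @HT
                    Write-Verbose -Message "Raise value $($RaiseValueName) deleted successfully"
                } else {
                    Write-Verbose -Message "Raise value $($RaiseValueName) not present - nothing to delete"
                }
            } catch {
                Write-Warning -Message "Failed to set value because $($_.Exception.Message)"
            }
            #endregion
            break
        }
        default {
            Write-Verbose -Message 'Evaluating DCOM Hardening status'
            # After this date an absent value is treated as "hardening enabled by default"
            # (KB5004442 enforcement phase, see .NOTES).
            $enforcementDate = Get-Date -Year 2023 -Month 3 -Day 14
            $enforced = (Get-Date) -gt $enforcementDate
            # Open the key once. RegistryKey.GetValue() returns $null for an absent value, which
            # keeps a stored 0 distinct from "not present": testing the value with if ($result)
            # treats 0 as false and would report an explicitly disabled hardening as enabled.
            $key = $null
            try {
                $key = Get-Item @HT
            } catch {
                Write-Warning -Message "Failed to read key $($HT.Path) because $($_.Exception.Message)"
            }
            if ($null -eq $key) { break }
            #region RequireIntegrityActivationAuthenticationLevel
            $result = $key.GetValue($RequireValueName)
            if ($null -ne $result) {
                Write-Verbose -Message "$($RequireValueName) value is: $($result)"
                Switch ($result) {
                    0 {
                        Write-Verbose -Message 'Hardening is disabled explicitly, value is ignored'
                        break
                    }
                    1 {
                        Write-Verbose -Message 'Hardening is enabled explicitly'
                        Write-Verbose -Message "Value is already enabled for $($RequireValueName) - no change is required"
                        break
                    }
                    default {
                        Write-Warning -Message "Unexpected result for $($RequireValueName) found $($result)"
                    }
                }
            } else {
                Write-Verbose -Message 'Hardening value not present'
                if ($enforced) {
                    # Absent value means hardening enabled by default
                    Write-Verbose -Message 'Hardening is enabled with value not present'
                }
            }
            #endregion
            #region Raise
            $result = $key.GetValue($RaiseValueName)
            if ($null -ne $result) {
                Write-Verbose -Message "$($RaiseValueName) value is: $($result)"
                Switch ($result) {
                    2 {
                        Write-Verbose -Message 'Activation Authentication Level is raised'
                        break
                    }
                    1 {
                        Write-Verbose -Message 'Activation Authentication Level is Default'
                        break
                    }
                    default {
                        Write-Warning -Message "Unexpected raise value found $($result)"
                    }
                }
            } else {
                Write-Verbose -Message 'Hardening raise value not present'
                if ($enforced) {
                    # Absent value means hardening enabled by default
                    Write-Verbose -Message 'Hardening is enabled and raise value not present'
                }
            }
            #endregion
        }
    }
}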