27 """
28 @author: AAron Walters and Brendan Dolan-Gavitt
29 @license: GNU General Public License 2.0 or later
30 @contact: awalters@volatilesystems.com,bdolangavitt@wesleyan.edu
31 @organization: Volatile Systems
32 """
33
34
35 import re
36 from rekall.plugins.windows import common
37
38
39 -class GetSIDs(common.WinProcessFilter):
40 """Print the SIDs owning each process token."""
41
42 __name = "tokens"
43
44 well_known_sid_re = [
45 (re.compile(r'S-1-5-[0-9-]+-500'), 'Administrator'),
46 (re.compile(r'S-1-5-[0-9-]+-501'), 'Guest'),
47 (re.compile(r'S-1-5-[0-9-]+-502'), 'KRBTGT'),
48 (re.compile(r'S-1-5-[0-9-]+-512'), 'Domain Admins'),
49 (re.compile(r'S-1-5-[0-9-]+-513'), 'Domain Users'),
50 (re.compile(r'S-1-5-[0-9-]+-514'), 'Domain Guests'),
51 (re.compile(r'S-1-5-[0-9-]+-515'), 'Domain Computers'),
52 (re.compile(r'S-1-5-[0-9-]+-516'), 'Domain Controllers'),
53 (re.compile(r'S-1-5-[0-9-]+-517'), 'Cert Publishers'),
54 (re.compile(r'S-1-5-[0-9-]+-520'), 'Group Policy Creator Owners'),
55 (re.compile(r'S-1-5-[0-9-]+-533'), 'RAS and IAS Servers'),
56 (re.compile(r'S-1-5-5-[0-9]+-[0-9]+'), 'Logon Session'),
57 (re.compile(r'S-1-5-21-[0-9-]+-518'), 'Schema Admins'),
58 (re.compile(r'S-1-5-21-[0-9-]+-519'), 'Enterprise Admins'),
59 (re.compile(r'S-1-5-21-[0-9-]+-553'), 'RAS Servers'),
60 ]
61
62 well_known_sids = {
63 'S-1-0': 'Null Authority',
64 'S-1-0-0': 'Nobody',
65 'S-1-1': 'World Authority',
66 'S-1-1-0': 'Everyone',
67 'S-1-2': 'Local Authority',
68 'S-1-2-0': 'Local (Users with the ability to log in locally)',
69 'S-1-2-1': ('Console Logon (Users who are logged onto the physical '
70 'console)'),
71 'S-1-3': 'Creator Authority',
72 'S-1-3-0': 'Creator Owner',
73 'S-1-3-1': 'Creator Group',
74 'S-1-3-2': 'Creator Owner Server',
75 'S-1-3-3': 'Creator Group Server',
76 'S-1-3-4': 'Owner Rights',
77 'S-1-4': 'Non-unique Authority',
78 'S-1-5': 'NT Authority',
79 'S-1-5-1': 'Dialup',
80 'S-1-5-2': 'Network',
81 'S-1-5-3': 'Batch',
82 'S-1-5-4': 'Interactive',
83 'S-1-5-6': 'Service',
84 'S-1-5-7': 'Anonymous',
85 'S-1-5-8': 'Proxy',
86 'S-1-5-9': 'Enterprise Domain Controllers',
87 'S-1-5-10': 'Principal Self',
88 'S-1-5-11': 'Authenticated Users',
89 'S-1-5-12': 'Restricted Code',
90 'S-1-5-13': 'Terminal Server Users',
91 'S-1-5-14': 'Remote Interactive Logon',
92 'S-1-5-15': 'This Organization',
93 'S-1-5-17': 'This Organization (Used by the default IIS user)',
94 'S-1-5-18': 'Local System',
95 'S-1-5-19': 'NT Authority',
96 'S-1-5-20': 'NT Authority',
97 'S-1-5-32-544': 'Administrators',
98 'S-1-5-32-545': 'Users',
99 'S-1-5-32-546': 'Guests',
100 'S-1-5-32-547': 'Power Users',
101 'S-1-5-32-548': 'Account Operators',
102 'S-1-5-32-549': 'Server Operators',
103 'S-1-5-32-550': 'Print Operators',
104 'S-1-5-32-551': 'Backup Operators',
105 'S-1-5-32-552': 'Replicators',
106 'S-1-5-32-554': 'BUILTIN\\Pre-Windows 2000 Compatible Access',
107 'S-1-5-32-555': 'BUILTIN\\Remote Desktop Users',
108 'S-1-5-32-556': 'BUILTIN\\Network Configuration Operators',
109 'S-1-5-32-557': 'BUILTIN\\Incoming Forest Trust Builders',
110 'S-1-5-32-558': 'BUILTIN\\Performance Monitor Users',
111 'S-1-5-32-559': 'BUILTIN\\Performance Log Users',
112 'S-1-5-32-560': 'BUILTIN\\Windows Authorization Access Group',
113 'S-1-5-32-561': 'BUILTIN\\Terminal Server License Servers',
114 'S-1-5-32-562': 'BUILTIN\\Distributed COM Users',
115 'S-1-5-32-568': 'BUILTIN\\IIS IUSRS',
116 'S-1-5-32-569': 'Cryptographic Operators',
117 'S-1-5-32-573': 'BUILTIN\\Event Log Readers',
118 'S-1-5-32-574': 'BUILTIN\\Certificate Service DCOM Access',
119 'S-1-5-33': 'Write Restricted',
120 'S-1-5-64-10': 'NTLM Authentication',
121 'S-1-5-64-14': 'SChannel Authentication',
122 'S-1-5-64-21': 'Digest Authentication',
123 'S-1-5-80': 'NT Service',
124 'S-1-5-86-1544737700-199408000-2549878335-3519669259-381336952': (
125 'WMI (Local Service)'),
126 'S-1-5-86-615999462-62705297-2911207457-59056572-3668589837': (
127 'WMI (Network Service)'),
128 'S-1-5-1000': 'Other Organization',
129 'S-1-16-0': 'Untrusted Mandatory Level',
130 'S-1-16-4096': 'Low Mandatory Level',
131 'S-1-16-8192': 'Medium Mandatory Level',
132 'S-1-16-8448': 'Medium Plus Mandatory Level',
133 'S-1-16-12288': 'High Mandatory Level',
134 'S-1-16-16384': 'System Mandatory Level',
135 'S-1-16-20480': 'Protected Process Mandatory Level',
136 'S-1-16-28672': 'Secure Process Mandatory Level',
137 }
138
139 table_header = [
140 dict(name="Process", width=40),
141 dict(name="Sid", width=50),
142 dict(name="Comment")
143 ]
144
# NOTE(review): the enclosing method's def line is not visible in this
# rendering; the body below is documented as found.

# RID -> account name, taken from the "users" plugin, so a token SID can be
# labelled with a local account name.
users = {}
for _, v, f in self.session.plugins.users().GenerateUsers():
    users[f.Rid] = v.UserName.Value

# One output row per (process, SID) pair in the token's UserAndGroups list.
for task in self.filter_processes():
    for sa in task.Token.UserAndGroups:

        # The last sub-authority is the RID.  NOTE(review): a
        # SubAuthorityCount of 0 (corrupt or unreadable token) makes this
        # index -1; what the array returns for that is not visible in this
        # file -- confirm.
        rid = sa.Sid.SubAuthority[sa.Sid.SubAuthorityCount-1]
        sid_name = ""
        # Keyed on the RID alone: any SID whose last sub-authority equals a
        # local account's RID (a domain SID ending in the same number, for
        # instance) receives that local user's name unless one of the
        # lookups below replaces it -- treat this label as a hint, not an
        # identification.
        username = users.get(rid)
        if username:
            sid_name = "User: %s" % username

        # Resolution order: exact well-known SID first, then the regex table
        # (find_sid_re, defined elsewhere in the class), and only otherwise
        # the RID-derived user label above.
        sid_string = unicode(sa.Sid.deref())  # Python 2 builtin
        if sid_string in self.well_known_sids:
            sid_name = self.well_known_sids[sid_string]
        else:
            sid_name_re = self.find_sid_re(sid_string)
            if sid_name_re:
                sid_name = sid_name_re

        # Column order matches table_header: Process, Sid, Comment.
        yield(task, sid_string, sid_name)
181