Checks for overly permissive DACLs on scmanager. Low priv Users with KA - SDDL_KEY_ALL could launch SYSTEM services.
name: Windows.Detection.ScmanagerBackdoor
author: ACEResponder.com
description: |
Checks for overly permissive DACLs on scmanager. Low priv Users with
KA - SDDL_KEY_ALL could launch SYSTEM services.
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET ps = '''
$sid_const_json = '{"AA":"SDDL_ACCESS_CONTROL_ASSISTANCE_OPS",
"AC":"SDDL_ALL_APP_PACKAGES",
"AN":"SDDL_ANONYMOUS",
"AO":"SDDL_ACCOUNT_OPERATORS",
"AP":"SDDL_PROTECTED_USERS",
"AU":"SDDL_AUTHENTICATED_USERS",
"BA":"SDDL_BUILTIN_ADMINISTRATORS",
"BG":"SDDL_BUILTIN_GUESTS",
"BO":"SDDL_BACKUP_OPERATORS",
"BU":"SDDL_BUILTIN_USERS",
"CA":"SDDL_CERT_SERV_ADMINISTRATORS",
"CD":"SDDL_CERTSVC_DCOM_ACCESS",
"CG":"SDDL_CREATOR_GROUP",
"CN":"SDDL_CLONEABLE_CONTROLLERS",
"CO":"SDDL_CREATOR_OWNER",
"CY":"SDDL_CRYPTO_OPERATORS",
"DA":"SDDL_DOMAIN_ADMINISTRATORS",
"DC":"SDDL_DOMAIN_COMPUTERS",
"DD":"SDDL_DOMAIN_DOMAIN_CONTROLLERS",
"DG":"SDDL_DOMAIN_GUESTS",
"DU":"SDDL_DOMAIN_USERS",
"EA":"SDDL_ENTERPRISE_ADMINS",
"ED":"SDDL_ENTERPRISE_DOMAIN_CONTROLLERS",
"EK":"SDDL_ENTERPRISE_KEY_ADMINS",
"ER":"SDDL_EVENT_LOG_READERS",
"ES":"SDDL_RDS_ENDPOINT_SERVERS",
"HA":"SDDL_HYPER_V_ADMINS",
"HI":"SDDL_ML_HIGH",
"IS":"SDDL_IIS_USERS",
"IU":"SDDL_INTERACTIVE",
"KA":"SDDL_KEY_ADMINS",
"LA":"SDDL_LOCAL_ADMIN",
"LG":"SDDL_LOCAL_GUEST",
"LS":"SDDL_LOCAL_SERVICE",
"LU":"SDDL_PERFLOG_USERS",
"LW":"SDDL_ML_LOW",
"ME":"SDDL_ML_MEDIUM",
"MP":"SDDL_ML_MEDIUM_PLUS",
"MU":"SDDL_PERFMON_USERS",
"NO":"SDDL_NETWORK_CONFIGURATION_OPS",
"NS":"SDDL_NETWORK_SERVICE",
"NU":"SDDL_NETWORK",
"OW":"SDDL_OWNER_RIGHTS",
"PA":"SDDL_GROUP_POLICY_ADMINS",
"PO":"SDDL_PRINTER_OPERATORS",
"PS":"SDDL_PERSONAL_SELF",
"PU":"SDDL_POWER_USERS",
"RA":"SDDL_RDS_REMOTE_ACCESS_SERVERS",
"RC":"SDDL_RESTRICTED_CODE",
"RD":"SDDL_REMOTE_DESKTOP",
"RE":"SDDL_REPLICATOR",
"RM":"SDDL_RMS__SERVICE_OPERATORS",
"RO":"SDDL_ENTERPRISE_RO_DCs",
"RS":"SDDL_RAS_SERVERS",
"RU":"SDDL_ALIAS_PREW2KCOMPACC",
"SA":"SDDL_SCHEMA_ADMINISTRATORS",
"SI":"SDDL_ML_SYSTEM",
"SO":"SDDL_SERVER_OPERATORS",
"SS":"SDDL_SERVICE_ASSERTED",
"SU":"SDDL_SERVICE",
"SY":"SDDL_LOCAL_SYSTEM",
"UD":"SDDL_USER_MODE_DRIVERS",
"WD":"SDDL_EVERYONE",
"WR":"SDDL_WRITE_RESTRICTED_CODE"}'
$sid_const = ConvertFrom-Json $sid_const_json
$ace = ((& (Get-Command "$($env:SystemRoot)\System32\sc.exe") @('sdshow', 'scmanager'))[1])
$dacl_string = [regex]::match($ace, '.*D:(.*)S:').Groups[1].value
$dacls = [regex]::match($dacl_string, '(?:\(([^\)]*?)\))+').Groups[1].Captures
foreach ($dacl in $dacls) {
$descriptors = $dacl.Value.split(';')
$ace_type = $descriptors[0]
$rights = $descriptors[2] -split '(\w{2})'
$acct_sid = $descriptors[5]
if ($ace_type -eq 'A' -and $rights -contains 'KA' -and $acct_sid -notin $('BA', 'DA', 'EA', 'LA', 'SY')) {
$output = New-Object PSObject -Property @{
dacl = $dacl.Value;
sid = $acct_sid;
message = '';
}
if ($acct_sid.Length -eq 2) {
$output.message = 'Suspicious scmanager DACL identified. Users with ' + ($sid_const | select -ExpandProperty $acct_sid) + ' can start SYSTEM services.'
}
else {
$output.message = 'Suspicious scmanager DACL identified. User with SID ' + $acct_sid + ' can start SYSTEM services.'
}
$output | ConvertTo-Json
}
}
'''
SELECT * FROM execve(argv=["Powershell", "-ExecutionPolicy",
"unrestricted", "-c", ps])