
New SMB/WMI Module BitLocker

Open termanix opened this issue 9 months ago • 11 comments

Checking BitLocker status on all drives.

image

termanix avatar May 01 '24 14:05 termanix

Would it perhaps be better to run this via WMI? Seems slightly more op-sec safe.

I haven't tested, but it seems possible: https://4sysops.com/archives/check-the-bitlocker-status-of-all-pcs-in-the-network/#rtoc-3

Adamkadaban avatar May 01 '24 18:05 Adamkadaban

> Would it perhaps be better to run this via WMI? Seems slightly more op-sec safe.
>
> I haven't tested, but it seems possible: https://4sysops.com/archives/check-the-bitlocker-status-of-all-pcs-in-the-network/#rtoc-3

That's a great idea, I'm testing now, I will share results manually. Thank you.

termanix avatar May 01 '24 19:05 termanix

It works @Adamkadaban, I can also adapt it to this method. Let me edit it.

image

termanix avatar May 01 '24 19:05 termanix

@termanix Sorry, I should've been clearer. I meant through the WMI protocol rather than through PowerShell.

Just checked with wmiquery and it seems to work. Also produces fewer security events.

I think this should work for doing it through WMI:

```python
from impacket.dcerpc.v5.dcom import wmi
from impacket.dcerpc.v5.dtypes import NULL
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY


def get_bitlocker_volumes(dcom, nxc_logger):
    """Query Win32_EncryptableVolume over DCOM/WMI.

    dcom is an already authenticated impacket DCOMConnection and nxc_logger is
    the NetExec context logger; returns one property dict per encryptable volume.
    """
    iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
    iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)

    bitlockerNamespace = "root\\CIMv2\\Security\\MicrosoftVolumeEncryption"
    try:
        iWbemServices = iWbemLevel1Login.NTLMLogin(bitlockerNamespace, NULL, NULL)
    except Exception as e:
        if str(e).find("WBEM_E_INVALID_NAMESPACE") >= 0:
            # The BitLocker WMI provider is not present on this host
            nxc_logger.debug("BitLocker namespace not found")
        else:
            nxc_logger.debug(str(e))
        iWbemLevel1Login.RemRelease()
        dcom.disconnect()
        return []

    # Encrypt the DCE/RPC traffic carrying the query and its results
    iWbemServices.get_dce_rpc().set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)

    classQuery = "SELECT DriveLetter, ConversionStatus, ProtectionStatus, EncryptionMethod FROM Win32_EncryptableVolume"

    volumes = []
    try:
        iEnumWbemClassObject = iWbemServices.ExecQuery(classQuery)
        # Next() hands back one object per call and raises S_FALSE once the enumeration is exhausted
        while True:
            try:
                iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff, 1)[0]
            except Exception as e:
                if str(e).find("S_FALSE") < 0:
                    raise
                break
            volumes.append(iWbemClassObject.getProperties())
        iEnumWbemClassObject.RemRelease()
    except Exception as e:
        if str(e).find("WBEM_E_INVALID_CLASS") >= 0:
            nxc_logger.debug("Win32_EncryptableVolume class not found")
        nxc_logger.debug(str(e))

    iWbemLevel1Login.RemRelease()
    iWbemServices.RemRelease()
    dcom.disconnect()
    return volumes
```

Adamkadaban avatar May 01 '24 19:05 Adamkadaban
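The snippet above stops at "parse and print data from here". As an added example (not code from this thread or from NetExec), the following decodes the property dicts that impacket's getProperties() returns into readable BitLocker status lines and a per-host verdict on whether the system drive is actually protected; the numeric codes are the documented Win32_EncryptableVolume values and the sample records are constructed here.

```python
# Decode Win32_EncryptableVolume records (shape: {name: {"value": ...}, ...} as
# returned by impacket's getProperties()) into readable BitLocker status lines.
# Numeric codes follow Microsoft's Win32_EncryptableVolume documentation.

CONVERSION_STATUS = {
    0: "FullyDecrypted", 1: "FullyEncrypted", 2: "EncryptionInProgress",
    3: "DecryptionInProgress", 4: "EncryptionPaused", 5: "DecryptionPaused",
}
PROTECTION_STATUS = {0: "Off", 1: "On", 2: "Unknown"}
ENCRYPTION_METHOD = {
    0: "None", 1: "AES_128_WITH_DIFFUSER", 2: "AES_256_WITH_DIFFUSER", 3: "AES_128",
    4: "AES_256", 5: "HARDWARE_ENCRYPTION", 6: "XTS_AES_128", 7: "XTS_AES_256",
}


def decode_volume(record):
    """Flatten one getProperties() dict into drive/conversion/protection/method strings."""
    get = lambda name: record[name]["value"]
    return {
        "drive": get("DriveLetter"),
        "conversion": CONVERSION_STATUS.get(get("ConversionStatus"), "Unknown(%s)" % get("ConversionStatus")),
        "protection": PROTECTION_STATUS.get(get("ProtectionStatus"), "Unknown(%s)" % get("ProtectionStatus")),
        "method": ENCRYPTION_METHOD.get(get("EncryptionMethod"), "Unknown(%s)" % get("EncryptionMethod")),
    }


def summarize(records, system_drive="C:"):
    """Return (lines, verdict). verdict is True only when the system drive is fully
    encrypted with protection on; an empty record list means the provider was absent."""
    if not records:
        return ["BitLocker WMI provider not available on host"], False
    lines, verdict = [], False
    for vol in map(decode_volume, records):
        lines.append("%s  %-20s  protection=%s  %s" % (vol["drive"], vol["conversion"], vol["protection"], vol["method"]))
        if vol["drive"].upper() == system_drive.upper():
            verdict = vol["conversion"] == "FullyEncrypted" and vol["protection"] == "On"
    return lines, verdict


# Constructed sample (not real host data): C: encrypted and protected, D: not encrypted.
SAMPLE = [
    {"DriveLetter": {"value": "C:"}, "ConversionStatus": {"value": 1},
     "ProtectionStatus": {"value": 1}, "EncryptionMethod": {"value": 7}},
    {"DriveLetter": {"value": "D:"}, "ConversionStatus": {"value": 0},
     "ProtectionStatus": {"value": 0}, "EncryptionMethod": {"value": 0}},
]

if __name__ == "__main__":
    for line in summarize(SAMPLE)[0]:
        print(line)
```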

> @termanix Sorry, I should've been clearer. I meant through the WMI protocol rather than through PowerShell.
>
> Just checked with wmiquery and it seems to work. Also produces fewer security events.
>
> I think this should work for doing it through WMI:

Oh okay, I didn't test it with the WMI protocol yet. I was just being quick to get a result.

Using WMI is your idea and I don't want to steal your idea :D I can add it for WMI if it's okay with you.

termanix avatar May 01 '24 19:05 termanix

> I can add it for WMI if it's okay with you.

Yes, feel free. Add me as a co-author to the commit if you so please ;)

Adamkadaban avatar May 01 '24 19:05 Adamkadaban

You could check exec-method and do SMB if it's smbexec, or WMI if it's wmiexec, and also add this to the WMI protocol and run it straight through WMI.

Marshall-Hallenbeck avatar May 01 '24 19:05 Marshall-Hallenbeck

> I can add it for WMI if it's okay with you.

> Yes, feel free. Add me as a co-author to the commit if you so please ;)

Ofc. I will add it for WMI too then. If you have joined Discord, can you contact me? We can implement it together.

termanix avatar May 01 '24 20:05 termanix

It can be reviewed now. I just can't pwn a Win 11 machine while using the WMI protocol. But SMB works.

image

termanix avatar May 03 '24 14:05 termanix

@termanix can you add this module to the e2e tests file?

Marshall-Hallenbeck avatar May 08 '24 16:05 Marshall-Hallenbeck

Updated @Marshall-Hallenbeck, it can be reviewed.

termanix avatar May 15 '24 16:05 termanix

First of all, very nice module!
Win10/11 is okay. However, Windows Server 2008 DC will raise an error on SMB: image

My approach is to check services instead of calling functions, for AV and Legacy. I have been using this method for a long time, and I like it. Ensure error handling (on endpoint) for this sneaky approach ... -EA SilentlyContinue ... . Example: image

quahac avatar May 16 '24 10:05 quahac

> First of all, very nice module! Win10/11 is okay. However, Windows Server 2008 DC will raise an error on SMB: image
>
> My approach is to check services instead of calling functions, for AV and Legacy. I have been using this method for a long time, and I like it. Ensure error handling (on endpoint) for this sneaky approach ... -EA SilentlyContinue ... . Example: image

Hi, firstly thank you for your kind comment ^^. I actually did it on the older NetExec PowerShell. Now I fixed it again, I forgot it, thank you for reminding me. Also thank you for the suggestion. I added -EA SilentlyContinue for now, let's see how it works.

termanix avatar May 16 '24 11:05 termanix

@termanix , I see you're coding now. My mistake; I told you to use the -ErrorAction SilentlyContinue approach in my situation. However, since the function doesn't exist yet, you cannot call -EA, as it will also raise an error. You have to try the function and catch the error: try{Get-BitLockerVolume | Select-Object MountPoint, EncryptionMethod, ProtectionStatus}catch{}

image

quahac avatar May 16 '24 12:05 quahac

> @termanix , I see you're coding now. My mistake; I told you to use the -ErrorAction SilentlyContinue approach in my situation. However, since the function doesn't exist yet, you cannot call -EA, as it will also raise an error. You have to try the function and catch the error: try{Get-BitLockerVolume | Select-Object MountPoint, EncryptionMethod, ProtectionStatus}catch{}
>
> image

Oh okay, got it. But about try/catch, I just want to show it in the NetExec output if the system doesn't have get-bitlocker. The code checks it in the output. But I got what you mean.

termanix avatar May 16 '24 13:05 termanix

Can't test WMI on my notebook as it is not domain joined, but the negative detection on the DC seems to work: image

@Marshall-Hallenbeck also saw your comment regarding ps_execute. Changed it for now because it fails for me most of the time and is also flagged pretty often by AVs (for example even Windows Defender yelled at me lol). If that's fine for you, please also approve (you have a pending change request).

NeffIsBack avatar Jun 23 '24 22:06 NeffIsBack

Great! I'll merge 🚀

NeffIsBack avatar Jun 24 '24 22:06 NeffIsBack