Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add computer SID for Windows systems #824

Merged
merged 7 commits into from
Nov 1, 2024
Merged

Add computer SID for Windows systems #824

merged 7 commits into from
Nov 1, 2024

Conversation

fox-evv
Copy link
Contributor

@fox-evv fox-evv commented Aug 15, 2024

This addition to the generic Windows plugin exports the machine and domain SIDs
of the target. If the system is not joined to a domain, it uses only the/
SAM hive, but if the system is domain joined, it will all so use
the Security Policy.

fox-evv added 3 commits August 15, 2024 15:23
@fox-evv
Added sid function for windows OS plugin
ffcb70d 
It returns the machine SID found in the SAM hive.
@fox-evv
Revert "Added sid function for windows OS plugin"
8ca3f66 
This reverts commit 9c214a1.
@fox-evv
This returns the SID(s) of a computer.
b425e95 
- The machine SID from the SAM hive
- The domain SID from the security policy
@Schamper Schamper mentioned this pull request Aug 19, 2024
Closed
@codecov Codecov
Copy link

codecov bot commented Sep 3, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 76.47059% with 4 lines in your changes missing coverage. Please review.

Project coverage is 77.02%. Comparing base (35f64ff) to head (d73b0f5).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
dissect/target/plugins/os/windows/generic.py 76.47% 4 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #824      +/-   ##
==========================================
- Coverage   77.02%   77.02%   -0.01%     
==========================================
  Files         322      322              
  Lines       27566    27582      +16     
==========================================
+ Hits        21232    21244      +12     
- Misses       6334     6338       +4
Flag Coverage Δ
unittests 77.02% <76.47%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Horofic
Copy link
Contributor

Horofic commented Sep 3, 2024

@fox-evv I've suggested some changes and also added some test with this commit. One thing I could not verify myself is whether there can be multiple Machine / Domain SIDs. The initial implementation kind of seemed to suggest this. Do you encounter this scenario yourself? I left it out of this implementation because it seemed illogical to me.

Horofic
Horofic requested changes Sep 3, 2024
View reviewed changes
dissect/target/plugins/os/windows/generic.py
"""Return the machine- and optional domain SID of the system."""

try:
key = self.target.registry.key("HKLM\\SAM\\SAM\\Domains\\Account")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can there be multiple Machine- and Domain SIDS associated with one system?

@Horofic Horofic self-assigned this Sep 9, 2024
@Horofic Horofic merged commit ab014f0 into fox-it:main Nov 1, 2024
17 of 20 checks passed
Schamper
Schamper reviewed Nov 1, 2024
View reviewed changes
Copy link
Member

@Schamper Schamper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Horofic can you fix these notes or create a ticket for them?

tests/plugins/os/windows/test_generic.py
currentversion_key_name = "Software\\Microsoft\\Windows NT\\CurrentVersion"
currentversion_key = VirtualKey(hive_hklm, currentversion_key_name)
currentversion_key.add_value("InstallDate", VirtualValue(hive_hklm, "InstallDate", 0))
hive_hklm.map_key(currentversion_key_name, currentversion_key)
target_win_users.add_plugin(GenericPlugin)

assert target_win_users.install_date == from_unix(0)


def test_windows_generic_sid(target_win: Target, hive_hklm: VirtualHive):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing return type hint

tests/plugins/os/windows/test_generic.py


def test_windows_generic_install_date(target_win_users, fs_win, hive_hklm):
def test_windows_generic_install_date(target_win_users: Target, hive_hklm: VirtualHive):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing return type hint

dissect/target/plugins/os/windows/generic.py
"windows/sid/computer",
[
("datetime", "ts"),
("string", "sidtype"),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be type and not sidtype.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Schamper Schamper Schamper left review comments

@Horofic Horofic Horofic approved these changes

Assignees

@Horofic Horofic

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fox-evv @Horofic @Schamper