PingCastle 2.10.1.1

Author: vletoux

Healthcheck/HealthcheckAnalyzer.cs

@@ -10,9 +10,9 @@
 namespace PingCastle.Healthcheck.Rules
 {
     [RuleModel("P-DNSAdmin", RiskRuleCategory.PrivilegedAccounts, RiskModelCategory.ACLCheck)]
-    [RuleComputation(RuleComputationType.TriggerOnPresence, 5)]
+    [RuleComputation(RuleComputationType.TriggerOnPresence, 0)]
     [RuleIntroducedIn(2, 9)]
-    [RuleDurANSSI(1, "dnsadmins", "DnsAdmins group members")]
+    [RuleDurANSSI(4, "dnsadmins", "DnsAdmins group members")]
     [RuleMitreAttackMitigation(MitreAttackMitigation.PrivilegedAccountManagement)]
     public class HeatlcheckRulePrivilegedDNSAdmin : RuleBase<HealthcheckData>
     {

Healthcheck/Rules/HeatlcheckRulePrivilegedDNSAdmin.cs

@@ -248,7 +248,17 @@ To change it you can edit the owner of an object using <a href="https://docs.
     <value>The purpose is to ensure that every account having an SID History is part of an active migration.</value>
   </data>
   <data name="T_SIDHistoryUnknownDomain_Solution" xml:space="preserve">
-    <value>Each security descriptor of the domain (including file shares for example) should be reviewed to be rewritten with the new SID of the account. Then the SID History attribute should be removed. Please note that once the SID History has been removed, it cannot be added back again without doing a real migration. Hopefully hacking tools such as mimikatz can be used to undo a deletion with for example the lsadump::dcshadow attack.</value>
+    <value>Each security descriptor of the domain (including file shares for example) should be reviewed to be rewritten with the new SID of the account. Then the SID History attribute should be removed. 
+    
+    Please note that once the SID History has been removed, it cannot be added back again without doing a real migration. Hopefully hacking tools such as mimikatz can be used to undo a deletion with for example the lsadump::dcshadow attack.
+  
+To remove the SIDHistory from a user account, run:
+&lt;i&gt;Get-ADUser USERNAME -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+For a group, run:
+&lt;i&gt;Get-ADGroup GROUPNAME -properties sidhistory | foreach {Set-ADGroup $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+For all users in a OU:
+&lt;i&gt;Get-ADUser -SearchBase "OU=Accounts,DC=mydomain,DC=com" -Filter {sidhistory -like '*'} -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+    </value>
   </data>
   <data name="T_SIDHistoryUnknownDomain_Rationale" xml:space="preserve">
     <value>{count} unknown domain(s) used in SIDHistory</value>
@@ -260,7 +270,15 @@ To change it you can edit the owner of an object using &lt;a href="https://docs.
     <value>The purpose is to ensure that accounts are not linked for more privileged accounts in the same domain</value>
   </data>
   <data name="T_SIDHistorySameDomain_Solution" xml:space="preserve">
-    <value>It is not possible to have this occurrence except if a user from domain A has been migrated to domain B and then migrated again to domain A. This should be strongly investigated as it may be linked to a compromise of the domain.</value>
+    <value>It is not possible to have this occurrence except if a user from domain A has been migrated to domain B and then migrated again to domain A. This should be strongly investigated as it may be linked to a compromise of the domain.
+    
+To remove the SIDHistory from a user account, run:
+&lt;i&gt;Get-ADUser USERNAME -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+For a group, run:
+&lt;i&gt;Get-ADGroup GROUPNAME -properties sidhistory | foreach {Set-ADGroup $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+For all users in a OU:
+&lt;i&gt;Get-ADUser -SearchBase "OU=Accounts,DC=mydomain,DC=com" -Filter {sidhistory -like '*'} -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+    </value>
   </data>
   <data name="T_SIDHistorySameDomain_Rationale" xml:space="preserve">
     <value>Account(s) with SID History matching the domain = {count}</value>
@@ -883,7 +901,17 @@ Do not apply /quarantine on a forest trust: you will break the transitivity of t
   </data>
   <data name="S_SIDHistory_Solution" xml:space="preserve">
     <value>To solve the security issue, you should remove all the SIDHistory attributes. To do so, you can list the objects having an SIDHistory attribute using the command: &lt;i&gt;get-ADObject -ldapfilter "(sidhistory=*)" -properties sidhistory&lt;/i&gt;. 
-Each security descriptor of the domain (including file shares for example) should be reviewed to be rewritten with the new SID of the account. Then, the attribute can be removed of these accounts using the migration tool or a PowerShell snippet &lt;i&gt;Remove-SIDHistory&lt;/i&gt; once the migration is completed. Please note that once the SID History has been removed, it cannot be added back again without doing a real migration. Hopefully hacking tools such as mimikatz can be used to undo a deletion with for example the lsadump::dcshadow attack.</value>
+Each security descriptor of the domain (including file shares for example) should be reviewed to be rewritten with the new SID of the account. Then, the attribute can be removed of these accounts using the migration tool or a PowerShell snippet &lt;i&gt;Remove-SIDHistory&lt;/i&gt; once the migration is completed.
+
+Please note that once the SID History has been removed, it cannot be added back again without doing a real migration. Hopefully hacking tools such as mimikatz can be used to undo a deletion with for example the lsadump::dcshadow attack.
+
+To remove the SIDHistory from a user account, run:
+&lt;i&gt;Get-ADUser USERNAME -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+For a group, run:
+&lt;i&gt;Get-ADGroup GROUPNAME -properties sidhistory | foreach {Set-ADGroup $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+For all users in a OU:
+&lt;i&gt;Get-ADUser -SearchBase "OU=Accounts,DC=mydomain,DC=com" -Filter {sidhistory -like '*'} -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+</value>
   </data>
   <data name="S_SIDHistory_Rationale" xml:space="preserve">
     <value>{count} domain(s) used in SIDHistory</value>
@@ -1980,7 +2008,7 @@ SeManageVolumePrivilege can be used to reset the security descriptor on the C vo
   <data name="T_SIDFiltering_ReportLocation" xml:space="preserve">
     <value>The detail can be found in &lt;a href="#discovereddomains"&gt;Trusts section&lt;/a&gt;</value>
   </data>
-  <data name="T_SIDHistorySameDomain" xml:space="preserve">
+  <data name="T_SIDHistorySameDomain_ReportLocation" xml:space="preserve">
     <value>The SIDHistory detail can be found in &lt;a href="#useraccountanalysis"&gt;User information&lt;/a&gt; and &lt;a href="#computeraccountanalysis"&gt;Computer information&lt;/a&gt; and a quick summary in &lt;a href="#sidhistory"&gt;SID History&lt;/a&gt;</value>
   </data>
   <data name="T_SIDHistoryUnknownDomain_ReportLocation" xml:space="preserve">
@@ -3179,6 +3207,13 @@ Please note that at the time of writing, Microsoft supports it until Windows 202
   <data name="T_SIDHistoryDangerous_Solution" xml:space="preserve">
     <value>
       Identify the account, computer or group having these dangerous SID set in SID History, then clean it up by editing directly the SIDHistory attribute of the underlying AD object.
+      
+To remove the SIDHistory from a user account, run:
+&lt;i&gt;Get-ADUser USERNAME -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+For a group, run:
+&lt;i&gt;Get-ADGroup GROUPNAME -properties sidhistory | foreach {Set-ADGroup $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
+For all users in a OU:
+&lt;i&gt;Get-ADUser -SearchBase "OU=Accounts,DC=mydomain,DC=com" -Filter {sidhistory -like '*'} -properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory=$_.sidhistory.value}}&lt;/i&gt;
     </value>
   </data>
   <data name="T_SIDHistoryDangerous_TechnicalExplanation" xml:space="preserve">
@@ -3554,7 +3589,13 @@ https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/007efcd2-29
     <value>The detail can be found in &lt;a href="#admingroups"&gt;Admin Groups&lt;/a&gt;</value>
   </data>
   <data name="P_DNSAdmin_Solution" xml:space="preserve">
-    <value>You should remove the members of the DNS admin group and do a proper delegation to the specific DNS Zones.
+    <value>Rule update:
+The Path Tuesday of October 2021 fixed this vulnerability and assigned it the identifier CVE-2021-40469.
+If the patch has been applied, there is no additional mitigation to perform.
+
+This rule is transformed into an informative rule in PingCastle 2.10.1 and will be removed in future version of PingCastle.
+
+You should remove the members of the DNS admin group and do a proper delegation to the specific DNS Zones.
 
 First, grant only "Read Property", "List", "List object" and "Read permssions" to CN=MicrosoftDNS,CN=System to enable access to the RPC service.
 

Healthcheck/Rules/RuleDescription.resx

@@ -28,5 +28,5 @@
 //      Numéro de build
 //      Révision
 //
-[assembly: AssemblyVersion("2.10.1.0")]
-[assembly: AssemblyFileVersion("2.10.1.0")]
+[assembly: AssemblyVersion("2.10.1.1")]
+[assembly: AssemblyFileVersion("2.10.1.1")]

Properties/AssemblyInfo.cs

@@ -22,7 +22,7 @@ internal class NativeMethods
 
         [DllImport("Rpcrt4.dll", EntryPoint = "NdrClientCall2", CallingConvention = CallingConvention.Cdecl,
            CharSet = CharSet.Unicode, SetLastError = false)]
-        internal static extern IntPtr NdrClientCall2x64(IntPtr pMIDL_STUB_DESC, IntPtr formatString, IntPtr intptrServer, int flag, ref PingCastle.RPC.nrpc.NETLOGON_TRUSTED_DOMAIN_ARRAY output);
+        internal static extern IntPtr NdrClientCall2x64(IntPtr pMIDL_STUB_DESC, IntPtr formatString, IntPtr intptrServer, int flag, ref PingCastle.RPC.nrpc2.NETLOGON_TRUSTED_DOMAIN_ARRAY output);
 
         [DllImport("Rpcrt4.dll", EntryPoint = "NdrClientCall2", CallingConvention = CallingConvention.Cdecl,
            CharSet = CharSet.Unicode, SetLastError = false)]

RPC/nativemethods.cs

@@ -38,7 +38,7 @@ public enum TrustedDomainFlag
         DS_DOMAIN_DIRECT_INBOUND = 32,
     }
 
-    public class nrpc : rpcapi
+    public class nrpc2 : rpcapi
     {
 
         private static byte[] MIDL_ProcFormatStringx86 = new byte[] {
@@ -90,7 +90,7 @@ private struct DS_DOMAIN_TRUSTSW
         }
 
         [SecurityPermission(SecurityAction.LinkDemand, Flags = SecurityPermissionFlag.UnmanagedCode)]
-        public nrpc(bool WillUseNullSession = true)
+        public nrpc2(bool WillUseNullSession = true)
         {
             Guid interfaceId = new Guid(magic(8) + "-" + magic(4) + "-ABCD-EF00-01234567CFFB");
             if (IntPtr.Size == 8)
@@ -105,7 +105,7 @@ public nrpc(bool WillUseNullSession = true)
         }
 
         [SecurityPermission(SecurityAction.Demand, Flags = SecurityPermissionFlag.UnmanagedCode)]
-        ~nrpc()
+        ~nrpc2()
         {
             freeStub();
         }

RPC/nrpc.cs

@@ -40,7 +40,7 @@ public Program.DisplayState QueryForAdditionalParameterInInteractiveMode()
         public void Export(string filename)
         {
             DisplayAdvancement("Starting");
-            nrpc session = new nrpc(); ;
+            nrpc2 session = new nrpc2(); ;
             DisplayAdvancement("Trusts obtained via null session");
             List<TrustedDomain> domains;
             int res = session.DsrEnumerateDomainTrusts(Server, 0x3F, out domains);

Scanners/nullsessionTrustScanner.cs

@@ -234,6 +234,11 @@ public bool GenerateFakeReport()
                         {
                             var enduserReportGenerator = PingCastleFactory.GetEndUserReportGenerator<HealthcheckData>();
                             enduserReportGenerator.GenerateReportFile(pingCastleReport, License, pingCastleReport.GetHumanReadableFileName());
+                            DisplayAdvancement("Export level is " + ExportLevel);
+                            if (ExportLevel != PingCastleReportDataExportLevel.Full)
+                            {
+                                DisplayAdvancement("Personal data will NOT be included in the .xml file (add --level Full to add it)");
+                            }
                             pingCastleReport.SetExportLevel(ExportLevel);
                             DataHelper<HealthcheckData>.SaveAsXml(pingCastleReport, pingCastleReport.GetMachineReadableFileName(), EncryptReport);
 
@@ -413,6 +418,11 @@ T PerformTheAnalysis<T>(string server) where T : IPingCastleReport
                     var enduserReportGenerator = PingCastleFactory.GetEndUserReportGenerator<T>();
                     htmlreports[domain] = enduserReportGenerator.GenerateReportFile(pingCastleReport, License, pingCastleReport.GetHumanReadableFileName());
                     DisplayAdvancement("Generating xml file for consolidation report" + (EncryptReport ? " (encrypted)" : ""));
+                    DisplayAdvancement("Export level is " + ExportLevel);
+                    if (ExportLevel != PingCastleReportDataExportLevel.Full)
+                    {
+                        DisplayAdvancement("Personal data will NOT be included in the .xml file (add --level Full to add it)");
+                    }
                     pingCastleReport.SetExportLevel(ExportLevel);
                     xmlreports[domain] = DataHelper<T>.SaveAsXml(pingCastleReport, pingCastleReport.GetMachineReadableFileName(), EncryptReport);
                     DisplayAdvancement("Done");