# File: winrm_consts.py
#
# Copyright (c) 2018-2024 Splunk Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under
# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
# either express or implied. See the License for the specific language governing permissions
# and limitations under the License.
# PowerShell snippets that the action code fills in with str.format and then
# executes on the remote host over WinRM.  Doubled braces ("{{" / "}}") are
# str.format escapes for literal PowerShell braces.
#
# NOTE(review): every placeholder is substituted as raw text.  The ones that
# land inside a double-quoted PowerShell string ({0} in the AppLocker scripts,
# {file_path}, {}) are still subject to PowerShell's own handling of "$",
# backtick and embedded quotes, and the ones that sit outside any quotes
# ({0}/{1} in APPLOCKER_GET_POLICIES, {1}/{2} below, {action}) become part of
# the command line.  Nothing in this module escapes or validates them, so the
# code that formats these templates must do so -- confirm there.

# Prologue that loads the AppLocker module; presumably prepended to the
# APPLOCKER_* scripts below by the caller -- verify.
APPLOCKER_BASE_SCRIPT = """
Import-Module AppLocker
"""
# {0} is glued directly onto "-" to form the switch name and {1} is appended
# unquoted; {0} is presumably one of LOCATION_VALUE_LIST -- verify that the
# caller restricts it to a known switch name before formatting.
APPLOCKER_GET_POLICIES = "Get-AppLockerPolicy -{0} {1}"
# Builds a Path+Hash policy from the items Get-ChildItem returns for {0},
# sets each rule's Description to 'Created by Phantom', and applies the
# result with -Merge.  {1} is appended to New-AppLockerPolicy and {2} to
# Set-AppLockerPolicy, both unquoted (caller-chosen extra parameters --
# TODO confirm which).
APPLOCKER_CREATE_POLICY = """
$Policy = Get-ChildItem "{0}" | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path,Hash {1}
foreach($RuleCollection in $Policy.RuleCollections)
{{
foreach($Rule in $RuleCollection)
{{
$Rule.Description = 'Created by Phantom'
}}
}}
Set-AppLockerPolicy -PolicyObject $Policy {2} -Merge
"""
# AppLocker offers no way to create a blocking rule directly, so the policy
# is built exactly as above and each rule's Action is then set to 'Deny'
# before it is merged.
APPLOCKER_CREATE_POLICY_DENY = """
$Policy = Get-ChildItem "{0}" | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path,Hash {1}
foreach($RuleCollection in $Policy.RuleCollections)
{{
foreach($Rule in $RuleCollection)
{{
$Rule.Description = 'Created by Phantom'
$Rule.Action = 'Deny'
}}
}}
Set-AppLockerPolicy -PolicyObject $Policy {2} -Merge
"""
# Deletes the rule whose Id equals {0} from the policy produced by the
# expression {1} (presumably a Get-AppLockerPolicy call -- verify) and writes
# the policy back with the {2} arguments.  "break" leaves only the inner
# foreach, so the remaining rule collections are still scanned.  If no rule
# matched, the script throws; the caller presumably reports that as a failed
# action.
APPLOCKER_DELETE_POLICY = """
$tomatch_id = "{0}"
$Policy = {1}
$Passed = $False
foreach($RuleCollection in $Policy.RuleCollections)
{{
foreach($Rule in $RuleCollection)
{{
if ($Rule.Id.Value -eq $tomatch_id)
{{
$RuleCollection.Delete($Rule.Id)
$Passed = $True
break
}}
}}
}}
if ($Passed -eq $False)
{{
throw "No AppLocker Policy with specified ID was found"
}}
Set-AppLockerPolicy -PolicyObject $Policy {2}
"""
# One chunk of a chunked upload: the base64 text is carried in a here-string
# and written to {file_path} via "{action}", which is inserted unquoted
# between $f and $fp -- presumably a redirection operator chosen per chunk
# (e.g. ">" for the first, ">>" for the rest); TODO confirm.  The here-string
# ends at the first line that is exactly "@, which a base64 payload cannot
# contain; keep the caller feeding only base64 here.
SEND_FILE_START = """
$f = @"
{b64string_chunk}
"@
$fp = "{file_path}"
$f {action} $fp
"""
# Final step of the upload: reads the base64 text back from $fp -- which
# must already be set by a preceding SEND_FILE_START in the same script --
# and overwrites the file with the decoded bytes.
SEND_FILE_END = """
$d = Get-Content $fp
[IO.File]::WriteAllBytes($fp, [Convert]::FromBase64String($d))
"""
# Download: emits the base64 encoding of the file at path {}; the caller
# decodes the command output.  Same quoting caveat as above for the path.
GET_FILE = """
$d = "{}"
[Convert]::ToBase64String([IO.File]::ReadAllBytes($d))
"""
# User-facing error strings.
WINRM_UNICODE_ERROR_MESSAGE = "Invalid unicode detected"
# Constants relating to '_validate_integer'; {msg} qualifies the kind of
# integer expected and {param} names the offending action parameter.
WINRM_ERROR_INVALID_INT = 'Please provide a valid {msg} integer value in the "{param}"'
WINRM_ERROR_PARTITION = 'Failed to fetch system volume, Please check the asset configuration and|or "ip hostname" parameter'
WINRM_ERROR_INVALID_VAULT_ID = "Could not retrieve vault file"
# Constants relating to '_get_error_message_from_exception'
WINRM_ERROR_CODE_MESSAGE = "Error code unavailable"
WINRM_ERROR_MESSAGE_UNAVAILABLE = "Error message unavailable. Please check the asset configuration and|or action parameters"
WINRM_PARSE_ERROR_MESSAGE = "Unable to parse the error message. Please check the asset configuration and|or action parameters"
# The two adjacent literals are joined by implicit concatenation into one
# string (no separator is added between them).
WINRM_TYPE_ERROR_MESSAGE = (
"Error occurred while connecting to the Winrm Server. " "Please check the asset configuration and|or the action parameters"
)
# Constants relating to value_list check: the accepted values for the
# corresponding action parameters.  DIRECTION_VALUE_LIST and DIR_VALUE_LIST
# hold the same values; both names are kept because callers may reference
# either -- TODO(review) confirm whether one can be retired.
DIRECTION_VALUE_LIST = ["in", "out"]
DIR_VALUE_LIST = ["in", "out"]
ACTION_VALUE_LIST = ["allow", "block", "bypass"]
# Presumably the policy location switch used by APPLOCKER_GET_POLICIES -- verify.
LOCATION_VALUE_LIST = ["local", "domain", "effective"]
DENY_ALLOW_VALUE_LIST = ["deny", "allow"]
# Formatted with (the allowed-value list, the parameter name) when a value
# is not in its list.
VALUE_LIST_VALIDATION_MESSAGE = "Please provide valid input from {} in '{}' action parameter"
# Config keys: names under which the asset configuration stores each
# connection setting.  These are dictionary keys, not values -- the secret
# itself is never held in this module.
WINRM_CONFIG_ENDPOINT = "endpoint"
WINRM_CONFIG_PROTOCOL = "default_protocol"
WINRM_CONFIG_PORT = "default_port"
WINRM_CONFIG_USERNAME = "username"
WINRM_CONFIG_PASSWORD = "password" # pragma: allowlist secret
WINRM_CONFIG_TRANSPORT = "transport"
WINRM_CONFIG_DOMAIN = "domain"
# Paths to the client certificate, its private key and the CA bundle used
# for certificate-based/TLS-verified transports.
WINRM_CONFIG_CERT_PEM = "cert_pem_path"
WINRM_CONFIG_CERT_KEY_PEM = "cert_key_pem_path"
WINRM_CONFIG_CA_TRUST = "ca_trust_path"