🚀 Launch Week Day 3:Introducing Supply Chain Attack Campaigns Tracking.Learn More →

Book a Demo Install Sign in

rbct.it/ntparser

Package Overview

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

rbct.it/ntparser

Go Modules

Version: v0.0.0-20240210195401-3cfc2427972c

Version published: 2 years ago

Created: 2 years ago

Source

Read me

Usage

Usage of ./out/ntparser:
  -file string
        File containing raw bytes of the ntSecurityDescriptor to parse

Example

Send the following commands:

tmpFile=$(mktemp)
echo 0100049c34010000500100000000000014000000040020010700000005003800300100000100000068c9100efb78d21190d400c04f79dc55010500000000000515000000897285c6d42f0d4fddbfae250002000005003800300100000100000068c9100efb78d21190d400c04f79dc55010500000000000515000000897285c6d42f0d4fddbfae250702000005002800000100000100000068c9100efb78d21190d400c04f79dc5501010000000000050b00000000002400ff000f00010500000000000515000000897285c6d42f0d4fddbfae250002000000002400ff000f00010500000000000515000000897285c6d42f0d4fddbfae250702000000002400ff000f00010500000000000515000000897285c6d42f0d4fddbfae25f4010000000014009400020001010000000000050b000000010500000000000515000000897285c6d42f0d4fddbfae25f4010000010500000000000515000000897285c6d42f0d4fddbfae2507020000 | xxd -r -p > $tmpFile

./out/ntparser -file $tmpFile

You should receive the following output:

[+] List of ACEs in the DACL:
[0]:
        Type: AccessAllowedObjectAceType (0x05)
        ACE Size: 56 bytes
        ACE Header Flags: 0x05
                - ObjectInheritAce (0x01)
                - NoPropagateInheritAce (0x04)
        ACE Flags: 1
                - AceObjectTypePresent (0x01)
        Mask: 00000130
                - AdsRightDsReadProp (0x10)
                - AdsRightDsWriteProp (0x20)
                - AdsRightDsControlAccess (0x100)
        Object type GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Certificate-Enrollment)
        SID: S-1-5-21-3330634377-1326264276-632209373-512
[1]:
        Type: AccessAllowedObjectAceType (0x05)
        ACE Size: 56 bytes
        ACE Header Flags: 0x05
                - NoPropagateInheritAce (0x04)
                - ObjectInheritAce (0x01)
        ACE Flags: 1
                - AceObjectTypePresent (0x01)
        Mask: 00000130
                - AdsRightDsReadProp (0x10)
                - AdsRightDsWriteProp (0x20)
                - AdsRightDsControlAccess (0x100)
        Object type GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Certificate-Enrollment)
        SID: S-1-5-21-3330634377-1326264276-632209373-512
[2]:
        Type: AccessAllowedObjectAceType (0x05)
        ACE Size: 56 bytes
        ACE Header Flags: 0x05
                - NoPropagateInheritAce (0x04)
                - ObjectInheritAce (0x01)
        ACE Flags: 1
                - AceObjectTypePresent (0x01)
        Mask: 00000130
                - AdsRightDsControlAccess (0x100)
                - AdsRightDsReadProp (0x10)
                - AdsRightDsWriteProp (0x20)
        Object type GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Certificate-Enrollment)
        SID: S-1-5-21-3330634377-1326264276-632209373-512
[3]:
        Type: AccessAllowedObjectAceType (0x05)
        ACE Size: 56 bytes
        ACE Header Flags: 0x05
                - ObjectInheritAce (0x01)
                - NoPropagateInheritAce (0x04)
        ACE Flags: 1
                - AceObjectTypePresent (0x01)
        Mask: 00000130
                - AdsRightDsWriteProp (0x20)
                - AdsRightDsControlAccess (0x100)
                - AdsRightDsReadProp (0x10)
        Object type GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Certificate-Enrollment)
        SID: S-1-5-21-3330634377-1326264276-632209373-512
[4]:
        Type: AccessAllowedObjectAceType (0x05)
        ACE Size: 56 bytes
        ACE Header Flags: 0x05
                - NoPropagateInheritAce (0x04)
                - ObjectInheritAce (0x01)
        ACE Flags: 1
                - AceObjectTypePresent (0x01)
        Mask: 00000130
                - AdsRightDsWriteProp (0x20)
                - AdsRightDsControlAccess (0x100)
                - AdsRightDsReadProp (0x10)
        Object type GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Certificate-Enrollment)
        SID: S-1-5-21-3330634377-1326264276-632209373-512
[5]:
        Type: AccessAllowedObjectAceType (0x05)
        ACE Size: 56 bytes
        ACE Header Flags: 0x05
                - NoPropagateInheritAce (0x04)
                - ObjectInheritAce (0x01)
        ACE Flags: 1
                - AceObjectTypePresent (0x01)
        Mask: 00000130
                - AdsRightDsReadProp (0x10)
                - AdsRightDsWriteProp (0x20)
                - AdsRightDsControlAccess (0x100)
        Object type GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Certificate-Enrollment)
        SID: S-1-5-21-3330634377-1326264276-632209373-512
[6]:
        Type: AccessAllowedObjectAceType (0x05)
        ACE Size: 56 bytes
        ACE Header Flags: 0x05
                - NoPropagateInheritAce (0x04)
                - ObjectInheritAce (0x01)
        ACE Flags: 1
                - AceObjectTypePresent (0x01)
        Mask: 00000130
                - AdsRightDsWriteProp (0x20)
                - AdsRightDsControlAccess (0x100)
                - AdsRightDsReadProp (0x10)
        Object type GUID: 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Certificate-Enrollment)
        SID: S-1-5-21-3330634377-1326264276-632209373-512

References

Mainly these:

Author

Robert C. Raducioiu (rbct)

FAQs

What is rbct.it/ntparser?

Package last updated on 10 Feb 2024

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

rbct.it/ntparser

Read me

Usage

Example

References

Author

Related posts

PyPI Package Impersonates SymPy to Deliver Cryptomining Malware

Node.js 25.4.0 Ships with Stable require(esm)