
GenericWrite ACL not collected on OU #38

Open
sploutchy opened this issue Sep 6, 2022 · 2 comments

Comments

@sploutchy

sploutchy commented Sep 6, 2022

The ACL Processor collects GenericAll, WriteDACL and WriteOwner ACLs on all object types.

For GenericWrite and WriteProperty, it collects the ACLs only for User, Group and Computer (and to some extent GPOs):

```csharp
//GenericWrite encapsulates WriteProperty, so process them in tandem to avoid duplicate edges
if (aceRights.HasFlag(ActiveDirectoryRights.GenericWrite) ||
    aceRights.HasFlag(ActiveDirectoryRights.WriteProperty))
{
    if (objectType is Label.User or Label.Group or Label.Computer or Label.GPO)
        if (aceType is ACEGuids.AllGuid or "")
            yield return new ACE
            {
                PrincipalType = resolvedPrincipal.ObjectType,
                PrincipalSID = resolvedPrincipal.ObjectIdentifier,
                IsInherited = inherited,
                RightName = EdgeNames.GenericWrite
            };

    if (objectType == Label.User && aceType == ACEGuids.WriteSPN)
        yield return new ACE
        {
            PrincipalType = resolvedPrincipal.ObjectType,
            PrincipalSID = resolvedPrincipal.ObjectIdentifier,
            IsInherited = inherited,
            RightName = EdgeNames.WriteSPN
        };
    else if (objectType == Label.Computer && aceType == ACEGuids.WriteAllowedToAct)
        yield return new ACE
        {
            PrincipalType = resolvedPrincipal.ObjectType,
            PrincipalSID = resolvedPrincipal.ObjectIdentifier,
            IsInherited = inherited,
            RightName = EdgeNames.AddAllowedToAct
        };
    else if (objectType == Label.Computer && aceType == ACEGuids.UserAccountRestrictions && !resolvedPrincipal.ObjectIdentifier.EndsWith("-512"))
        yield return new ACE
        {
            PrincipalType = resolvedPrincipal.ObjectType,
            PrincipalSID = resolvedPrincipal.ObjectIdentifier,
            IsInherited = inherited,
            RightName = EdgeNames.WriteAccountRestrictions
        };
    else if (objectType == Label.Group && aceType == ACEGuids.WriteMember)
        yield return new ACE
        {
            PrincipalType = resolvedPrincipal.ObjectType,
            PrincipalSID = resolvedPrincipal.ObjectIdentifier,
            IsInherited = inherited,
            RightName = EdgeNames.AddMember
        };
    else if (objectType is Label.User or Label.Computer && aceType == ACEGuids.AddKeyPrincipal)
        yield return new ACE
        {
            PrincipalType = resolvedPrincipal.ObjectType,
            PrincipalSID = resolvedPrincipal.ObjectIdentifier,
            IsInherited = inherited,
            RightName = EdgeNames.AddKeyCredentialLink
        };
}
```

I just stumbled upon a case where Everyone has GenericWrite on an OU; this can be exploited as shown in the following articles:

I think this edge should also be collected on OUs. What do you think?

Thanks a lot for your great work!
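For defenders who want to know whether the situation described in this issue (GenericWrite or WriteProperty on an OU granted to a broad principal such as Everyone) exists in their own forest before SharpHound reports it, the following audit script is an added example, not SharpHound code. It assumes the ActiveDirectory RSAT module is installed, and the list of principal names treated as "broad" is a choice, not something taken from the project.

```powershell
# Added example: list OUs where broad principals hold GenericWrite/WriteProperty.
# Requires the ActiveDirectory module, which also provides the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

# Principal names that should almost never hold write rights on an OU (assumed list).
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers')

# The two rights the issue says the ACL Processor does not collect on OUs.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties DistinguishedName) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }

        # Strip the "DOMAIN\" or "NT AUTHORITY\" prefix before matching the name.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($broadPrincipals -notcontains $name) { continue }

        # An empty ObjectType GUID means the ACE covers all properties, the same
        # condition the SharpHound snippet checks with ACEGuids.AllGuid / "".
        [pscustomobject]@{
            OU            = $ou.DistinguishedName
            Principal     = $ace.IdentityReference.Value
            Rights        = $ace.ActiveDirectoryRights
            AllProperties = ($ace.ObjectType -eq [Guid]::Empty)
            PropertyGuid  = $ace.ObjectType
            Inherited     = $ace.IsInherited
        }
    }
}

$findings | Sort-Object OU | Format-Table -AutoSize
```

Rows with AllProperties set to True are the direct counterpart of the GenericWrite edge the issue asks for; rows with a specific PropertyGuid are WriteProperty on a single attribute and need to be judged by which attribute that GUID identifies.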

@hubert3

hubert3 commented Nov 29, 2022

Agree this should be collected on OUs as well if possible

@rvazarkar
Contributor

I think historically we've resisted adding this edge because the exploitation of this primitive is very complex and relies on several factors that are hard to enumerate. Maybe it's time we took another look at it, but exploitation is still very complex, relying on the ability to add DNS records or new computers, for example.
