Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BED-4965 - Owns/Owner Rework #176

Open
wants to merge 6 commits into
base: v4
Choose a base branch
from
Open

BED-4965 - Owns/Owner Rework #176

wants to merge 6 commits into from

Conversation

Mayyhem
Copy link

@Mayyhem Mayyhem commented Dec 2, 2024

Description

Updated SharpHound to collect two new properties for every domain object:

  • DoesAnyAceGrantOwnerRights
  • DoesAnyInheritedAceGrantOwnerRights

Motivation and Context

https://specterops.atlassian.net/browse/BED-4965

During ingest, BloodHound will use this information to determine whether any benign, non-abusable ACEs granted permissions to the OWNER RIGHTS SID (S-1-3-4), and whether or not any such ACEs were inherited. These properties allow ingest to determine whether any Owns and WriteOwner permissions granted are abusable or not.

How Has This Been Tested?

Please refer to https://specterops.atlassian.net/wiki/spaces/BE/pages/750157858/Owns+WriteOwner for detailed testing information.

Screenshots (if appropriate):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.

@Mayyhem Mayyhem mentioned this pull request Dec 2, 2024
Open
3 tasks
rvazarkar
rvazarkar reviewed Dec 4, 2024
View reviewed changes
src/CommonLib/Processors/ACLProcessor.cs
}
}

public async Task<(ACE[], bool, bool)> ProcessACL(byte[] ntSecurityDescriptor, string objectDomain,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move the optional parameter to a non-optional one? Currently, the overload is actually only used if you manually specify the bool, since the other ProcessACL function has the same number of arguments. Let's make it explicit what we're asking for

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its actually not going to build on CI either

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the review, Rohan!

Can we move the optional parameter to a non-optional one? Currently, the overload is actually only used if you manually specify the bool, since the other ProcessACL function has the same number of arguments. Let's make it explicit what we're asking for

I made checkForOwnerRights optional because objectName was already optional in the latest v4, and I couldn't add a required parameter after an optional one. Would you like me to make objectName required as well or split it into two methods, one for each signature?

Its actually not going to build on CI either

What do I need to do to address this?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, just move checkForOwnerRights before objectName, since this is a new function it shouldn't matter

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rvazarkar rvazarkar rvazarkar left review comments

@definitelynotagoblin definitelynotagoblin definitelynotagoblin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Mayyhem @rvazarkar @definitelynotagoblin