Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BED-4965 - Owns/Owner Rework #993

Open
wants to merge 37 commits into
base: main
Choose a base branch
from
Open

BED-4965 - Owns/Owner Rework #993

wants to merge 37 commits into from

Conversation

Mayyhem
Copy link
Collaborator

@Mayyhem Mayyhem commented Dec 2, 2024

Description

This change was made to account for cases where the OWNER RIGHTS SID (S-1-3-4) is explicitly granted permissions on AD objects, which in some cases renders implicit owner rights non-abusable.

  • Display Owner SID in entity panel
  • Create OwnsLimitedRights, OwnsRaw, WriteOwnerLimitedRights, and WriteOwnerRaw edges during ingest
  • Create Owns and WriteOwner edges during post-processing

Please refer to https://specterops.atlassian.net/wiki/spaces/BE/pages/750157858/Owns+WriteOwner for details.

Motivation and Context

This PR addresses: https://specterops.atlassian.net/browse/BED-4965

How Has This Been Tested?

Integration tests were written for post-processed edges. Ingest edges were tested manually.

A test environment including test cases for OWNER RIGHTS permissions was configured using a PowerShell script included in the linked Confluence page. After generating test data for two domains, one where implicit owner rights were blocked and another where they were not, tests included:

... and confirming that expected ingest and post-processed edges were created or removed, where appropriate.

Also ran and passed:

  • just test
  • View > Testing > Go (all tests)
     
    This change does not account for inheritance hashes for ACEs but will require an update after that initiative is complete.

Screenshots (optional):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Database Migrations

Checklist:

rvazarkar and others added 30 commits October 29, 2024 11:17
@rvazarkar
wip: initial start on owns edge changes
7b64bfb
@rvazarkar
wip: write post operations for writeowner/owns, update ingest
c483187
@rvazarkar
wip: fix return type
7e39e08
@rvazarkar
wip: remove unnecessary bool
403d3c2
@Mayyhem
BED-4965: WIP merge changes to Owns/WriteOwner post-processing (#931)
073bd75 
* Added inheritance condition for WriteOwner abuse, added comments to Owns/WriteOwner logic

* Saving changes to post Owns/WriteOwner
@rvazarkar
Merge branch 'main' into BED-4965
df82766 
# Conflicts:
#	cmd/api/src/analysis/ad/post.go
#	packages/go/graphschema/ad/ad.go
@rvazarkar
wip: fix post
44966c6
@Mayyhem
Updated Owns/WriteOwner logic to check if any non-abusable ACEs grant…
9753ce9 
…ing OWNER RIGHTS are present
@Mayyhem
Updated inherited vs. non-inherited benign ACE logic for WriteOwner
686201c
@Mayyhem
Added Owns/WriteOwner to post-processed edges, deleted commented code
04b7915
@Mayyhem
Return stats for aggregation
6d18b9c
@Mayyhem
Return cursor.Error() instead of nil
9b132d6
@Mayyhem
Updated Owns/WriteOwner[LimitedRights] help text
c6e2175
@Mayyhem
Fallback to add Owns/WriteOwner if fetching dSHeuristics/Admins fails
d5d421b
@Mayyhem
Update docs URL
b64cafa
@Mayyhem
Initial harnesses for Owns/WriteOwner changes
0a01818
@Mayyhem
Remove unused variable
c3f1808
@Mayyhem
Accounted for abusable permissions that are deleted on owner change
5b22a33
@Mayyhem
Update Owns and WriteOwner setup harness
e15faee
@Mayyhem
Confirmed harness data is accurate and is processed as expected by Po…
d5dbb95 
…stOwnsWriteOwner
@Mayyhem
Completed Owns edge tests
6e86f50
@Mayyhem
Completed WriteOwner edge tests
7d06e70
@Mayyhem
Accounted for all abusability and inheritance situations for user and…
ef55a25 
… computer object ownership and WriteOwner permissions
@Mayyhem
Updated command to identify dSHeuristics, minor formatting
c928b2d
@Mayyhem
Added test harness and integration testing for collector versions pri…
06790f2 
…or to change
@Mayyhem
Formatting changes from just generate
e44c9b7
@Mayyhem
Updating schema with DoesAnyInheritedAceGrantOwnerRights
cbb9766
@Mayyhem
Merge branch 'main' into BED-4965
e40bb4a
@Mayyhem
Finished integration tests for post-processing collections from Sharp…
6de74d5 
…Hound versions prior to change
@Mayyhem
Merge remote-tracking branch 'origin/main' into BED-4965
6f5ce5b
rvazarkar
rvazarkar reviewed Dec 4, 2024
View reviewed changes
cmd/api/src/daemons/datapipe/convertors.go Show resolved Hide resolved
packages/go/analysis/ad/owns.go Outdated Show resolved Hide resolved
packages/go/analysis/ad/owns.go Outdated Show resolved Hide resolved
rvazarkar
rvazarkar reviewed Dec 5, 2024
View reviewed changes
packages/go/analysis/ad/owns.go Show resolved Hide resolved
packages/go/analysis/ad/owns.go Outdated Show resolved Hide resolved
packages/go/analysis/ad/owns.go Show resolved Hide resolved
packages/go/analysis/ad/owns.go Show resolved Hide resolved
packages/go/analysis/ad/owns.go Outdated Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ClickyFingerz ClickyFingerz ClickyFingerz left review comments

@rvazarkar rvazarkar rvazarkar left review comments

@definitelynotagoblin definitelynotagoblin definitelynotagoblin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Mayyhem @rvazarkar @definitelynotagoblin @ClickyFingerz