From 0007eaf2e8b120b2f4d135902f029b4e18ea2f84 Mon Sep 17 00:00:00 2001
From: q-roland <115217858+q-roland@users.noreply.github.com>
Date: Mon, 26 Aug 2024 17:29:06 +0200
Subject: [PATCH] Additional Organizational Units ACLs (#118)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Adding Organizational Units GenericWrite and ManageGPLink permissions
* Renaming ManageGPLink permission to WriteGPLink
* fix: gPLink guid
* feat: add GenericWrite and WriteGPLink for Domain
---------
Co-authored-by: Jonas Bülow Knudsen <12843299+JonasBK@users.noreply.github.com>
Co-authored-by: Rohan Vazarkar
---
 src/CommonLib/Enums/EdgeNames.cs | 1 +
 src/CommonLib/Processors/ACEGuids.cs | 4 +++-
 src/CommonLib/Processors/ACLProcessor.cs | 30 ++++++++++++++++--------
 3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/src/CommonLib/Enums/EdgeNames.cs b/src/CommonLib/Enums/EdgeNames.cs
index b7e3b5a8..3cd34672 100644
--- a/src/CommonLib/Enums/EdgeNames.cs
+++ b/src/CommonLib/Enums/EdgeNames.cs
@@ -21,6 +21,7 @@ public static class EdgeNames
 public const string AddKeyCredentialLink = "AddKeyCredentialLink";
 public const string SQLAdmin = "SQLAdmin";
 public const string WriteAccountRestrictions = "WriteAccountRestrictions";
+ public const string WriteGPLink = "WriteGPLink";
 //CertAbuse edges
 public const string WritePKIEnrollmentFlag = "WritePKIEnrollmentFlag";
diff --git a/src/CommonLib/Processors/ACEGuids.cs b/src/CommonLib/Processors/ACEGuids.cs
index b4224f85..d3545a91 100644
--- a/src/CommonLib/Processors/ACEGuids.cs
+++ b/src/CommonLib/Processors/ACEGuids.cs
@@ -12,6 +12,8 @@ public class ACEGuids
 public const string WriteSPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
 public const string AddKeyPrincipal = "5b47d60f-6090-40b2-9f37-2a4de88f3063";
 public const string UserAccountRestrictions = "4c164200-20c0-11d0-a768-00aa006e0529";
+ public const string WriteGPLink = "f30e3bbe-9ff0-11d1-b603-0000f80367c1";
+
 //Cert abuse ACEs
 public const string PKINameFlag = "ea1dddc4-60ff-416e-8cc0-17cee534bce7";
@@ -19,4 +21,4 @@ public class ACEGuids
 public const string Enroll = "0e10c968-78fb-11d2-90d4-00c04f79dc55";
 public const string AutoEnroll = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"; //TODO: Add this if it becomes abusable
 }
-}
\ No newline at end of file
+}
diff --git a/src/CommonLib/Processors/ACLProcessor.cs b/src/CommonLib/Processors/ACLProcessor.cs
index 9eb72744..c56d11f4 100644
--- a/src/CommonLib/Processors/ACLProcessor.cs
+++ b/src/CommonLib/Processors/ACLProcessor.cs
@@ -434,15 +434,17 @@ public async IAsyncEnumerable ProcessACL(byte[] ntSecurityDescriptor, strin
 //GenericWrite encapsulates WriteProperty, so process them in tandem to avoid duplicate edges
 if (aceRights.HasFlag(ActiveDirectoryRights.GenericWrite) || aceRights.HasFlag(ActiveDirectoryRights.WriteProperty))
 {
- if (objectType is Label.User
- or Label.Group
- or Label.Computer
- or Label.GPO
- or Label.CertTemplate
- or Label.RootCA
- or Label.EnterpriseCA
- or Label.AIACA
- or Label.NTAuthStore
+ if (objectType is Label.User
+ or Label.Group
+ or Label.Computer
+ or Label.GPO
+ or Label.OU
+ or Label.Domain
+ or Label.CertTemplate
+ or Label.RootCA
+ or Label.EnterpriseCA
+ or Label.AIACA
+ or Label.NTAuthStore
 or Label.IssuancePolicy)
 if (aceType is ACEGuids.AllGuid or "")
 yield return new ACE
 {
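Review bot: The new `WriteGPLink` GUID constant carries no comment saying which schema attribute it identifies, and the commit's own "fix: gPLink guid" bullet shows this value has already been wrong once, so a reader cannot check it without an external lookup. I would annotate it in place: `public const string WriteGPLink = "f30e3bbe-9ff0-11d1-b603-0000f80367c1"; // schemaIDGUID of the gPLink attribute`. As far as I can tell the value matches the published schemaIDGUID for gPLink, but a small unit test pinning it against a known-good constant would guard the next edit.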
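Review bot: The nine `if (objectType is Label.User` … `or Label.NTAuthStore` lines are removed and re-added with identical text, so the only real additions (`or Label.OU`, `or Label.Domain`) are buried inside what reads as an 11-line rewrite; the difference is presumably trailing whitespace or line endings. I would revert that churn so the hunk is just the two `+` lines, or move the whitespace fix into a separate formatting commit, since a reviewer auditing which object types now emit GenericWrite edges has to diff the two sides by eye. ProcessACL starts before this hunk, and the `else if` chain opened by this `if` continues past it.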
@@ -477,6 +479,14 @@ or Label.NTAuthStore
 RightName = EdgeNames.WriteAccountRestrictions,
 InheritanceHash = aceInheritanceHash
 };
+ else if (objectType is Label.OU or Label.Domain && aceType == ACEGuids.WriteGPLink)
+ yield return new ACE
+ {
+ PrincipalType = resolvedPrincipal.ObjectType,
+ PrincipalSID = resolvedPrincipal.ObjectIdentifier,
+ IsInherited = inherited,
+ RightName = EdgeNames.WriteGPLink
+ };
 else if (objectType == Label.Group && aceType == ACEGuids.WriteMember)
 yield return new ACE
 {
 PrincipalType = resolvedPrincipal.ObjectType,
@@ -634,4 +644,4 @@ public async IAsyncEnumerable ProcessGMSAReaders(byte[] groupMSAMembership,
 }
 }
 }
-}
\ No newline at end of file
+}
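Review bot: The new WriteGPLink ACE never sets `InheritanceHash`, while the WriteAccountRestrictions ACE immediately above it ends with `InheritanceHash = aceInheritanceHash`; if that hash is what downstream uses to deduplicate inherited ACEs, every OU and domain that inherits a gPLink write right will produce an edge without it. Add `InheritanceHash = aceInheritanceHash` after `RightName = EdgeNames.WriteGPLink`, or leave a comment explaining why this edge deliberately omits it. The condition also mixes an `or` pattern with `&&` and no parentheses; `objectType is (Label.OU or Label.Domain) && aceType == ACEGuids.WriteGPLink` states the grouping C# already applies and stops a reader from wondering whether `&&` binds inside the pattern. The if/else chain this branch belongs to starts in the previous hunk and ProcessACL continues outside it.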