Revert "Additional Organizational Units ACLs (#118)"

This reverts commit d61b8f7.
SpecterOps · Aug 26, 2024 · 2bff9ec · 2bff9ec
1 parent d61b8f7
commit 2bff9ec
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 15 deletions.
diff --git a/src/CommonLib/EdgeNames.cs b/src/CommonLib/EdgeNames.cs
@@ -21,7 +21,6 @@ public static class EdgeNames
         public const string AddKeyCredentialLink = "AddKeyCredentialLink";
         public const string SQLAdmin = "SQLAdmin";
         public const string WriteAccountRestrictions = "WriteAccountRestrictions";
-        public const string WriteGPLink = "WriteGPLink";
 
         //CertAbuse edges
         public const string WritePKIEnrollmentFlag = "WritePKIEnrollmentFlag";

diff --git a/src/CommonLib/Processors/ACEGuids.cs b/src/CommonLib/Processors/ACEGuids.cs
@@ -12,13 +12,11 @@ public class ACEGuids
         public const string WriteSPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
         public const string AddKeyPrincipal = "5b47d60f-6090-40b2-9f37-2a4de88f3063";
         public const string UserAccountRestrictions = "4c164200-20c0-11d0-a768-00aa006e0529";
-        public const string WriteGPLink = "f30e3bbe-9ff0-11d1-b603-0000f80367c1";
-
 
         //Cert abuse ACEs
         public const string PKINameFlag = "ea1dddc4-60ff-416e-8cc0-17cee534bce7";
         public const string PKIEnrollmentFlag = "d15ef7d8-f226-46db-ae79-b34e560bd12c";
         public const string Enroll = "0e10c968-78fb-11d2-90d4-00c04f79dc55";
         public const string AutoEnroll = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"; //TODO: Add this if it becomes abusable
     }
-}
+}
diff --git a/src/CommonLib/Processors/ACLProcessor.cs b/src/CommonLib/Processors/ACLProcessor.cs
@@ -380,8 +380,6 @@ public IEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, string objectDom
                         or Label.Group 
                         or Label.Computer 
                         or Label.GPO 
-                        or Label.OU 
-                        or Label.Domain
                         or Label.CertTemplate 
                         or Label.RootCA 
                         or Label.EnterpriseCA 
@@ -421,14 +419,6 @@ or Label.NTAuthStore
                             IsInherited = inherited,
                             RightName = EdgeNames.WriteAccountRestrictions
                         };
-                    else if (objectType is Label.OU or Label.Domain && aceType == ACEGuids.WriteGPLink)
-                        yield return new ACE
-                        {
-                            PrincipalType = resolvedPrincipal.ObjectType,
-                            PrincipalSID = resolvedPrincipal.ObjectIdentifier,
-                            IsInherited = inherited,
-                            RightName = EdgeNames.WriteGPLink
-                        };
                     else if (objectType == Label.Group && aceType == ACEGuids.WriteMember)
                         yield return new ACE
                         {
@@ -603,4 +593,4 @@ public IEnumerable<ACE> ProcessGMSAReaders(byte[] groupMSAMembership, string obj
             }
         }
     }
-}
+}