Additional Organizational Units ACLs (#118)

* Adding Organizational Units GenericWrite and ManageGPLink permissions

* Renaming ManageGPLink permission to WriteGPLink

* fix: gPLink guid

* feat: add GenericWrite and WriteGPLink for Domain

---------

Co-authored-by: Jonas Bülow Knudsen <[email protected]>
Co-authored-by: Rohan Vazarkar <[email protected]>

src/CommonLib/EdgeNames.cs

@@ -21,6 +21,7 @@ public static class EdgeNames
         public const string AddKeyCredentialLink = "AddKeyCredentialLink";
         public const string SQLAdmin = "SQLAdmin";
         public const string WriteAccountRestrictions = "WriteAccountRestrictions";
+        public const string WriteGPLink = "WriteGPLink";
 
         //CertAbuse edges
         public const string WritePKIEnrollmentFlag = "WritePKIEnrollmentFlag";

src/CommonLib/Processors/ACEGuids.cs

@@ -12,11 +12,13 @@ public class ACEGuids
         public const string WriteSPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
         public const string AddKeyPrincipal = "5b47d60f-6090-40b2-9f37-2a4de88f3063";
         public const string UserAccountRestrictions = "4c164200-20c0-11d0-a768-00aa006e0529";
+        public const string WriteGPLink = "f30e3bbe-9ff0-11d1-b603-0000f80367c1";
+
 
         //Cert abuse ACEs
         public const string PKINameFlag = "ea1dddc4-60ff-416e-8cc0-17cee534bce7";
         public const string PKIEnrollmentFlag = "d15ef7d8-f226-46db-ae79-b34e560bd12c";
         public const string Enroll = "0e10c968-78fb-11d2-90d4-00c04f79dc55";
         public const string AutoEnroll = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"; //TODO: Add this if it becomes abusable
     }
-}
+}

src/CommonLib/Processors/ACLProcessor.cs

@@ -380,6 +380,8 @@ public IEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, string objectDom
                         or Label.Group 
                         or Label.Computer 
                         or Label.GPO 
+                        or Label.OU 
+                        or Label.Domain
                         or Label.CertTemplate 
                         or Label.RootCA 
                         or Label.EnterpriseCA 
@@ -419,6 +421,14 @@ or Label.NTAuthStore
                             IsInherited = inherited,
                             RightName = EdgeNames.WriteAccountRestrictions
                         };
+                    else if (objectType is Label.OU or Label.Domain && aceType == ACEGuids.WriteGPLink)
+                        yield return new ACE
+                        {
+                            PrincipalType = resolvedPrincipal.ObjectType,
+                            PrincipalSID = resolvedPrincipal.ObjectIdentifier,
+                            IsInherited = inherited,
+                            RightName = EdgeNames.WriteGPLink
+                        };
                     else if (objectType == Label.Group && aceType == ACEGuids.WriteMember)
                         yield return new ACE
                         {
@@ -593,4 +603,4 @@ public IEnumerable<ACE> ProcessGMSAReaders(byte[] groupMSAMembership, string obj
             }
         }
     }
-}
+}