From 1054777ce34e21b4cc7dc759f7463ccd3336257f Mon Sep 17 00:00:00 2001
From: User
Date: Thu, 18 Apr 2024 16:01:39 -0700
Subject: [PATCH 1/4] Adding Organizational Units GenericWrite and ManageGPLink permissions

---
 src/CommonLib/EdgeNames.cs | 1 +
 src/CommonLib/Processors/ACEGuids.cs | 2 ++
 src/CommonLib/Processors/ACLProcessor.cs | 9 +++++++++
 3 files changed, 12 insertions(+)

diff --git a/src/CommonLib/EdgeNames.cs b/src/CommonLib/EdgeNames.cs
index 276d5b00..d2b2c05a 100644
--- a/src/CommonLib/EdgeNames.cs
+++ b/src/CommonLib/EdgeNames.cs
@@ -21,6 +21,7 @@ public static class EdgeNames
 public const string AddKeyCredentialLink = "AddKeyCredentialLink";
 public const string SQLAdmin = "SQLAdmin";
 public const string WriteAccountRestrictions = "WriteAccountRestrictions";
+ public const string ManageGPLink = "ManageGPLink";
 
 //CertAbuse edges
 public const string WritePKIEnrollmentFlag = "WritePKIEnrollmentFlag";
diff --git a/src/CommonLib/Processors/ACEGuids.cs b/src/CommonLib/Processors/ACEGuids.cs
index b4224f85..7018e06a 100644
--- a/src/CommonLib/Processors/ACEGuids.cs
+++ b/src/CommonLib/Processors/ACEGuids.cs
@@ -12,6 +12,8 @@ public class ACEGuids
 public const string WriteSPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
 public const string AddKeyPrincipal = "5b47d60f-6090-40b2-9f37-2a4de88f3063";
 public const string UserAccountRestrictions = "4c164200-20c0-11d0-a768-00aa006e0529";
+ public const string ManageGPLink = "f30e3bbf-9ff0-11d1-b603-0000f80367c1";
+
 
 //Cert abuse ACEs
 public const string PKINameFlag = "ea1dddc4-60ff-416e-8cc0-17cee534bce7";
diff --git a/src/CommonLib/Processors/ACLProcessor.cs b/src/CommonLib/Processors/ACLProcessor.cs
index dd6fb5ae..6a7e5b90 100644
--- a/src/CommonLib/Processors/ACLProcessor.cs
+++ b/src/CommonLib/Processors/ACLProcessor.cs
@@ -379,6 +379,7 @@ public IEnumerable ProcessACL(byte[] ntSecurityDescriptor, string objectDom
 or Label.Group
 or Label.Computer
 or Label.GPO
+ or Label.OU
 or Label.CertTemplate
 or Label.RootCA
 or Label.EnterpriseCA
@@ -418,6 +419,14 @@ or Label.NTAuthStore
 IsInherited = inherited,
 RightName = EdgeNames.WriteAccountRestrictions
 };
+ else if (objectType == Label.OU && aceType == ACEGuids.ManageGPLink)
+ yield return new ACE
+ {
+ PrincipalType = resolvedPrincipal.ObjectType,
+ PrincipalSID = resolvedPrincipal.ObjectIdentifier,
+ IsInherited = inherited,
+ RightName = EdgeNames.ManageGPLink
+ };
 else if (objectType == Label.Group && aceType == ACEGuids.WriteMember)
 yield return new ACE
 {

From 1f2d509ef675ef99668fafad1c9ffa0047d5aeff Mon Sep 17 00:00:00 2001
From: User
Date: Wed, 8 May 2024 08:45:36 -0700
Subject: [PATCH 2/4] Renaming ManageGPLink permission to WriteGPLink

---
 src/CommonLib/EdgeNames.cs | 2 +-
 src/CommonLib/Processors/ACEGuids.cs | 2 +-
 src/CommonLib/Processors/ACLProcessor.cs | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/CommonLib/EdgeNames.cs b/src/CommonLib/EdgeNames.cs
index d2b2c05a..a574c3d5 100644
--- a/src/CommonLib/EdgeNames.cs
+++ b/src/CommonLib/EdgeNames.cs
@@ -21,7 +21,7 @@ public static class EdgeNames
 public const string AddKeyCredentialLink = "AddKeyCredentialLink";
 public const string SQLAdmin = "SQLAdmin";
 public const string WriteAccountRestrictions = "WriteAccountRestrictions";
- public const string ManageGPLink = "ManageGPLink";
+ public const string WriteGPLink = "WriteGPLink";
 
 //CertAbuse edges
 public const string WritePKIEnrollmentFlag = "WritePKIEnrollmentFlag";
diff --git a/src/CommonLib/Processors/ACEGuids.cs b/src/CommonLib/Processors/ACEGuids.cs
index 7018e06a..eb37349c 100644
--- a/src/CommonLib/Processors/ACEGuids.cs
+++ b/src/CommonLib/Processors/ACEGuids.cs
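Review bot: The new `else if (objectType == Label.OU && aceType == ACEGuids.ManageGPLink)` branch emits the edge without any comment on what the right actually buys an attacker, and since gPLink is less self-explanatory than WriteMember or WriteAccountRestrictions, a reader has to know that writing gPLink on an OU means linking a GPO to everything under that OU. I'd put one line above the branch: `// WriteProperty on gPLink lets the principal link a GPO to this OU; abuse still needs a GPO the principal controls or can create.` The branch presumably relies on the enclosing `else if` chain having already established a WriteProperty-class right, as its WriteAccountRestrictions and WriteMember siblings appear to; that chain and `ProcessACL` both begin and end outside the hunk, so I could not confirm it here. Sites also carry gPLink but no Label for them is visible, which may be deliberate and is worth a note if so.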
@@ -12,7 +12,7 @@ public class ACEGuids
 public const string WriteSPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
 public const string AddKeyPrincipal = "5b47d60f-6090-40b2-9f37-2a4de88f3063";
 public const string UserAccountRestrictions = "4c164200-20c0-11d0-a768-00aa006e0529";
- public const string ManageGPLink = "f30e3bbf-9ff0-11d1-b603-0000f80367c1";
+ public const string WriteGPLink = "f30e3bbf-9ff0-11d1-b603-0000f80367c1";
 
 
 //Cert abuse ACEs
diff --git a/src/CommonLib/Processors/ACLProcessor.cs b/src/CommonLib/Processors/ACLProcessor.cs
index 6a7e5b90..433c4d21 100644
--- a/src/CommonLib/Processors/ACLProcessor.cs
+++ b/src/CommonLib/Processors/ACLProcessor.cs
@@ -419,13 +419,13 @@ or Label.NTAuthStore
 IsInherited = inherited,
 RightName = EdgeNames.WriteAccountRestrictions
 };
- else if (objectType == Label.OU && aceType == ACEGuids.ManageGPLink)
+ else if (objectType == Label.OU && aceType == ACEGuids.WriteGPLink)
 yield return new ACE
 {
 PrincipalType = resolvedPrincipal.ObjectType,
 PrincipalSID = resolvedPrincipal.ObjectIdentifier,
 IsInherited = inherited,
- RightName = EdgeNames.ManageGPLink
+ RightName = EdgeNames.WriteGPLink
 };
 else if (objectType == Label.Group && aceType == ACEGuids.WriteMember)
 yield return new ACE

From 95ca1dea4533952d73f73b206bc3ab6d0c5b2dd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20B=C3=BClow=20Knudsen?= <12843299+JonasBK@users.noreply.github.com>
Date: Wed, 8 May 2024 19:41:46 +0200
Subject: [PATCH 3/4] fix: gPLink guid

---
 src/CommonLib/Processors/ACEGuids.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/CommonLib/Processors/ACEGuids.cs b/src/CommonLib/Processors/ACEGuids.cs
index eb37349c..d3545a91 100644
--- a/src/CommonLib/Processors/ACEGuids.cs
+++ b/src/CommonLib/Processors/ACEGuids.cs
@@ -12,7 +12,7 @@ public class ACEGuids
 public const string WriteSPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
 public const string AddKeyPrincipal = "5b47d60f-6090-40b2-9f37-2a4de88f3063";
 public const string UserAccountRestrictions = "4c164200-20c0-11d0-a768-00aa006e0529";
- public const string WriteGPLink = "f30e3bbf-9ff0-11d1-b603-0000f80367c1";
+ public const string WriteGPLink = "f30e3bbe-9ff0-11d1-b603-0000f80367c1";
 
 
 //Cert abuse ACEs
@@ -21,4 +21,4 @@ public class ACEGuids
 public const string Enroll = "0e10c968-78fb-11d2-90d4-00c04f79dc55";
 public const string AutoEnroll = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"; //TODO: Add this if it becomes abusable
 }
-}
\ No newline at end of file
+}

From eb3af9a1c77db2ca0bbdf54ffad060895f427ec4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20B=C3=BClow=20Knudsen?= <12843299+JonasBK@users.noreply.github.com>
Date: Mon, 13 May 2024 05:35:58 -0700
Subject: [PATCH 4/4] feat: add GenericWrite and WriteGPLink for Domain

---
 src/CommonLib/Processors/ACLProcessor.cs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/CommonLib/Processors/ACLProcessor.cs b/src/CommonLib/Processors/ACLProcessor.cs
index 433c4d21..09ed0549 100644
--- a/src/CommonLib/Processors/ACLProcessor.cs
+++ b/src/CommonLib/Processors/ACLProcessor.cs
@@ -380,6 +380,7 @@ or Label.Group
 or Label.Computer
 or Label.GPO
 or Label.OU
+ or Label.Domain
 or Label.CertTemplate
 or Label.RootCA
 or Label.EnterpriseCA
@@ -419,7 +420,7 @@ or Label.NTAuthStore
 IsInherited = inherited,
 RightName = EdgeNames.WriteAccountRestrictions
 };
- else if (objectType == Label.OU && aceType == ACEGuids.WriteGPLink)
+ else if (objectType is Label.OU or Label.Domain && aceType == ACEGuids.WriteGPLink)
 yield return new ACE
 {
 PrincipalType = resolvedPrincipal.ObjectType,
@@ -601,4 +602,4 @@ public IEnumerable ProcessGMSAReaders(byte[] groupMSAMembership, string obj
 }
 }
 }
-}
\ No newline at end of file
+}
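Review bot: The corrected `WriteGPLink` GUID is still a bare literal with nothing tying it to the gPLink attribute, which is exactly how a one-character slip from `f30e3bbe` to `f30e3bbf` could go unnoticed in the first place; the neighbouring constants have the same weakness. I'd add a trailing comment on the line: `// schemaIDGUID of the gPLink attribute (the ...bbf sibling is a different attribute, I believe gPOptions — confirm against the schema)`. A unit test that feeds a known gPLink WriteProperty ACE through the processor and asserts a WriteGPLink edge would guard this constant better than a comment alone.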
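Review bot: The rewritten condition `objectType is Label.OU or Label.Domain && aceType == ACEGuids.WriteGPLink` depends on the `or` pattern combinator binding tighter than `&&`; it parses as intended, but putting a pattern combinator and a boolean operator on one line is easy to misread as `Label.OU or (Label.Domain && ...)`, so I'd parenthesize the pattern: `else if (objectType is (Label.OU or Label.Domain) && aceType == ACEGuids.WriteGPLink)`. The `else if` chain and the enclosing `ProcessACL` method both start and end outside the hunk. A GPO linked at the domain would generally apply far more widely than one linked to a single OU, so the same edge on a Domain node is presumably much more severe than on an OU; that distinction is worth a short comment on the branch if consumers of the edge are expected to rank it.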