SharpHound2

Added GenericWrite edge for GPOs

Open pkb1s opened this issue 6 years ago • 3 comments

SharpHound currently does not detect Edit Settings permissions on a GPO. However, this level of access can be used as part of an attack path.

The current version of SharpHound generates the following:

[Image: before_genericwrite]

After the changes, the graph includes 2 more users:

[Image: after_genericwrite]

I hope this helps.

Thanks

pkb1s, Jul 30 '19 10:07

Hey @pkb1s, thanks a lot for this PR! Looks very cool and of course your recent blog post about this was very interesting as well. Here's my request before we merge this in: can you create and post a video showing the attack in action, from beginning to end? Showing the specific permissions on the GPO, setting up your dummy domain controller, serving an evil scheduled task, and showing that evil scheduled task running?

andyrobbins, Nov 07 '19 21:11

Hi @andyrobbins, apologies for the delay. I have included the video you requested below: https://www.youtube.com/watch?v=3QSRTUGEzEA

pkb1s, Dec 19 '19 13:12

Excellent, thank you for making that vid, @pkb1s. Very straightforward. We are going to test a few things on our side to confirm but you should expect to see this edge start showing up in the next release.

andyrobbins, Dec 19 '19 21:12