
GenericWrite ACL not collected on OU

Open sploutchy opened this issue 2 years ago • 2 comments

The ACL Processor collects GenericAll, WriteDACL and WriteOwner ACLs on all object types.

For GenericWrite and WriteProperty, it collects the ACLs only for User, Group and Computer (and to some extent GPOs):

https://github.com/BloodHoundAD/SharpHoundCommon/blob/a2cc6c1bff4e3879c9329e89822d7e82e6806911/src/CommonLib/Processors/ACLProcessor.cs#L338-L392

I just stumbled upon a case where Everyone has GenericWrite on an OU; this can be exploited as shown in the following articles:

  • https://labs.withsecure.com/blog/ou-having-a-laugh/
  • https://markgamache.blogspot.com/2020/07/exploiting-ad-gplink-for-good-or-evil.html

I think this edge should also be collected on OUs. What do you think?

Thanks a lot for your great work!

sploutchy avatar Sep 06 '22 11:09 sploutchy
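Added example (not SharpHound or BloodHound code): a quick check for the gap the issue describes, run from a domain-joined PowerShell session with the RSAT ActiveDirectory module. It walks every OU's DACL and reports ACEs that grant GenericWrite, or WriteProperty either unscoped or scoped to gPLink/gPOptions, which is the attribute write the two linked articles abuse to link a GPO. The gPLink and gPOptions GUIDs are resolved from the schema rather than hard-coded; the list of "broad" principals is a constructed starting point, not a complete one. GenericAll, WriteDacl and WriteOwner are already collected by SharpHound and are not the focus here (GenericAll will still show up, since its mapped mask includes WriteProperty).

```powershell
# Added example, not SharpHound/BloodHound code. Assumes the RSAT ActiveDirectory
# module and read access to OU security descriptors (the AD: drive it provides).
Import-Module ActiveDirectory

# Resolve attribute GUIDs from the schema instead of hard-coding them.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$linkAttrs = @{}
foreach ($name in 'gPLink', 'gPOptions') {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $linkAttrs[([guid]$attr.schemaIDGUID).ToString()] = $name
}

# Access-mask bits. AD stores generic rights mapped to specific bits, so the mapped
# GenericWrite value (ReadControl | WriteProperty | Self) is what normally appears;
# the raw GENERIC_WRITE bit is checked too in case an SD was written without mapping.
$WRITE_PROPERTY       = 0x00000020
$GENERIC_WRITE_MAPPED = 0x00020028
$GENERIC_WRITE_RAW    = 0x40000000

# Constructed list of principals that make an OU finding interesting; extend as needed.
$broadPrincipals = '^Everyone$', 'Authenticated Users', 'Domain Users', 'Domain Computers'

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $mask = [int]$ace.ActiveDirectoryRights

        # GenericWrite on the OU object covers every attribute, gPLink included.
        $hasGenericWrite = (($mask -band $GENERIC_WRITE_MAPPED) -eq $GENERIC_WRITE_MAPPED) -or
                           (($mask -band $GENERIC_WRITE_RAW) -ne 0)
        # WriteProperty: an empty ObjectType means "all properties"; otherwise it must
        # name gPLink or gPOptions to matter for GPO linking.
        $hasWriteProp = ($mask -band $WRITE_PROPERTY) -ne 0
        $coversLink   = ($ace.ObjectType -eq [guid]::Empty) -or
                        $linkAttrs.ContainsKey($ace.ObjectType.ToString())

        if (-not ($hasGenericWrite -or ($hasWriteProp -and $coversLink))) { continue }

        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $who
            Broad     = [bool]($broadPrincipals | Where-Object { $who -match $_ })
            Rights    = $ace.ActiveDirectoryRights
            Attribute = if ($ace.ObjectType -eq [guid]::Empty) { '(all)' } else { $linkAttrs[$ace.ObjectType.ToString()] }
            Inherited = $ace.IsInherited
        }
    }
}

# Broad principals first: an Everyone/Authenticated Users hit is the case from this issue.
$findings | Sort-Object Broad -Descending | Format-Table -AutoSize
```

The script only tells you who can write the link attributes; it says nothing about whether the write is actually exploitable in a given environment, which is the point the maintainer raises later in the thread.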

Agree this should be collected on OUs as well if possible

hubert3 avatar Nov 29 '22 16:11 hubert3

I think historically, we've resisted adding this edge because the exploitation of this primitive is very complex and relies on several factors that are hard to enumerate. Maybe it's time we took another look at it, but exploitation is still very complex, relying on the ability to add DNS records or new computers, for example.

rvazarkar avatar Mar 20 '23 19:03 rvazarkar