Inaccurate Attack Path created when ObjectType specified in ACE #613
Comments
Hey @lbrauns, thanks for reporting this. I have Exchange configured in the AD split model in my lab, but I do not have the EXCHANGE RECIPIENT ADMINISTRATORS group at all. I guess it depends on the Exchange version. Is it possible for you to send a screenshot of the ACE(s) the group has on the domain? Potentially from ldp.exe. Then I will try to create it manually in my lab.
Oh, you added the ACE. Never mind!
I just confirmed in my lab that these edges are being generated when creating the given ACE granted to a user, and the user is not able to modify the DACL or change the owner. When I remove the object type, then I can do those things. So it seems we should confirm that object type is not set before creating WriteDacl and WriteOwner edges. Do you agree @lbrauns?
Just confirmed that a clean WriteDacl ACE does not work when object type is set.
I am not sure if it is sufficient to check for the presence of an object type. The GUID map of the directory contains abusable object types as well, for example
Yes, you are right. We should only avoid creating WriteDacl and WriteOwner if an object type is set. Maybe also GenericAll - I need to test that. We should still create edges like WriteAccountRestrictions that depend on the object type being set 👍
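The rule the two comments above converge on, written out as an added example that is not BloodHound's own edge-creation code: WriteDacl, WriteOwner (and GenericAll, which the thread still had to test) are emitted only when the ACE carries no ObjectType, while a scoped ACE yields an edge only when its GUID is one known to be abusable, so the Exchange class ACE from the report produces nothing. The access-mask bits and ACE flag bits are the Windows SDK values; the three abusable GUIDs are the well-known schema values for User-Force-Change-Password, the member attribute and the User-Account-Restrictions property set (verify them against your own forest's schema); the GUID used for ms-Exch-Dynamic-Distribution-List is a constructed placeholder because the page does not give the real one, and the ACEs fed to it are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Access-mask bits as defined in MS-ADTS / the Windows SDK.
const (
	RightCreateChild   uint32 = 0x00000001 // ADS_RIGHT_DS_CREATE_CHILD
	RightDeleteChild   uint32 = 0x00000002 // ADS_RIGHT_DS_DELETE_CHILD
	RightSelf          uint32 = 0x00000008 // ADS_RIGHT_DS_SELF (validated write)
	RightWriteProp     uint32 = 0x00000020 // ADS_RIGHT_DS_WRITE_PROP
	RightDeleteTree    uint32 = 0x00000040 // ADS_RIGHT_DS_DELETE_TREE
	RightControlAccess uint32 = 0x00000100 // ADS_RIGHT_DS_CONTROL_ACCESS (extended right)
	RightDelete        uint32 = 0x00010000 // DELETE
	RightWriteDacl     uint32 = 0x00040000 // WRITE_DAC
	RightWriteOwner    uint32 = 0x00080000 // WRITE_OWNER
	RightGenericAll    uint32 = 0x10000000 // GENERIC_ALL
)

// Flags field of an ACCESS_ALLOWED_OBJECT_ACE. The ObjectType GUID only
// means something when AceObjectTypePresent is set; keying on the GUID
// string alone misreads ACEs whose GUID bytes are stale.
const (
	AceObjectTypePresent          uint32 = 0x1
	AceInheritedObjectTypePresent uint32 = 0x2
)

// ObjectType GUIDs that do map to abusable edges (well-known schema values;
// check them against your forest), plus a CONSTRUCTED placeholder for the
// ms-Exch-Dynamic-Distribution-List class, whose real GUID the report omits.
const (
	GuidForceChangePassword        = "00299570-246d-11d0-a768-00aa006e0529" // User-Force-Change-Password
	GuidMember                     = "bf9679c0-0de6-11d0-a285-00aa003049e2" // member attribute
	GuidUserAccountRestrictions    = "4c164200-20c0-11d0-a768-00aa006e0529" // User-Account-Restrictions property set
	GuidMsExchDynamicDLPlaceholder = "00000000-0000-4000-8000-000000000001" // constructed, not the real GUID
)

// ReportedMask is the right set from the issue: CreateChild, DeleteChild, Self,
// WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner.
const ReportedMask = RightCreateChild | RightDeleteChild | RightSelf | RightWriteProp |
	RightDeleteTree | RightControlAccess | RightDelete | RightWriteDacl | RightWriteOwner

// ACE is the subset of an object ACE that matters for edge creation.
type ACE struct {
	Principal  string
	Mask       uint32
	Flags      uint32
	ObjectType string // GUID text; ignored unless Flags has AceObjectTypePresent
}

// scope returns the effective ObjectType, or "" for an unscoped ACE.
func (a ACE) scope() string {
	if a.Flags&AceObjectTypePresent == 0 {
		return ""
	}
	return strings.ToLower(a.ObjectType)
}

// EdgesForACE emits WriteDacl/WriteOwner/GenericAll only for unscoped ACEs;
// a scoped ACE yields an edge only when its GUID is a known abusable one.
func EdgesForACE(a ACE) []string {
	var edges []string
	ot := a.scope()
	if ot == "" {
		if a.Mask&RightGenericAll != 0 {
			return []string{"GenericAll"}
		}
		if a.Mask&RightWriteDacl != 0 {
			edges = append(edges, "WriteDacl")
		}
		if a.Mask&RightWriteOwner != 0 {
			edges = append(edges, "WriteOwner")
		}
		return edges
	}
	// Assumption: inside a scoped ACE, GENERIC_ALL covers the property write
	// or control-access right for that single ObjectType.
	canWrite := a.Mask&(RightWriteProp|RightGenericAll) != 0
	canControl := a.Mask&(RightControlAccess|RightGenericAll) != 0
	switch ot {
	case GuidForceChangePassword:
		if canControl {
			edges = append(edges, "ForceChangePassword")
		}
	case GuidMember:
		if canWrite {
			edges = append(edges, "AddMember")
		}
	case GuidUserAccountRestrictions:
		if canWrite {
			edges = append(edges, "WriteAccountRestrictions")
		}
	}
	return edges
}

func main() {
	// Constructed ACEs: the one from the report, then the same rights unscoped.
	samples := []ACE{
		{"EXCHANGE RECIPIENT ADMINISTRATORS", ReportedMask, AceObjectTypePresent, GuidMsExchDynamicDLPlaceholder},
		{"EXCHANGE RECIPIENT ADMINISTRATORS", ReportedMask, 0, ""},
	}
	for _, s := range samples {
		fmt.Printf("%-34s scope=%q edges=%v\n", s.Principal, s.scope(), EdgesForACE(s))
	}
}
```

The first sample is the reporter's ACE and yields no edges; the second, identical except for the missing ObjectType, yields WriteDacl and WriteOwner. Note that the presence check reads the ACE flag, not the GUID string, and that the allow-list for scoped GUIDs is the part that still has to grow as the project decides which object types it considers abusable.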
Description:
In the domain I am analyzing (BHE), the EXCHANGE RECIPIENT ADMINISTRATORS group is shown with a lot of WriteDacl and WriteOwner edges, even to the domain root object:
The only existing ACLs that could produce this edge are ACLs on the domain root object where EXCHANGE RECIPIENT ADMINISTRATORS receives
CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner
on the object type ms-Exch-Dynamic-Distribution-List.
Full ACL:
In this case the EXCHANGE RECIPIENT ADMINISTRATORS group comes from a parent domain and the privileges are present on the child domain root object; this might be relevant.
This is a false positive and creates a LOT of unnecessary edges.
Expected Behavior:
Edges should not be created, as permissions on the object type ms-Exch-Dynamic-Distribution-List are not abusable.
Actual Behavior:
EXCHANGE RECIPIENT ADMINISTRATORS shows outbound control over all objects in the domain.
Environment Information:
BloodHound: Bloodhound Enterprise
Collector: Sharphound 2.3.10.0