From 6169b365d0c925d7e08bb320af0fa890145788d9 Mon Sep 17 00:00:00 2001
From: N7WEra <59871507+N7WEra@users.noreply.github.com>
Date: Thu, 11 Feb 2021 09:54:47 +0000
Subject: [PATCH 1/5] Added a table to visualise the differences in collection
 methods

---
 docs/data-collection/sharphound-all-flags.rst | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/docs/data-collection/sharphound-all-flags.rst b/docs/data-collection/sharphound-all-flags.rst
index 387509d86..9fce3c0ef 100644
--- a/docs/data-collection/sharphound-all-flags.rst
+++ b/docs/data-collection/sharphound-all-flags.rst
@@ -56,6 +56,30 @@ Here are the less common CollectionMethods and what they do:
 * **ObjectProps** - Performs Object Properties collection for properties 
   such as LastLogon or PwdLastSet
 
+Table to demonstrate the differences
+------------------------------------
+
+|                                                                    | Default | All | DCOnly | ComputerOnly | Session | LoggedOn** | Group | ACL | GPOLocalGroup | Trusts | Container | LocalGroup | LocalAdmin | RDP | DCOM | PSRemote | ObjectProps |
+|:------------------------------------------------------------------:|:-------:|:---:|:------:|:------------:|:-------:|:----------:|:-----:|:---:|:-------------:|:------:|:---------:|:----------:|:----------:|:---:|:----:|:--------:|:-----------:|
+|                      Security group membership                     |    X    |  X  |    X   |              |         |      X     |   X   |     |               |        |           |            |            |     |      |          |             |
+|                            Domain Trusts                           |    X    |  X  |    X   |              |         |      X     |       |     |               |    X   |           |            |            |     |      |          |             |
+|                 abusable permissions on AD objects                 |    X    |  X  |    X   |              |         |      X     |       |  X  |               |        |           |            |            |     |      |          |             |
+|                          OU tree structure                         |    X    |  X  |    X   |              |         |      X     |       |     |               |        |     X     |            |            |     |      |          |             |
+|                         Group Policy links                         |    X    |  X  |    X   |              |         |      X     |       |     |               |        |     X     |            |            |     |      |          |             |
+|                        AD object properties                        |    X    |  X  |    X   |              |         |      X     |       |     |               |        |           |            |            |     |      |          |             |
+| Correlate Group Policy-enforced local groups to affected computers |    X    |     |    X   |              |         |            |       |     |       X       |        |           |            |            |     |      |          |             |
+|                            Local Groups                            |    X    |  X  |        |       X      |         |      X     |       |     |               |        |           |            |            |     |      |          |             |
+|                            User Session                            |    X    |  X  |        |       X      |    X    |      X     |       |     |               |        |           |            |            |     |      |          |             |
+|                            Local Admins                            |    X    |  X  |        |              |         |            |       |     |               |        |           |      X     |      X     |     |      |          |             |
+|                        RDP group membership                        |         |  X  |        |              |         |            |       |     |               |        |           |      X     |            |  X  |      |          |             |
+|                        DCOM group membership                       |         |  X  |        |              |         |            |       |     |               |        |           |      X     |            |     |   X  |          |             |
+|                      PSRemote group membership                     |         |  X  |        |              |         |            |       |     |               |        |           |      X     |            |     |      |     X    |             |
+|                            ObjectProps**                           |         |  X  |        |              |         |            |       |     |               |        |           |            |            |     |      |          |      X      |
+
+*Does session collection using the privileged collection method. Use this if you are running as a user with local admin rights on lots of systems for the best user session data.
+*ObjectProps - Performs Object Properties collection for properties such as LastLogon or PwdLastSet
+
+
 Domain
 ------
 

From f29c430aa6d2da0cc0083eba788781a7db015682 Mon Sep 17 00:00:00 2001
From: Nicolas CARPi <nico-git@deltablot.email>
Date: Wed, 3 Mar 2021 14:33:06 +0100
Subject: [PATCH 2/5] Remove .DS_Store and add it to git ignored files

---
 .DS_Store  | Bin 6148 -> 0 bytes
 .gitignore |   1 +
 2 files changed, 1 insertion(+)
 delete mode 100644 .DS_Store

diff --git a/.DS_Store b/.DS_Store
deleted file mode 100644
index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3
zem<@ulZcFPQ@L2!n>{z**<q8>++&mCkOWA81W14cNZ<zv;LbK1Poaz?KmsK2CSc!(
z0ynLxE!0092;Krf2c+FF_Fe*7ECH>lEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ
zLs35+`xjp>T0<F0fCPF1$Cyrb|F7^5{eNG?83~ZUUlGt@xh*qZDeu<Z%US-OSsOPv
j)R!Z4KLME7ReXlK;d!wEw5GODWMKRea10D2@KpjYNUI8I

diff --git a/.gitignore b/.gitignore
index fe562ab74..2b4c06d38 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ npm-debug.log
 *.bin
 *.csv
 graph.json
+.DS_Store

From 98cfb07bcdaa0a960ffd5bb77c65d06e20d8d686 Mon Sep 17 00:00:00 2001
From: Pixis <hackndo@gmail.com>
Date: Fri, 2 Apr 2021 21:13:19 +0200
Subject: [PATCH 3/5] Fix missing pipe

---
 src/components/SearchContainer/Tabs/AZServicePrincipal.jsx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx b/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx
index f167267a2..397cc0bd9 100644
--- a/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx
+++ b/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx
@@ -149,7 +149,7 @@ const AZServicePrincipalNodeData = () => {
                                     property='First Degree Object Control'
                                     target={objectid}
                                     baseQuery={
-                                        'MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor]->(n)'
+                                        'MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor]->(n)'
                                     }
                                     start={label}
                                     distinct
@@ -158,7 +158,7 @@ const AZServicePrincipalNodeData = () => {
                                     property='Group Delegated Object Control'
                                     target={objectid}
                                     baseQuery={
-                                        'MATCH p = (g1:AZServicePrincipal {objectid: $objectid})-[r1:MemberOf*1..]->(g2)-[r2:AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor]->(n)'
+                                        'MATCH p = (g1:AZServicePrincipal {objectid: $objectid})-[r1:MemberOf*1..]->(g2)-[r2:AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor]->(n)'
                                     }
                                     start={label}
                                     distinct
@@ -167,7 +167,7 @@ const AZServicePrincipalNodeData = () => {
                                     property='Transitive Object Control'
                                     target={objectid}
                                     baseQuery={
-                                        'MATCH (n) WHERE NOT n.objectid=$objectid WITH n MATCH p = shortestPath((g:AZServicePrincipal {objectid: $objectid})-[r:AZMemberOf|AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor*1..]->(n))'
+                                        'MATCH (n) WHERE NOT n.objectid=$objectid WITH n MATCH p = shortestPath((g:AZServicePrincipal {objectid: $objectid})-[r:AZMemberOf|AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor*1..]->(n))'
                                     }
                                     start={label}
                                     distinct

From cb89d99bf731da0bcf726d72a7849b352f5471ad Mon Sep 17 00:00:00 2001
From: Andy Robbins <robbins.andy@gmail.com>
Date: Thu, 15 Jul 2021 10:55:08 -0700
Subject: [PATCH 4/5] Fix inner if check for group member OnPremID

---
 src/js/newingestion.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/js/newingestion.js b/src/js/newingestion.js
index 8ecdf9d02..63d6cd5b9 100644
--- a/src/js/newingestion.js
+++ b/src/js/newingestion.js
@@ -1147,7 +1147,7 @@ export function buildAzureGroupMembers(chunk) {
             let type = row.MemberType.toUpperCase();
             if (row.GroupOnPremID === null) {
                 if (type === 'GROUP') {
-                    if (row.GroupOnPremID === null) {
+                    if (row.MemberOnPremID === null) {
                         format[0] = 'AZGroup';
                         format[1] = 'AZGroup';
                         insertNew(queries, format, {
@@ -1163,7 +1163,7 @@ export function buildAzureGroupMembers(chunk) {
                         });
                     }
                 } else if (type === 'USER') {
-                    if (row.GroupOnPremID === null) {
+                    if (row.MemberOnPremID === null) {
                         format[0] = 'AZUser';
                         format[1] = 'AZGroup';
                         insertNew(queries, format, {

From c5e79c6902ad253bf57a26364aa531285bf35e9c Mon Sep 17 00:00:00 2001
From: Andy Robbins <robbins.andy@gmail.com>
Date: Thu, 15 Jul 2021 11:02:38 -0700
Subject: [PATCH 5/5] Fix device owner OnPremID check to avoid making duplicate
 nodes

---
 src/js/newingestion.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/js/newingestion.js b/src/js/newingestion.js
index 63d6cd5b9..e18a9b366 100644
--- a/src/js/newingestion.js
+++ b/src/js/newingestion.js
@@ -693,7 +693,7 @@ export function buildAzureDevices(chunk) {
                 name: row.DeviceDisplayname.toUpperCase(),
             });
 
-            if (row.OwnerID !== null) {
+            if (row.OwnerID !== null && row.OwnerOnPremID == null) {
                 format[0] = 'AZUser';
                 insertNew(queries, format, {
                     source: row.OwnerID.toUpperCase(),