Adding abuse guidance from UNIX-like hosts

[ShutdownRepo]

Adding abuse guidance from UNIX-like systems for many edges referring to the progress that has been made these last few years to support AD attacks from linux (e.g. mindmap at https://www.thehacker.recipes/ad/movement/dacl for the DACL abuse).

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[ShutdownRepo]

I have read the CLA Document and I hereby sign the CLA

[rvazarkar]

This is an insane PR. We'll need to review this, but thanks for doing all this work

[ShutdownRepo]

This is an insane PR. We'll need to review this, but thanks for doing all this work

Sure, feel free to ping if there's anything I can do
BloodHound is an awesome tool, and given the time I spend using it, it's only normal I contribute to it whoever I can

[andyrobbins]

This is stunning work, Charlie, thank you so much for this PR.

[eladshamir]

The abuse for AllowedToAct is similar to AllowedToDelegate - creating a computer account is irrelevant

[eladshamir]

In DCSync, GetChanges, and GetChangesAll abuse, change secretsdump to secretsdump.py

[eladshamir]

GenericAll, GenericWrite, Owns, WriteOwner, and WriteDacl are missing the rbcd.py step in the RBCD section for computer nodes

[eladshamir]

The syntax for laps.py seems to be incorrect. The --action argument is not recognized.

[eladshamir]

Nice work @ShutdownRepo!
I started reviewing the code and suggested some minor changes (see above).

[eladshamir]

Opening the help modal for the following edges results in a blank screen:

• AddAllowedToAct
• AllExtendedRights to a Group node
• AllExtendedRights to an OU node
• GenericWrite to an OU node
• WriteSPN

[ShutdownRepo]

Fixed #625 (review), #625 (review), #625 (review), #625 (review)

Regarding the issue below:

Opening the help modal for the following edges results in a blank screen:

* AddAllowedToAct

* AllExtendedRights to a Group node

* AllExtendedRights to an OU node

* GenericWrite to an OU node

* WriteSPN

Do you know what's causing it? I could try to fix it right away if you do. If not, I should be able to take a look this weekend or next week.

[eladshamir]

Fixed #625 (review), #625 (review), #625 (review), #625 (review)

Regarding the issue below:

Opening the help modal for the following edges results in a blank screen:

* AddAllowedToAct

* AllExtendedRights to a Group node

* AllExtendedRights to an OU node

* GenericWrite to an OU node

* WriteSPN

Do you know what's causing it? I could try to fix it right away if you do. If not, I should be able to take a look this weekend or next week.

I'm not sure why that happens.
@rvazarkar @andyrobbins Do you have any idea?

[andyrobbins]

Yup, I believe I know how to fix this. I'm going to try to fix this within the PR this week.

[andyrobbins]

Part of the issue is that when we click an edge and create the help text modal, the abuse text is dynamically created based on the target node type. We don't want to show you the "GenericWrite" info for a group if the edge is against a user. for example.

If you look at https://github.com/BloodHoundAD/BloodHound/blob/master/src/components/Modals/HelpTexts/AllExtendedRights/Abuse.jsx you'll see that there is no logic in the case statement for when the target node type is a Group or OU. This is why the application crashes, there's no graceful way we handle when the target node isn't part of the case statement.

The fix will be to modify the relevant Abuse.jsx (LinuxAbuse.jsx and WindowsAbuse.jsx) files to include these target node label types, with information about how the edge is abusable against those particular objects.

AllExtendedRights I'm 99% sure grants you the ability to add members to groups, but I want to validate that.

@ShutdownRepo @eladshamir questions for y'all:
AllExtendedRights against an OU -- what is the abuse there? How do you take control of a child object (User or Computer) under such an OU when you have AllExtendedRights against the OU and NOT against the child objects? If the answer is to modify the gplink attribute to have a new evil GPO apply to those objects, is there practical tooling out there for this abuse that doesn't break group policy in such a way that the legit group policies no longer apply to these objects?

Same question for GenericWrite against an OU.

I'm not quite sure what's causing the crash with WriteSPN and AddAllowedToAct, will build from this PR and try to investigate that as soon as possible.

[ShutdownRepo]

AllExtendedRights I'm 99% sure grants you the ability to add members to groups, but I want to validate that.

As far as I know, yes it does

@ShutdownRepo @eladshamir questions for y'all: AllExtendedRights against an OU -- what is the abuse there? How do you take control of a child object (User or Computer) under such an OU when you have AllExtendedRights against the OU and NOT against the child objects? If the answer is to modify the gplink attribute to have a new evil GPO apply to those objects, is there practical tooling out there for this abuse that doesn't break group policy in such a way that the legit group policies no longer apply to these objects?

Same question for GenericWrite against an OU.

The only attacks I know abusing ACEs targeting OUs and Containers are limited to WriteDACL allowing to edit the child objects' DACL when inheritance is set. I didn't test the scenarios you're mentioning.

[JonasBK]

Hey y’all,

I have tested AllExtendedRights against a Group node. When you assign the privilege in Users and Computers, the add member privilege is NOT added, unlike when you grant full control, etc.. I verified by testing that I could not add members.

SharpHound will not create the AllExtendedRights edge to Groups - only to Users, Computers, and Domains: https://github.com/BloodHoundAD/SharpHoundCommon/blob/main/src/CommonLib/Processors/ACLProcessor.cs#L256. However, the docs for AllExtendedRights do include Group but not Domain: https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#allextendedrights. I will fix that in a separate commit.

We should not have AllExtendedRights and GenericWrite against OUs, as the GPO attack primitive requires that the principal also have the privilege to create GPOs or modify existing ones. So AllExtendedRights and GenericWrite against OUs will create false positives unless there is another attack primitive. SharpHound and the docs are correct regarding these two. Someday, we should find a way to show if a principal has all the privileges required to perform the GPO attack.

The AddAllowedToAct issue is not related to this PR. I have fixed that in a new 4.3.1 branch: 5f1452a

I have changed the PR to be merged into the new 4.3.1 branch and accepted the PR.

The WriteSPN issue was a simple bug now fixed with this commit: 6aefe2c.

Thanks again for your contribution @ShutdownRepo!

[JonasBK]

I just learned that it is also possible to abuse AllExtendedRights and GenericWrite against an OU if you can edit DNS records and create computer accounts: https://labs.withsecure.com/publications/ou-having-a-laugh.

That makes it a bit more likely that the privilege is abusable, but I still believe the right approach is to collect the information we need and create a new edge type with post-processing logic