fix: paths to Operators groups (#110)

* Bug fix operators * Fix variables to merge with commit ae01477 --------- Co-authored-by: Jean-Michel Besnard <33101987+jmbesnard@users.noreply.github.com>
Mazars-Tech · Dec 20, 2023 · 239cada · 239cada
1 parent 652102f
commit 239cada
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/ad_miner/sources/modules/neo4j_class.py b/ad_miner/sources/modules/neo4j_class.py
@@ -138,7 +138,7 @@ def __init__(self, arguments, extract_date_int, boolean_azure):
         self.password_renewal = int(arguments.renewal_password)
 
         properties = "MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote|AddSelf|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|CanExtractDCSecrets|CanLoadCode|CanLogOnLocallyOnDC|UnconstrainedDelegations|WriteAccountRestrictions|DumpSMSAPassword|Synced"
-        path_to_group_operators_props = properties.replace('|CanExtractDCSecrets','')
+        path_to_group_operators_props = properties.replace('|CanExtractDCSecrets|CanLoadCode|CanLogOnLocallyOnDC','')
 
         if boolean_azure:
             properties += "|AZAKSContributor|AZAddMembers|AZAddOwner|AZAddSecret|AZAutomationContributor|AZAvereContributor|AZCloudAppAdmin|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZHasRole|AZKeyVaultContributor|AZLogicAppContributor|AZMGAddMember|AZMGAddOwner|AZMGAddSecret|AZMGAppRoleAssignment_ReadWrite_All|AZMGApplication_ReadWrite_All|AZMGDirectory_ReadWrite_All|AZMGGrantAppRoles|AZMGGrantRole|AZMGGroupMember_ReadWrite_All|AZMGGroup_ReadWrite_All|AZMGRoleManagement_ReadWrite_Directory|AZMGServicePrincipalEndpoint_ReadWrite_All|AZManagedIdentity|AZMemberOf|AZNodeResourceGroup|AZOwner|AZOwns|AZPrivilegedAuthAdmin|AZPrivilegedRoleAdmin|AZResetPassword|AZRunAs|AZScopedTo|AZUserAccessAdministrator|AZVMAdminLogin|AZVMContributor|AZWebsiteContributor"

diff --git a/ad_miner/sources/modules/requests.json b/ad_miner/sources/modules/requests.json
@@ -608,14 +608,14 @@
     },
     "objects_to_operators_member": {
         "name": "Unprivileged users with path to an Operator Member",
-        "request": "MATCH (m:User{path_candidate:true}) WHERE NOT m.name CONTAINS \"MSOL_\" WITH m ORDER BY m.name SKIP PARAM1 LIMIT PARAM2 MATCH p = shortestPath((m)-[r:$path_to_group_operators_props$*1..$recursive_level$]->(o:User{is_operator_member:true})) WHERE m<>o AND NOT m.name CONTAINS \"MSOL_\" AND ((o.is_da=true AND o.domain<>m.domain) OR (o.is_da=false AND o.domain=m.domain)) RETURN DISTINCT(p) as p",
+        "request": "MATCH (m:User{path_candidate:true}) WHERE NOT m.name CONTAINS \"MSOL_\" WITH m ORDER BY m.name SKIP PARAM1 LIMIT PARAM2 MATCH p = shortestPath((m)-[r:$path_to_group_operators_props$*1..$recursive_level$]->(o:User{is_operator_member:true})) WHERE m<>o AND NOT m.name CONTAINS \"MSOL_\" AND ((o.is_da=true AND o.domain<>m.domain) OR (o.is_da=false)) RETURN DISTINCT(p) as p",
         "output_type": "Graph", 
         "scope_query": "MATCH (m:User{path_candidate:true}) WHERE NOT m.name CONTAINS 'MSOL_' RETURN count(m)",
         "_comment": "TODO: table with type, account name, is_da (star) and the number of path towards it"
     },
     "objects_to_operators_groups": {
         "name": "Operator Member path to Operators Groups",
-        "request": "MATCH (m:User{is_operator_member:true}) WITH m ORDER BY m.name SKIP PARAM1 LIMIT PARAM2 MATCH p = shortestPath((m)-[r:MemberOf*1..$recursive_level$]->(o:Group{is_group_operator:true})) WHERE NOT m.name CONTAINS \"MSOL_\" AND ((m.is_da=true AND o.domain<>m.domain) OR (m.is_da=false AND o.domain=m.domain)) RETURN DISTINCT(p) as p",
+        "request": "MATCH (m:User{is_operator_member:true}) WITH m ORDER BY m.name SKIP PARAM1 LIMIT PARAM2 MATCH p = shortestPath((m)-[r:MemberOf*1..$recursive_level$]->(o:Group{is_group_operator:true})) WHERE NOT m.name CONTAINS \"MSOL_\" AND ((m.is_da=true AND o.domain<>m.domain) OR (m.is_da=false)) RETURN DISTINCT(p) as p",
         "output_type": "Graph", 
         "scope_query": "MATCH (m:User{is_operator_member:true}) WHERE NOT m.name CONTAINS 'MSOL_' RETURN count(m)",
         "_comment": "TODO: table with type, account name, is_da (star) and the number of path towards it"

diff --git a/ad_miner/sources/modules/users.py b/ad_miner/sources/modules/users.py
@@ -1260,7 +1260,16 @@ def generatePathToOperatorsMember(self, domain):
                 }
         # print(data)
         for path in self.objects_to_operators_member: 
-            data[path.nodes[-1].name]["paths"].append(path)
+            try:
+                data[path.nodes[-1].name]["paths"].append(path)
+            except KeyError: # Really **should not** happen, but to prevent crash in case of corrupted cache/db 
+                data[path.nodes[-1].name] = {
+                    "domain": '<i class="bi bi-globe2"></i> ' + path.nodes[-1].domain,
+                    "name": '<i class="bi bi-people-fill"></i> ' + path.nodes[-1].name,
+                    "link": quote(str(path.nodes[-1].name)),
+                    "target": [""],
+                    "paths": [path]
+                }
 
         # Build grid data
         grid_data = []