feat: new neo4j requests

Mazars-Tech · Nov 8, 2023 · a902de9 · a902de9
1 parent 0c1da89
commit a902de9
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 6 deletions.
diff --git a/ad_miner/sources/modules/config.json b/ad_miner/sources/modules/config.json
@@ -102,7 +102,8 @@
         "objects_to_operators_member": "true",
         "vuln_permissions_adminsdholder": "true",
         "da_to_da": "true",
-        "group_anomaly_acl": "true",
+        "group_anomaly_acl_1": "true",
+        "group_anomaly_acl_2": "true",
         "get_empty_groups": "true",
         "get_empty_ous": "true",
         "has_sid_history": "true",

diff --git a/ad_miner/sources/modules/requests.json b/ad_miner/sources/modules/requests.json
@@ -597,9 +597,14 @@
         "request": "MATCH p=allShortestPaths((g:Group{is_dag:true})-[r:$properties*1..$recursive_level]->(gg:Group{is_dag:true})) WHERE g<>gg AND g.domain <> gg.domain RETURN p",
         "output_type": "Graph"
     },
-    "group_anomaly_acl": {
-        "name": "group_anomaly_acl",
-        "request": "MATCH (gg:Group) WHERE EXISTS(gg.members_count) with gg as g order by gg.members_count DESC LIMIT 10000 MATCH (g)-[r2{isacl:true}]->(n) RETURN g.members_count,n.name,g.name, type(r2) order by g.members_count DESC",
+    "group_anomaly_acl_1": {
+        "name": "group_anomaly_acl_1",
+        "request": "MATCH (gg) WHERE NOT gg:Group with gg as g MATCH (g)-[r2{isacl:true}]->(n) WHERE ((g.is_da IS NULL OR g.is_da=FALSE) AND (g.is_dc IS NULL OR g.is_dc=FALSE)) OR (NOT n.domain CONTAINS '.' + g.domain AND n.domain <> g.domain) RETURN n.name,g.name, type(r2)",
+        "output_type": "dict"
+    },
+    "group_anomaly_acl_2": {
+        "name": "group_anomaly_acl_2",
+        "request": "MATCH (gg:Group) WHERE EXISTS(gg.members_count) with gg as g order by gg.members_count DESC MATCH (g)-[r2{isacl:true}]->(n) WHERE ((g.is_da IS NULL OR g.is_da=FALSE) AND (g.is_dc IS NULL OR g.is_dc=FALSE)) OR (NOT n.domain CONTAINS '.' + g.domain AND n.domain <> g.domain) RETURN g.members_count,n.name,g.name, type(r2) order by g.members_count DESC",
         "output_type": "dict"
     },
     "get_empty_groups": {

diff --git a/ad_miner/sources/modules/users.py b/ad_miner/sources/modules/users.py
@@ -84,7 +84,8 @@ def __init__(self, arguments, neo4j, domain):
         else:
             self.users_dc_impersonation_count=0
 
-        self.group_anomaly_acl = neo4j.all_requests["group_anomaly_acl"]["result"]
+        self.group_anomaly_acl_1 = neo4j.all_requests["group_anomaly_acl_1"]["result"]
+        self.group_anomaly_acl_2 = neo4j.all_requests["group_anomaly_acl_2"]["result"]
 
         # users_can_impersonate_to_count = generic_computing.getCountValueFromKey(self.users_dc_impersonation, 'name')
         # self.users_can_impersonate_count = len(users_can_impersonate_to_count) if self.users_dc_impersonation is not None else None
@@ -1452,20 +1453,27 @@ def generatePasswordNotRequiredPage(self):
 
     def genGroupAnomalyAcl(self, domain):
 
-        if self.group_anomaly_acl is None:
+        if self.group_anomaly_acl_1 is None and self.group_anomaly_acl_2 is None:
             page = Page(
             self.arguments.cache_prefix, "group_anomaly_acl", "Group Anomaly ACL", "group_anomaly_acl"
         )
             page.render()
             return 0
 
+        for each in range(len(self.group_anomaly_acl_1)):
+            self.group_anomaly_acl_1[each]['g.members_count'] = '-'
+
+        self.group_anomaly_acl = self.group_anomaly_acl_1 + self.group_anomaly_acl_2
+
         formated_data_details = []
         formated_data = {}
         group_anomaly_acl_extract = []
 
         for k in range(len(self.group_anomaly_acl)):
             if formated_data.get(self.group_anomaly_acl[k]["g.name"]) and formated_data[self.group_anomaly_acl[k]["g.name"]]["type"] == self.group_anomaly_acl[k]["type(r2)"]:
                 formated_data[self.group_anomaly_acl[k]["g.name"]]["targets"].append(self.group_anomaly_acl[k]["n.name"])
+            elif formated_data.get(self.group_anomaly_acl[k]["g.name"]) and formated_data[self.group_anomaly_acl[k]["g.name"]]["targets"] == [self.group_anomaly_acl[k]["n.name"]] and self.group_anomaly_acl[k]["type(r2)"] not in formated_data[self.group_anomaly_acl[k]["g.name"]]["type"] :
+                formated_data[self.group_anomaly_acl[k]["g.name"]]["type"] += f" | {self.group_anomaly_acl[k]['type(r2)']}"
             else:
                 formated_data[self.group_anomaly_acl[k]["g.name"]] = {
                     "name": self.group_anomaly_acl[k]["g.name"],