Hey there,
Great job with Certipy! It's making it much easier for people to analyze attack paths that include abusing ADCS configurations.
The logic for determining whether the AD object listed as the Identity Reference on an ACE or the Owner on the DACL is here: https://github.com/ly4k/Certipy/blob/main/certipy/find.py#L566-L581
However, this logic sometimes does not correctly determine whether the object is a Group (screenshot shows output from Certipy, showing the Domain Users SID as being a "User").
This causes the node in the neo4j database to have two labels if the user has also imported data from SharpHound output. Then, queries involving traversing group delegated privilege relationships break, as neo4j doesn't disambiguate between a node being one label or the other.
I might recommend using SAMAccountType instead of objectClass for determining what type of object a SID is associated with. You can see an example of how we do this in SharpHound here: https://github.com/BloodHoundAD/SharpHoundCommon/blob/7e32afd73eccb8656be728c6e3565ea41353e926/test/unit/LDAPFilterTest.cs
Thanks and great work with Certipy!
Andy
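
The sAMAccountType approach suggested in the issue above, sketched in Python as an added example (not code from Certipy or SharpHound). The numeric values are Microsoft's documented sAMAccountType constants; the label names, the `label_from_entry` helper and the sample entries are assumptions made for illustration.

```python
# Added example, not Certipy or SharpHound code.
# Keys are the sAMAccountType values documented by Microsoft for Active Directory.
SAM_TYPE_LABELS = {
    0x10000000: "Group",     # SAM_GROUP_OBJECT (global/universal security group)
    0x10000001: "Group",     # SAM_NON_SECURITY_GROUP_OBJECT (distribution group)
    0x20000000: "Group",     # SAM_ALIAS_OBJECT (domain local security group)
    0x20000001: "Group",     # SAM_NON_SECURITY_ALIAS_OBJECT
    0x30000000: "User",      # SAM_NORMAL_USER_ACCOUNT
    0x30000001: "Computer",  # SAM_MACHINE_ACCOUNT
}


def label_from_entry(attrs):
    """Return a graph label for one LDAP entry (hypothetical helper).

    attrs maps attribute names to values. LDAP libraries may return the
    value as int, str, bytes, or a one-element list of those, so all are
    normalised here. When the attribute is absent or not recognised the
    result is "Unknown" rather than a guessed default, so a wrong label
    is never merged onto a node that another collector already typed.
    """
    raw = attrs.get("sAMAccountType")
    if isinstance(raw, (list, tuple)):
        raw = raw[0] if raw else None
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", errors="replace")
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return "Unknown"
    return SAM_TYPE_LABELS.get(value, "Unknown")


# Constructed sample entries (names and domain are made up for the example).
SAMPLE_ENTRIES = {
    "DOMAIN USERS@CORP.EXAMPLE": {"objectClass": ["top", "group"],
                                  "sAMAccountType": "268435456"},
    "WS01$@CORP.EXAMPLE": {"objectClass": ["top", "person", "organizationalPerson",
                                           "user", "computer"],
                           "sAMAccountType": [b"805306369"]},
    "ALICE@CORP.EXAMPLE": {"objectClass": ["top", "person", "organizationalPerson",
                                           "user"],
                           "sAMAccountType": 805306368},
    "NO-SAM-TYPE@CORP.EXAMPLE": {"objectClass": ["top", "foreignSecurityPrincipal"]},
}


def label_all(entries):
    """Label every entry in a name -> attributes mapping."""
    return {name: label_from_entry(attrs) for name, attrs in entries.items()}
```

The computer entry shows why a membership test on objectClass is fragile: computer objects also carry the `user` class, while sAMAccountType gives one unambiguous value per object.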