Open
Labels: enhancement (New feature or request)
Description
During an audit, I discovered:
- a GPO folder writable by "Domain Users" located at \\corp.lo\SYSVOL\corp.lo\Policies\{00D0CA88-64A5-4765-A9C5-7CA0D8C27265}\
- a script in \\corp.lo\SYSVOL\corp.lo\scripts\xxxxx.vbs, also writable by "Domain Users"
It would be a good idea to collect the ACLs of SMB shares. Especially those linked to domain controllers.
However, this idea implies the addition of new objects not referenced by Bloodhound. In my lab, I got around the problem by hand, creating GPOs like for certificates.

I have done this trick via smbclient.py (impacket) and an ugly insert directly into neo4j.
But ideally I imagine something like:
```cypher
(:Computer{"samaccountname":"MACHINE$"}) -[:Contains]-> (:GPO{"type":"Share", "name":"SYSVOL"}) -[:Contains]-> (:GPO{"type":"folder", "name":"xxxxx","objectid":"42-GUID"}) -[:Contains]-> (:GPO{"type":"file", "name":"toto.vbs", objectid:"42-42-42-42"})
(:Group{"samaccountname":"Everyone"})-[:GenericWrite]->(:GPO{"type":"folder", "name":"xxxxx", objectid:"42-GUID"})
(:Group{"samaccountname":"Everyone"})-[:GenericWrite]->(:GPO{"type":"file", "name":"toto.vbs", objectid:"42-GUID"})
```
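One way to turn share-ACL findings into the graph sketched in this issue, as an added example that is not part of the issue or the project's code: a small Python script that takes constructed share-ACL entries (hostnames, paths and trustees are made up) and emits the Computer/Share/folder/file Contains chain with GenericWrite edges, flagging objects writable by broad principals such as "Domain Users". The node labels and property names follow the issue's proposal; `object_id` and `BROAD_PRINCIPALS` are assumptions.

```python
# Constructed sample ACEs (not from the issue); one entry per (path, trustee).
SAMPLE_ACES = [
    {"host": "DC01.CORP.LO", "share": "SYSVOL", "kind": "folder",
     "path": r"corp.lo\Policies\{00D0CA88-64A5-4765-A9C5-7CA0D8C27265}",
     "trustee": "CORP\\Domain Users", "rights": ["READ", "WRITE"]},
    {"host": "DC01.CORP.LO", "share": "SYSVOL", "kind": "file",
     "path": r"corp.lo\scripts\logon.vbs",
     "trustee": "CORP\\Domain Users", "rights": ["READ", "WRITE"]},
    {"host": "DC01.CORP.LO", "share": "SYSVOL", "kind": "file",
     "path": r"corp.lo\scripts\admin.vbs",
     "trustee": "CORP\\Domain Admins", "rights": ["READ", "WRITE"]},
    {"host": "DC01.CORP.LO", "share": "NETLOGON", "kind": "folder",
     "path": r"corp.lo", "trustee": "CORP\\Domain Users", "rights": ["READ"]},
]
# Broad principals (assumed list): write access for any of these on a DC share is a finding.
BROAD_PRINCIPALS = {"EVERYONE", "DOMAIN USERS", "AUTHENTICATED USERS", "USERS"}

def object_id(host, share, path=""):
    # Stable synthetic id standing in for the placeholder GUIDs ("42-GUID") in the issue.
    return f"SHARE:{host}\\{share}\\{path}".rstrip("\\").upper()

def build_graph(aces):
    """Return (cypher_statements, findings). Each writable ACE becomes the
    Computer-[:Contains]->Share-[:Contains]->folder/file chain sketched in the issue
    plus a Group-[:GenericWrite]->object edge; findings are the objects writable by
    a broad principal, i.e. what an auditor should triage first."""
    stmts, findings = [], []
    for a in aces:
        if "WRITE" not in a["rights"]:
            continue  # read-only ACEs add no edge in this model
        group = a["trustee"].split("\\")[-1]
        share_id = object_id(a["host"], a["share"])
        obj_id = object_id(a["host"], a["share"], a["path"])
        stmts.append(
            f'MERGE (c:Computer {{name:"{a["host"]}"}}) '
            f'MERGE (s:GPO {{type:"Share", name:"{a["share"]}", objectid:"{share_id}"}}) '
            f'MERGE (o:GPO {{type:"{a["kind"]}", name:"{a["path"]}", objectid:"{obj_id}"}}) '
            f'MERGE (g:Group {{samaccountname:"{group}"}}) '
            "MERGE (c)-[:Contains]->(s) MERGE (s)-[:Contains]->(o) MERGE (g)-[:GenericWrite]->(o)"
        )
        if group.upper() in BROAD_PRINCIPALS:
            findings.append((a["trustee"], a["kind"], f'\\\\{a["host"]}\\{a["share"]}\\{a["path"]}'))
    return stmts, findings

if __name__ == "__main__":
    statements, risky = build_graph(SAMPLE_ACES)
    print("\n".join(statements))
    for trustee, kind, unc in risky:
        print(f"FINDING: {kind} {unc} writable by {trustee}")
```

Backslashes inside the path and objectid values still need escaping before the statements are run as Cypher string literals against Neo4j.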