From 6169b365d0c925d7e08bb320af0fa890145788d9 Mon Sep 17 00:00:00 2001 From: N7WEra <59871507+N7WEra@users.noreply.github.com> Date: Thu, 11 Feb 2021 09:54:47 +0000 Subject: [PATCH 1/5] Added a table to visualise the differences in collection methods --- docs/data-collection/sharphound-all-flags.rst | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/docs/data-collection/sharphound-all-flags.rst b/docs/data-collection/sharphound-all-flags.rst index 387509d86..9fce3c0ef 100644 --- a/docs/data-collection/sharphound-all-flags.rst +++ b/docs/data-collection/sharphound-all-flags.rst 
@@ -56,6 +56,30 @@ Here are the less common CollectionMethods and what they do: * **ObjectProps** - Performs Object Properties collection for properties such as LastLogon or PwdLastSet +Table to demonstrate the differences +------------------------------------ + +| | Default | All | DCOnly | ComputerOnly | Session | LoggedOn** | Group | ACL | GPOLocalGroup | Trusts | Container | LocalGroup | LocalAdmin | RDP | DCOM | PSRemote | ObjectProps | +|:------------------------------------------------------------------:|:-------:|:---:|:------:|:------------:|:-------:|:----------:|:-----:|:---:|:-------------:|:------:|:---------:|:----------:|:----------:|:---:|:----:|:--------:|:-----------:| +| Security group membership | X | X | X | | | X | X | | | | | | | | | | | +| Domain Trusts | X | X | X | | | X | | | | X | | | | | | | | +| abusable permissions on AD objects | X | X | X | | | X | | X | | | | | | | | | | +| OU tree structure | X | X | X | | | X | | | | | X | | | | | | | +| Group Policy links | X | X | X | | | X | | | | | X | | | | | | | +| AD object properties | X | X | X | | | X | | | | | | | | | | | | +| Correlate Group Policy-enforced local groups to affected computers | X | | X | | | | | | X | | | | | | | | | +| Local Groups | X | X | | X | | X | | | | | | | | | | | | +| User Session | X | X | | X | X | X | | | | | | | | | | | | +| Local Admins | X | X | | | | | | | | | | X | X | | | | | +| RDP group membership | | X | | | | | | | | | | X | | X | | | | +| DCOM group membership | | X | | | | | | | | | | X | | | X | | | +| PSRemote group membership | | X | | | | | | | | | | X | | | | X | | +| ObjectProps** | | X | | | | | | | | | | | | | | | X | + +*Does session collection using the privileged collection method. Use this if you are running as a user with local admin rights on lots of systems for the best user session data. +*ObjectProps - Performs Object Properties collection for properties such as LastLogon or PwdLastSet + + Domain ------ 
From f29c430aa6d2da0cc0083eba788781a7db015682 Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Wed, 3 Mar 2021 14:33:06 +0100 Subject: [PATCH 2/5] Remove .DS_Store and add it to git ignored files --- .DS_Store | Bin 6148 -> 0 bytes .gitignore | 1 + 2 files changed, 1 insertion(+) delete mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0 Date: Fri, 2 Apr 2021 21:13:19 +0200 Subject: [PATCH 3/5] Fix missing pipe --- src/components/SearchContainer/Tabs/AZServicePrincipal.jsx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx b/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx index f167267a2..397cc0bd9 100644 --- a/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx +++ b/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx @@ -149,7 +149,7 @@ const AZServicePrincipalNodeData = () => { property='First Degree Object Control' target={objectid} baseQuery={ - 'MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor]->(n)' + 'MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor]->(n)' } start={label} distinct 
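Review bot: The relationship-type list `AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor` is still spelled out as a bare string literal inside `baseQuery`, which is exactly how the missing pipe between `AZOwns` and `AZAvereContributor` crept in and went unnoticed, and the same literal is repeated in the two hunks that follow. Hoisting it into one module-level constant, `const AZ_CONTROL_RELS = 'AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor';`, and composing the pattern with a template literal such as `` `MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:${AZ_CONTROL_RELS}]->(n)` `` keeps the three queries from drifting apart again. The only runtime value, `$objectid`, stays a Cypher parameter rather than interpolated text, so this refactor does not change the query's injection posture. The enclosing `AZServicePrincipalNodeData` component starts and ends outside the hunk.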
@@ -158,7 +158,7 @@ const AZServicePrincipalNodeData = () => {
 property='Group Delegated Object Control'
 target={objectid}
 baseQuery={
- 'MATCH p = (g1:AZServicePrincipal {objectid: $objectid})-[r1:MemberOf*1..]->(g2)-[r2:AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor]->(n)'
+ 'MATCH p = (g1:AZServicePrincipal {objectid: $objectid})-[r1:MemberOf*1..]->(g2)-[r2:AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor]->(n)'
 }
 start={label}
 distinct
@@ -167,7 +167,7 @@ const AZServicePrincipalNodeData = () => {
 property='Transitive Object Control'
 target={objectid}
 baseQuery={
- 'MATCH (n) WHERE NOT n.objectid=$objectid WITH n MATCH p = shortestPath((g:AZServicePrincipal {objectid: $objectid})-[r:AZMemberOf|AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor*1..]->(n))'
+ 'MATCH (n) WHERE NOT n.objectid=$objectid WITH n MATCH p = shortestPath((g:AZServicePrincipal {objectid: $objectid})-[r:AZMemberOf|AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor*1..]->(n))'
 }
 start={label}
 distinct
From cb89d99bf731da0bcf726d72a7849b352f5471ad Mon Sep 17 00:00:00 2001
From: Andy Robbins
Date: Thu, 15 Jul 2021 10:55:08 -0700
Subject: [PATCH 4/5] Fix inner if check for group member OnPremID
---
 src/js/newingestion.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/js/newingestion.js b/src/js/newingestion.js
index 8ecdf9d02..63d6cd5b9 100644
--- a/src/js/newingestion.js
+++ b/src/js/newingestion.js
@@ -1147,7 +1147,7 @@ export function buildAzureGroupMembers(chunk) {
 let type = row.MemberType.toUpperCase();
 if (row.GroupOnPremID === null) {
 if (type === 'GROUP') {
- if (row.GroupOnPremID === null) {
+ if (row.MemberOnPremID === null) {
 format[0] = 'AZGroup';
 format[1] = 'AZGroup';
 insertNew(queries, format, {
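Review bot: The corrected check `if (row.MemberOnPremID === null)` only matches an explicit JSON `null`; if the collector omits the key entirely, `undefined === null` is false, the AZGroup-to-AZGroup edge is silently skipped, and the outer `row.GroupOnPremID === null` test has the same gap, while the device-owner fix in the last patch of this series uses the loose `== null` form. Using `if (row.MemberOnPremID == null) {` here as well makes the two patches treat absent and null fields identically. `row.MemberType.toUpperCase()` two lines above will also throw on a row with no MemberType and abort the whole chunk instead of skipping the bad row; since `chunk` presumably comes from an ingested data file, a guard such as `const type = (row.MemberType ?? '').toUpperCase();` would be prudent. buildAzureGroupMembers starts and ends outside the hunk, and the branch taken when MemberOnPremID is set is not visible here.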
@@ -1163,7 +1163,7 @@ export function buildAzureGroupMembers(chunk) {
 });
 }
 } else if (type === 'USER') {
- if (row.GroupOnPremID === null) {
+ if (row.MemberOnPremID === null) {
 format[0] = 'AZUser';
 format[1] = 'AZGroup';
 insertNew(queries, format, {
From c5e79c6902ad253bf57a26364aa531285bf35e9c Mon Sep 17 00:00:00 2001
From: Andy Robbins
Date: Thu, 15 Jul 2021 11:02:38 -0700
Subject: [PATCH 5/5] Fix device owner OnPremID check to avoid making duplicate nodes
---
 src/js/newingestion.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/js/newingestion.js b/src/js/newingestion.js
index 63d6cd5b9..e18a9b366 100644
--- a/src/js/newingestion.js
+++ b/src/js/newingestion.js
@@ -693,7 +693,7 @@ export function buildAzureDevices(chunk) {
 name: row.DeviceDisplayname.toUpperCase(),
 });
 
- if (row.OwnerID !== null) {
+ if (row.OwnerID !== null && row.OwnerOnPremID == null) {
 format[0] = 'AZUser';
 insertNew(queries, format, {
 source: row.OwnerID.toUpperCase(),
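Review bot: The new guard `row.OwnerID !== null && row.OwnerOnPremID == null` mixes strict and loose null checks: an absent `OwnerID` passes `!== null` as `undefined` and `row.OwnerID.toUpperCase()` on the next visible line then throws, whereas an absent `OwnerOnPremID` is correctly treated like null by the second half. Changing it to `if (row.OwnerID != null && row.OwnerOnPremID == null) {` makes both halves behave the same for missing keys. When OwnerOnPremID is set the hunk now creates no owner edge at all; if the intent is to attach the device to the already-existing on-prem user node instead of creating a duplicate, that branch is not visible here and is worth confirming. buildAzureDevices starts and ends outside the hunk.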