diff --git a/README.md b/README.md
index d16fcaf..29d5ec0 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ dotnet build
 # CLI Arguments
 The listing below details the CLI arguments SharpHound supports. Additional details about these options can be found in the [BloodHound CE Collection documentation](https://bloodhound.specterops.io/collect-data/ce-collection/sharphound-flags).
 ```
- -c, --collectionmethods (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup,
+ -c, --collectionmethods (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup, GPOUserRights
 Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly, UserRights, CARegistry, DCRegistry, CertServices, WebClientService, NTLMRegistry,SMBInfo,LdapServices
diff --git a/src/Client/Enums.cs b/src/Client/Enums.cs
index 665ce5d..2c220c5 100644
--- a/src/Client/Enums.cs
+++ b/src/Client/Enums.cs
@@ -19,6 +19,7 @@ public enum CollectionMethodOptions
 SPNTargets,
 Container,
 GPOLocalGroup,
+GPOUserRights,
 LocalGroup,
 UserRights,
 Default,
diff --git a/src/Options.cs b/src/Options.cs
index e560b02..d4f920b 100644
--- a/src/Options.cs
+++ b/src/Options.cs
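Review bot: Inserting `GPOUserRights` between `GPOLocalGroup` and `LocalGroup` in `CollectionMethodOptions` renumbers every member that follows it (`LocalGroup`, `UserRights`, `Default`, …), because no member in the visible part of the enum carries an explicit value. That is harmless if the enum is only ever matched by name, which the `ResolveCollectionMethods` switch in Options.cs suggests, but it would silently break anything that persists or compares the integer value. Either append the member at the end of the enum or put a comment on the enum stating the contract, e.g. `// Matched by name only; numeric values are not stable across versions.`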
@@ -14,7 +14,7 @@ public class Options
 // Options that affect what is collected
 [Option('c', "collectionmethods", Default = new[] { "Default" }, HelpText =
- "Collection Methods: Group, LocalGroup, LocalAdmin, RDP, DCOM, PSRemote, Session, Trusts, ACL, Container, ComputerOnly, GPOLocalGroup, LoggedOn, ObjectProps, SPNTargets, UserRights, Default, DCOnly, CARegistry, DCRegistry, CertServices, WebClientService, LdapServices, SmbInfo, NTLMRegistry, All")]
+ "Collection Methods: Group, LocalGroup, LocalAdmin, RDP, DCOM, PSRemote, Session, Trusts, ACL, Container, ComputerOnly, GPOLocalGroup, GPOUserRights, LoggedOn, ObjectProps, SPNTargets, UserRights, Default, DCOnly, CARegistry, DCRegistry, CertServices, WebClientService, LdapServices, SmbInfo, NTLMRegistry, All")]
 public IEnumerable CollectionMethods { get; set; }
 [Option('d', "domain", Default = null, HelpText = "Specify domain to enumerate")]
@@ -196,6 +196,7 @@ internal bool ResolveCollectionMethods(ILogger logger, out CollectionMethod reso
 CollectionMethodOptions.SPNTargets => CollectionMethod.SPNTargets,
 CollectionMethodOptions.Container => CollectionMethod.Container,
 CollectionMethodOptions.GPOLocalGroup => CollectionMethod.GPOLocalGroup,
+CollectionMethodOptions.GPOUserRights => CollectionMethod.GPOUserRights,
 CollectionMethodOptions.LocalGroup => CollectionMethod.LocalGroups,
 CollectionMethodOptions.UserRights => CollectionMethod.UserRights,
 CollectionMethodOptions.Default => CollectionMethod.Default,
diff --git a/src/PowerShell/Template.ps1 b/src/PowerShell/Template.ps1
index f19d7bb..f281c18 100644
--- a/src/PowerShell/Template.ps1
+++ b/src/PowerShell/Template.ps1
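Review bot: The `HelpText` string is now the third hand-maintained copy of the method list (README.md and Template.ps1 carry the other two in this same commit), and the copies already drift in spelling and order (`SmbInfo` here versus `SMBInfo` in the README), so the next method added will likely be missed in one of them. Because attribute arguments must be compile-time constants the list cannot be generated from the enum here, but a unit test can keep it honest, e.g. `Assert.All(Enum.GetNames(typeof(CollectionMethodOptions)), n => Assert.Contains(n, helpText, StringComparison.OrdinalIgnoreCase));` against the `HelpText` read back from the attribute. A short comment above the attribute pointing at that test, `// Keep in sync with CollectionMethodOptions; see the HelpText coverage test.`, would make the coupling visible.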
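Review bot: `CollectionMethod.GPOUserRights` in the new switch arm is a member of a type this diff does not define (`CollectionMethod` appears to come from the common library the project references), and no package-reference or submodule bump is part of the change; if the referenced library version does not yet define that member the build fails here and again at the `GPOUserRightsAssignmentProcessor` and `ret.GPOUserRights` uses added in ObjectProcessors.cs. Please confirm the pinned library version in the commit, since a floating reference would make this build depend on whatever the feed serves at restore time. Also confirm whether the `Default` and `All` composites in `CollectionMethod` are meant to include the new method — this mapping only covers an explicit `GPOUserRights` token, and the README/help text otherwise promise nothing about the default set. `ResolveCollectionMethods` starts before and ends after the hunk.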
@@ -27,6 +27,7 @@
 Container - Collect GPO/OU Data
 ComputerOnly - Collect Local Group, Session data, User Rights, CA Registry, and DC Registry
 GPOLocalGroup - Collect Local Group information using GPO (Group Policy Objects)
+GPOUserRights - Collect Local User Rights information using GPO (Group Policy Objects)
 LoggedOn - Collect session information using privileged methods (needs admin!)
 ObjectProps - Collect node property information for users and computers
 SPNTargets - Collect SPN targets (currently only MSSQL)
diff --git a/src/Runtime/ObjectProcessors.cs b/src/Runtime/ObjectProcessors.cs
index f5571af..e18c32b 100644
--- a/src/Runtime/ObjectProcessors.cs
+++ b/src/Runtime/ObjectProcessors.cs
@@ -32,6 +32,7 @@ public class ObjectProcessors {
 private readonly GroupProcessor _groupProcessor;
 private readonly LdapPropertyProcessor _ldapPropertyProcessor;
 private readonly GPOLocalGroupProcessor _gpoLocalGroupProcessor;
+private readonly GPOUserRightsAssignmentProcessor _gpoUserRightsAssignmentProcessor;
 private readonly UserRightsAssignmentProcessor _userRightsAssignmentProcessor;
 private readonly LocalGroupProcessor _localGroupProcessor;
 private readonly ILogger _log;
@@ -56,6 +57,7 @@ public ObjectProcessors(IContext context, ILogger log) {
 _groupProcessor = new GroupProcessor(context.LDAPUtils);
 _containerProcessor = new ContainerProcessor(context.LDAPUtils);
 _gpoLocalGroupProcessor = new GPOLocalGroupProcessor(context.LDAPUtils);
+_gpoUserRightsAssignmentProcessor = new GPOUserRightsAssignmentProcessor(context.LDAPUtils);
 _userRightsAssignmentProcessor = new UserRightsAssignmentProcessor(context.LDAPUtils);
 _localGroupProcessor = new LocalGroupProcessor(context.LDAPUtils);
 _webClientProcessor = new WebClientServiceProcessor(log);
@@ -360,6 +362,7 @@ await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus {
 if (_methods.HasFlag(CollectionMethod.SmbInfo)) {
 ret.SmbInfo = await _smbProcessor.Scan(apiName, resolvedSearchResult.DomainSid);
+//ret.SmbInfo = await _smbProcessor.Scan(apiName);
 }
 // Re-introduce this when we're ready for Event Log collection
@@ -425,6 +428,16 @@ private async void ProcessDomainController(ResolvedSearchResult resolvedSearchRe
 if (ldapServices.IsSigningRequired.Collected) {
 ret.Properties.Add("ldapsigning", ldapServices.IsSigningRequired.Result);
 }
+//var ldapServices = await dcLdapProcessor.Scan(resolvedSearchResult.DisplayName);
+//ret.Properties.Add("ldapavailable", ldapServices.HasLdap);
+//ret.Properties.Add("ldapsavailable", ldapServices.HasLdaps);
+//if (ldapServices.IsChannelBindingDisabled.Collected) {
+// ret.Properties.Add("ldapsepa", !ldapServices.IsChannelBindingDisabled.Result);
+//}
+
+//if (ldapServices.IsSigningRequired.Collected) {
+// ret.Properties.Add("ldapsigning", ldapServices.IsSigningRequired.Result);
+//}
 }
 }
@@ -599,6 +612,9 @@ private async Task ProcessOUObject(IDirectoryObject entry,
 ret.GPOChanges = await _gpoLocalGroupProcessor.ReadGPOLocalGroups(entry);
 }
+if (_methods.HasFlag(CollectionMethod.GPOUserRights)) {
+ret.GPOUserRights = await _gpoUserRightsAssignmentProcessor.ReadGPOUserRights(entry);
+}
 return ret;
 }
@@ -927,4 +943,4 @@ private async Task ProcessIssuancePolicy(IDirectoryObject entry,
 return ret;
 }
 }
-}
\ No newline at end of file
+}
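Review bot: The added line `//ret.SmbInfo = await _smbProcessor.Scan(apiName);` is commented-out code unrelated to the GPOUserRights feature and should be dropped rather than committed; the same applies to the ten commented-out lines added in the `ProcessDomainController` hunk below, which duplicate the live `ldapServices` block immediately above them and additionally mention an `"ldapsepa"` property the live code never sets, so a reader cannot tell whether that is planned work or an abandoned variant. Version control already keeps the old text; if the single-argument `Scan(apiName)` overload is meant to return, a one-line `// TODO: <reason>` is the only thing worth keeping. Incidentally, the hunk header shows `ProcessDomainController` is `async void`, so any exception it throws is unobservable by the caller and a collection failure there goes unreported — outside this change, but worth a follow-up. Both enclosing methods start outside their hunks.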
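Review bot: `ReadGPOUserRights(entry)` in the new `GPOUserRights` block of `ProcessOUObject` is awaited with no error handling, so a failure for a single OU propagates out of the method and the whole OU's output is lost unless a caller catches it; the `ReadGPOLocalGroups` call just above has the same exposure, so this may be the accepted pattern, but it is worth confirming that the caller does catch, and if it does, a comment here saying so, `// failures are caught per-object by the caller`, would save the next reader the same question. `ProcessOUObject` starts outside the hunk.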