Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing Collection of Group Add/Remove Self As Member #70

Open
godylockz opened this issue Sep 11, 2023 · 3 comments
Open

Missing Collection of Group Add/Remove Self As Member #70

godylockz opened this issue Sep 11, 2023 · 3 comments

Comments

@godylockz
Copy link

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#self-self-membership-on-group
Self (Self-Membership) - ability to add yourself to a group

In Security Settings:
Permission: Add/remove self as member
Permission: All validated writes

This could be hidden privilege as a "member of a privileged group" and be missed in BloodHound path tracing.

In dsacls.exe, it comes up as:
SPECIAL ACCESS
WRITE SELF

@JonasBK
Copy link
Collaborator

JonasBK commented Sep 11, 2023

Hi!

We do have an AddSelf edge which should cover that: https://support.bloodhoundenterprise.io/hc/en-us/articles/17358095502363-AddSelf
Have you experienced that the edge is not created when this permission is granted?

@godylockz
Copy link
Author

godylockz commented Sep 11, 2023

Hi!

We do have an AddSelf edge which should cover that: https://support.bloodhoundenterprise.io/hc/en-us/articles/17358095502363-AddSelf Have you experienced that the edge is not created when this permission is granted?

The permission is not captured in any SharpHound collector agent.
I have tried bloodhound-python, multiple SharpHound versions, and crackmapexec as well.

Any help is appreciated debugging the problem.

@JonasBK
Copy link
Collaborator

JonasBK commented Sep 12, 2023

@godylockz provided details about the environment in a private chat. Thanks a lot @godylockz!

The AddSelf edge is created when a principal is granted the "Add/remove self as member" privilege. That ACE looks like this:

ObjectDN              : CN=T0_Admins,OU=Groups,OU=Tier0,DC=dumpster,DC=fire
InheritedObject       : 
Object                : Member
ActiveDirectoryRights : Self
InheritanceType       : None
ObjectType            : bf9679c0-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : DUMPSTER\addself
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

When selecting "All validated writes" in the UI, the "Add/remove self as member" is automatically selected as well. However, no entry in the Aces list in the SharpHound output is created for the principal and therefore no AddSelf edge (or any other edges).
image

I have confirmed that this "All validated writes" permission indeed allows the principal to add themselves to the group, and does not allow you to add any other members. The ACE looks the same except that the member attribute is not specified:

ObjectDN              : CN=T0_Admins,OU=Groups,OU=Tier0,DC=dumpster,DC=fire
InheritedObject       : 
Object                : 
ActiveDirectoryRights : Self
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : DUMPSTER\addself
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

I think we should create a new edge as the ACE is different. Also, we should investigate what else this ACE allows you to do on other objects. Here is some more documentation: https://learn.microsoft.com/en-us/windows/win32/adschema/validated-writes

godylockz added a commit to godylockz/SharpHoundCommon that referenced this issue Sep 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants