Merge remote-tracking branch 'origin/master'
rvazarkar committed Jul 15, 2021
2 parents 0579c1a + dad4449 commit b54c418
Showing 5 changed files with 31 additions and 6 deletions.
Binary file removed .DS_Store
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -5,3 +5,4 @@ npm-debug.log
*.bin
*.csv
graph.json
.DS_Store
24 changes: 24 additions & 0 deletions docs/data-collection/sharphound-all-flags.rst
Expand Up @@ -56,6 +56,30 @@ Here are the less common CollectionMethods and what they do:
* **ObjectProps** - Performs Object Properties collection for properties
such as LastLogon or PwdLastSet

Table to demonstrate the differences
------------------------------------

| | Default | All | DCOnly | ComputerOnly | Session | LoggedOn** | Group | ACL | GPOLocalGroup | Trusts | Container | LocalGroup | LocalAdmin | RDP | DCOM | PSRemote | ObjectProps |
|:------------------------------------------------------------------:|:-------:|:---:|:------:|:------------:|:-------:|:----------:|:-----:|:---:|:-------------:|:------:|:---------:|:----------:|:----------:|:---:|:----:|:--------:|:-----------:|
| Security group membership | X | X | X | | | X | X | | | | | | | | | | |
| Domain Trusts | X | X | X | | | X | | | | X | | | | | | | |
| abusable permissions on AD objects | X | X | X | | | X | | X | | | | | | | | | |
| OU tree structure | X | X | X | | | X | | | | | X | | | | | | |
| Group Policy links | X | X | X | | | X | | | | | X | | | | | | |
| AD object properties | X | X | X | | | X | | | | | | | | | | | |
| Correlate Group Policy-enforced local groups to affected computers | X | | X | | | | | | X | | | | | | | | |
| Local Groups | X | X | | X | | X | | | | | | | | | | | |
| User Session | X | X | | X | X | X | | | | | | | | | | | |
| Local Admins | X | X | | | | | | | | | | X | X | | | | |
| RDP group membership | | X | | | | | | | | | | X | | X | | | |
| DCOM group membership | | X | | | | | | | | | | X | | | X | | |
| PSRemote group membership | | X | | | | | | | | | | X | | | | X | |
| ObjectProps** | | X | | | | | | | | | | | | | | | X |
*Does session collection using the privileged collection method. Use this if you are running as a user with local admin rights on lots of systems for the best user session data.
*ObjectProps - Performs Object Properties collection for properties such as LastLogon or PwdLastSet

Domain
------

6 changes: 3 additions & 3 deletions src/components/SearchContainer/Tabs/AZServicePrincipal.jsx
Expand Up @@ -149,7 +149,7 @@ const AZServicePrincipalNodeData = () => {
property='First Degree Object Control'
target={objectid}
baseQuery={
'MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor]->(n)'
'MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor]->(n)'
}
start={label}
distinct
Expand All @@ -158,7 +158,7 @@ const AZServicePrincipalNodeData = () => {
property='Group Delegated Object Control'
target={objectid}
baseQuery={
'MATCH p = (g1:AZServicePrincipal {objectid: $objectid})-[r1:MemberOf*1..]->(g2)-[r2:AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor]->(n)'
'MATCH p = (g1:AZServicePrincipal {objectid: $objectid})-[r1:MemberOf*1..]->(g2)-[r2:AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor]->(n)'
}
start={label}
distinct
Expand All @@ -167,7 +167,7 @@ const AZServicePrincipalNodeData = () => {
property='Transitive Object Control'
target={objectid}
baseQuery={
'MATCH (n) WHERE NOT n.objectid=$objectid WITH n MATCH p = shortestPath((g:AZServicePrincipal {objectid: $objectid})-[r:AZMemberOf|AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor*1..]->(n))'
'MATCH (n) WHERE NOT n.objectid=$objectid WITH n MATCH p = shortestPath((g:AZServicePrincipal {objectid: $objectid})-[r:AZMemberOf|AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor*1..]->(n))'
}
start={label}
distinct
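Review bot: The edge list `AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor` is still hand-copied into all three `baseQuery` strings (First Degree, Group Delegated and Transitive Object Control), which is exactly how the fused `AZOwnsAZAvereContributor` token slipped in and silently dropped both edge types from every result; nothing stops the three copies drifting apart again. Hoisting it once at module scope, `const AZ_CONTROL_EDGES = 'AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor';`, and building each query with a template literal such as `-[r:${AZ_CONTROL_EDGES}]->(n)` (the transitive query prepends `AZMemberOf|` and appends `*1..` as it does today) keeps the three tabs in lock-step. The object id remains the Cypher parameter `$objectid` in every query, so the interpolation only splices a fixed constant, not user-controlled input. The enclosing `AZServicePrincipalNodeData` component starts before and ends after these hunks.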
6 changes: 3 additions & 3 deletions src/js/newingestion.js
Expand Up @@ -693,7 +693,7 @@ export function buildAzureDevices(chunk) {
name: row.DeviceDisplayname.toUpperCase(),
});

if (row.OwnerID !== null) {
if (row.OwnerID !== null && row.OwnerOnPremID == null) {
format[0] = 'AZUser';
insertNew(queries, format, {
source: row.OwnerID.toUpperCase(),
Expand Down Expand Up @@ -1147,7 +1147,7 @@ export function buildAzureGroupMembers(chunk) {
let type = row.MemberType.toUpperCase();
if (row.GroupOnPremID === null) {
if (type === 'GROUP') {
if (row.GroupOnPremID === null) {
if (row.MemberOnPremID === null) {
format[0] = 'AZGroup';
format[1] = 'AZGroup';
insertNew(queries, format, {
Expand All @@ -1163,7 +1163,7 @@ export function buildAzureGroupMembers(chunk) {
});
}
} else if (type === 'USER') {
if (row.GroupOnPremID === null) {
if (row.MemberOnPremID === null) {
format[0] = 'AZUser';
format[1] = 'AZGroup';
insertNew(queries, format, {
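Review bot: The new guard `row.OwnerID !== null && row.OwnerOnPremID == null` in buildAzureDevices mixes a strict null check with a loose one, while the parallel checks this commit fixes in buildAzureGroupMembers use `row.MemberOnPremID === null`; if the collector ever omits `OwnerOnPremID` (`undefined`) instead of emitting `null`, the device owner is treated as cloud-only here but an absent `MemberOnPremID` would not match the `=== null` branch there, so the two functions disagree on what "no on-prem identity" means. Pick one convention for both — `row.OwnerOnPremID === null` to match the group-member code, or `== null` in all four places if `undefined` is genuinely possible — and record it in a comment, e.g. `// OnPremID is null for cloud-only principals (verify against the collector's JSON)`. What happens when `OwnerOnPremID` is set is outside the hunk, so I can't confirm a synced-owner branch exists; worth checking that a hybrid owner still yields an `AZOwns`-style edge to the on-prem `User` node rather than being dropped silently. Both functions start before and end after the lines shown.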
