diff --git a/.DS_Store b/.DS_Store
deleted file mode 100644
index 5008ddfcf..000000000
Binary files a/.DS_Store and /dev/null differ
diff --git a/.gitignore b/.gitignore
index fe562ab74..2b4c06d38 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ npm-debug.log
 *.bin
 *.csv
 graph.json
+.DS_Store
diff --git a/docs/data-collection/sharphound-all-flags.rst b/docs/data-collection/sharphound-all-flags.rst
index 387509d86..9fce3c0ef 100644
--- a/docs/data-collection/sharphound-all-flags.rst
+++ b/docs/data-collection/sharphound-all-flags.rst
@@ -56,6 +56,30 @@ Here are the less common CollectionMethods and what they do:
 * **ObjectProps** - Performs Object Properties collection for properties such as LastLogon or PwdLastSet
+Table to demonstrate the differences
+------------------------------------
+
+| | Default | All | DCOnly | ComputerOnly | Session | LoggedOn** | Group | ACL | GPOLocalGroup | Trusts | Container | LocalGroup | LocalAdmin | RDP | DCOM | PSRemote | ObjectProps |
+|:------------------------------------------------------------------:|:-------:|:---:|:------:|:------------:|:-------:|:----------:|:-----:|:---:|:-------------:|:------:|:---------:|:----------:|:----------:|:---:|:----:|:--------:|:-----------:|
+| Security group membership | X | X | X | | | X | X | | | | | | | | | | |
+| Domain Trusts | X | X | X | | | X | | | | X | | | | | | | |
+| abusable permissions on AD objects | X | X | X | | | X | | X | | | | | | | | | |
+| OU tree structure | X | X | X | | | X | | | | | X | | | | | | |
+| Group Policy links | X | X | X | | | X | | | | | X | | | | | | |
+| AD object properties | X | X | X | | | X | | | | | | | | | | | |
+| Correlate Group Policy-enforced local groups to affected computers | X | | X | | | | | | X | | | | | | | | |
+| Local Groups | X | X | | X | | X | | | | | | | | | | | |
+| User Session | X | X | | X | X | X | | | | | | | | | | | |
+| Local Admins | X | X | | | | | | | | | | X | X | | | | |
+| RDP group membership | | X | | | | | | | | | | X | | X | | | |
+| DCOM group membership | | X | | | | | | | | | | X | | | X | | |
+| PSRemote group membership | | X | | | | | | | | | | X | | | | X | |
+| ObjectProps** | | X | | | | | | | | | | | | | | | X |
+
+*Does session collection using the privileged collection method. Use this if you are running as a user with local admin rights on lots of systems for the best user session data.
+*ObjectProps - Performs Object Properties collection for properties such as LastLogon or PwdLastSet
+
+
 Domain
 ------
diff --git a/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx b/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx
index f167267a2..397cc0bd9 100644
--- a/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx
+++ b/src/components/SearchContainer/Tabs/AZServicePrincipal.jsx
@@ -149,7 +149,7 @@ const AZServicePrincipalNodeData = () => {
 property='First Degree Object Control'
 target={objectid}
 baseQuery={
- 'MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor]->(n)'
+ 'MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor]->(n)'
 }
 start={label}
 distinct
@@ -158,7 +158,7 @@ const AZServicePrincipalNodeData = () => {
 property='Group Delegated Object Control'
 target={objectid}
 baseQuery={
- 'MATCH p = (g1:AZServicePrincipal {objectid: $objectid})-[r1:MemberOf*1..]->(g2)-[r2:AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor]->(n)'
+ 'MATCH p = (g1:AZServicePrincipal {objectid: $objectid})-[r1:MemberOf*1..]->(g2)-[r2:AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor]->(n)'
 }
 start={label}
 distinct
@@ -167,7 +167,7 @@ const AZServicePrincipalNodeData = () => {
 property='Transitive Object Control'
 target={objectid}
 baseQuery={
- 'MATCH (n) WHERE NOT n.objectid=$objectid WITH n MATCH p = shortestPath((g:AZServicePrincipal {objectid: $objectid})-[r:AZMemberOf|AZResetPassword|AZAddMembers|AZOwnsAZAvereContributor|AZVMContributor|AZContributor*1..]->(n))'
+ 'MATCH (n) WHERE NOT n.objectid=$objectid WITH n MATCH p = shortestPath((g:AZServicePrincipal {objectid: $objectid})-[r:AZMemberOf|AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor*1..]->(n))'
 }
 start={label}
 distinct
diff --git a/src/js/newingestion.js b/src/js/newingestion.js
index 8ecdf9d02..e18a9b366 100644
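Review bot: The relationship-type list `AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor` is still hand-copied into three separate string literals (this hunk and the ones at -158 and -167), which is exactly how the missing `|` before `AZAvereContributor` came to be repeated three times; hoist it into one module-level constant and interpolate it into each query. The defect being fixed is worth spelling out in the commit description: a Cypher type union with a dropped separator is still a valid query, so the merged name would have matched no relationship type and the AZOwns and AZAvereContributor edges would simply have been absent from these three control panels rather than raising an error. The other AZ* tab components presumably carry the same literal and may still have the typo; worth a grep. `AZServicePrincipalNodeData` starts before and ends after these hunks.
```javascript
// One place to maintain the set of Azure control edges these three panels query.
const AZ_CONTROL_EDGES =
    'AZResetPassword|AZAddMembers|AZOwns|AZAvereContributor|AZVMContributor|AZContributor';

// … unchanged: component setup and the surrounding NodeCypherLink props …
                        baseQuery={
                            `MATCH p = (g:AZServicePrincipal {objectid: $objectid})-[r:${AZ_CONTROL_EDGES}]->(n)`
                        }
// … unchanged: the -158 and -167 queries interpolate the same constant …
```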
--- a/src/js/newingestion.js
+++ b/src/js/newingestion.js
@@ -693,7 +693,7 @@ export function buildAzureDevices(chunk) {
 name: row.DeviceDisplayname.toUpperCase(),
 });
- if (row.OwnerID !== null) {
+ if (row.OwnerID !== null && row.OwnerOnPremID == null) {
 format[0] = 'AZUser';
 insertNew(queries, format, {
 source: row.OwnerID.toUpperCase(),
@@ -1147,7 +1147,7 @@ export function buildAzureGroupMembers(chunk) {
 let type = row.MemberType.toUpperCase();
 if (row.GroupOnPremID === null) {
 if (type === 'GROUP') {
- if (row.GroupOnPremID === null) {
+ if (row.MemberOnPremID === null) {
 format[0] = 'AZGroup';
 format[1] = 'AZGroup';
 insertNew(queries, format, {
@@ -1163,7 +1163,7 @@ export function buildAzureGroupMembers(chunk) {
 });
 }
 } else if (type === 'USER') {
- if (row.GroupOnPremID === null) {
+ if (row.MemberOnPremID === null) {
 format[0] = 'AZUser';
 format[1] = 'AZGroup';
 insertNew(queries, format, {
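Review bot: The new guard tests `row.OwnerOnPremID == null` with loose equality while every other on-prem check visible in this commit (`row.GroupOnPremID === null`, and the corrected `row.MemberOnPremID === null` at -1147 and -1163) uses strict equality; pick one form. If the ingest JSON can omit the key altogether then `== null` is the right one and the other checks should follow; otherwise change this line to `if (row.OwnerID !== null && row.OwnerOnPremID === null) {`. With the added condition a device whose owner is a synced on-prem user is no longer attached to any owner at all; unless an `else` that maps `OwnerOnPremID` to the on-prem User node exists below (the hunk ends before one), that ownership edge is silently dropped and the device will look unowned in the graph, which is the kind of gap that hides a real control path. `buildAzureDevices` starts before and ends after this hunk.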
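Review bot: The corrected inner check `row.MemberOnPremID === null` brings a previously dead branch to life: with `row.GroupOnPremID === null` repeated inside the outer test of the same property, the inner `if` was always true, so whatever sits in its `else` (outside this hunk, here and in the `USER` branch at -1163) never ran for members that carry an on-prem id. That path now handles every synced group member for the first time and deserves a fixture row with a populated `MemberOnPremID` and a null `GroupOnPremID` for both the `GROUP` and `USER` cases, presumably asserting that the edge lands on the on-prem node rather than an AZ one. A one-line comment above the outer test, `// GroupOnPremID and MemberOnPremID are independent: the group and its member may each be cloud-only or synced`, would make clear why the two properties are checked separately and stop the copy-paste from recurring. `buildAzureGroupMembers` starts before and ends after these hunks.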