BHCE does not honor on-premise AD deny ACLs #392
Labels: enhancement (New feature or request), ticketed (automation only: ticket has been created internally for tracking)
Feature Description:
BHCE should honor deny ACLs to combat false attack paths.
It would be great if BHCE ingested and processed deny ACLs, to combat false attack paths.
Current Behavior:
BHCE does not ingest and process deny ACLs from on-premise Active Directory.
BHCE currently does not honor deny ACLs in on-prem AD, which results in false attack paths. An example is the GenericAll/FullControl ACL on computer objects, which can be abused to perform the Resource Based Constrained Delegation attack. However, if there is a deny ACL for write permission on the "msDS-AllowedToActOnBehalfOfOtherIdentity" attribute, this attack is not possible, but BHCE still shows the attack path.
Desired Behavior:
BHCE does ingest and process deny ACLs from on-premise Active Directory.
BHCE does ingest and process deny ACLs from on-premise Active Directory and therefore removes attack paths based on that.
Use Case:
Specifically for the RBCD attack path, there might be deny ACLs in place that block the write capability to the "msDS-AllowedToActOnBehalfOfOtherIdentity" attribute, which invalidates the attack path.
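As an added illustration (not BloodHound CE code), this is the kind of effective-rights check an ingestor needs before drawing an RBCD edge: walk the DACL in canonical order, where explicit deny ACEs come before explicit allow ACEs, so an object-specific deny on the attribute wins over a broad GenericAll. The SIDs, the attribute-name keyed ACEs (real ACEs carry the schema GUID), and the simplified generic-rights mapping are all constructed for the example.

```python
"""Constructed example (not BloodHound CE code): effective write access on one
AD attribute, honoring deny ACEs, as the check behind an RBCD edge."""
from dataclasses import dataclass
from typing import Optional

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Simplified expansion of generic rights into the specific rights they contain.
GENERIC_MAP = {"GenericAll": {"WriteProperty", "WriteDacl", "WriteOwner"},
               "GenericWrite": {"WriteProperty"}}

@dataclass
class Ace:
    kind: str                         # "allow" or "deny"
    trustee: str                      # SID of a user or group (constructed)
    rights: frozenset                 # e.g. {"GenericAll"} or {"WriteProperty"}
    object_type: Optional[str] = None  # attribute name; None = whole object

def expand(rights):
    out = set(rights)
    for r in rights:
        out |= GENERIC_MAP.get(r, set())
    return out

def can_write_attribute(dacl, principal_sids, attribute):
    """Canonical order: explicit denies are evaluated before explicit allows,
    so the first applicable ACE decides and a matching deny beats GenericAll."""
    ordered = sorted(dacl, key=lambda a: a.kind != "deny")  # stable, denies first
    for ace in ordered:
        if ace.trustee not in principal_sids:
            continue                       # ACE is for another principal
        if ace.object_type not in (None, attribute):
            continue                       # object-specific ACE for another attribute
        if "WriteProperty" not in expand(ace.rights):
            continue                       # does not touch the right we need
        return ace.kind == "allow"
    return False                           # no applicable allow: implicitly denied

def rbcd_edge(dacl, principal_sids):
    """Draw the RBCD edge only if the principal can really write the attribute."""
    return can_write_attribute(dacl, principal_sids, RBCD_ATTR)

# Constructed sample DACL on a computer object: user 1105 is in Domain Users (513).
ATTACKER = {"S-1-5-21-1-1-1-1105", "S-1-5-21-1-1-1-513"}
GENERIC_ALL = Ace("allow", "S-1-5-21-1-1-1-1105", frozenset({"GenericAll"}))
DENY_RBCD = Ace("deny", "S-1-5-21-1-1-1-513", frozenset({"WriteProperty"}), RBCD_ATTR)
DENY_OTHER = Ace("deny", "S-1-5-21-1-1-1-513", frozenset({"WriteProperty"}), "servicePrincipalName")
```

With only GENERIC_ALL the edge is drawn; adding DENY_RBCD removes it, while a deny scoped to a different attribute (DENY_OTHER) leaves it in place.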