Fixed LAPS attributes (#167)
* Update LDAPProperties.cs

Updated LAPS password attributes

* Update ACLProcessor.cs

Updated logic to create ReadLAPSPassword edges based on updated LAPS password attributes

* Update ACLProcessor.cs

Updated logic to pull GUIDs for new LAPS password attributes

* Update LDAPProperties.cs

Corrected new LAPS password expiry attribute

* Fixed ReadLAPSPassword Logic

---------

Co-authored-by: Rohan Vazarkar <[email protected]>
spyr0-sec and rvazarkar authored Oct 18, 2024
1 parent 2343b28 commit 1d9e9c0
Showing 2 changed files with 21 additions and 12 deletions.
3 changes: 2 additions & 1 deletion src/CommonLib/Enums/LDAPProperties.cs
Expand Up @@ -36,7 +36,8 @@ public static class LDAPProperties
public const string ServicePack = "operatingsystemservicepack";
public const string DNSHostName = "dnshostname";
public const string LAPSExpirationTime = "mslaps-passwordexpirationtime";
public const string LAPSPassword = "mslaps-password";
public const string LAPSPlaintextPassword = "ms-laps-password";
public const string LAPSEncryptedPassword = "ms-laps-encryptedpassword";
public const string LegacyLAPSExpirationTime = "ms-mcs-admpwdexpirationtime";
public const string LegacyLAPSPassword = "ms-mcs-admpwd";
public const string Members = "member";
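Review bot: The two added constants use a `ms-laps-` prefix, while the neighbouring `LAPSExpirationTime` constant in the same group keeps `mslaps-passwordexpirationtime`, and the `LAPSPassword` constant this commit appears to replace used `mslaps-password`; the Windows LAPS schema attributes are `msLAPS-Password` and `msLAPS-EncryptedPassword`, which lower-case to `mslaps-password` and `mslaps-encryptedpassword`, so the new strings look mistyped. BuildGuidCache in ACLProcessor.cs lower-cases each schema attribute name and compares it for equality against these constants before caching the GUID, so a prefix that does not match the directory means no GUID is ever cached and no ReadLAPSPassword edge is emitted for Windows LAPS, a silent false negative in the collected graph rather than an error. I would change the two lines to `public const string LAPSPlaintextPassword = "mslaps-password";` and `public const string LAPSEncryptedPassword = "mslaps-encryptedpassword";`, confirm both against a live schema, and add a comment above the group such as `// lDAPDisplayName values, lower-cased to match the normalisation in ACLProcessor.BuildGuidCache`.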
30 changes: 19 additions & 11 deletions src/CommonLib/Processors/ACLProcessor.cs
Expand Up @@ -64,6 +64,7 @@ private async Task BuildGuidCache(string domain) {
}

name = name.ToLower();

string guid;
try
{
Expand All @@ -74,7 +75,7 @@ private async Task BuildGuidCache(string domain) {
continue;
}

if (name is LDAPProperties.LAPSPassword or LDAPProperties.LegacyLAPSPassword) {
if (name is LDAPProperties.LAPSPlaintextPassword or LDAPProperties.LAPSEncryptedPassword or LDAPProperties.LegacyLAPSPassword) {
_log.LogInformation("Found GUID for ACL Right {Name}: {Guid} in domain {Domain}", name, guid, domain);
_guidMap.TryAdd(guid, name);
}
Expand Down Expand Up @@ -309,8 +310,6 @@ public async IAsyncEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, strin
aceInheritanceHash = CalculateInheritanceHash(ir, aceRights, aceType, ace.InheritedObjectType());
}

_guidMap.TryGetValue(aceType, out var mappedGuid);

_log.LogTrace("Processing ACE with rights {Rights} and guid {GUID} on object {Name}", aceRights,
aceType, objectName);

Expand Down Expand Up @@ -423,14 +422,23 @@ public async IAsyncEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, strin
RightName = EdgeNames.AllExtendedRights,
InheritanceHash = aceInheritanceHash
};
else if (mappedGuid is LDAPProperties.LegacyLAPSPassword or LDAPProperties.LAPSPassword)
yield return new ACE {
PrincipalType = resolvedPrincipal.ObjectType,
PrincipalSID = resolvedPrincipal.ObjectIdentifier,
IsInherited = inherited,
RightName = EdgeNames.ReadLAPSPassword,
InheritanceHash = aceInheritanceHash
};
else if (_guidMap.TryGetValue(aceType, out var lapsAttribute))
{
// Compare the retrieved attribute name against LDAPProperties values
if (lapsAttribute == LDAPProperties.LegacyLAPSPassword ||
lapsAttribute == LDAPProperties.LAPSPlaintextPassword ||
lapsAttribute == LDAPProperties.LAPSEncryptedPassword)
{
yield return new ACE
{
PrincipalType = resolvedPrincipal.ObjectType,
PrincipalSID = resolvedPrincipal.ObjectIdentifier,
IsInherited = inherited,
RightName = EdgeNames.ReadLAPSPassword,
InheritanceHash = aceInheritanceHash
};
}
}
}
} else if (objectType == Label.CertTemplate) {
if (aceType is ACEGuids.AllGuid or "")
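Review bot: In the last hunk, the new `else if` on `_guidMap.TryGetValue(aceType, out var lapsAttribute)` repeats with string `==` comparisons the same three-name membership test that the second hunk already enforces with an `is ... or ...` pattern before anything is added to `_guidMap`, so as far as this page shows the nested `if` can only be false if a value reaches the map by some path not visible here. The two hunks are also written in different styles for the same check; I would fold it into the branch condition using the pattern form the second hunk uses, `else if (_guidMap.TryGetValue(aceType, out var lapsAttribute) && lapsAttribute is LDAPProperties.LegacyLAPSPassword or LDAPProperties.LAPSPlaintextPassword or LDAPProperties.LAPSEncryptedPassword)`, and keep the `yield return` as the single branch body as the removed code had it. Since this branch decides whether a principal is recorded as able to read the LAPS password, a short comment is warranted: `// _guidMap only holds attribute GUIDs that BuildGuidCache matched to a LAPS password attribute; a hit here means the ACE grants ReadLAPSPassword`. ProcessACL begins and ends outside this hunk.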
