If you have a permission like GenericAll on an OU, you will have a path to all descendant objects with the Contains edge:
You - [GenericAll] -> OU - [Contains] -> Descendant
You - [GenericAll] -> OU - [Contains] -> Descendant(Sub-OU) - [Contains] -> Descendant
etc.
A path like this is a false positive if inheritance is disabled either on the leaf object or on a sub-OU.
Example:
Here, Enterprise Admins have inheritance disabled.
Disabling inheritance is not used often, but Protected Accounts and Groups have inheritance disabled by default, and they are common targets.
This issue was also present in 4.0, but it has gotten worse in 4.1, as group objects now also have a Contains edge to their parent OU.
The issue is also present for Container objects, and not only OUs.
Suggested solution
Removing the Contains edge for objects with disabled inheritance is not a good quick-fix, because you will then remove GPO paths, which also rely on Contains edges.
I think the best solution is to remove Contains edges altogether, and implement these changes:
Create GPLink edges directly from the GPO to the Computer and Users objects. This will ensure GPO paths are not removed.
Create a new edge “WriteDACLParent” between attacker object and victim object, if attacker has WriteDACL, GenericWrite, or GenericAll with “This object only” on an OU/Container AND the victim object is located under the OU/Container AND inheritance is enabled on the victim object AND inheritance is enabled on any sub-OU/Container between the victim and the OU/Container where the attacker has the permission. This will ensure this kind of path: #433.
I think it makes sense to remove these false positives, as long as it does not remove any legit paths.
I can create a pull request if you would like me to do so 😊
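The inheritance condition described in the post, worked through as an added example (this is not code from the issue or from the BloodHound project). It models a small constructed OU tree in which a protected group (inheritance disabled, as AdminSDHolder does for Protected Accounts and Groups) and a sub-OU with inheritance disabled both sit under the OU the attacker controls. `contains_descendants` reproduces what a chain of Contains edges reaches; `inheritable_ace_targets` applies the proposed "WriteDACLParent" rule (the target and every container between it and the controlled OU must have inheritance enabled), and the difference between the two is the set of false-positive paths. All object names, the `ADObject` class and the function names are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ADObject:
    dn: str
    kind: str                        # "OU", "Container", "User", "Group", "Computer"
    parent: Optional[str]            # DN of the parent, None for the domain root
    inheritance_enabled: bool = True # False models a DACL flagged "protected" (inheritance disabled)

# Constructed sample tree (hypothetical names, not taken from the issue).
SAMPLE = [
    ADObject("DC=corp", "Domain", None),
    ADObject("OU=Corp,DC=corp", "OU", "DC=corp"),
    ADObject("OU=Groups,OU=Corp,DC=corp", "OU", "OU=Corp,DC=corp"),
    # Protected group: AdminSDHolder leaves its DACL with inheritance disabled.
    ADObject("CN=Enterprise Admins,OU=Groups,OU=Corp,DC=corp", "Group",
             "OU=Groups,OU=Corp,DC=corp", inheritance_enabled=False),
    ADObject("CN=helpdesk,OU=Groups,OU=Corp,DC=corp", "Group", "OU=Groups,OU=Corp,DC=corp"),
    # Sub-OU with inheritance disabled: nothing below it inherits from OU=Corp.
    ADObject("OU=Tier0,OU=Corp,DC=corp", "OU", "OU=Corp,DC=corp", inheritance_enabled=False),
    ADObject("CN=DC01,OU=Tier0,OU=Corp,DC=corp", "Computer", "OU=Tier0,OU=Corp,DC=corp"),
    ADObject("CN=alice,OU=Corp,DC=corp", "User", "OU=Corp,DC=corp"),
]

def children_index(objects):
    """Map each parent DN to the list of its direct children."""
    idx = defaultdict(list)
    for obj in objects:
        if obj.parent is not None:
            idx[obj.parent].append(obj)
    return idx

def contains_descendants(objects, root_dn):
    """Everything below root_dn: what a chain of Contains edges reaches, ignoring inheritance."""
    idx = children_index(objects)
    reached, stack = set(), [root_dn]
    while stack:
        for child in idx[stack.pop()]:
            reached.add(child.dn)
            stack.append(child.dn)
    return reached

def inheritable_ace_targets(objects, root_dn):
    """Objects that would actually receive an inheritable ACE written on root_dn's DACL.

    The ACE lands on a descendant only if that object and every container between
    it and root_dn have inheritance enabled; a protected DACL stops propagation
    both at that object and for everything beneath it.
    """
    idx = children_index(objects)
    reached, stack = set(), [root_dn]
    while stack:
        for child in idx[stack.pop()]:
            if not child.inheritance_enabled:
                continue  # protected DACL: the ACE neither lands here nor flows below
            reached.add(child.dn)
            stack.append(child.dn)
    return reached

def false_positive_paths(objects, root_dn):
    """Descendants a Contains-based path claims but an inheritable ACE would never reach."""
    return sorted(contains_descendants(objects, root_dn) - inheritable_ace_targets(objects, root_dn))

if __name__ == "__main__":
    for dn in false_positive_paths(SAMPLE, "OU=Corp,DC=corp"):
        print("false positive:", dn)
```

With the sample tree, the Contains chain claims six descendants of OU=Corp, while only OU=Groups, the helpdesk group and alice would receive an inheritable ACE; Enterprise Admins, OU=Tier0 and DC01 are the false positives the post describes. The same check is what an audit script would run before treating an OU-level permission as control over a protected object.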
Thanks for opening this issue with this level of detail and recommended fix. We will work on our side to come up with a solution as soon as we can, and I'll update this issue at that time.