BloodHoundAD / BloodHound

Six Degrees of Domain Admin
GNU General Public License v3.0

Filter or expand "Owns" permissions paths based on "Owner Rights" ACE #650

Open JonColler opened 1 year ago

JonColler commented 1 year ago

It appears that BloodHound returns false positives for domains which implement "Owner Rights" ACEs to override the default WRITE_DAC permissions.

If the Owner Rights ACE does not contain risky permissions, "Owns" edges should likely be excluded, as they're not a real path for attack.

AD DS Owner Rights: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd125370(v=ws.10)?redirectedfrom=MSDN

JonasBK commented 1 year ago

This is super cool - I have never heard about Owner Rights before.

Using the edge filter to filter out Owns edges for the user is pretty simple. But the user may be like me, utterly unaware of Owner Rights. It would make sense to make SharpHound collect Owner Rights and let BloodHound post-processing calculate the correct edges. However, since Owner Rights is not a commonly used feature, other projects will be prioritized over implementing this.

However, if you are interested (or anyone else is) in making a pull request, we would appreciate the contribution and be happy to accept the new feature!
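The check the two comments above describe, written out as an added audit script (this is not code from the issue, from BloodHound or from SharpHound): for every object in the domain it reads the owner and any ACE granted to the well-known "OWNER RIGHTS" principal (SID S-1-3-4), and reports whether ownership still carries WriteDacl/WriteOwner-class rights, i.e. whether an "Owns" edge to that object is a real path or one a filter could drop. It assumes the RSAT ActiveDirectory module; the function and property names (`Get-OwnerRightsReport`, `OwnsEdgeIsRisky`) are mine.

```powershell
# Added example, not part of the issue or of BloodHound/SharpHound.
# Assumes the RSAT ActiveDirectory module is installed; function and column names are hypothetical.
Import-Module ActiveDirectory

$OwnerRightsSid = 'S-1-3-4'   # well-known SID "OWNER RIGHTS"
$SidType        = [System.Security.Principal.SecurityIdentifier]
$Rights         = [System.DirectoryServices.ActiveDirectoryRights]
# Rights that make ownership a genuine escalation path: control over the DACL or the owner itself.
$RiskyMask = [int]($Rights::WriteDacl -bor $Rights::WriteOwner -bor $Rights::GenericAll -bor $Rights::GenericWrite)

function Get-OwnerRightsReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADObject -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
        ForEach-Object {
            $sd    = $_.nTSecurityDescriptor
            $owner = $sd.GetOwner($SidType)

            # Explicit and inherited ACEs for OWNER RIGHTS, keyed by SID so no name translation is needed.
            $orAces = @($sd.GetAccessRules($true, $true, $SidType) |
                Where-Object { $_.IdentityReference.Value -eq $OwnerRightsSid })

            if ($orAces.Count -eq 0) {
                # No OWNER RIGHTS ACE: the owner implicitly holds READ_CONTROL + WRITE_DAC,
                # so an "Owns" edge is a real path.
                $effective = 'Implicit ReadControl, WriteDacl (default)'
                $risky     = $true
            } else {
                # OWNER RIGHTS ACE present: the implicit rights are replaced by what the ACE(s) grant.
                # Simplification: object-type scoping is ignored and all Allow bits are merged,
                # so this over-approximates what the owner can actually do.
                $allow = 0; $deny = 0
                foreach ($ace in $orAces) {
                    if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.ActiveDirectoryRights }
                    else                                    { $deny  = $deny  -bor [int]$ace.ActiveDirectoryRights }
                }
                $granted   = $allow -band (-bnot $deny)
                $effective = ([System.DirectoryServices.ActiveDirectoryRights]$granted).ToString()
                $risky     = ($granted -band $RiskyMask) -ne 0
            }

            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                Owner             = $owner.Value
                OwnerRightsAce    = ($orAces.Count -gt 0)
                EffectiveRights   = $effective
                OwnsEdgeIsRisky   = $risky
            }
        }
}

# Usage: objects where an OWNER RIGHTS ACE has stripped the dangerous rights are
# the candidates whose "Owns" edges are false positives.
Get-OwnerRightsReport |
    Where-Object { $_.OwnerRightsAce -and -not $_.OwnsEdgeIsRisky } |
    Format-Table DistinguishedName, Owner, EffectiveRights -AutoSize
```

The report deliberately keeps the default case (no OWNER RIGHTS ACE) as risky, since that is the behaviour the issue says BloodHound already models correctly; only objects where the ACE exists and omits WriteDacl/WriteOwner are flagged as candidates for exclusion. Inherited OWNER RIGHTS ACEs are included because they take effect just like explicit ones.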