Open pkb1s opened 5 years ago
Hey @pkb1s, thanks a lot for this PR! Looks very cool and of course your recent blog post about this was very interesting as well. Here's my request before we merge this in: can you create and post a video showing the attack in action, from beginning to end? Showing the specific permissions on the GPO, setting up your dummy domain controller, serving an evil scheduled task, and showing that evil scheduled task running?
Hi @andyrobbins, apologies for the delay. I have included the video you requested below: https://www.youtube.com/watch?v=3QSRTUGEzEA
Excellent, thank you for making that vid, @pkb1s. Very straightforward. We are going to test a few things on our side to confirm but you should expect to see this edge start showing up in the next release.
SharpHound currently does not detect Edit Settings permissions on a GPO. However, this level of access can be used as part of an attack path.
The current version of SharpHound generates the following:
After the changes, the graph includes 2 more users:
I hope this helps.
Thanks