GenericWrite ACL not collected on OU

[sploutchy]

The ACL Processor collects GenericAll, WriteDACL and WriteOwner ACLs on all object types.

For GenericWrite and WriteProperty, it collects the ACLs only for User, Group and Computer (and to some extent GPOs):

https://github.com/BloodHoundAD/SharpHoundCommon/blob/a2cc6c1bff4e3879c9329e89822d7e82e6806911/src/CommonLib/Processors/ACLProcessor.cs#L338-L392

I just stumbled upon a case where an Everyone has GenericWrite on an OU, this can be exploited as shown in the following articles:

• https://labs.withsecure.com/blog/ou-having-a-laugh/
• https://markgamache.blogspot.com/2020/07/exploiting-ad-gplink-for-good-or-evil.html

I think this edge should also be collected on OUs. What do you think?

Thanks a lot for your great work!

[hubert3]

Agree this should be collected on OUs as well if possible

[rvazarkar]

I think historically, we've resisted adding this edge because the exploitation of this primitive is very complex and relies on several factors that are hard to enumerate. Maybe its time we took another look at it, but exploitation is still very complex, relying on ability to add DNS records or new computers for example