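/// <summary>
/// Prints DACL information. With a <paramref name="targetDn"/> the DACL of that single object is shown;
/// without one, the interesting ACEs on the domain object, on every GPO, and the LAPS password read
/// access are shown in turn.
/// </summary>
/// <param name="targetDn">Distinguished name of the object to inspect; <c>null</c> selects the domain-wide overview.</param>
public void GetACL(string targetDn = null)
{
    IDisplay displayer = new DisplayDACL();
    var result = new DACLResult();

    if (targetDn is null)
    {
        displayer.DisplayTitle("Interesting ACL on the Domain Object");
        var domainAcl = DACL.GetInterestingACLOnObject(Searcher.LdapInfo.RootDN);
        result.Result = new List<DACL> { domainAcl };
        displayer.DisplayResult(result);

        displayer.DisplayTitle("Interesting ACL on Group Policy Objects");
        var gpoDnList = GPO.GetAllGPODNList();
        // This caller is synchronous. GetAwaiter().GetResult() rethrows the original exception rather than
        // the AggregateException that .Result produces; it is still a blocking wait on the async collector.
        result.Result = AsyncCollection.GetInterestingACLAsync(gpoDnList).GetAwaiter().GetResult();
        displayer.DisplayResult(result);

        displayer.DisplayTitle("LAPS Password View Access");
        result.Result = DACL.GetLAPSACL();
        displayer.DisplayResult(result);
    }
    else
    {
        // The DN is an identifier, not user-facing prose: use culture-invariant casing for the heading.
        displayer.DisplayTitle($"DACL on {targetDn.ToUpperInvariant()}");
        result.Result = new List<DACL> { DACL.GetACLOnObject(targetDn) };
        displayer.DisplayResult(result);
    }
}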
/// <summary>
/// Resolves the DACL of every object in <paramref name="targetDnList"/>, using one thread-pool task per DN.
/// </summary>
/// <param name="targetDnList">Distinguished names to query.</param>
/// <returns>The collected DACLs, in the same order as the input list.</returns>
public static async Task<List<DACL>> GetACLAsync(List<string> targetDnList)
{
    // DACL.GetACLOnObject is synchronous, so each lookup is offloaded to the thread pool.
    var pending = targetDnList
        .Select(dn => Task.Run(() => DACL.GetACLOnObject(dn)))
        .ToList();

    DACL[] resolved = await Task.WhenAll(pending);
    return resolved.ToList();
}
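/// <summary>
/// Evaluates the security-filtering ACEs of a GPO to decide whether it is withheld from the given user.
/// </summary>
/// <param name="sAMAccountName">
/// sAMAccountName of the user. It is looked up (upper-cased) in
/// <see cref="CollectNestedGroupMembership.UserSIDNameDictionary"/>, which must already be populated.
/// </param>
/// <param name="gpoDn">Distinguished name of the GPO whose DACL is inspected.</param>
/// <returns>
/// <c>true</c> when no Apply-Group-Policy ACE grants the right to the user or one of their nested groups,
/// when a matching deny ACE exists, or when the user's membership has not been collected;
/// <c>false</c> when a matching allow ACE exists and no matching deny ACE does.
/// </returns>
public bool IsDeniedPolicy(string sAMAccountName, string gpoDn)
{
    _logger.Debug($"Checking if ({gpoDn}) is denied by security filtering");

    // Apply-Group-Policy control access right; its schema GUID identifies the security-filtering ACEs.
    var applyGroupPolicyRight = new Guid("edacfd8f-ffb3-11d1-b41d-00a0c968f939");

    var rules = DACL.GetAuthorizationRules(gpoDn, out _);
    bool isDenied = true;

    // Key casing must match how CollectNestedGroupMembership populates the dictionary (ToUpper()).
    var membership = CollectNestedGroupMembership.UserSIDNameDictionary;
    if (membership == null || !membership.TryGetValue(sAMAccountName.ToUpper(), out var userNestedGroupSids))
    {
        // Without collected membership nothing can match, so the policy is reported as denied.
        _logger.Error($"No collected group membership for {sAMAccountName}; treating ({gpoDn}) as denied");
    }
    else
    {
        foreach (ActiveDirectoryAccessRule rule in rules)
        {
            // Only object-specific ACEs that carry the Apply-Group-Policy extended right take part in filtering.
            // Enum/Guid comparison replaces the former culture-sensitive ToLower()/ToUpper() string matching.
            if (!rule.ActiveDirectoryRights.HasFlag(ActiveDirectoryRights.ExtendedRight)
                || rule.ObjectType != applyGroupPolicyRight)
            {
                continue;
            }

            string groupSid = rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString().ToUpperInvariant();
            if (!userNestedGroupSids.ContainsKey(groupSid))
            {
                continue;
            }

            // A deny ACE for any of the user's groups takes precedence over every allow ACE.
            if (rule.AccessControlType == System.Security.AccessControl.AccessControlType.Deny)
            {
                isDenied = true;
                break;
            }

            isDenied = false;
        }
    }

    string deny = isDenied ? string.Empty : " not";
    _logger.Debug($"({gpoDn}) is{deny} denied");
    return isDenied;
}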
/// <summary>
/// Collects the user's nested group memberships and prints the ACEs that are interesting for that principal.
/// </summary>
/// <param name="user">sAMAccountName of the user; nothing is printed when <c>null</c>.</param>
public void InvokeACLScan(string user)
{
    if (user is null)
    {
        return;
    }

    var displayer = new DisplayDACL();
    displayer.DisplayTitle($"Interesting ACL for {user.ToUpper()}");
    var scan = new DACLResult();

    // Populate the static SID dictionary for this user, then read its group SIDs back out of it.
    var membership = new CollectNestedGroupMembership();
    membership.Collect(new NestedGMSearchString { SAMAccountName = user });
    var nestedGroupSids = CollectNestedGroupMembership.UserSIDNameDictionary[user.ToUpper()].Keys.ToList();

    scan.Result = DACL.ACLScan(user, nestedGroupSids);
    displayer.DisplayResult(scan);
}