Revert "Revert "feat: AdminSDHolder updates - BED-6221 (#165)" (#173)"

Michael Cuomo · web-flow · commit 57aa962ea705 · 2025-09-19T16:15:08.000-04:00
This reverts commit 34b27df.
diff --git a/Sharphound.csproj b/Sharphound.csproj
@@ -44,4 +44,4 @@
         <Message Text="Test" />
         <Exec Command="powershell -ep bypass -c &quot;. '$(ProjectDir)src\Powershell\Out-CompressedDLL.ps1';Out-CompressedDll -FilePath '$(TargetPath)' -TemplatePath '$(ProjectDir)src\\Powershell\Template.ps1' | Out-File -Encoding ASCII '$(TargetDir)$(TargetName).ps1'&quot;" />
     </Target>
-</Project>
+</Project>
diff --git a/src/BaseContext.cs b/src/BaseContext.cs
@@ -29,6 +29,7 @@ public BaseContext(ILogger logger, LdapConfig ldapConfig, Flags flags)
             LDAPUtils = new LdapUtils();
             LDAPUtils.SetLdapConfig(ldapConfig);
             CancellationTokenSource = new CancellationTokenSource();
+            AdminSDHolderHash = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
         }
 
         public bool IsFaulted { get; set; }
@@ -122,6 +123,11 @@ public string ResolveFileName(string filename, string extension, bool addTimesta
         public string LocalAdminPassword { get; set; }
         public bool LocalAdminSessionEnum { get; set; }
 
+        /// <summary>
+        /// Dictionary mapping domain names to their AdminSDHolder authoritative security descriptor hash
+        /// </summary>
+        public Dictionary<string, string> AdminSDHolderHash { get; set; }
+
         // // TODO: override finalizer only if 'Dispose(bool disposing)' has code to free unmanaged resources
         // ~Context()
         // {
diff --git a/src/Client/Context.cs b/src/Client/Context.cs
@@ -76,5 +76,10 @@ public interface IContext
         EnumerationDomain[] Domains { get; set; }
         void UpdateLoopTime();
         public HashSet<string> CollectedDomainSids { get; }
+
+        /// <summary>
+        /// Dictionary mapping domain names to their AdminSDHolder authoritative security descriptor hash
+        /// </summary>
+        Dictionary<string, string> AdminSDHolderHash { get; set; }
     }
 }
diff --git a/src/Producers/LdapProducer.cs b/src/Producers/LdapProducer.cs
@@ -7,6 +7,7 @@
 using SharpHoundCommonLib;
 using SharpHoundCommonLib.Enums;
 using SharpHoundCommonLib.OutputTypes;
+using SharpHoundCommonLib.Processors;
 
 namespace Sharphound.Producers
 {
@@ -54,29 +55,101 @@ public override async Task Produce()
 
                 Context.CollectedDomainSids.Add(domain.DomainSid);
 
-                foreach (var filter in ldapData.Filter.GetFilterList()) {
-                    foreach (var partitionedFilter in GetPartitionedFilter(filter)) {
-                        await foreach (var result in Context.LDAPUtils.PagedQuery(new LdapQueryParameters() {
-                                           LDAPFilter = partitionedFilter,
-                                           Attributes = ldapData.Attributes,
-                                           DomainName = domain.Name,
-                                           SearchBase = Context.SearchBase,
-                                           IncludeSecurityDescriptor = Context.ResolvedCollectionMethods.HasFlag(CollectionMethod.ACL)
-                                       }, cancellationToken)){
-                            if (!result.IsSuccess) {
+                // Only collect AdminSDHolder data if ACL collection is enabled
+                if (Context.ResolvedCollectionMethods.HasFlag(CollectionMethod.ACL))
+                {
+                    Context.Logger.LogInformation("Collecting AdminSDHolder data for {Domain}", domain.Name);
+                    if (await Context.LDAPUtils.GetNamingContextPath(domain.Name, NamingContext.Default) is
+                        (true, var domainDN))
+                    {
+                        // Now use the retrieved distinguished name for the search base
+                        var adminSdHolderParameters = new LdapQueryParameters()
+                        {
+                            LDAPFilter = "(objectClass=*)",
+                            Attributes = new[]
+                                { "nTSecurityDescriptor", "distinguishedName", "objectClass", "objectSid" },
+                            DomainName = domain.Name,
+                            SearchBase = $"cn=adminsdholder,cn=system,{domainDN}",
+                            IncludeSecurityDescriptor = true
+                        };
+
+                        // Query and get the first result
+                        var adminSdHolderResult = await Context.LDAPUtils
+                            .Query(adminSdHolderParameters, cancellationToken)
+                            .FirstOrDefaultAsync(LdapResult<IDirectoryObject>.Fail());
+
+
+                        if (adminSdHolderResult.IsSuccess)
+                        {
+                            var searchResult = adminSdHolderResult.Value;
+                            // Don't write AdminSDHolder to the channel as it's only needed for its security descriptor
+                            // await Channel.Writer.WriteAsync(searchResult, cancellationToken);
+
+
+                            // Create the ACL hash using ACLProcessor
+                            if (searchResult.TryGetByteProperty(LDAPProperties.SecurityDescriptor, out var sd))
+                            {
+                                // enable for debugging purposes
+                                //var B64 = Convert.ToBase64String(sd);
+                                //Context.Logger.LogDebug("{Domain} AdminSDHolder SD Bytes: {Bytes}", domain.Name, B64);
+
+                                // Create an instance of ACLProcessor - _aclProcessor from ObjectProcessors isn't in this context
+                                 var aclProcessor = new ACLProcessor(Context.LDAPUtils);
+
+                                // Calculate the authoritative SD based on a hash of the implicit ACLs & AclProtected
+                                var authoritativeSd = aclProcessor.CalculateImplicitACLHash(sd);
+
+                                // Store the hashes in the Context for later use
+                                Context.AdminSDHolderHash[domain.Name] = authoritativeSd;
+
+                                Context.Logger.LogInformation(
+                                    "AdminSDHolder ACL hash {Hash} calculated for {Domain}.", authoritativeSd,
+                                    domain.Name);
+                            }
+
+                            Context.Logger.LogTrace("AdminSDHolder data collected for {Domain}", domain.Name);
+                        }
+                        else
+                        {
+                            Context.Logger.LogWarning("Failed to collect AdminSDHolder data for {Domain}: {Message}",
+                                domain.Name, adminSdHolderResult.Error);
+                        }
+                    }
+                    else
+                    {
+                        Context.Logger.LogWarning("Failed to get distinguished name for domain {Domain}", domain.Name);
+                    }
+                }
+
+                foreach (var filter in ldapData.Filter.GetFilterList())
+                {
+                    foreach (var partitionedFilter in GetPartitionedFilter(filter))
+                    {
+                        await foreach (var result in Context.LDAPUtils.PagedQuery(new LdapQueryParameters()
+                        {
+                            LDAPFilter = partitionedFilter,
+                            Attributes = ldapData.Attributes,
+                            DomainName = domain.Name,
+                            SearchBase = Context.SearchBase,
+                            IncludeSecurityDescriptor = Context.ResolvedCollectionMethods.HasFlag(CollectionMethod.ACL)
+                        }, cancellationToken))
+                        {
+                            if (!result.IsSuccess)
+                            {
                                 Context.Logger.LogError("Error during main ldap query:{Message} ({Code})", result.Error, result.ErrorCode);
                                 break;
                             }
 
                             var searchResult = result.Value;
 
-                            if (searchResult.TryGetDistinguishedName(out var distinguishedName)) {
+                            if (searchResult.TryGetDistinguishedName(out var distinguishedName))
+                            {
                                 var lower = distinguishedName.ToLower();
                                 if (lower.Contains("cn=domainupdates,cn=system"))
                                     continue;
                                 if (lower.Contains("cn=policies,cn=system") && (lower.StartsWith("cn=user") || lower.StartsWith("cn=machine")))
                                     continue;
-                        
+
                                 await Channel.Writer.WriteAsync(searchResult, cancellationToken);
                                 Context.Logger.LogTrace("Producer wrote {DistinguishedName} to channel", distinguishedName);
                             }
@@ -85,7 +158,7 @@ public override async Task Produce()
                 }
             }
         }
-        
+
         private IEnumerable<string> GetPartitionedFilter(string originalFilter) {
             if (Context.Flags.ParititonLdapQueries) {
                 for (var i = 0; i < 256; i++) {
@@ -117,7 +190,7 @@ public override async Task ProduceConfigNC()
                     if (!configurationNCsCollected.Add(path)) {
                         continue;
                     }
-                    
+
                     Context.Logger.LogInformation("Beginning LDAP search for {Domain} Configuration NC", domain.Name);
                     foreach (var filter in configNcData.Filter.GetFilterList()) {
                         await foreach (var result in Context.LDAPUtils.PagedQuery(new LdapQueryParameters() {
diff --git a/src/Runtime/ObjectProcessors.cs b/src/Runtime/ObjectProcessors.cs
@@ -120,10 +120,22 @@ private static Dictionary<string, object> GetCommonProperties(IDirectoryObject e
             return props;
         }
 
+        // Helper method to handle AdminSDHolder processing
+        private string GetAdminSdHolderHash(string domain)
+        {
+            if (_context.AdminSDHolderHash != null &&
+                _context.AdminSDHolderHash.TryGetValue(domain, out var hash))
+            {
+                return hash;
+            }
+            return null;
+        }
 
         private async Task<User> ProcessUserObject(IDirectoryObject entry,
-            ResolvedSearchResult resolvedSearchResult) {
-            var ret = new User {
+            ResolvedSearchResult resolvedSearchResult)
+        {
+            var ret = new User
+            {
                 ObjectIdentifier = resolvedSearchResult.ObjectId
             };
 
@@ -134,7 +146,11 @@ private async Task<User> ProcessUserObject(IDirectoryObject entry,
             if (entry.IsGMSA()) ret.Properties.Add("gmsa", true);
             ret.DomainSID = resolvedSearchResult.DomainSid;
 
-            if (_methods.HasFlag(CollectionMethod.ACL)) {
+            if (_methods.HasFlag(CollectionMethod.ACL))
+            {
+                // AdminSDHolderProtected only on security principal nodes: User, Computer, Group
+                var adminSdHolderHash = GetAdminSdHolderHash(resolvedSearchResult.Domain);
+
                 var aces = await _aclProcessor.ProcessACL(resolvedSearchResult, entry, true)
                     .ToArrayAsync(cancellationToken: _cancellationToken);
                 ret.Properties.Add("doesanyacegrantownerrights", aces.Any(ace => ace.IsPermissionForOwnerRightsSid));
@@ -144,17 +160,25 @@ private async Task<User> ProcessUserObject(IDirectoryObject entry,
                     .ToArrayAsync(cancellationToken: _cancellationToken)).ToArray();
                 ret.IsACLProtected = _aclProcessor.IsACLProtected(entry);
                 ret.Properties.Add("isaclprotected", ret.IsACLProtected);
+                var isAdminSdHolderProtected = _aclProcessor.IsAdminSDHolderProtected(entry, adminSdHolderHash);
+                if (isAdminSdHolderProtected != null)
+                {
+                    ret.Properties.Add("adminsdholderprotected", isAdminSdHolderProtected);
+                }
             }
 
-            if (_methods.HasFlag(CollectionMethod.Group)) {
+            if (_methods.HasFlag(CollectionMethod.Group))
+            {
                 var pg = entry.GetProperty(LDAPProperties.PrimaryGroupID);
                 ret.PrimaryGroupSID = GroupProcessor.GetPrimaryGroupInfo(pg, resolvedSearchResult.ObjectId);
             }
 
-            if (_methods.HasFlag(CollectionMethod.ObjectProps)) {
+            if (_methods.HasFlag(CollectionMethod.ObjectProps))
+            {
                 var userProps = await _ldapPropertyProcessor.ReadUserProperties(entry, resolvedSearchResult);
                 ret.Properties = ContextUtils.Merge(ret.Properties, userProps.Props);
-                if (_context.Flags.CollectAllProperties) {
+                if (_context.Flags.CollectAllProperties)
+                {
                     ret.Properties = ContextUtils.Merge(_ldapPropertyProcessor.ParseAllProperties(entry),
                         ret.Properties);
                 }
@@ -164,14 +188,17 @@ private async Task<User> ProcessUserObject(IDirectoryObject entry,
                 ret.UnconstrainedDelegation = userProps.UnconstrainedDelegation;
             }
 
-            if (_methods.HasFlag(CollectionMethod.SPNTargets)) {
+            if (_methods.HasFlag(CollectionMethod.SPNTargets))
+            {
                 ret.SPNTargets = await _spnProcessor.ReadSPNTargets(resolvedSearchResult, entry)
                     .ToArrayAsync(cancellationToken: _cancellationToken);
             }
 
-            if (_methods.HasFlag(CollectionMethod.Container)) {
+            if (_methods.HasFlag(CollectionMethod.Container))
+            {
                 if (entry.TryGetDistinguishedName(out var dn) &&
-                    await _containerProcessor.GetContainingObject(dn) is (true, var container)) {
+                    await _containerProcessor.GetContainingObject(dn) is (true, var container))
+                {
                     ret.ContainedBy = container;
                 }
             }
@@ -197,14 +224,23 @@ Channel<CSVComputerStatus> compStatusChannel
             ret.IsDC = resolvedSearchResult.IsDomainController;
             ret.DomainSID = resolvedSearchResult.DomainSid;
 
-            if (_methods.HasFlag(CollectionMethod.ACL)) {
+            if (_methods.HasFlag(CollectionMethod.ACL))
+            {
+                // AdminSDHolderProtected only on security principal nodes: User, Computer, Group
+                var adminSdHolderHash = GetAdminSdHolderHash(resolvedSearchResult.Domain);
+
                 var aces = await _aclProcessor.ProcessACL(resolvedSearchResult, entry, true)
                     .ToArrayAsync(cancellationToken: _cancellationToken);
                 ret.Properties.Add("doesanyacegrantownerrights", aces.Any(ace => ace.IsPermissionForOwnerRightsSid));
                 ret.Properties.Add("doesanyinheritedacegrantownerrights", aces.Any(ace => ace.IsInheritedPermissionForOwnerRightsSid));
                 ret.Aces = aces;
                 ret.IsACLProtected = _aclProcessor.IsACLProtected(entry);
                 ret.Properties.Add("isaclprotected", ret.IsACLProtected);
+                var isAdminSdHolderProtected = _aclProcessor.IsAdminSDHolderProtected(entry, adminSdHolderHash);
+                if (isAdminSdHolderProtected != null)
+                {
+                    ret.Properties.Add("adminsdholderprotected", isAdminSdHolderProtected);
+                }
             }
 
             if (_methods.HasFlag(CollectionMethod.Group)) {
@@ -329,7 +365,7 @@ await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus {
             //     var cred = _context.Flags.DoLocalAdminSessionEnum
             //         ? new NetworkCredential(_context.LocalAdminUsername, _context.LocalAdminPassword, ".")
             //         : null;
-            //     
+            //
             //     var evntProcessor = new EventLogProcessor(
             //         _context.LDAPUtils,
             //         _log,
@@ -378,11 +414,11 @@ private async void ProcessDomainController(ResolvedSearchResult resolvedSearchRe
                 ret.Properties.Add("ldapavailable", ldapServices.HasLdap);
                 ret.Properties.Add("ldapsavailable", ldapServices.HasLdaps);
                 if (ldapServices.IsChannelBindingDisabled.Collected) {
-                    ret.Properties.Add("ldapsepa", !ldapServices.IsChannelBindingDisabled.Result);    
+                    ret.Properties.Add("ldapsepa", !ldapServices.IsChannelBindingDisabled.Result);
                 }
 
                 if (ldapServices.IsSigningRequired.Collected) {
-                    ret.Properties.Add("ldapsigning", ldapServices.IsSigningRequired.Result);    
+                    ret.Properties.Add("ldapsigning", ldapServices.IsSigningRequired.Result);
                 }
             }
         }
@@ -396,14 +432,23 @@ private async Task<Group> ProcessGroupObject(IDirectoryObject entry,
             ret.Properties = new Dictionary<string, object>(GetCommonProperties(entry, resolvedSearchResult));
             ret.Properties.Add("samaccountname", entry.GetProperty(LDAPProperties.SAMAccountName));
 
-            if (_methods.HasFlag(CollectionMethod.ACL)) {
+            if (_methods.HasFlag(CollectionMethod.ACL))
+            {
+                // AdminSDHolderProtected only on security principal nodes: User, Computer, Group
+                var adminSdHolderHash = GetAdminSdHolderHash(resolvedSearchResult.Domain);
+
                 var aces = await _aclProcessor.ProcessACL(resolvedSearchResult, entry, true)
                     .ToArrayAsync(cancellationToken: _cancellationToken);
                 ret.Properties.Add("doesanyacegrantownerrights", aces.Any(ace => ace.IsPermissionForOwnerRightsSid));
                 ret.Properties.Add("doesanyinheritedacegrantownerrights", aces.Any(ace => ace.IsInheritedPermissionForOwnerRightsSid));
                 ret.Aces = aces;
                 ret.IsACLProtected = _aclProcessor.IsACLProtected(entry);
                 ret.Properties.Add("isaclprotected", ret.IsACLProtected);
+                var isAdminSdHolderProtected = _aclProcessor.IsAdminSDHolderProtected(entry, adminSdHolderHash);
+                if (isAdminSdHolderProtected != null)
+                {
+                    ret.Properties.Add("adminsdholderprotected", isAdminSdHolderProtected);
+                }
             }
 
             if (_methods.HasFlag(CollectionMethod.Group))

Original file line number	Diff line number	Diff line change
`@@ -76,5 +76,10 @@ public interface IContext`
`76`	`76`	`EnumerationDomain[] Domains { get; set; }`
`77`	`77`	`void UpdateLoopTime();`
`78`	`78`	`public HashSet<string> CollectedDomainSids { get; }`
	`79`	`+`
	`80`	`+ /// <summary>`
	`81`	`+ /// Dictionary mapping domain names to their AdminSDHolder authoritative security descriptor hash`
	`82`	`+ /// </summary>`
	`83`	`+ Dictionary<string, string> AdminSDHolderHash { get; set; }`
`79`	`84`	`}`
`80`	`85`	`}`