Skip to content

Add netlogon reg key #170

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mykeelium merged 3 commits into from
Oct 23, 2025
Merged

Add netlogon reg key #170

mykeelium merged 3 commits into from
Oct 23, 2025

Conversation

@JonasBK
Copy link
Contributor

@JonasBK JonasBK commented Sep 1, 2025
edited by coderabbitai bot
Loading

Description

Collect the registry key that holds the security descriptor that determines who can perform the vulnerable version of netlogon

Motivation and Context

Ticket: BED-6429

Depends on this Commonlib PR: SpecterOps/SharpHoundCommon#244

How Has This Been Tested?

Locally in GOAD lab.

Screenshots (if appropriate):

From corresponding BloodHound PR:
image

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.

Summary by CodeRabbit

  • New Features
    • Domain controller registry export now includes a Netlogon security descriptor field, adding more detail to exported DC registry data.
    • Enables richer analysis of Netlogon-related security settings in exported results and downstream tools.
    • Additive change — existing behavior and workflows remain unchanged while providing enhanced registry detail for auditing and reporting.

@JonasBK JonasBK self-assigned this Sep 1, 2025
@JonasBK JonasBK added enhancement New feature or request blocked by SHC PR A SharpHoundCommon PR must be merged in first before this PR labels Sep 1, 2025
@coderabbitai
Copy link

coderabbitai bot commented Sep 1, 2025
edited
Loading

Walkthrough

Adds population of a new DCRegistryData field, VulnerableNetlogonSecurityDescriptor, in ProcessDomainController by calling _dcRegistryProcessor.GetVulnerableNetlogonSecurityDescriptor(apiName); DCRegistryData now exposes this property publicly.

Changes

Cohort / File(s) Summary
Runtime: DC registry data population
src/Runtime/ObjectProcessors.cs		 Extends DCRegistryData initializer to set VulnerableNetlogonSecurityDescriptor via _dcRegistryProcessor.GetVulnerableNetlogonSecurityDescriptor(apiName); inserted after StrongCertificateBindingEnforcement.
Public contract: Output model update
.../DCRegistryData		 Adds public property VulnerableNetlogonSecurityDescriptor to the DCRegistryData model so the value is carried in outputs.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Caller
  participant ObjectProcessors as ObjectProcessors
  participant DCRegistryProcessor as DCRegistryProcessor
  participant DCRegistryData as DCRegistryData

  Caller->>ObjectProcessors: ProcessDomainController(apiName)
  ObjectProcessors->>DCRegistryProcessor: GetVulnerableNetlogonSecurityDescriptor(apiName)
  DCRegistryProcessor-->>ObjectProcessors: securityDescriptor
  ObjectProcessors->>DCRegistryData: Initialize {..., VulnerableNetlogonSecurityDescriptor = securityDescriptor}
  ObjectProcessors-->>Caller: DCRegistryData
Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I twitch my ears at registry lore,
A new descriptor joins the score.
Hop, hop — a field set just right,
Netlogon whispers through the night.
Paws on keys, I send it on its way. 🐇🔧

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Title Check ✅ Passed The title "Add netlogon reg key" is directly related to the main change in the pull request, which adds collection of the VulnerableNetlogonSecurityDescriptor registry key to DCRegistryData. The title is concise, clear, and specific enough that a teammate scanning history would understand this is about adding netlogon registry key collection support. While brief, it accurately summarizes the primary change without unnecessary noise.
Description Check ✅ Passed The PR description follows the required template structure and covers all major sections: it provides a clear description of the change, includes motivation and context with a ticket reference and dependency link, describes testing done locally in a GOAD lab, includes relevant screenshots, properly marks the change type as a new feature, and completes the checklist with appropriate selections. All required information is present, and the description is mostly complete despite some checklist items being intentionally unchecked (reflecting that no new tests were added, which aligns with the PR objectives).
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch bed-6429
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 65abec2 and fa94d90.

📒 Files selected for processing (1)
  • src/Runtime/ObjectProcessors.cs (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/Runtime/ObjectProcessors.cs

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Sep 1, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (2)
src/Runtime/ObjectProcessors.cs (2)

405-407: Batch DC registry reads to a single RPC session (optional).

Three per-property calls may incur extra RemoteRegistry round-trips. Consider a DCRegistryProcessor method that opens the registry once and returns a populated DCRegistryData to minimize latency and handle transient errors atomically.

405-407: Expose a 'collected' indicator for parity (optional).

If VulnerableNetlogonSecurityDescriptor uses a Collected pattern internally, consider surfacing a boolean (e.g., vnlsecdesccollected) alongside other DC flags for quick filtering—mirroring CARegistry collected flags elsewhere in this file.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a073f1a and 65abec2.

📒 Files selected for processing (1)
  • src/Runtime/ObjectProcessors.cs (1 hunks)
🔇 Additional comments (1)
src/Runtime/ObjectProcessors.cs (1)

405-407: Verify SharpHoundCommon dependency and serialization

  • csproj still pulls SharpHoundCommon 4.3.1 from NuGet; ensure that release (or a prerelease you target) includes the new VulnerableNetlogonSecurityDescriptor property and GetVulnerableNetlogonSecurityDescriptor(string) method. If not, switch to the local project reference or bump to the PR-244 preview.
  • Confirm on DCRegistryData that VulnerableNetlogonSecurityDescriptor is public and of type string (SDDL), and that the processor method returns an SDDL string rather than raw bytes.

@JonasBK JonasBK marked this pull request as draft September 2, 2025 09:38
@JonasBK JonasBK mentioned this pull request Sep 3, 2025
Merged
@JonasBK JonasBK marked this pull request as ready for review September 29, 2025 22:04
@JonasBK JonasBK removed the blocked by SHC PR A SharpHoundCommon PR must be merged in first before this PR label Sep 29, 2025
@mykeelium mykeelium merged commit 1e6de84 into 2.X Oct 23, 2025
2 checks passed
@mykeelium mykeelium deleted the bed-6429 branch October 23, 2025 19:02
@github-actions github-actions bot locked and limited conversation to collaborators Oct 23, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@definitelynotagoblin definitelynotagoblin definitelynotagoblin approved these changes

Assignees

@JonasBK JonasBK

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@JonasBK @definitelynotagoblin @mykeelium