Skip to content

Add netlogon reg key #244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zinic merged 1 commit into from
Sep 26, 2025
Merged

Add netlogon reg key #244

zinic merged 1 commit into from
Sep 26, 2025

Conversation

@JonasBK
Copy link
Contributor

@JonasBK JonasBK commented Sep 1, 2025
edited by coderabbitai bot
Loading

Description

Collect the registry key that holds the security descriptor that determines who can perform the vulnerable version of netlogon

Motivation and Context

Ticket: BED-6429

How Has This Been Tested?

Locally in GOAD lab.

Screenshots (if appropriate):

From corresponding BloodHound PR:
image

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.

Summary by CodeRabbit

  • New Features
    • Added retrieval and reporting of the Netlogon security descriptor vulnerability setting from domain controllers.
    • Introduced a new string-based registry result type for API responses to represent registry values as plain text.
    • Extended computer/domain controller registry output to include this string-based configuration value for clearer visibility.

@JonasBK JonasBK self-assigned this Sep 1, 2025
@JonasBK JonasBK added the enhancement New feature or request label Sep 1, 2025
@coderabbitai
Copy link

coderabbitai bot commented Sep 1, 2025
edited
Loading

Walkthrough

Adds a new string-based API result type, exposes it on DCRegistryData, and implements a DCRegistryProcessor method to read the Netlogon VulnerableChannelAllowList registry value and return it as a StrRegistryAPIResult.

Changes

Cohort / File(s) Summary of modifications
API result type
src/CommonLib/OutputTypes/APIResults/StrRegistryAPIResult.cs		 Added public class StrRegistryAPIResult : APIResult with public string Value { get; set; }.
Output model update
src/CommonLib/OutputTypes/Computer.cs		 In DCRegistryData, added property public StrRegistryAPIResult VulnerableNetlogonSecurityDescriptor { get; set; }.
Processor logic
src/CommonLib/Processors/DCRegistryProcessor.cs		 Added StrRegistryAPIResult GetVulnerableNetlogonSecurityDescriptor(string target) which reads HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\VulnerableChannelAllowList, sets Collected, FailureReason and Value following existing patterns, and is annotated with [ExcludeFromCodeCoverage].

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Caller
  participant Proc as DCRegistryProcessor
  participant Reg as Registry

  Caller->>Proc: GetVulnerableNetlogonSecurityDescriptor(target)
  note right of Proc: create StrRegistryAPIResult

  Proc->>Reg: Read HKLM\\SYSTEM\\...\\Netlogon\\Parameters\\VulnerableChannelAllowList
  Reg-->>Proc: { Collected, Value?, FailureReason? }

  alt Collected = false
    Proc-->>Caller: StrRegistryAPIResult { Collected=false, FailureReason }
  else Collected = true and Value = null
    Proc-->>Caller: StrRegistryAPIResult { Collected=true, Value=null }
  else Collected = true and Value present
    Proc-->>Caller: StrRegistryAPIResult { Collected=true, Value=string }
  end
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I nibble keys in registry night,
A string found by lantern-light.
New result hops into the stack,
I fetch, I pack, I send it back.
A carrot for this tidy sight. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title Check ✅ Passed The title succinctly describes the main change in the PR by indicating that a Netlogon registry key is being added, aligning with the added method, property, and API result type for collecting that key.
Description Check ✅ Passed The PR description follows the repository’s template by including all required sections including Description, Motivation and Context (with linked ticket), How Has This Been Tested, Screenshots, Types of changes, and Checklist, and it clearly outlines the feature, its rationale, testing approach, and checklist status.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing touches
  • 📝 Generate Docstrings
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch bed-6429

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

  • Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
  • Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@JonasBK JonasBK mentioned this pull request Sep 1, 2025
Merged
8 tasks
coderabbitai[bot]
coderabbitai bot reviewed Sep 1, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (4)
src/CommonLib/OutputTypes/Computer.cs (1)

65-69: Document intent and consider initializing the new field

This holds the SDDL from HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters:VulnerableChannelAllowList (the allow-list backing the “Allow vulnerable Netlogon secure channel connections” policy). A short XML doc comment would prevent ambiguity, and initializing avoids null consumers. (calcomsoftware.com, support.microsoft.com)

Apply:

 public class DCRegistryData {
   public IntRegistryAPIResult CertificateMappingMethods { get; set; }
   public IntRegistryAPIResult StrongCertificateBindingEnforcement { get; set; }
-  public StrRegistryAPIResult VulnerableNetlogonSecurityDescriptor { get; set; }
+  /// <summary>
+  /// SDDL from HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\VulnerableChannelAllowList,
+  /// which controls exceptions for vulnerable Netlogon secure channel connections.
+  /// </summary>
+  public StrRegistryAPIResult VulnerableNetlogonSecurityDescriptor { get; set; } = new();
 }
src/CommonLib/OutputTypes/APIResults/StrRegistryAPIResult.cs (1)

1-7: Make Value non-null by default (aligns with typical APIResult consumers)

Calls may return “collected but not present”; returning empty avoids null-handling churn and matches how int results use a sentinel.

 namespace SharpHoundCommonLib.OutputTypes
 {
     public class StrRegistryAPIResult : APIResult
     {
-        public string Value { get; set; }
+        public string Value { get; set; } = string.Empty;
     }
 }
src/CommonLib/Processors/DCRegistryProcessor.cs (2)

106-114: Harden against unexpected registry data types

On some systems the value might be stored or returned differently; handle string[] defensively and surface an explicit FailureReason on type mismatch. (learn.microsoft.com)

-            if (data.Value == null)
-            {
-                return ret;
-            }
-
-            ret.Value = (string)data.Value;
+            if (data.Value == null)
+            {
+                return ret;
+            }
+            if (data.Value is string s)
+            {
+                ret.Value = s;
+                return ret;
+            }
+            if (data.Value is string[] arr)
+            {
+                ret.Value = string.Join(";", arr);
+                return ret;
+            }
+            ret.FailureReason = $"Unexpected registry value type for {subValue}: {data.Value.GetType().Name}";

95-97: Minor: add a short inline comment with the policy name for future readers

Reduces context-switching when scanning code later. (support.microsoft.com)

-            const string subValue = "VulnerableChannelAllowList";
+            const string subValue = "VulnerableChannelAllowList"; // GPO: "Domain controller: Allow vulnerable Netlogon secure channel connections"
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 68a68c6 and fafc032.

📒 Files selected for processing (3)
  • src/CommonLib/OutputTypes/APIResults/StrRegistryAPIResult.cs (1 hunks)
  • src/CommonLib/OutputTypes/Computer.cs (1 hunks)
  • src/CommonLib/Processors/DCRegistryProcessor.cs (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (2)
src/CommonLib/Processors/DCRegistryProcessor.cs (2)
src/CommonLib/OutputTypes/APIResults/StrRegistryAPIResult.cs (1)
  • StrRegistryAPIResult (3-6)
src/CommonLib/Helpers.cs (1)
  • Helpers (17-343)
src/CommonLib/OutputTypes/Computer.cs (1)
src/CommonLib/OutputTypes/APIResults/StrRegistryAPIResult.cs (1)
  • StrRegistryAPIResult (3-6)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (1)
src/CommonLib/Processors/DCRegistryProcessor.cs (1)

85-114: LGTM: Reads Netlogon allow-list SDDL safely and follows existing patterns

Name, path, and behavior match Microsoft guidance and prior methods; null returns are handled. (support.microsoft.com, learn.microsoft.com)

This was referenced Sep 1, 2025
Merged
Merged
coderabbitai[bot]
coderabbitai bot reviewed Sep 25, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fafc032 and 12f1faf.

📒 Files selected for processing (3)
  • src/CommonLib/OutputTypes/APIResults/StrRegistryAPIResult.cs (1 hunks)
  • src/CommonLib/OutputTypes/Computer.cs (1 hunks)
  • src/CommonLib/Processors/DCRegistryProcessor.cs (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/CommonLib/OutputTypes/Computer.cs
  • src/CommonLib/OutputTypes/APIResults/StrRegistryAPIResult.cs
🧰 Additional context used
🧬 Code graph analysis (1)
src/CommonLib/Processors/DCRegistryProcessor.cs (2)
src/CommonLib/OutputTypes/APIResults/StrRegistryAPIResult.cs (1)
  • StrRegistryAPIResult (3-6)
src/CommonLib/Helpers.cs (1)
  • Helpers (17-343)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build

@zinic zinic merged commit ca8b552 into v4 Sep 26, 2025
3 checks passed
@zinic zinic deleted the bed-6429 branch September 26, 2025 20:32
@github-actions github-actions bot locked and limited conversation to collaborators Sep 26, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@wes-mil wes-mil wes-mil approved these changes

Assignees

@JonasBK JonasBK

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@JonasBK @wes-mil @zinic