
[FeatureRequest] Dumps SMB ACL

Open 1mm0rt41PC opened this issue 2 years ago • 0 comments

During an audit, I discovered:

  • a GPO folder writable by "Domain Users" located at \\corp.lo\SYSVOL\corp.lo\Policies\{00D0CA88-64A5-4765-A9C5-7CA0D8C27265}\
  • a script in \\corp.lo\SYSVOL\corp.lo\scripts\xxxxx.vbs writable also by "Domain Users"

It would be a good idea to collect the ACLs of SMB shares. Especially those linked to domain controllers.

However, this idea implies the addition of new objects not referenced by Bloodhound. In my lab, I got around the problem by hand, creating GPOs like for certificates.

I have done this trick via smbclient.py (impacket) and an ugly insert directly into neo4j.

But ideally I imagine something like:

```
(:Computer{"samaccountname":"MACHINE$"}) -[:Contains]-> (:GPO{"type":"Share", "name":"SYSVOL"}) -[:Contains]-> (:GPO{"type":"folder", "name":"xxxxx","objectid":"42-GUID"}) -[:Contains]-> (:GPO{"type":"file", "name":"toto.vbs", objectid:"42-42-42-42"})

(:Group{"samaccountname":"Everyone"})-[:GenericWrite]->(:GPO{"type":"folder", "name":"xxxxx", objectid:"42-GUID"})

(:Group{"samaccountname":"Everyone"})-[:GenericWrite]->(:GPO{"type":"file", "name":"toto.vbs", objectid:"42-GUID"})
```

1mm0rt41PC, Dec 20 '23 16:12