Add MSSQL and SCCM privilege-escalation analysis#6
Merged
Conversation
Introduce the MSSQL/SCCM privilege-escalation feature: a new sccm_privilege_escalation check, a reworked mssql_privilege_escalation check, shared mssql_common helpers, and a post-import canonicalization pass for MSSQL linked-server edges, replacing the former mssql_sccm check. Includes the supporting display-layer rework and fixture-backed tests. Two unrelated fixes are folded in here because their changes interleave with the above in BloodhoundImporter.py and mssql_ntlm_relay.py: - NTLM relay dedupe keeps the full FQDN as the principal key, so distinct trusted-forest domains no longer collapse. - OpenGraph import validates node shape before DNS resolution, so a malformed kinds payload cannot reach the Cypher import. Also removes the unused SharedFindingDisplayHandler.
extractall() previously followed ../ and absolute-path entries out of the tempdir, letting a malicious BloodHound zip overwrite arbitrary files when the operator imports collector output from a compromised environment. Validate each member resolves under the extract root before extracting; reject otherwise.
- Deselect neo4j-marked tests from the default pytest run via addopts, so a plain clone-and-pytest no longer errors on the conftest wipe guard; the CI neo4j job's own -m filter overrides this. - Scope that job to all of tests/ rather than tests/checks, so neo4j tests outside tests/checks are actually collected. - Document the full selector in tests/README.md.
Replace the demo, client-report and password-audit media with slideshow versions, add the OpenGraph chain diagram and blog hero image, and update the README accordingly. Also gitignore the local production-readiness plan.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merges the
public-releaseworking branch intomain. Net change vsd35e064.Features
sccm_privilege_escalationcheck, reworkedmssql_privilege_escalationandmssql_ntlm_relay, replacing the oldmssql_sccmcheck.MSSQL_LinkedTo/MSSQL_LinkedAsAdminedges built post-import, with anchored resolution that no longer overmatches sibling instances or empty stubs.Hardening
xp_cmdshell/ SCCMtarget_permissionsplumbing and the unusedOPENGRAPH_EMPTY_ID_POLICYconstant.CI / tooling
pytestrun now excludes theneo4jmarker.Tests
478 non-Neo4j tests pass; 102 Neo4j fixture tests pass (34 integration skipped); mypy clean.