Skip to content

Add MSSQL and SCCM privilege-escalation analysis#6

Merged
danti1988 merged 12 commits into
mainfrom
public-release
May 22, 2026
Merged

Add MSSQL and SCCM privilege-escalation analysis#6
danti1988 merged 12 commits into
mainfrom
public-release

Conversation

@danti1988

Copy link
Copy Markdown
Member

Merges the public-release working branch into main. Net change vs d35e064.

Features

  • MSSQL and SCCM privilege-escalation analysis — new sccm_privilege_escalation check, reworked mssql_privilege_escalation and mssql_ntlm_relay, replacing the old mssql_sccm check.
  • Linked-server path resolution — canonical MSSQL_LinkedTo / MSSQL_LinkedAsAdmin edges built post-import, with anchored resolution that no longer overmatches sibling instances or empty stubs.

Hardening

  • Reject zip-slip entries during archive extraction.
  • Cap NTLM-relay principal lines per server.
  • Drop dead xp_cmdshell / SCCM target_permissions plumbing and the unused OPENGRAPH_EMPTY_ID_POLICY constant.

CI / tooling

  • Neo4j fixture-test CI job; default pytest run now excludes the neo4j marker.
  • README and demo media refresh.

Tests

478 non-Neo4j tests pass; 102 Neo4j fixture tests pass (34 integration skipped); mypy clean.

danti1988 added 12 commits May 22, 2026 08:08
Introduce the MSSQL/SCCM privilege-escalation feature: a new
sccm_privilege_escalation check, a reworked mssql_privilege_escalation
check, shared mssql_common helpers, and a post-import canonicalization
pass for MSSQL linked-server edges, replacing the former mssql_sccm
check. Includes the supporting display-layer rework and fixture-backed
tests.

Two unrelated fixes are folded in here because their changes interleave
with the above in BloodhoundImporter.py and mssql_ntlm_relay.py:
- NTLM relay dedupe keeps the full FQDN as the principal key, so
  distinct trusted-forest domains no longer collapse.
- OpenGraph import validates node shape before DNS resolution, so a
  malformed kinds payload cannot reach the Cypher import.

Also removes the unused SharedFindingDisplayHandler.
extractall() previously followed ../ and absolute-path entries out of
the tempdir, letting a malicious BloodHound zip overwrite arbitrary
files when the operator imports collector output from a compromised
environment. Validate each member resolves under the extract root
before extracting; reject otherwise.
- Deselect neo4j-marked tests from the default pytest run via addopts,
  so a plain clone-and-pytest no longer errors on the conftest wipe
  guard; the CI neo4j job's own -m filter overrides this.
- Scope that job to all of tests/ rather than tests/checks, so neo4j
  tests outside tests/checks are actually collected.
- Document the full selector in tests/README.md.
Replace the demo, client-report and password-audit media with
slideshow versions, add the OpenGraph chain diagram and blog hero
image, and update the README accordingly. Also gitignore the local
production-readiness plan.
@danti1988
danti1988 merged commit 26ade4a into main May 22, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant