Skip to content

Add CompStatus Events to CertAbuseProcessor BED-6967 #264

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lrfalslev merged 12 commits into from
Jan 16, 2026
Merged

Add CompStatus Events to CertAbuseProcessor BED-6967 #264

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
352238f
write to compStatus for CA lookups
lrfalslev Dec 8, 2025
0c72806
move remote registry dependencies out of static helpers
lrfalslev Dec 10, 2025
39c87b6
add certAbuseProc tests
lrfalslev Dec 10, 2025
b20b2dd
replace registry lookup functions in Helpers/IRegistryKey with Regist…
lrfalslev Dec 10, 2025
4d3636a
test cleanup
lrfalslev Dec 12, 2025
69da9fb
add tests for successful lookup in ProcessEAPermissions
lrfalslev Dec 15, 2025
1590a84
test successful lookup for ProcessRegistryEnrollmentPermissions
lrfalslev Dec 15, 2025
41b4f25
consolidate ProcessEAPermissions Tests
lrfalslev Dec 15, 2025
434738e
resolve pr comments
lrfalslev Dec 16, 2025
6c2b85e
Merge branch 'v4' into lfalslev/bed-6967
lrfalslev Jan 15, 2026
e8a8102
Collect EnrollmentAgent Restrictions For AllTemplates, add CertAbuseP…
lrfalslev Jan 16, 2026
db33182
fix success const in test
lrfalslev Jan 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 1 addition & 43 deletions src/CommonLib/Helpers.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,6 @@
using System.Text.RegularExpressions;
using SharpHoundCommonLib.Enums;
using Microsoft.Extensions.Logging;
using System.IO;
using System.Security;
using SharpHoundCommonLib.Processors;
using Microsoft.Win32;
using System.Threading.Tasks;

namespace SharpHoundCommonLib {
Expand Down Expand Up @@ -151,7 +147,7 @@ public static string DistinguishedNameToDomain(string distinguishedName) {
}

/// <summary>
/// Converts a domain name to a distinguished name using simple string substitution
/// Converts a domain name to a distinguished name using simple string substitution
/// </summary>
/// <param name="domainName"></param>
/// <returns></returns>
Expand Down Expand Up @@ -258,44 +254,6 @@ public static bool IsSidFiltered(string sid) {
return false;
}

public static RegistryResult GetRegistryKeyData(string target, string subkey, string subvalue, ILogger log) {
var data = new RegistryResult();

try {
var baseKey = OpenRemoteRegistry(target);
var value = baseKey.GetValue(subkey, subvalue);
data.Value = value;

data.Collected = true;
}
catch (IOException e) {
log.LogDebug(e, "Error getting data from registry for {Target}: {RegSubKey}:{RegValue}",
target, subkey, subvalue);
data.FailureReason = "Target machine was not found or not connectable";
}
catch (SecurityException e) {
log.LogDebug(e, "Error getting data from registry for {Target}: {RegSubKey}:{RegValue}",
target, subkey, subvalue);
data.FailureReason = "User does not have the proper permissions to perform this operation";
}
catch (UnauthorizedAccessException e) {
log.LogDebug(e, "Error getting data from registry for {Target}: {RegSubKey}:{RegValue}",
target, subkey, subvalue);
data.FailureReason = "User does not have the necessary registry rights";
}
catch (Exception e) {
log.LogDebug(e, "Error getting data from registry for {Target}: {RegSubKey}:{RegValue}",
target, subkey, subvalue);
data.FailureReason = e.Message;
}

return data;
}

public static IRegistryKey OpenRemoteRegistry(string target) {
return SHRegistryKey.Connect(RegistryHive.LocalMachine, target).GetAwaiter().GetResult();
}

public static string[] AuthenticationOIDs = new string[] {
CommonOids.ClientAuthentication,
CommonOids.PKINITClientAuthentication,
Expand Down
76 changes: 76 additions & 0 deletions src/CommonLib/IRegistryAccessor.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
using System;
using System.IO;
using System.Security;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Microsoft.Win32;
using SharpHoundCommonLib.Processors;

namespace SharpHoundCommonLib {
public interface IRegistryAccessor {
public RegistryResult GetRegistryKeyData(string target, string subkey, string subvalue, ILogger log);
public IRegistryKey OpenRemoteRegistry(string target);
public Task<IRegistryKey> Connect(RegistryHive hive, string machineName);
}

public class RegistryAccessor : IRegistryAccessor {
private static readonly AdaptiveTimeout _adaptiveTimeout =
new AdaptiveTimeout(maxTimeout: TimeSpan.FromSeconds(10), Logging.LogProvider.CreateLogger(nameof(SHRegistryKey)));

public RegistryResult GetRegistryKeyData(string target, string subkey, string subvalue, ILogger log) {
var data = new RegistryResult();

try {
var baseKey = OpenRemoteRegistry(target);
var value = baseKey.GetValue(subkey, subvalue);
data.Value = value;
data.Collected = true;
}
catch (IOException e) {
log.LogDebug(e, "Error getting data from registry for {Target}: {RegSubKey}:{RegValue}",
target, subkey, subvalue);
data.FailureReason = "Target machine was not found or not connectable";
}
catch (SecurityException e) {
log.LogDebug(e, "Error getting data from registry for {Target}: {RegSubKey}:{RegValue}",
target, subkey, subvalue);
data.FailureReason = "User does not have the proper permissions to perform this operation";
}
catch (UnauthorizedAccessException e) {
log.LogDebug(e, "Error getting data from registry for {Target}: {RegSubKey}:{RegValue}",
target, subkey, subvalue);
data.FailureReason = "User does not have the necessary registry rights";
}
catch (Exception e) {
log.LogDebug(e, "Error getting data from registry for {Target}: {RegSubKey}:{RegValue}",
target, subkey, subvalue);
data.FailureReason = e.Message;
}

return data;
}

public IRegistryKey OpenRemoteRegistry(string target) {
return Connect(RegistryHive.LocalMachine, target).GetAwaiter().GetResult();
}

/// <summary>
/// Gets a handle to a remote registry.
/// </summary>
/// <param name="hive"></param>
/// <param name="machineName"></param>
/// <returns></returns>
/// <exception cref="TimeoutException"></exception>
/// <exception cref="ArgumentException"></exception>
/// <exception cref="System.IO.IOException"></exception>
/// <exception cref="ArgumentNullException"></exception>
/// <exception cref="System.Security.SecurityException"></exception>
/// <exception cref="UnauthorizedAccessException"></exception>
public async Task<IRegistryKey> Connect(RegistryHive hive, string machineName) {
var remoteKey = await _adaptiveTimeout.ExecuteWithTimeout((_) => RegistryKey.OpenRemoteBaseKey(hive, machineName));
if (remoteKey.IsSuccess)
return new SHRegistryKey(remoteKey.Value);
throw new TimeoutException($"Failed to connect to registry on {machineName}: {remoteKey.Error}");
}
}
}
49 changes: 14 additions & 35 deletions src/CommonLib/IRegistryKey.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,16 @@
using System;
using System.Threading.Tasks;
using Microsoft.Win32;

namespace SharpHoundCommonLib {
public interface IRegistryKey {
public interface IRegistryKey: IDisposable {
public object GetValue(string subkey, string name);
public string[] GetSubKeyNames();
}

public class SHRegistryKey : IRegistryKey, IDisposable {
public class SHRegistryKey : IRegistryKey {
private readonly RegistryKey _currentKey;
private static readonly AdaptiveTimeout _adaptiveTimeout = new AdaptiveTimeout(maxTimeout: TimeSpan.FromSeconds(10), Logging.LogProvider.CreateLogger(nameof(SHRegistryKey)));

private SHRegistryKey(RegistryKey registryKey) {

public SHRegistryKey(RegistryKey registryKey) {
_currentKey = registryKey;
}

Expand All @@ -23,38 +21,19 @@ public object GetValue(string subkey, string name) {

public string[] GetSubKeyNames() => _currentKey.GetSubKeyNames();

/// <summary>
/// Gets a handle to a remote registry.
/// </summary>
/// <param name="hive"></param>
/// <param name="machineName"></param>
/// <returns></returns>
/// <exception cref="TimeoutException"></exception>
/// <exception cref="ArgumentException"></exception>
/// <exception cref="System.IO.IOException"></exception>
/// <exception cref="ArgumentNullException"></exception>
/// <exception cref="System.Security.SecurityException"></exception>
/// <exception cref="UnauthorizedAccessException"></exception>
public static async Task<SHRegistryKey> Connect(RegistryHive hive, string machineName) {
var remoteKey = await _adaptiveTimeout.ExecuteWithTimeout((_) => RegistryKey.OpenRemoteBaseKey(hive, machineName));
if (remoteKey.IsSuccess)
return new SHRegistryKey(remoteKey.Value);
throw new TimeoutException($"Failed to connect to registry on {machineName}: {remoteKey.Error}");
}

public void Dispose() {
_currentKey.Dispose();
}
}

public class MockRegistryKey : IRegistryKey {
public virtual object GetValue(string subkey, string name) {
//Unimplemented
return default;
}

public virtual string[] GetSubKeyNames() {
throw new NotImplementedException();
}
}
// public class MockRegistryKey : IRegistryKey {
// public virtual object GetValue(string subkey, string name) {
// //Unimplemented
// return default;
// }
//
// public virtual string[] GetSubKeyNames() {
// throw new NotImplementedException();
// }
// }
}
Loading
Loading