Collect or skip custom deny aces count

[JonasBK]

Description

Adds SharpHound support for custom deny ACE count collection from SharpHoundCommon.

This wires the new LdapConfig.SkipDenyAcesCount setting into SharpHound, exposes the matching --skipdenyacescount CLI option, and updates the PowerShell wrapper and README help text to use the count-oriented name.

Motivation and Context

SharpHoundCommon now reports custom explicit and inherited deny ACE counts as LDAP object properties. SharpHound needs to pass through the opt-out setting so operators can skip that collection path when desired.

This PR addresses: BED-8117

Related PRs:

BloodHound: SpecterOps/BloodHound#2779
SharpHoundCommon: SpecterOps/SharpHoundCommon#298
SharpHoundEnterprise: https://github.com/SpecterOps/sharphound-enterprise/pull/113

How Has This Been Tested?

Tested locally against the sibling SharpHoundCommon BED-8117-deny-aces branch using local DLL references.

Screenshots (if appropriate):

Types of changes

• Chore (a change that does not modify the application functionality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README BloodHound#672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• New Features

  • Added --skipdenyacescount command-line argument to skip collection of custom deny Access Control Entry (ACE) counts from LDAP object properties during enumeration.
  • Introduced -SkipDenyAcesCount PowerShell switch parameter for PowerShell-based enumeration workflows.

• Documentation

  • Updated documentation to reference the new command-line argument and its functionality.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 48e2cf4f-192f-4d35-9540-1b77e340a482

📥 Commits

Reviewing files that changed from the base of the PR and between f989500 and b2079f1.

📒 Files selected for processing (5)

• README.md
• src/Options.cs
• src/PowerShell/Template.ps1
• src/Runtime/ObjectProcessors.cs
• src/Sharphound.cs

---

Walkthrough

This PR adds a new SkipDenyAcesCount command-line option to SharpHound that allows users to skip collection of custom deny ACE counts in LDAP object properties. The option is documented, wired through the options and configuration layers, and coincides with a refactoring of LDAP property processors to use instance-based async methods instead of static sync calls.

Changes

SkipDenyAcesCount Feature Implementation

Layer / File(s)	Summary
Option Definition and Documentation README.md, src/Options.cs, src/PowerShell/Template.ps1	Introduces SkipDenyAcesCount as a new boolean CLI option with help text, a public property on the Options class, and a PowerShell [Switch] parameter with corresponding documentation.
Configuration Wiring to LdapConfig src/Sharphound.cs	Wires the parsed options.SkipDenyAcesCount value into the LdapConfig object during LDAP options construction.
LDAP Property Processor Async Refactoring src/Runtime/ObjectProcessors.cs	Refactors eight object processor methods (GPO, OU, Container, RootCA, AIACA, EnterpriseCA, NTAuthStore, CertTemplate) to fetch directory properties via instance-based async calls (_ldapPropertyProcessor.ReadXxxProperties()) instead of static synchronous methods, affecting how properties are merged for ObjectProps collection.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A fuzzy tale unfolds today,
Where ACE counts skip away,
Async calls now take the lead,
Through processors with newfound speed,
SharpHound hops with lighter feet!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main feature: adding CLI support for collecting or skipping custom deny ACE counts, which is the core purpose of the PR.
Description check	✅ Passed	The description covers all required template sections including description, motivation/context with issue reference (BED-8117), testing approach, change type selection, and checklist completion.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch BED-8117-deny-aces

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}