Collect or skip custom deny aces count

README.md

@@ -109,6 +109,8 @@ The listing below details the CLI arguments SharpHound supports. Additional deta
 
   --collectallproperties     Collect all LDAP properties from objects
 
+  --skipdenyacescount        Skip collecting custom deny ACE counts in LDAP object properties
+
   -l, --Loop                 Loop computer collection
 
   --loopduration             Loop duration (hh:mm:ss - 05:00:00 is 5 hours, default: 2 hrs)

src/Options.cs

@@ -139,6 +139,9 @@ public class Options
 
         [Option(HelpText = "Collect all LDAP properties from objects")]
         public bool CollectAllProperties { get; set; }
+
+        [Option(HelpText = "Skip collecting custom deny ACE counts in LDAP object properties")]
+        public bool SkipDenyAcesCount { get; set; }
 
         [Option(HelpText = "Split the main ldap query into smaller chunks to attempt to reduce server load")]
         public bool PartitionLdapQueries { get; set; }

src/PowerShell/Template.ps1

@@ -184,6 +184,10 @@
     .PARAMETER CollectAllProperties
 
         Collect all string LDAP properties on objects
+
+    .PARAMETER SkipDenyAcesCount
+
+        Skip collecting custom deny ACE counts in LDAP object properties
 
     .PARAMETER Loop
 
@@ -360,6 +364,9 @@
         [Switch]
         $CollectAllProperties,
 
+        [Switch]
+        $SkipDenyAcesCount,
+
         [Switch]
         $Loop,
 

src/Runtime/ObjectProcessors.cs

@@ -581,7 +581,7 @@
             }
 
             if (_methods.HasFlag(CollectionMethod.ObjectProps)) {
-                ret.Properties = ContextUtils.Merge(ret.Properties, LdapPropertyProcessor.ReadGPOProperties(entry));
+                ret.Properties = ContextUtils.Merge(ret.Properties, await _ldapPropertyProcessor.ReadGPOProperties(entry));
                 if (_context.Flags.CollectAllProperties) {
                     ret.Properties = ContextUtils.Merge(_ldapPropertyProcessor.ParseAllProperties(entry),
                         ret.Properties);
@@ -611,7 +611,7 @@
             }
 
             if (_methods.HasFlag(CollectionMethod.ObjectProps)) {
-                ret.Properties = ContextUtils.Merge(ret.Properties, LdapPropertyProcessor.ReadOUProperties(entry));
+                ret.Properties = ContextUtils.Merge(ret.Properties, await _ldapPropertyProcessor.ReadOUProperties(entry));
                 if (_context.Flags.CollectAllProperties) {
                     ret.Properties = ContextUtils.Merge(_ldapPropertyProcessor.ParseAllProperties(entry),
                         ret.Properties);
@@ -662,7 +662,7 @@
 
             if (_methods.HasFlag(CollectionMethod.ObjectProps) || _methods.HasFlag(CollectionMethod.CertServices)) {
                 ret.Properties =
-                    ContextUtils.Merge(LdapPropertyProcessor.ReadContainerProperties(entry), ret.Properties);
+                    ContextUtils.Merge(await _ldapPropertyProcessor.ReadContainerProperties(entry), ret.Properties);
                 if (_context.Flags.CollectAllProperties) {
                     ret.Properties = ContextUtils.Merge(_ldapPropertyProcessor.ParseAllProperties(entry),
                         ret.Properties);
@@ -693,7 +693,7 @@
             }
 
             if (_methods.HasFlag(CollectionMethod.ObjectProps) || _methods.HasFlag(CollectionMethod.CertServices)) {
-                var props = LdapPropertyProcessor.ReadRootCAProperties(entry);
+                var props = await _ldapPropertyProcessor.ReadRootCAProperties(entry);
                 ret.Properties.Merge(props);
             }
 
@@ -724,7 +724,7 @@
             }
 
             if (_methods.HasFlag(CollectionMethod.ObjectProps) || _methods.HasFlag(CollectionMethod.CertServices)) {
-                var props = LdapPropertyProcessor.ReadAIACAProperties(entry);
+                var props = await _ldapPropertyProcessor.ReadAIACAProperties(entry);
                 ret.Properties.Merge(props);
             }
 
@@ -754,7 +754,7 @@
             }
 
             if (_methods.HasFlag(CollectionMethod.ObjectProps) || _methods.HasFlag(CollectionMethod.CertServices)) {
-                var props = LdapPropertyProcessor.ReadEnterpriseCAProperties(entry);
+                var props = await _ldapPropertyProcessor.ReadEnterpriseCAProperties(entry);
                 ret.Properties.Merge(props);
 
                 // Enabled cert templates
@@ -871,7 +871,7 @@
             }
 
             if (_methods.HasFlag(CollectionMethod.ObjectProps) || _methods.HasFlag(CollectionMethod.CertServices)) {
-                var props = LdapPropertyProcessor.ReadNTAuthStoreProperties(entry);
+                var props = await _ldapPropertyProcessor.ReadNTAuthStoreProperties(entry);
 
                 if (entry.TryGetByteArrayProperty(LDAPProperties.CACertificate, out var rawCertificates)) {
                     var certificates = from rawCertificate in rawCertificates
@@ -910,7 +910,7 @@
             }
 
             if (_methods.HasFlag(CollectionMethod.ObjectProps) || _methods.HasFlag(CollectionMethod.CertServices)) {
-                var certTemplatesProps = LdapPropertyProcessor.ReadCertTemplateProperties(entry);
+                var certTemplatesProps = await _ldapPropertyProcessor.ReadCertTemplateProperties(entry);
                 ret.Properties.Merge(certTemplatesProps);
             }
 
@@ -956,4 +956,4 @@
             return ret;
         }
     }
-}
+}

src/Sharphound.cs

@@ -104,7 +104,8 @@
                         DisableSigning = options.DisableSigning,
                         ForceSSL = options.ForceSecureLDAP,
                         AuthType = AuthType.Negotiate,
-                        DisableCertVerification = options.DisableCertVerification
+                        DisableCertVerification = options.DisableCertVerification,
+                        SkipDenyAcesCount = options.SkipDenyAcesCount
                     };
 
                     if (options.DomainController != null) ldapOptions.Server = options.DomainController;
@@ -264,4 +265,4 @@
     }
 
     #endregion
-}
+}