Merge branch 'coercetotgt' of github.com:SpecterOps/BloodHound into c…

…oercetotgt
SpecterOps · Oct 16, 2024 · 58215df · 58215df
2 parents 233a320 + a3450ec
commit 58215df
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 3 deletions.
diff --git a/cmd/api/src/test/fixtures/fixtures/expected_ingest.go b/cmd/api/src/test/fixtures/fixtures/expected_ingest.go
@@ -157,6 +157,12 @@ var (
 			query.Kind(query.Relationship(), ad.HasSession),
 			query.Kind(query.End(), ad.User),
 			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-1108")),
+		query.And(
+			query.Kind(query.Start(), ad.Computer),
+			query.Equals(query.StartProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-2120"),
+			query.Kind(query.Relationship(), ad.CoerceToTGT),
+			query.Kind(query.End(), ad.Domain),
+			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446")),
 
 		//// GPOs
 		query.And(
@@ -242,6 +248,12 @@ var (
 			query.Kind(query.Relationship(), ad.AllExtendedRights),
 			query.Kind(query.End(), ad.User),
 			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-1106")),
+		query.And(
+			query.Kind(query.Start(), ad.User),
+			query.Equals(query.StartProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-2125"),
+			query.Kind(query.Relationship(), ad.CoerceToTGT),
+			query.Kind(query.End(), ad.Domain),
+			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446")),
 
 		//// SESSIONS
 		query.And(

diff --git a/cmd/api/src/test/fixtures/fixtures/v6/ingest/users.json b/cmd/api/src/test/fixtures/fixtures/v6/ingest/users.json
@@ -889,6 +889,37 @@
             "IsDeleted": false,
             "IsACLProtected": false
         },
+        {
+            "Properties": {
+                "domain": "TESTLAB.LOCAL",
+                "name": "UNCONDEL@TESTLAB.LOCAL",
+                "distinguishedname": "CN\u003dADDALLOWEDTOACTTEST,CN\u003dUSERS,DC\u003dTESTLAB,DC\u003dLOCAL",
+                "domainsid": "S-1-5-21-3130019616-2776909439-2417379446",
+                "whencreated": 1617618036,
+                "sensitive": false,
+                "dontreqpreauth": false,
+                "passwordnotreqd": false,
+                "unconstraineddelegation": true,
+                "pwdneverexpires": true,
+                "enabled": true,
+                "trustedtoauth": false,
+                "lastlogon": 0,
+                "lastlogontimestamp": -1,
+                "pwdlastset": 1617643236,
+                "serviceprincipalnames": [],
+                "hasspn": false,
+                "admincount": false,
+                "sidhistory": []
+            },
+            "AllowedToDelegate": [],
+            "PrimaryGroupSID": "S-1-5-21-3130019616-2776909439-2417379446-513",
+            "HasSIDHistory": [],
+            "SpnTargets": [],
+            "Aces": [],
+            "ObjectIdentifier": "S-1-5-21-3130019616-2776909439-2417379446-2125",
+            "IsDeleted": false,
+            "IsACLProtected": false
+        },
         {
             "Properties": {
                 "domain": "TESTLAB.LOCAL",

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceToTGT/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceToTGT/General.tsx
@@ -35,7 +35,7 @@ const General: FC<EdgeInfoProps> = ({ sourceName, sourceType }) => {
                 An attacker with control over {sourceName} can coerce a Tier Zero computer (e.g. DC) to authenticate
                 against {sourceName} and obtain the target's TGT. With the TGT of a DC, the attacker can perform DCSync
                 to compromise the domain. Alternatively, the TGT can be used to obtain admin access to the target host
-                using Kerberos S4U2Self.
+                with a shadow credentials + silver ticket attack or a resource-based constrained delegation attack.
             </Typography>
         </>
     );

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceToTGT/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceToTGT/References.tsx
@@ -41,8 +41,8 @@ const References: FC = () => {
             <Link
                 target='_blank'
                 rel='noopener'
-                href='https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse'>
-                The Hackers Recipes: S4U2self abuse
+                href='https://www.thehacker.recipes/ad/movement/kerberos/delegations/rbcd'>
+                (RBCD) Resource-based constrained
             </Link>
             <br />
             <Link