Bug: Missing Enroll Edge Type in Pathfinding #799

Closed
5 tasks done
spyr0-sec opened this issue Aug 19, 2024 · 3 comments
Labels
bug Something isn't working triage This issue requires triaging

Comments

@spyr0-sec
Contributor

Description:

When trying to find a path to confirm if a particular user had enrolment rights to a certificate template I was investigating, I noticed the Enroll edge type is missing from pathfinding.

Are you intending to fix this bug?

Yes - PR will follow this issue

Component(s) Affected:

  • UI

Steps to Reproduce:

  1. Attempt to pathfind from a node that has enrolment rights to a Cert Template

Expected Behavior:

Path is generated

Actual Behavior:

Path is not generated

Screenshots/Code Snippets/Sample Files:


Environment Information:

BloodHound: 5.13.1

Collector: [SharpHound version / AzureHound version]

OS: [your OS and version]

Browser (if UI related): [browser name and version]

Node.js (if UI related): [Node.js version]

Go (if API related): [Go version]

Database (if persistence related): [Neo4j version / PostgreSQL version]

Docker (if using Docker): [docker version]

Additional Information:

Any additional context or information that might be helpful in understanding and diagnosing the issue.

Potential Solution (optional):

I have submitted a PR but will need a review if it requires more than just updating the Edge Types file

Related Issues:

If you've found related issues in the project's issue tracker, mention them here.

Contributor Checklist:

  • I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
  • I have provided clear steps to reproduce the issue.
  • I have included relevant environment information details.
  • I have attached necessary supporting documents.
  • I have checked that any JSON files I am attempting to upload to BloodHound are valid.
@spyr0-sec added the labels bug and triage on Aug 19, 2024
@andyrobbins
Collaborator

Hi @spyr0-sec,

Thank you for taking the time to open this issue.

Why this isn't a bug

The pathfinding feature's job is to identify the shortest attack path from a source node to a target node. The pathfinding feature is limited in which edges it will traverse to only those edges that represent, by themselves, valid takeover primitives from one node to another - we internally refer to this class of edge as "traversable".

By itself, the Enroll edge is not enough to indicate a takeover primitive from one node to another. A user having enrollment rights on a template does not guarantee that the user can take control of anything else in the directory. Instead of classifying the Enroll type edge as "traversable", we instead use it along with several other edge types and node properties to construct traversable edges that correspond to the named ADCS escalation primitives. For example, "ADCSESC1" is a traversable edge, and the Enroll type edge is part of the logic of constructing that edge during what we call "post-processing".

Here is a detailed explanation of how that process works: https://youtu.be/vc3J0wGl7g0?t=352

How to confirm a user has enroll rights on a template

A user gains the ability to enroll in a template if they have both:

One of the following:

  1. GenericAll on the template
  2. AllExtendedRights on the template
  3. Enroll on the template

AND:

  1. Enroll on a certificate authority the template is published to

Currently the most straight-forward way to manually confirm a user has enroll rights on a template is by using the "Inbound Object Control" accordions in the entity panels for the template and certificate authorities in question. For example, here I have clicked "Inbound Object Control" on a template called "ESC1", and I can see the users that have, or that can give themselves the Enroll privilege on the template:

Then, I can do the same for the CA the template is published to:

Here, I can identify the principals that appeared in both sets and identify the principals with effective enrollment ability on the template.

This can be better

Answering the simple question of "Can this user enroll in this template" is currently not easily answered in the product. I think we can make this better by introducing a feature for the user entity panel called, perhaps, "Effective ADCS Enrollment Rights" that does all this work for you. What do you think about something like that?
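The two-part rule above (a template right AND Enroll on a CA the template is published to, evaluated through group membership) as an added example in Python, not code from BloodHound or from the comment author. The graph is constructed in memory; the edge type names follow the ones named in the thread, and the PublishedTo edge from template to CA is an assumed name for the publication relationship.

```python
from collections import deque

# Constructed sample graph (not BloodHound data): (source, edge_type, target).
# "PublishedTo" is an assumed edge name for "template is published to this CA".
EDGES = [
    ("ALICE@CORP", "MemberOf", "PKI-USERS@CORP"),
    ("BOB@CORP", "MemberOf", "HELPDESK@CORP"),
    ("HELPDESK@CORP", "MemberOf", "PKI-USERS@CORP"),
    ("CAROL@CORP", "MemberOf", "PKI-USERS@CORP"),
    # rights on the template
    ("PKI-USERS@CORP", "Enroll", "WEBSERVER-TEMPLATE"),
    ("CAROL@CORP", "GenericAll", "WEBSERVER-TEMPLATE"),
    # rights on the CA (Carol has none, so her template right alone is not enough)
    ("ALICE@CORP", "Enroll", "CORP-CA"),
    ("HELPDESK@CORP", "Enroll", "CORP-CA"),
    # where the template is published
    ("WEBSERVER-TEMPLATE", "PublishedTo", "CORP-CA"),
]

# Any one of these on the template satisfies the first half of the rule.
TEMPLATE_RIGHTS = {"GenericAll", "AllExtendedRights", "Enroll"}


def principals_of(user, edges):
    """The user plus every group reached transitively through MemberOf."""
    seen, queue = {user}, deque([user])
    while queue:
        cur = queue.popleft()
        for src, typ, dst in edges:
            if typ == "MemberOf" and src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def holders(target, edge_types, edges):
    """Principals that hold any of edge_types directly on target."""
    return {s for s, t, d in edges if d == target and t in edge_types}


def can_enroll(user, template, edges):
    """Effective enrollment: a template right AND Enroll on a CA it is published to."""
    mine = principals_of(user, edges)
    if not mine & holders(template, TEMPLATE_RIGHTS, edges):
        return False
    cas = {d for s, t, d in edges if s == template and t == "PublishedTo"}
    # Same principal set must also appear in the CA's Enroll holders ("both sets").
    return any(mine & holders(ca, {"Enroll"}, edges) for ca in cas)
```

Running it against the sample graph: ALICE and BOB can enroll (BOB's CA right arrives via HELPDESK, his template right via PKI-USERS), while CAROL cannot despite GenericAll on the template, because no CA grants her Enroll.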

@spyr0-sec
Contributor Author

@andyrobbins

Appreciate the thorough response. My use-case at the time was more for ADCS administration as I was troubleshooting why a colleague could not enroll to a particular certificate template but I could.

Taking the Path Finding feature at face value I thought I would be able to put each of our user nodes and the CT node and return the paths between them so I thought it was an oversight that the Enroll edges were missing.

We do have a Cypher query for "Certificate Enrollment Rights for X User" which we ended up using instead:

// All shortest paths from the matching users to any certificate template,
// following Enroll, MemberOf and Contains edges of any length.
MATCH p=allShortestPaths((n:User)-[r:Enroll|MemberOf|Contains*1..]->(m:CertTemplate))
WHERE n.name CONTAINS 'XXX'  // 'XXX' is the placeholder for the user name
RETURN p

There is of course the in-built "Enrollment rights on published certificate templates" as well which would have also helped, but both come with the additional noise.

Happy to close the issue as there is a trivial workaround. I guess there is an argument that this could be a non-default edge which can be enabled in the Path Edge Filtering tab?

@StephenHinck
Collaborator

Closing this issue per the conversation above. While there are uses for this edge, it does not represent a generally transitable edge, which is what is enabled by default in PathFinding.
