Bug: Missing Enroll Edge Type in Pathfinding #799
Comments
Hi @spyr0-sec, Thank you for taking the time to open this issue.

Why this isn't a bug

The pathfinding feature's job is to identify the shortest attack path from a source node to a target node. The pathfinding feature is limited in which edges it will traverse to only those edges that represent, by themselves, valid takeover primitives from one node to another - we internally refer to this class of edge as "traversable". By itself, the Enroll edge is not enough to indicate a takeover primitive from one node to another. A user having enrollment rights on a template does not guarantee that the user can take control of anything else in the directory. Instead of classifying the Enroll type edge as "traversable", we instead use it along with several other edge types and node properties to construct traversable edges that correspond to the named ADCS escalation primitives. For example, "ADCSESC1" is a traversable edge, and the Enroll type edge is part of the logic of constructing that edge during what we call "post-processing". Here is a detailed explanation of how that process works: https://youtu.be/vc3J0wGl7g0?t=352

How to confirm a user has enroll rights on a template

A user gains the ability to enroll in a template if they have both: One of the following:
AND:
Currently the most straight-forward way to manually confirm a user has enroll rights on a template is by using the "Inbound Object Control" accordions in the entity panels for the template and certificate authorities in question. For example, here I have clicked "Inbound Object Control" on a template called "ESC1", and I can see the users that have, or that can give themselves the Enroll privilege on the template: Then, I can do the same for the CA the template is published to: Here, I can identify the principals that appeared in both sets and identify the principals with effective enrollment ability on the template.

This can be better

Answering the simple question of "Can this user enroll in this template" is currently not easily answered in the product. I think we can make this better by introducing a feature for the user entity panel called, perhaps, "Effective ADCS Enrollment Rights" that does all this work for you. What do you think about something like that?
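The manual check described above (a principal needs Enroll on the template and Enroll on a CA the template is published to, with both sets intersected) can be written down as a small program. The following is an added example for this thread; it is not BloodHound's code and not a query from either participant. It models the graph as a constructed edge list, unrolls group membership through MemberOf edges (assumed here to mirror how the entity panel resolves inbound control through groups), and restricts itself to direct Enroll edges, so it does not cover principals who could grant themselves Enroll. The edge names `Enroll` and `MemberOf` exist in BloodHound; `PublishedTo` for the template-to-CA relationship and all object names are assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample graph: (source, edge_type, target). Not real collection data.
# CAROL mirrors the situation in this thread: she holds Enroll on the template
# (via HELPDESK) but has no Enroll on the CA it is published to, so she cannot enroll.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "CERT-USERS@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "CERT-USERS@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("CERT-USERS@CORP.LOCAL", "Enroll", "ESC1@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "Enroll", "ESC1@CORP.LOCAL"),
    ("CERT-USERS@CORP.LOCAL", "Enroll", "CORP-CA@CORP.LOCAL"),
    ("ESC1@CORP.LOCAL", "PublishedTo", "CORP-CA@CORP.LOCAL"),  # PublishedTo: assumed edge name
]


def build_index(edges):
    """Group edges by type so lookups below are simple list scans."""
    by_type = defaultdict(list)
    for src, kind, dst in edges:
        by_type[kind].append((src, dst))
    return by_type


def effective_identities(principal, by_type):
    """The principal itself plus every group reached transitively via MemberOf."""
    member_of = defaultdict(list)
    for src, dst in by_type["MemberOf"]:
        member_of[src].append(dst)
    seen = {principal}
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        for group in member_of[node]:
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def direct_enrollers(target, by_type):
    """Principals with a direct Enroll edge onto target (template or CA)."""
    return {src for src, dst in by_type["Enroll"] if dst == target}


def publishing_cas(template, by_type):
    """CAs the template is published to (assumed PublishedTo edge)."""
    return {dst for src, dst in by_type["PublishedTo"] if src == template}


def explain(principal, template, edges):
    """Diagnose which of the two conditions fails; 'ok' when both hold."""
    by_type = build_index(edges)
    identities = effective_identities(principal, by_type)
    if not identities & direct_enrollers(template, by_type):
        return "no Enroll on template"
    cas = publishing_cas(template, by_type)
    if not cas:
        return "template not published to any CA"
    if not any(identities & direct_enrollers(ca, by_type) for ca in cas):
        return "no Enroll on any publishing CA"
    return "ok"


def can_enroll(principal, template, edges):
    """True when the principal has effective enrollment rights on the template."""
    return explain(principal, template, edges) == "ok"


def principals_with_effective_enrollment(template, edges):
    """The intersection the entity panels are used for, computed over every source node."""
    sources = {src for src, _, _ in edges}
    return {p for p in sources if can_enroll(p, template, edges)}


if __name__ == "__main__":
    for user in ("ALICE@CORP.LOCAL", "BOB@CORP.LOCAL", "CAROL@CORP.LOCAL"):
        print(user, "->", explain(user, "ESC1@CORP.LOCAL", EDGES))
    print(sorted(principals_with_effective_enrollment("ESC1@CORP.LOCAL", EDGES)))
```

Running it reports "ok" for ALICE and BOB and "no Enroll on any publishing CA" for CAROL, which is the kind of answer the "Effective ADCS Enrollment Rights" panel proposed above would give directly instead of requiring two accordion views to be compared by hand.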
Appreciate the thorough response. My use-case at the time was more for ADCS administration as I was troubleshooting why a colleague could not enroll to a particular certificate template but I could. Taking the Path Finding feature at face value I thought I would be able to put each of our user nodes and the CT node and return the paths between them so I thought it was an oversight that the Enroll edges were missing. We do have a Cypher query for "Certificate Enrollment Rights for X User" which we ended up using instead:
There is of course the in-built "Enrollment rights on published certificate templates" as well which would have also helped, but both come with the additional noise. Happy to close the issue as there is a trivial workaround, I guess there is an argument that this could be a non-default edge which can be enabled in the Path Edge Filtering tab?
Closing this issue per the conversation above. While there are uses for this edge, it does not represent a generally transitable edge, which is what is enabled by default in PathFinding.
Description:
When trying to find a path to confirm if a particular user had enrolment rights to a certificate template I was investigating, I noticed the Enroll edge type is missing from pathfinding.
Are you intending to fix this bug?
Yes - PR will follow this issue
Component(s) Affected:
Steps to Reproduce:
Expected Behavior:
Path is generated
Actual Behavior:
Path is not generated
Screenshots/Code Snippets/Sample Files:
Environment Information:
BloodHound: 5.13.1
Collector: [SharpHound version / AzureHound version]
OS: [your OS and version]
Browser (if UI related): [browser name and version]
Node.js (if UI related): [Node.js version]
Go (if API related): [Go version]
Database (if persistence related): [Neo4j version / PostgreSQL version]
Docker (if using Docker): [docker version]
Additional Information:
Any additional context or information that might be helpful in understanding and diagnosing the issue.
Potential Solution (optional):
I have submitted a PR but will need a review if it requires more than just updating the Edge Types file
Related Issues:
If you've found related issues in the project's issue tracker, mention them here.
Contributor Checklist: