

Changed tag "escalation" to "pivot" for edges internally
lkarlslund committed Nov 30, 2023
1 parent 8f9f1be commit aeb557e
Showing 3 changed files with 48 additions and 48 deletions.
6 changes: 3 additions & 3 deletions modules/integrations/activedirectory/analyze/gpoimport.go
Expand Up @@ -23,16 +23,16 @@ var (
BinarySize = engine.NewAttribute("binarySize").Single()
ExposedPassword = engine.NewAttribute("exposedPassword")

EdgeExposesPassword = engine.NewEdge("ExposesPassword").Tag("Escalation")
EdgeExposesPassword = engine.NewEdge("ExposesPassword").Tag("Pivot")
EdgeContainsSensitiveData = engine.NewEdge("ContainsSensitiveData")
EdgeReadSensitiveData = engine.NewEdge("ReadSensitiveData")
EdgeOwns = engine.NewEdge("Owns")
EdgeFSPartOfGPO = engine.NewEdge("FSPartOfGPO")
EdgeFileCreate = engine.NewEdge("FileCreate")
EdgeDirCreate = engine.NewEdge("DirCreate")
EdgeFileWrite = engine.NewEdge("FileWrite")
EdgeTakeOwnership = engine.NewEdge("FileTakeOwnership").Tag("Escalation")
EdgeModifyDACL = engine.NewEdge("FileModifyDACL").Tag("Escalation")
EdgeTakeOwnership = engine.NewEdge("FileTakeOwnership").Tag("Pivot")
EdgeModifyDACL = engine.NewEdge("FileModifyDACL").Tag("Pivot")
)

func init() {
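Review bot: The tag is a bare string literal repeated on lines 21, 31 and 32 here and dozens more times in pwns.go and analyzer.go, so a misspelling at any one site silently creates a distinct tag that no consumer will match; this rename is exactly the kind of change that would have been a one-line edit with a named constant. Consider adding to the engine package something like `const TagPivot = "Pivot"` (alongside the existing "Granted", "Informative" and "Internal" values) and writing `.Tag(engine.TagPivot)` at each site. Any code outside this diff that still compares against "Escalation" — report filters, the UI, saved queries — will stop matching after this commit, which is worth a grep before merging. The enclosing var block starts above the hunk.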
60 changes: 30 additions & 30 deletions modules/integrations/activedirectory/pwns.go
Expand Up @@ -7,50 +7,50 @@ func NotAChance(source, target *engine.Object) engine.Probability {
}

var (
EdgeACLContainsDeny = engine.NewEdge("ACLContainsDeny").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return -1 }).Tag("Informative")
EdgeACLContainsDeny = engine.NewEdge("ACLContainsDeny").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 0 }).Tag("Informative")
EdgeResetPassword = engine.NewEdge("ResetPassword").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
if uac, ok := target.AttrInt(UserAccountControl); ok && uac&engine.UAC_ACCOUNTDISABLE != 0 {
return -1
}
return 100
}).Tag("Escalation")
}).Tag("Pivot")
EdgeReadPasswordId = engine.NewEdge("ReadPasswordId").SetDefault(false, false, false).RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
return 5
})
EdgeOwns = engine.NewEdge("Owns").Tag("Escalation")
EdgeOwns = engine.NewEdge("Owns").Tag("Pivot")
EdgeGenericAll = engine.NewEdge("GenericAll").Tag("Informative")
EdgeWriteAll = engine.NewEdge("WriteAll").Tag("Informative").RegisterProbabilityCalculator(NotAChance)
EdgeWritePropertyAll = engine.NewEdge("WritePropertyAll").Tag("Informative").RegisterProbabilityCalculator(NotAChance)
EdgeWriteExtendedAll = engine.NewEdge("WriteExtendedAll").Tag("Informative").RegisterProbabilityCalculator(NotAChance)
EdgeTakeOwnership = engine.NewEdge("TakeOwnership").Tag("Escalation")
EdgeWriteDACL = engine.NewEdge("WriteDACL").Tag("Escalation")
EdgeTakeOwnership = engine.NewEdge("TakeOwnership").Tag("Pivot")
EdgeWriteDACL = engine.NewEdge("WriteDACL").Tag("Pivot")
EdgeWriteSPN = engine.NewEdge("WriteSPN").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
if uac, ok := target.AttrInt(UserAccountControl); ok && uac&0x0002 /*UAC_ACCOUNTDISABLE*/ != 0 {
// Account is disabled
return 0
}
return 50
}).Tag("Escalation")
}).Tag("Pivot")
EdgeWriteValidatedSPN = engine.NewEdge("WriteValidatedSPN").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
if uac, ok := target.AttrInt(UserAccountControl); ok && uac&0x0002 /*UAC_ACCOUNTDISABLE*/ != 0 {
// Account is disabled
return 0
}
return 50
}).Tag("Escalation")
EdgeWriteAllowedToAct = engine.NewEdge("WriteAllowedToAct").Tag("Escalation")
EdgeAddMember = engine.NewEdge("AddMember").Tag("Escalation")
EdgeAddMemberGroupAttr = engine.NewEdge("AddMemberGroupAttr").Tag("Escalation")
EdgeAddSelfMember = engine.NewEdge("AddSelfMember").Tag("Escalation")
EdgeReadMSAPassword = engine.NewEdge("ReadMSAPassword").Tag("Escalation")
}).Tag("Pivot")
EdgeWriteAllowedToAct = engine.NewEdge("WriteAllowedToAct").Tag("Pivot")
EdgeAddMember = engine.NewEdge("AddMember").Tag("Pivot")
EdgeAddMemberGroupAttr = engine.NewEdge("AddMemberGroupAttr").Tag("Pivot")
EdgeAddSelfMember = engine.NewEdge("AddSelfMember").Tag("Pivot")
EdgeReadMSAPassword = engine.NewEdge("ReadMSAPassword").Tag("Pivot")
EdgeHasMSA = engine.NewEdge("HasMSA").Tag("Granted")
EdgeWriteUserAccountControl = engine.NewEdge("WriteUserAccountControl").Describe("Allows attacker to set ENABLE and set DONT_REQ_PREAUTH and then to do AS_REP Kerberoasting").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
/*if uac, ok := target.AttrInt(activedirectory.UserAccountControl); ok && uac&0x0002 != 0 { //UAC_ACCOUNTDISABLE
// Account is disabled
return 0
}*/
return 50
}).Tag("Escalation")
}).Tag("Pivot")

EdgeWriteKeyCredentialLink = engine.NewEdge("WriteKeyCredentialLink").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
if uac, ok := target.AttrInt(UserAccountControl); ok && uac&0x0002 /*UAC_ACCOUNTDISABLE*/ != 0 {
Expand All @@ -70,16 +70,16 @@ var (
}
}
return 100
}).Tag("Escalation")
EdgeWriteAttributeSecurityGUID = engine.NewEdge("WriteAttrSecurityGUID").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 5 }) // Only if you patch the DC, so this will actually never work
EdgeSIDHistoryEquality = engine.NewEdge("SIDHistoryEquality").Tag("Escalation")
}).Tag("Pivot")
EdgeWriteAttributeSecurityGUID = engine.NewEdge("WriteAttrSecurityGUID").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 0 }) // Only if you patch the DC, so this will actually never work
EdgeSIDHistoryEquality = engine.NewEdge("SIDHistoryEquality").Tag("Pivot")
EdgeAllExtendedRights = engine.NewEdge("AllExtendedRights").Tag("Informative").RegisterProbabilityCalculator(NotAChance)
EdgeDSReplicationSyncronize = engine.NewEdge("DSReplSync").Tag("Granted")
EdgeDSReplicationGetChanges = engine.NewEdge("DSReplGetChngs").SetDefault(false, false, false).Tag("Granted")
EdgeDSReplicationGetChangesAll = engine.NewEdge("DSReplGetChngsAll").SetDefault(false, false, false).Tag("Granted")
EdgeDSReplicationGetChangesInFilteredSet = engine.NewEdge("DSReplGetChngsInFiltSet").SetDefault(false, false, false).Tag("Granted")
EdgeDCsync = engine.NewEdge("DCsync").Tag("Granted")
EdgeReadLAPSPassword = engine.NewEdge("ReadLAPSPassword").Tag("Escalation").Tag("Granted")
EdgeReadLAPSPassword = engine.NewEdge("ReadLAPSPassword").Tag("Pivot").Tag("Granted")
EdgeMemberOfGroup = engine.NewEdge("MemberOfGroup").Tag("Granted")
EdgeMemberOfGroupIndirect = engine.NewEdge("MemberOfGroupIndirect").SetDefault(false, false, false).Tag("Granted")
EdgeHasSPN = engine.NewEdge("HasSPN").Describe("Kerberoastable by requesting Kerberos service ticket against SPN and then bruteforcing the ticket").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
Expand All @@ -88,26 +88,26 @@ var (
return 0
}
return 50
}).Tag("Escalation")
}).Tag("Pivot")
EdgeDontReqPreauth = engine.NewEdge("DontReqPreauth").Describe("Kerberoastable by AS-REP by requesting a TGT and then bruteforcing the ticket").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
if uac, ok := target.AttrInt(UserAccountControl); ok && uac&0x0002 /*UAC_ACCOUNTDISABLE*/ != 0 {
// Account is disabled
return 0
}
return 50
}).Tag("Escalation").Tag("Granted")
}).Tag("Pivot")
EdgeOverwritesACL = engine.NewEdge("OverwritesACL")
EdgeAffectedByGPO = engine.NewEdge("AffectedByGPO").Tag("Granted")
PartOfGPO = engine.NewEdge("PartOfGPO").Tag("Granted")
EdgeLocalAdminRights = engine.NewEdge("AdminRights").Tag("Granted")
EdgeLocalRDPRights = engine.NewEdge("RDPRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 30 })
EdgeLocalDCOMRights = engine.NewEdge("DCOMRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 50 })
EdgeScheduledTaskOnUNCPath = engine.NewEdge("SchedTaskOnUNCPath")
EdgeMachineScript = engine.NewEdge("MachineScript")
EdgeWriteAltSecurityIdentities = engine.NewEdge("WriteAltSecIdent").Tag("Escalation")
EdgeWriteProfilePath = engine.NewEdge("WriteProfilePath").Tag("Escalation")
EdgeWriteScriptPath = engine.NewEdge("WriteScriptPath").Tag("Escalation")
EdgeAffectedByGPO = engine.NewEdge("AffectedByGPO").Tag("Granted").Tag("Pivot")
PartOfGPO = engine.NewEdge("PartOfGPO").Tag("Granted").Tag("Pivot")
EdgeLocalAdminRights = engine.NewEdge("AdminRights").Tag("Granted").Tag("Pivot")
EdgeLocalRDPRights = engine.NewEdge("RDPRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 30 }).Tag("Pivot")
EdgeLocalDCOMRights = engine.NewEdge("DCOMRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 50 }).Tag("Pivot")
EdgeScheduledTaskOnUNCPath = engine.NewEdge("SchedTaskOnUNCPath").Tag("Pivot")
EdgeMachineScript = engine.NewEdge("MachineScript").Tag("Pivot")
EdgeWriteAltSecurityIdentities = engine.NewEdge("WriteAltSecIdent").Tag("Pivot")
EdgeWriteProfilePath = engine.NewEdge("WriteProfilePath").Tag("Pivot")
EdgeWriteScriptPath = engine.NewEdge("WriteScriptPath").Tag("Pivot")
EdgeCertificateEnroll = engine.NewEdge("CertificateEnroll").Tag("Granted")
EdgeCertificateAutoEnroll = engine.NewEdge("CertificateAutoEnroll").Tag("Granted")
EdgeVoodooBit = engine.NewEdge("VoodooBit")
EdgeVoodooBit = engine.NewEdge("VoodooBit").SetDefault(false, false, false).Tag("Internal").Hidden()
)
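Review bot: The hunk changes more than the tag the title describes: EdgeACLContainsDeny's calculator now returns 0 instead of -1 (line 44), EdgeWriteAttributeSecurityGUID drops from 5 to 0 (line 111), EdgeDontReqPreauth loses its "Granted" tag (line 137) while EdgeReadLAPSPassword keeps both tags (line 120), and EdgeVoodooBit becomes hidden with all defaults off (line 162). If the -1 to 0 change is meant to express "never", note that sibling edges in the same block express that through the NotAChance calculator (lines 58-60 and 113), whose body starts above the hunk; `RegisterProbabilityCalculator(NotAChance)` on EdgeACLContainsDeny would keep a single definition of "impossible", unless -1 has a distinct meaning to the engine that the hunk does not show. These scoring changes deserve either their own commit or a sentence in the description so a reader of the graph output knows why deny ACEs and dont-req-preauth accounts are scored differently from before.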
30 changes: 15 additions & 15 deletions modules/integrations/localmachine/analyze/analyzer.go
Expand Up @@ -32,14 +32,14 @@ var (
probability = 30
}
return probability
}).Tag("Granted").Tag("Escalation")
}).Tag("Granted").Tag("Pivot")
EdgeLocalDCOMRights = engine.NewEdge("DCOMRights").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 50 }).Tag("Granted")
EdgeLocalSMSAdmins = engine.NewEdge("SMSAdmins").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 50 }).Tag("Granted")
EdgeLocalSessionLastDay = engine.NewEdge("SessionLastDay").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 80 }).Tag("Escalation")
EdgeLocalSessionLastWeek = engine.NewEdge("SessionLastWeek").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 55 }).Tag("Escalation")
EdgeLocalSessionLastMonth = engine.NewEdge("SessionLastMonth").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 30 }).Tag("Escalation")
EdgeHasServiceAccountCredentials = engine.NewEdge("SvcAccntCreds").Tag("Escalation")
EdgeHasAutoAdminLogonCredentials = engine.NewEdge("AutoAdminLogonCreds").Tag("Escalation")
EdgeLocalSessionLastDay = engine.NewEdge("SessionLastDay").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 80 }).Tag("Pivot")
EdgeLocalSessionLastWeek = engine.NewEdge("SessionLastWeek").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 55 }).Tag("Pivot")
EdgeLocalSessionLastMonth = engine.NewEdge("SessionLastMonth").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 30 }).Tag("Pivot")
EdgeHasServiceAccountCredentials = engine.NewEdge("SvcAccntCreds").Tag("Pivot")
EdgeHasAutoAdminLogonCredentials = engine.NewEdge("AutoAdminLogonCreds").Tag("Pivot")
EdgeRunsExecutable = engine.NewEdge("RunsExecutable")
EdgeHosts = engine.NewEdge("Hosts")
EdgeExecuted = engine.NewEdge("Executed")
Expand All @@ -56,15 +56,15 @@ var (
EdgeSeRestorePrivilege = engine.NewEdge("SeRestorePrivilege")
EdgeSeTakeOwnershipPrivilege = engine.NewEdge("SeTakeOwnershipPrivilege")

EdgeSeAssignPrimaryToken = engine.NewEdge("SeAssignPrimaryToken").Tag("Escalation")
EdgeSeCreateToken = engine.NewEdge("SeCreateToken").Tag("Escalation")
EdgeSeDebug = engine.NewEdge("SeDebug").Tag("Escalation")
EdgeSeImpersonate = engine.NewEdge("SeImpersonate").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 20 }).Tag("Escalation")
EdgeSeLoadDriver = engine.NewEdge("SeLoadDriver").Tag("Escalation")
EdgeSeManageVolume = engine.NewEdge("SeManageVolume").Tag("Escalation")
EdgeSeTakeOwnership = engine.NewEdge("SeTakeOwnership").Tag("Escalation")
EdgeSeTrustedCredManAccess = engine.NewEdge("SeTrustedCredManAccess").Tag("Escalation")
EdgeSeTcb = engine.NewEdge("SeTcb").Tag("Escalation")
EdgeSeAssignPrimaryToken = engine.NewEdge("SeAssignPrimaryToken").Tag("Pivot")
EdgeSeCreateToken = engine.NewEdge("SeCreateToken").Tag("Pivot")
EdgeSeDebug = engine.NewEdge("SeDebug").Tag("Pivot")
EdgeSeImpersonate = engine.NewEdge("SeImpersonate").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 20 }).Tag("Pivot")
EdgeSeLoadDriver = engine.NewEdge("SeLoadDriver").Tag("Pivot")
EdgeSeManageVolume = engine.NewEdge("SeManageVolume").Tag("Pivot")
EdgeSeTakeOwnership = engine.NewEdge("SeTakeOwnership").Tag("Pivot")
EdgeSeTrustedCredManAccess = engine.NewEdge("SeTrustedCredManAccess").Tag("Pivot")
EdgeSeTcb = engine.NewEdge("SeTcb").Tag("Pivot")

EdgeSeNetworkLogonRight = engine.NewEdge("SeNetworkLogonRight").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 10 })
// RDPRight used ... EdgeSeRemoteInteractiveLogonRight = engine.NewEdge("SeRemoteInteractiveLogonRight").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability { return 10 })
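Review bot: EdgeLocalDCOMRights on line 172 stays tagged only "Granted" while the same-named "DCOMRights" edge in pwns.go (line 153) now gets "Pivot", and EdgeLocalSMSAdmins on line 173 and EdgeSeNetworkLogonRight on line 210 are left without a Pivot tag while every neighbouring privilege edge received one; whether these omissions are deliberate is not visible from the hunk. If engine.NewEdge registers edges by name rather than by variable, the two DCOMRights definitions may also be sharing one edge whose final tag set depends on package init order — worth confirming. A short comment on the edges that intentionally stay untagged, e.g. `// Granted only: informational, not a pivot candidate`, would keep the next tag sweep from "fixing" them. The enclosing var block starts above the hunk and continues below it.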
