

Constrained delegation edge
lkarlslund committed Dec 15, 2023
1 parent 08d311c commit e736344
Showing 2 changed files with 33 additions and 9 deletions.
41 changes: 32 additions & 9 deletions modules/integrations/activedirectory/analyze/analyze-ad.go
Expand Up @@ -470,7 +470,7 @@ func init() {
})
}, `Modify the msDS-AllowedToActOnBehalfOfOtherIdentity (Resource Based Constrained Delegation) on an account to enable any SPN enabled user to impersonate it`, engine.BeforeMergeFinal)

EdgeRBCD := engine.NewEdge("RBCD")
EdgeRBCD := engine.NewEdge("RBConstrainedDeleg")
Loader.AddProcessor(func(ao *engine.Objects) {
ao.Iterate(func(o *engine.Object) bool {
// Only computers
Expand All @@ -479,19 +479,43 @@ func init() {
}
o.Attr(activedirectory.MSDSAllowedToActOnBehalfOfOtherIdentity).Iterate(func(val engine.AttributeValue) bool {
// Each of these is a SID, so find that SID and add an edge
sd := val.Raw().(*engine.SecurityDescriptor)
ui.Debug().Msgf("Found msDS-AllowedToActOnBehalfOfOtherIdentity on %v as %v", o.DN(), sd.String(ao))
for _, acl := range sd.DACL.Entries {
if acl.Type == engine.ACETYPE_ACCESS_ALLOWED {
ao.FindOrAddAdjacentSID(acl.SID, o).EdgeTo(o, EdgeRBCD)
if sd, ok := val.Raw().(*engine.SecurityDescriptor); ok {
// ui.Debug().Msgf("Found msDS-AllowedToActOnBehalfOfOtherIdentity on %v as %v", o.DN(), sd.String(ao))
for _, acl := range sd.DACL.Entries {
if acl.Type == engine.ACETYPE_ACCESS_ALLOWED {
ao.FindOrAddAdjacentSID(acl.SID, o).EdgeTo(o, EdgeRBCD)
}
}
}
// o.EdgeTo(ao.FindOrAddAdjacentSID(sid, o), EdgeRBCD)
return true
})
return true
})
}, `Someone is listed in the msDS-AllowedToActOnBehalfOfOtherIdentity (Resource Based Constrained Delegation) on an account`, engine.BeforeMergeFinal)

EdgeCD := engine.NewEdge("ConstrainedDeleg")
Loader.AddProcessor(func(ao *engine.Objects) {
ao.Iterate(func(o *engine.Object) bool {
// Only computers
if o.Type() != engine.ObjectTypeComputer && o.Type() != engine.ObjectTypeUser {
return true
}
o.Attr(activedirectory.MSDSAllowedToDelegateTo).Iterate(func(val engine.AttributeValue) bool {
// Each of these is a SID, so find that SID and add an edge
// sd := val.Raw().(*engine.SecurityDescriptor)
ui.Debug().Msgf("Found msDS-AllowedToDelegate on %v as %v", o.DN(), val.String())
if target, found := ao.Find(activedirectory.ServicePrincipalName, val); found {
o.EdgeTo(target, EdgeCD)
} else {
ui.Error().Msgf("Could not find constrained delegation SPN %v in the AD", val.String())
}

return true
})
return true
})
}, `Someone is listed in the msDS-AllowedToDelegate (Constrained Delegation) on an account`, engine.BeforeMergeFinal)

/*
// https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
Loader.AddProcessor(func(ao *engine.Objects) {
Expand Down Expand Up @@ -577,8 +601,7 @@ func init() {
Loader.AddProcessor(func(ao *engine.Objects) {
ao.Iterate(func(o *engine.Object) bool {
o.Attr(activedirectory.MSDSGroupMSAMembership).Iterate(func(msads engine.AttributeValue) bool {
sd, err := engine.ParseSecurityDescriptor([]byte(msads.String()))
if err == nil {
if sd, ok := msads.Raw().(*engine.SecurityDescriptor); ok {
for _, acl := range sd.DACL.Entries {
if acl.Type == engine.ACETYPE_ACCESS_ALLOWED {
ao.FindOrAddAdjacentSID(acl.SID, o).EdgeTo(o, activedirectory.EdgeReadMSAPassword)
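Review bot: The new constrained-delegation processor in the second hunk reports every msDS-AllowedToDelegateTo value it cannot resolve at error level (`ui.Error().Msgf("Could not find constrained delegation SPN %v in the AD", val.String())`), yet SPNs for hosts outside the collected forest, decommissioned services, or entries whose case or port differs from the registered servicePrincipalName are ordinary directory data, so this will be noisy and, unless `ao.Find` already normalizes case, the exact-match lookup will also silently drop edges; logging the miss with `ui.Debug()` and matching SPNs case-insensitively would reduce both problems. The copied comment `// Each of these is a SID, so find that SID and add an edge` is wrong for this attribute — the values are SPN strings, as the lookup against `activedirectory.ServicePrincipalName` shows — and `// Only computers` no longer matches a condition that also admits users; suggest `// Each value is an SPN; resolve it to the account that registers it and add an edge` and `// Only computers and users`. The edge also does not record whether the delegating account has protocol transition enabled, which changes how far the delegation can be abused, so a note on the processor description or a distinct edge would make the finding more precise if that UAC flag is available in the graph. The enclosing func init() starts and ends outside this hunk. Separately, the third hunk's switch from ParseSecurityDescriptor to a bare type assertion on `msads.Raw()` produces no ReadMSAPassword edges at all if msDS-GroupMSAMembership is not declared with the security-descriptor attribute type — its declaration is not in this diff, so that is worth confirming.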
1 change: 1 addition & 0 deletions modules/integrations/activedirectory/attributes.go
Expand Up @@ -61,6 +61,7 @@ var (
ObjectSid = engine.NewAttribute("objectSid").Tag("AD").Merge().Single().Type(engine.AttributeTypeSID)
CreatorSID = engine.NewAttribute("mS-DS-CreatorSID").Tag("AD").Single().Type(engine.AttributeTypeSID)
MSDSAllowedToActOnBehalfOfOtherIdentity = engine.NewAttribute("msDS-AllowedToActOnBehalfOfOtherIdentity").Tag("AD").Type(engine.AttributeTypeSecurityDescriptor)
MSDSAllowedToDelegateTo = engine.NewAttribute("msDS-AllowedToDelegateTo").Tag("AD")
FRSRootSecurity = engine.NewAttribute("fRSRootSecurity").Tag("AD").Type(engine.AttributeTypeSecurityDescriptor)
MSDFSLinkSecurityDescriptorv2 = engine.NewAttribute("msDFS-LinkSecurityDescriptorv2").Tag("AD").Type(engine.AttributeTypeSecurityDescriptor)
PKIEnrollmentAccess = engine.NewAttribute("pKIEnrollmentAccess").Tag("AD")
