2025/01/14
The issue where a group had ActiveDirectoryRights:Self with a SID mapped to it, theoretically allowing a user to add themselves to the group, has been fixed. Thanks to @shyam0904a for identifying and fixing this issue! #4
2025/01/05
This version fixes the lack of WriteGPLink for Organizational Units and WriteSPN for Computers.
2024/12/28
The latest update introduces enhanced functionality and optimizations for handling Active Directory objects. It includes support for IssuancePolicies. It fixes unconstrained delegation issues, where FQDNs were replaced with SIDs to ensure compatibility with BloodHound CE. GUIDs are now properly parsed in the Windows Active Directory format, adhering to the little-endian structure, which fixes all issues related to ACE permissions. Password policy attributes from Active Directory are retrieved and associated with the domain object in domain.json. Additionally, Kerberos service ticket encryption algorithms are now extracted via the msDS-SupportedEncryptionTypes attribute. Finally, the code has been optimized to improve object type verification and streamline offline value replacements in src/json/checker/common.rs, enhancing performance and maintainability.
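The GUID parsing point above, as an added example that is not taken from the RustHound-CE source: it decodes the 16 raw bytes of an ACE ObjectType in the Windows GUID layout and shows that printing the bytes in stored order yields a string that no longer matches the right it names. The function names and the sample byte array are assumptions made for this illustration.

```rust
// Added example, not RustHound-CE code. All function names are hypothetical.

/// Constructed sample: raw ObjectType bytes as they sit in a security
/// descriptor, here the User-Force-Change-Password extended right.
pub const SAMPLE_OBJECT_TYPE: [u8; 16] = [
    0x70, 0x95, 0x29, 0x00, 0x6d, 0x24, 0xd0, 0x11,
    0xa7, 0x68, 0x00, 0xaa, 0x00, 0x6e, 0x05, 0x29,
];

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Windows GUID layout: Data1 (u32), Data2 (u16) and Data3 (u16) are stored
/// little-endian; the last 8 bytes (Data4) keep their stored order.
pub fn guid_from_ad_bytes(raw: &[u8]) -> Option<String> {
    if raw.len() != 16 {
        return None; // truncated or oversized field: refuse to guess
    }
    let d1 = u32::from_le_bytes([raw[0], raw[1], raw[2], raw[3]]);
    let d2 = u16::from_le_bytes([raw[4], raw[5]]);
    let d3 = u16::from_le_bytes([raw[6], raw[7]]);
    Some(format!("{:08x}-{:04x}-{:04x}-{}-{}", d1, d2, d3, hex(&raw[8..10]), hex(&raw[10..])))
}

/// Incorrect decoding, kept for comparison: bytes printed in stored order.
pub fn guid_in_stored_order(raw: &[u8]) -> Option<String> {
    if raw.len() != 16 {
        return None;
    }
    Some(format!("{}-{}-{}-{}-{}", hex(&raw[..4]), hex(&raw[4..6]), hex(&raw[6..8]), hex(&raw[8..10]), hex(&raw[10..])))
}

/// Two well-known rights GUIDs, enough to show how an ACE lookup succeeds or fails.
pub fn right_name(guid: &str) -> Option<&'static str> {
    match guid {
        "00299570-246d-11d0-a768-00aa006e0529" => Some("User-Force-Change-Password"),
        "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" => Some("DS-Replication-Get-Changes"),
        _ => None,
    }
}

fn main() {
    let good = guid_from_ad_bytes(&SAMPLE_OBJECT_TYPE).unwrap();
    let bad = guid_in_stored_order(&SAMPLE_OBJECT_TYPE).unwrap();
    println!("little-endian aware: {} -> {:?}", good, right_name(&good));
    println!("stored order:        {} -> {:?}", bad, right_name(&bad));
}
```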
The tests were conducted on Mayfly's GOAD lab environment.
Shortest paths to systems trusted for unconstrained delegation
MATCH p=shortestPath((n)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor|SyncedToEntraUser*1..]->(m:Computer))
WHERE m.unconstraineddelegation = true AND n<>m
RETURN p
LIMIT 1000
rusthound-ce.exe -c All -d ESSOS.local -u vagrant -p vagrant -z
SharpHound.exe -c All -d ESSOS.local --ldapusername vagrant --ldappassword vagrant