diff --git a/cmd/api/src/test/integration/harnesses/esc3harness1.svg b/cmd/api/src/test/integration/harnesses/esc3harness1.svg
index 4a138bac7d..0eef29bed2 100644
--- a/cmd/api/src/test/integration/harnesses/esc3harness1.svg
+++ b/cmd/api/src/test/integration/harnesses/esc3harness1.svg
@@ -1 +1,18 @@
-
\ No newline at end of file
+
+
diff --git a/cmd/api/src/test/integration/harnesses/esc3harness2.svg b/cmd/api/src/test/integration/harnesses/esc3harness2.svg
index 194ea5ee7f..07e3199102 100644
--- a/cmd/api/src/test/integration/harnesses/esc3harness2.svg
+++ b/cmd/api/src/test/integration/harnesses/esc3harness2.svg
@@ -1 +1,18 @@
-
\ No newline at end of file
+
+
diff --git a/examples/helm/templates/cmbh.yaml b/examples/helm/templates/cmbh.yaml
index 4599e17538..d45d450e21 100644
--- a/examples/helm/templates/cmbh.yaml
+++ b/examples/helm/templates/cmbh.yaml
@@ -1,3 +1,19 @@
+# Copyright 2023 Specter Ops, Inc.
+#
+# Licensed under the Apache License, Version 2.0
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
apiVersion: v1
kind: ConfigMap
metadata:
diff --git a/examples/helm/templates/ingressgraphdb.yaml b/examples/helm/templates/ingressgraphdb.yaml
index 75fa0809c1..660df09c7e 100644
--- a/examples/helm/templates/ingressgraphdb.yaml
+++ b/examples/helm/templates/ingressgraphdb.yaml
@@ -1,3 +1,19 @@
+# Copyright 2023 Specter Ops, Inc.
+#
+# Licensed under the Apache License, Version 2.0
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
{{- if .Values.graphdb.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue
index 5d15104fa8..c6922385a3 100644
--- a/packages/cue/bh/ad/ad.cue
+++ b/packages/cue/bh/ad/ad.cue
@@ -377,6 +377,41 @@ SubjectAltRequireUPN: types.#StringEnum & {
representation: "subjectaltrequireupn"
}
+SubjectAltRequireDNS: types.#StringEnum & {
+ symbol: "SubjectAltRequireDNS"
+ schema: "ad"
+ name: "Subject Alternative Name Require DNS"
+ representation: "subjectaltrequiredns"
+}
+
+SubjectAltRequireDomainDNS: types.#StringEnum & {
+ symbol: "SubjectAltRequireDomainDNS"
+ schema: "ad"
+ name: "Subject Alternative Name Require Domain DNS"
+ representation: "subjectaltrequiredomaindns"
+}
+
+SubjectAltRequireEmail: types.#StringEnum & {
+ symbol: "SubjectAltRequireEmail"
+ schema: "ad"
+ name: "Subject Alternative Name Require Email"
+ representation: "subjectaltrequireemail"
+}
+
+SubjectAltRequireSPN: types.#StringEnum & {
+ symbol: "SubjectAltRequireSPN"
+ schema: "ad"
+ name: "Subject Alternative Name Require SPN"
+ representation: "subjectaltrequirespn"
+}
+
+SubjectRequireEmail: types.#StringEnum & {
+ symbol: "SubjectRequireEmail"
+ schema: "ad"
+ name: "Subject Require Email"
+ representation: "subjectrequireemail"
+}
+
AuthorizedSignatures: types.#StringEnum & {
symbol: "AuthorizedSignatures"
schema: "ad"
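Review bot: The five new definitions (SubjectAltRequireDNS through SubjectRequireEmail) carry no comment saying what they encode; from the names and the neighbouring SubjectAltRequireUPN they look like the msPKI-Certificate-Name-Flag bits (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS, CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS, CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL, CT_FLAG_SUBJECT_ALT_REQUIRE_SPN, CT_FLAG_SUBJECT_REQUIRE_EMAIL), but nothing in the hunk states that. A one-line comment above the group, `// Subject/SAN name-flag properties of a certificate template (msPKI-Certificate-Name-Flag bits); see SubjectAltRequireUPN`, would let a reader of the Go and TypeScript enums trace the property back to its source. packages/go/graphschema/ad/ad.go and graphSchema.ts appear to mirror this file entry for entry, so if they are generated from it the comment belongs here rather than in the mirrors; I cannot confirm generation from the diff. The matching additions to the Properties list at `@@ -539,6 +574,11 @@` need no separate note.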
@@ -539,6 +574,11 @@ Properties: [
StrongCertificateBindingEnforcement,
EKUs,
SubjectAltRequireUPN,
+ SubjectAltRequireDNS,
+ SubjectAltRequireDomainDNS,
+ SubjectAltRequireEmail,
+ SubjectAltRequireSPN,
+ SubjectRequireEmail,
AuthorizedSignatures,
ApplicationPolicies,
IssuancePolicies,
@@ -786,11 +826,6 @@ DCSync: types.#Kind & {
schema: "active_directory"
}
-DCFor: types.#Kind & {
- symbol: "DCFor"
- schema: "active_directory"
-}
-
ReadLAPSPassword: types.#Kind & {
symbol: "ReadLAPSPassword"
schema: "active_directory"
@@ -851,6 +886,11 @@ RootCAFor: types.#Kind & {
schema: "active_directory"
}
+DCFor: types.#Kind & {
+ symbol: "DCFor"
+ schema: "active_directory"
+}
+
PublishedTo: types.#Kind & {
symbol: "PublishedTo"
schema: "active_directory"
@@ -988,7 +1028,6 @@ RelationshipKinds: [
HasSIDHistory,
AddSelf,
DCSync,
- DCFor,
ReadLAPSPassword,
ReadGMSAPassword,
DumpSMSAPassword,
@@ -1002,6 +1041,7 @@ RelationshipKinds: [
SyncLAPSPassword,
WriteAccountRestrictions,
RootCAFor,
+ DCFor,
PublishedTo,
ManageCertificates,
ManageCA,
diff --git a/packages/go/analysis/ad/esc3.go b/packages/go/analysis/ad/esc3.go
index 1dbec0dd71..b26804047d 100644
--- a/packages/go/analysis/ad/esc3.go
+++ b/packages/go/analysis/ad/esc3.go
@@ -18,6 +18,7 @@ package ad
import (
"context"
+
"github.com/specterops/bloodhound/analysis"
"github.com/specterops/bloodhound/dawgs/graph"
"github.com/specterops/bloodhound/dawgs/util/channels"
diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go
index 348916f363..031a147863 100644
--- a/packages/go/graphschema/ad/ad.go
+++ b/packages/go/graphschema/ad/ad.go
@@ -65,7 +65,6 @@ var (
HasSIDHistory = graph.StringKind("HasSIDHistory")
AddSelf = graph.StringKind("AddSelf")
DCSync = graph.StringKind("DCSync")
- DCFor = graph.StringKind("DCFor")
ReadLAPSPassword = graph.StringKind("ReadLAPSPassword")
ReadGMSAPassword = graph.StringKind("ReadGMSAPassword")
DumpSMSAPassword = graph.StringKind("DumpSMSAPassword")
@@ -79,6 +78,7 @@ var (
SyncLAPSPassword = graph.StringKind("SyncLAPSPassword")
WriteAccountRestrictions = graph.StringKind("WriteAccountRestrictions")
RootCAFor = graph.StringKind("RootCAFor")
+ DCFor = graph.StringKind("DCFor")
PublishedTo = graph.StringKind("PublishedTo")
ManageCertificates = graph.StringKind("ManageCertificates")
ManageCA = graph.StringKind("ManageCA")
@@ -155,6 +155,11 @@ const (
StrongCertificateBindingEnforcement Property = "strongcertificatebindingenforcement"
EKUs Property = "ekus"
SubjectAltRequireUPN Property = "subjectaltrequireupn"
+ SubjectAltRequireDNS Property = "subjectaltrequiredns"
+ SubjectAltRequireDomainDNS Property = "subjectaltrequiredomaindns"
+ SubjectAltRequireEmail Property = "subjectaltrequireemail"
+ SubjectAltRequireSPN Property = "subjectaltrequirespn"
+ SubjectRequireEmail Property = "subjectrequireemail"
AuthorizedSignatures Property = "authorizedsignatures"
ApplicationPolicies Property = "applicationpolicies"
IssuancePolicies Property = "issuancepolicies"
@@ -175,7 +180,7 @@ const (
)
func AllProperties() []Property {
- return []Property{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory}
+ return []Property{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, SubjectAltRequireDNS, SubjectAltRequireDomainDNS, SubjectAltRequireEmail, SubjectAltRequireSPN, SubjectRequireEmail, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory}
}
func ParseProperty(source string) (Property, error) {
switch source {
@@ -277,6 +282,16 @@ func ParseProperty(source string) (Property, error) {
return EKUs, nil
case "subjectaltrequireupn":
return SubjectAltRequireUPN, nil
+ case "subjectaltrequiredns":
+ return SubjectAltRequireDNS, nil
+ case "subjectaltrequiredomaindns":
+ return SubjectAltRequireDomainDNS, nil
+ case "subjectaltrequireemail":
+ return SubjectAltRequireEmail, nil
+ case "subjectaltrequirespn":
+ return SubjectAltRequireSPN, nil
+ case "subjectrequireemail":
+ return SubjectRequireEmail, nil
case "authorizedsignatures":
return AuthorizedSignatures, nil
case "applicationpolicies":
@@ -415,6 +430,16 @@ func (s Property) String() string {
return string(EKUs)
case SubjectAltRequireUPN:
return string(SubjectAltRequireUPN)
+ case SubjectAltRequireDNS:
+ return string(SubjectAltRequireDNS)
+ case SubjectAltRequireDomainDNS:
+ return string(SubjectAltRequireDomainDNS)
+ case SubjectAltRequireEmail:
+ return string(SubjectAltRequireEmail)
+ case SubjectAltRequireSPN:
+ return string(SubjectAltRequireSPN)
+ case SubjectRequireEmail:
+ return string(SubjectRequireEmail)
case AuthorizedSignatures:
return string(AuthorizedSignatures)
case ApplicationPolicies:
@@ -553,6 +578,16 @@ func (s Property) Name() string {
return "Enhanced Key Usage"
case SubjectAltRequireUPN:
return "Subject Alternative Name Require UPN"
+ case SubjectAltRequireDNS:
+ return "Subject Alternative Name Require DNS"
+ case SubjectAltRequireDomainDNS:
+ return "Subject Alternative Name Require Domain DNS"
+ case SubjectAltRequireEmail:
+ return "Subject Alternative Name Require Email"
+ case SubjectAltRequireSPN:
+ return "Subject Alternative Name Require SPN"
+ case SubjectRequireEmail:
+ return "Subject Require Email"
case AuthorizedSignatures:
return "Authorized Signatures Required"
case ApplicationPolicies:
@@ -603,7 +638,7 @@ func Nodes() []graph.Kind {
return []graph.Kind{Entity, User, Computer, Group, GPO, OU, Container, Domain, LocalGroup, LocalUser, AIACA, RootCA, EnterpriseCA, NTAuthStore, CertTemplate}
}
func Relationships() []graph.Kind {
- return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, DCFor, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, RootCAFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, CanAbuseUPNCertMapping, CanAbuseWeakCertBinding, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7}
+ return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, CanAbuseUPNCertMapping, CanAbuseWeakCertBinding, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7}
}
func ACLRelationships() []graph.Kind {
return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag}
diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts
index bea8f3bf82..04c748bcc2 100644
--- a/packages/javascript/bh-shared-ui/src/graphSchema.ts
+++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts
@@ -93,7 +93,6 @@ export enum ActiveDirectoryRelationshipKind {
HasSIDHistory = 'HasSIDHistory',
AddSelf = 'AddSelf',
DCSync = 'DCSync',
- DCFor = 'DCFor',
ReadLAPSPassword = 'ReadLAPSPassword',
ReadGMSAPassword = 'ReadGMSAPassword',
DumpSMSAPassword = 'DumpSMSAPassword',
@@ -107,6 +106,7 @@ export enum ActiveDirectoryRelationshipKind {
SyncLAPSPassword = 'SyncLAPSPassword',
WriteAccountRestrictions = 'WriteAccountRestrictions',
RootCAFor = 'RootCAFor',
+ DCFor = 'DCFor',
PublishedTo = 'PublishedTo',
ManageCertificates = 'ManageCertificates',
ManageCA = 'ManageCA',
@@ -182,8 +182,6 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR
return 'AddSelf';
case ActiveDirectoryRelationshipKind.DCSync:
return 'DCSync';
- case ActiveDirectoryRelationshipKind.DCFor:
- return 'DCFor';
case ActiveDirectoryRelationshipKind.ReadLAPSPassword:
return 'ReadLAPSPassword';
case ActiveDirectoryRelationshipKind.ReadGMSAPassword:
@@ -210,6 +208,8 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR
return 'WriteAccountRestrictions';
case ActiveDirectoryRelationshipKind.RootCAFor:
return 'RootCAFor';
+ case ActiveDirectoryRelationshipKind.DCFor:
+ return 'DCFor';
case ActiveDirectoryRelationshipKind.PublishedTo:
return 'PublishedTo';
case ActiveDirectoryRelationshipKind.ManageCertificates:
@@ -309,6 +309,11 @@ export enum ActiveDirectoryKindProperties {
StrongCertificateBindingEnforcement = 'strongcertificatebindingenforcement',
EKUs = 'ekus',
SubjectAltRequireUPN = 'subjectaltrequireupn',
+ SubjectAltRequireDNS = 'subjectaltrequiredns',
+ SubjectAltRequireDomainDNS = 'subjectaltrequiredomaindns',
+ SubjectAltRequireEmail = 'subjectaltrequireemail',
+ SubjectAltRequireSPN = 'subjectaltrequirespn',
+ SubjectRequireEmail = 'subjectrequireemail',
AuthorizedSignatures = 'authorizedsignatures',
ApplicationPolicies = 'applicationpolicies',
IssuancePolicies = 'issuancepolicies',
@@ -427,6 +432,16 @@ export function ActiveDirectoryKindPropertiesToDisplay(value: ActiveDirectoryKin
return 'Enhanced Key Usage';
case ActiveDirectoryKindProperties.SubjectAltRequireUPN:
return 'Subject Alternative Name Require UPN';
+ case ActiveDirectoryKindProperties.SubjectAltRequireDNS:
+ return 'Subject Alternative Name Require DNS';
+ case ActiveDirectoryKindProperties.SubjectAltRequireDomainDNS:
+ return 'Subject Alternative Name Require Domain DNS';
+ case ActiveDirectoryKindProperties.SubjectAltRequireEmail:
+ return 'Subject Alternative Name Require Email';
+ case ActiveDirectoryKindProperties.SubjectAltRequireSPN:
+ return 'Subject Alternative Name Require SPN';
+ case ActiveDirectoryKindProperties.SubjectRequireEmail:
+ return 'Subject Require Email';
case ActiveDirectoryKindProperties.AuthorizedSignatures:
return 'Authorized Signatures Required';
case ActiveDirectoryKindProperties.ApplicationPolicies: