Revert "CoerceToTGT edge (#903)" (#956)

This reverts commit 3f1a4f8.

cmd/api/src/test/fixtures/fixtures/expected_ingest.go

@@ -157,12 +157,6 @@ var (
 			query.Kind(query.Relationship(), ad.HasSession),
 			query.Kind(query.End(), ad.User),
 			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-1108")),
-		query.And(
-			query.Kind(query.Start(), ad.Computer),
-			query.Equals(query.StartProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-2120"),
-			query.Kind(query.Relationship(), ad.CoerceToTGT),
-			query.Kind(query.End(), ad.Domain),
-			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446")),
 
 		//// GPOs
 		query.And(
@@ -248,12 +242,6 @@ var (
 			query.Kind(query.Relationship(), ad.AllExtendedRights),
 			query.Kind(query.End(), ad.User),
 			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-1106")),
-		query.And(
-			query.Kind(query.Start(), ad.User),
-			query.Equals(query.StartProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-2125"),
-			query.Kind(query.Relationship(), ad.CoerceToTGT),
-			query.Kind(query.End(), ad.Domain),
-			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446")),
 
 		//// SESSIONS
 		query.And(

cmd/api/src/test/fixtures/fixtures/v6/ingest/computers.json

@@ -475,8 +475,6 @@
                 "sidhistory": [
                 ]
             },
-            "UnconstrainedDelegation": true,
-            "DomainSID": "S-1-5-21-3130019616-2776909439-2417379446",
             "PrimaryGroupSID": "S-1-5-21-3130019616-2776909439-2417379446-515",
             "AllowedToDelegate": [
             ],

cmd/api/src/test/fixtures/fixtures/v6/ingest/users.json

@@ -889,39 +889,6 @@
             "IsDeleted": false,
             "IsACLProtected": false
         },
-        {
-            "Properties": {
-                "domain": "TESTLAB.LOCAL",
-                "name": "[email protected]",
-                "distinguishedname": "CN\u003dADDALLOWEDTOACTTEST,CN\u003dUSERS,DC\u003dTESTLAB,DC\u003dLOCAL",
-                "domainsid": "S-1-5-21-3130019616-2776909439-2417379446",
-                "whencreated": 1617618036,
-                "sensitive": false,
-                "dontreqpreauth": false,
-                "passwordnotreqd": false,
-                "unconstraineddelegation": true,
-                "pwdneverexpires": true,
-                "enabled": true,
-                "trustedtoauth": false,
-                "lastlogon": 0,
-                "lastlogontimestamp": -1,
-                "pwdlastset": 1617643236,
-                "serviceprincipalnames": [],
-                "hasspn": false,
-                "admincount": false,
-                "sidhistory": []
-            },
-            "AllowedToDelegate": [],
-            "DomainSID": "S-1-5-21-3130019616-2776909439-2417379446",
-            "UnconstrainedDelegation": true,
-            "PrimaryGroupSID": "S-1-5-21-3130019616-2776909439-2417379446-513",
-            "HasSIDHistory": [],
-            "SpnTargets": [],
-            "Aces": [],
-            "ObjectIdentifier": "S-1-5-21-3130019616-2776909439-2417379446-2125",
-            "IsDeleted": false,
-            "IsACLProtected": false
-        },
         {
             "Properties": {
                 "domain": "TESTLAB.LOCAL",

packages/cue/bh/ad/ad.cue

@@ -1018,11 +1018,6 @@ AllowedToDelegate: types.#Kind & {
 	schema: "active_directory"
 }
 
-CoerceToTGT: types.#Kind & {
-	symbol: "CoerceToTGT"
-	schema: "active_directory"
-}
-
 GetChanges: types.#Kind & {
 	symbol: "GetChanges"
 	schema: "active_directory"
@@ -1313,7 +1308,6 @@ RelationshipKinds: [
 	Contains,
 	GPLink,
 	AllowedToDelegate,
-	CoerceToTGT,
 	GetChanges,
 	GetChangesAll,
 	GetChangesInFilteredSet,
@@ -1417,7 +1411,6 @@ PathfindingRelationships: [
 	Contains,
 	GPLink,
 	AllowedToDelegate,
-	CoerceToTGT,
 	TrustedBy,
 	AllowedToAct,
 	AdminTo,

packages/go/cypher/test/cases/positive_tests.json

@@ -709,7 +709,7 @@
             "name": "Find Dangerous Privileges for Domain Users Groups",
             "type": "string_match",
             "details": {
-                "query": "match p = (m:Group)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|CoerceToTGT|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor|SyncedToEntraUser]->(n:Base) where m.objectid ends with '-513' return p",
+                "query": "match p = (m:Group)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor|SyncedToEntraUser]->(n:Base) where m.objectid ends with '-513' return p",
                 "complexity": 3
             }
         },

packages/go/ein/ad.go

@@ -289,31 +289,6 @@ func ParseUserMiscData(user User) []IngestibleRelationship {
 		))
 	}
 
-	// CoerceToTGT / unconstrained delegation
-	var (
-		userProps        = graph.AsProperties(user.Properties)
-		uncondel, _      = userProps.GetOrDefault(ad.UnconstrainedDelegation.String(), user.UnconstrainedDelegation).Bool() // SH v2.5.7 and earlier have unconstraineddelegation under 'Properties' only
-		domainsid, _     = userProps.GetOrDefault(ad.DomainSID.String(), user.DomainSID).String()                           // SH v2.5.7 and earlier have domainsid under 'Properties' only
-		validCoerceToTGT = uncondel && domainsid != ""
-	)
-
-	if validCoerceToTGT {
-		data = append(data, NewIngestibleRelationship(
-			IngestibleSource{
-				Source:     user.ObjectIdentifier,
-				SourceType: ad.User,
-			},
-			IngestibleTarget{
-				Target:     domainsid,
-				TargetType: ad.Domain,
-			},
-			IngestibleRel{
-				RelProps: map[string]any{"isacl": false},
-				RelType:  ad.CoerceToTGT,
-			},
-		))
-	}
-
 	return data
 }
 
@@ -436,7 +411,7 @@ func ParseDomainTrusts(domain Domain) ParsedDomainTrustData {
 	return parsedData
 }
 
-// ParseComputerMiscData parses AllowedToDelegate, AllowedToAct, HasSIDHistory, DumpSMSAPassword, DCFor, Sessions, and CoerceToTGT
+// ParseComputerMiscData parses AllowedToDelegate, AllowedToAct, HasSIDHistory,DumpSMSAPassword,DCFor and Sessions
 func ParseComputerMiscData(computer Computer) []IngestibleRelationship {
 	relationships := make([]IngestibleRelationship, 0)
 	for _, target := range computer.AllowedToDelegate {
@@ -579,30 +554,6 @@ func ParseComputerMiscData(computer Computer) []IngestibleRelationship {
 				RelType:  ad.DCFor,
 			},
 		))
-	} else { // We do not want CoerceToTGT edges from DCs
-		var (
-			computerProps    = graph.AsProperties(computer.Properties)
-			uncondel, _      = computerProps.GetOrDefault(ad.UnconstrainedDelegation.String(), computer.UnconstrainedDelegation).Bool() // SH v2.5.7 and earlier have unconstraineddelegation under 'Properties' only
-			domainsid, _     = computerProps.GetOrDefault(ad.DomainSID.String(), computer.DomainSID).String()                           // SH v2.5.7 and earlier have domainsid under 'Properties' only
-			validCoerceToTGT = uncondel && domainsid != ""
-		)
-
-		if validCoerceToTGT {
-			relationships = append(relationships, NewIngestibleRelationship(
-				IngestibleSource{
-					Source:     computer.ObjectIdentifier,
-					SourceType: ad.Computer,
-				},
-				IngestibleTarget{
-					Target:     computer.DomainSID,
-					TargetType: ad.Domain,
-				},
-				IngestibleRel{
-					RelProps: map[string]any{"isacl": false},
-					RelType:  ad.CoerceToTGT,
-				},
-			))
-		}
 	}
 
 	return relationships

packages/go/ein/incoming_models.go

@@ -189,12 +189,10 @@ type Group struct {
 
 type User struct {
 	IngestBase
-	AllowedToDelegate       []TypedPrincipal
-	SPNTargets              []SPNTarget
-	PrimaryGroupSID         string
-	HasSIDHistory           []TypedPrincipal
-	DomainSID               string
-	UnconstrainedDelegation bool
+	AllowedToDelegate []TypedPrincipal
+	SPNTargets        []SPNTarget
+	PrimaryGroupSID   string
+	HasSIDHistory     []TypedPrincipal
 }
 
 type Container struct {
@@ -262,21 +260,20 @@ type UserRightsAssignmentAPIResult struct {
 
 type Computer struct {
 	IngestBase
-	PrimaryGroupSID         string
-	AllowedToDelegate       []TypedPrincipal
-	AllowedToAct            []TypedPrincipal
-	DumpSMSAPassword        []TypedPrincipal
-	Sessions                SessionAPIResult
-	PrivilegedSessions      SessionAPIResult
-	RegistrySessions        SessionAPIResult
-	LocalGroups             []LocalGroupAPIResult
-	UserRights              []UserRightsAssignmentAPIResult
-	DCRegistryData          DCRegistryData
-	Status                  ComputerStatus
-	HasSIDHistory           []TypedPrincipal
-	IsDC                    bool
-	DomainSID               string
-	UnconstrainedDelegation bool
+	PrimaryGroupSID    string
+	AllowedToDelegate  []TypedPrincipal
+	AllowedToAct       []TypedPrincipal
+	DumpSMSAPassword   []TypedPrincipal
+	Sessions           SessionAPIResult
+	PrivilegedSessions SessionAPIResult
+	RegistrySessions   SessionAPIResult
+	LocalGroups        []LocalGroupAPIResult
+	UserRights         []UserRightsAssignmentAPIResult
+	DCRegistryData     DCRegistryData
+	Status             ComputerStatus
+	HasSIDHistory      []TypedPrincipal
+	IsDC               bool
+	DomainSID          string
 }
 
 type OU struct {