Edge entity panel updates #314

Merged (7 commits), Jan 23, 2024
Expand Up @@ -49,7 +49,7 @@ const WindowsAbuse: FC = () => {
</Typography>
<Typography variant='body2'>
Next, we need to set this newly created security descriptor in the
msDS-AllowedToActOnBehalfOfOtherIdentity field of the comptuer account we're taking over, again using
msDS-AllowedToActOnBehalfOfOtherIdentity field of the computer account we're taking over, again using
PowerView in this case:
</Typography>
<Typography component={'pre'}>
Expand Up @@ -22,7 +22,7 @@ const LinuxAbuse: FC<EdgeInfoProps> = ({ sourceName, sourceType }) => {
return (
<>
<Typography variant='body2'>
To abuse this privilege, use{' '}
To abuse this permission, use{' '}
<Link target='_blank' rel='noopener' href='https://github.com/ShutdownRepo/pywhisker'>
pyWhisker
</Link>
Expand Up @@ -21,7 +21,7 @@ import { EdgeInfoProps } from '../index';
const WindowsAbuse: FC<EdgeInfoProps> = ({ sourceName, sourceType }) => {
return (
<>
<Typography variant='body2'>To abuse this privilege, use Whisker. </Typography>
<Typography variant='body2'>To abuse this permission, use Whisker. </Typography>

<Typography variant='body2'>
You may need to authenticate to the Domain Controller as{' '}
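Review bot: The trailing space kept inside the Typography on the `+` line (`use Whisker. </Typography>`) serves no purpose, because the following Typography is a separate block; trim it to `use Whisker.</Typography>` while the line is being touched.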
Expand Up @@ -33,12 +33,11 @@ const LinuxAbuse: FC<EdgeInfoProps> = ({ sourceName, sourceType }) => {
</Typography>

<Typography variant='body2'>
Pass-the-hash can also be done here with{' '}
It can also be done with pass-the-hash using{' '}
<Link target='_blank' rel='noopener' href='https://github.com/byt3bl33d3r/pth-toolkit'>
pth-toolkit's net tool
</Link>
. If the LM hash is not known it must be replaced with{' '}
<Typography component={'pre'}>ffffffffffffffffffffffffffffffff</Typography>.
. If the LM hash is not known, use 'ffffffffffffffffffffffffffffffff'.
</Typography>

<Typography component={'pre'}>
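Review bot: The rewritten sentence `It can also be done with pass-the-hash using` opens with a pronoun whose antecedent lies outside the hunk, and it reads less clearly than the old `Pass-the-hash can also be done here with`; name the action the preceding paragraph describes (e.g. `The same change can also be made with pass-the-hash using`) so the paragraph stands on its own. Dropping the nested `pre` Typography inside the body2 paragraph in favour of an inline quoted value is fine, since a block-level element inside that paragraph was the wrong nesting anyway.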
Expand Up @@ -27,12 +27,12 @@ const WindowsAbuse: FC<EdgeInfoProps> = ({ sourceName, sourceType }) => {
considerations tab for why this may be a bad idea. The second, and highly recommended method, is by
using the Add-DomainGroupMember function in PowerView. This function is superior to using the net.exe
binary in several ways. For instance, you can supply alternate credentials, instead of needing to run a
process as or logon as the user with the AddMember privilege. Additionally, you have much safer
process as or logon as the user with the AddMember permission. Additionally, you have much safer
execution options than you do with spawning net.exe (see the opsec tab).
</Typography>

<Typography variant='body2'>
To abuse this privilege with PowerView's Add-DomainGroupMember, first import PowerView into your agent
To abuse this permission with PowerView's Add-DomainGroupMember, first import PowerView into your agent
session or into a PowerShell instance at the console.
</Typography>

Expand Up @@ -33,12 +33,11 @@ const LinuxAbuse: FC<EdgeInfoProps> = ({ sourceName, sourceType }) => {
</Typography>

<Typography variant='body2'>
Pass-the-hash can also be done here with{' '}
It can also be done with pass-the-hash using{' '}
<Link target='_blank' rel='noopener' href='https://github.com/byt3bl33d3r/pth-toolkit'>
pth-toolkit's net tool
</Link>
. If the LM hash is not known it must be replace with{' '}
<Typography component={'pre'}>ffffffffffffffffffffffffffffffff</Typography>.
. If the LM hash is not known, use 'ffffffffffffffffffffffffffffffff'.
</Typography>

<Typography component={'pre'}>
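Review bot: This is character-for-character the same change as the pass-the-hash hunk above (pth-toolkit link plus the LM hash placeholder), and the same paragraph appears a third time further down; three identical copies of this JSX across edge panels means every wording fix has to land three times, so consider extracting it into a shared component. Side note: the old line here read `it must be replace with`, so the rewrite also fixes that typo.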
Expand Up @@ -27,12 +27,12 @@ const WindowsAbuse: FC<EdgeInfoProps> = ({ sourceName, sourceType }) => {
considerations tab for why this may be a bad idea. The second, and highly recommended method, is by
using the Add-DomainGroupMember function in PowerView. This function is superior to using the net.exe
binary in several ways. For instance, you can supply alternate credentials, instead of needing to run a
process as or logon as the user with the AddMember privilege. Additionally, you have much safer
process as or logon as the user with the AddMember permission. Additionally, you have much safer
execution options than you do with spawning net.exe (see the opsec tab).
</Typography>

<Typography variant='body2'>
To abuse this privilege with PowerView's Add-DomainGroupMember, first import PowerView into your agent
To abuse this permission with PowerView's Add-DomainGroupMember, first import PowerView into your agent
session or into a PowerShell instance at the console.{' '}
</Typography>
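Review bot: The `+` line ends with a stray `{' '}` after `at the console.` with nothing following it inside the Typography, so it only appends a trailing space; drop it (the otherwise identical hunk above does not carry it).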

Expand Up @@ -23,9 +23,8 @@ const General: FC<EdgeInfoProps> = ({ sourceName, sourceType, targetName, target
return (
<>
<Typography variant='body2'>
{groupSpecialFormat(sourceType, sourceName)} the AllExtendedRights privilege to the{' '}
{typeFormat(targetType)}
{targetName}.
{groupSpecialFormat(sourceType, sourceName)} the AllExtendedRights permission to the{' '}
{typeFormat(targetType)} {targetName}.
</Typography>

<Typography variant='body2'>
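Review bot: Folding `{typeFormat(targetType)}` and `{targetName}` onto one line with a literal space between them is a rendering fix, not just a reflow: JSX emits no whitespace for a newline between two expressions, so the old three-line form rendered the type and the name run together. Worth a word in the commit message so the behaviour change is not mistaken for formatting.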
Expand Up @@ -24,7 +24,7 @@ const LinuxAbuse: FC<EdgeInfoProps & { haslaps: boolean }> = ({ sourceName, targ
return (
<>
<Typography variant='body2'>
The AllExtendedRights privilege grants {sourceName} the ability to change the password of the
The AllExtendedRights permission grants {sourceName} the ability to change the password of the
user {targetName} without knowing their current password. This is equivalent to the
"ForceChangePassword" edge in BloodHound.
</Typography>
Expand All @@ -42,12 +42,11 @@ const LinuxAbuse: FC<EdgeInfoProps & { haslaps: boolean }> = ({ sourceName, targ
</Typography>

<Typography variant='body2'>
Pass-the-hash can also be done here with{' '}
It can also be done with pass-the-hash using{' '}
<Link target='_blank' rel='noopener' href='https://github.com/byt3bl33d3r/pth-toolkit'>
pth-toolkit's net tool
</Link>
. If the LM hash is not known it must be replace with{' '}
<Typography component={'pre'}>ffffffffffffffffffffffffffffffff</Typography>.
. If the LM hash is not known, use 'ffffffffffffffffffffffffffffffff'.
</Typography>

<Typography component={'pre'}>
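Review bot: Replacing the block-level `pre` Typography with a plain quoted `'ffffffffffffffffffffffffffffffff'` loses the monospace rendering of the placeholder hash; an inline code element (e.g. a Typography with `component='code'`) would keep it distinguishable from prose without reintroducing a block element inside the body2 paragraph.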
Expand All @@ -61,9 +60,22 @@ const LinuxAbuse: FC<EdgeInfoProps & { haslaps: boolean }> = ({ sourceName, targ
if (haslaps) {
return (
<>
<Typography variant='body2'>
The AllExtendedRights permission grants {sourceName} the ability to obtain the LAPS (RID 500
administrator) password of {targetName}. {sourceName} can do so by listing a computer
object's AD properties with PowerView using Get-DomainComputer {targetName}. The value of
the ms-mcs-AdmPwd property will contain password of the administrative local account on{' '}
{targetName}.
</Typography>

<Typography variant='body2'>
Alternatively, AllExtendedRights on a computer object can be used to perform a
Resource-Based Constrained Delegation attack.
</Typography>

<Typography variant='body1'> Retrieve LAPS Password </Typography>
<Typography variant='body2'>
The AllExtendedRights privilege grants {sourceName} the ability to obtain the RID 500
The AllExtendedRights permission grants {sourceName} the ability to obtain the RID 500
administrator password of {targetName}. {sourceName} can do so by listing a computer
object's AD properties with PowerView using Get-DomainComputer {targetName}. The value of
the ms-mcs-AdmPwd property will contain password of the administrative local account on{' '}
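Review bot: The newly added intro paragraph in the `haslaps` branch repeats, almost verbatim, the `Retrieve LAPS Password` section body that follows it (`The AllExtendedRights permission grants {sourceName} the ability to obtain the ... administrator password of {targetName}. {sourceName} can do so by listing a computer object's AD properties with PowerView using Get-DomainComputer ...`), so the reader gets the same instructions twice; keep the intro to a one-sentence summary and leave the detail in the section. Also, `will contain password of the administrative local account` is missing `the` on both the new line and the retained one.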
Expand Down Expand Up @@ -110,27 +122,16 @@ const LinuxAbuse: FC<EdgeInfoProps & { haslaps: boolean }> = ({ sourceName, targ
This ticket can then be used with Pass-the-Ticket, and could grant access to the file system
of the TARGETCOMPUTER.
</Typography>
<Typography variant='body1'> Shadow Credentials attack </Typography>
<Typography variant='body2'>
To abuse this privilege, use{' '}
<Link target='_blank' rel='noopener' href='https://github.com/ShutdownRepo/pywhisker'>
pyWhisker
</Link>
.
</Typography>
<Typography component={'pre'}>
{
'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'
}
</Typography>
<Typography variant='body2'>
For other optional parameters, view the pyWhisker documentation.
</Typography>
</>
);
} else {
return (
<>
<Typography variant='body2'>
AllExtendedRights on a computer object can be used to perform a Resource-Based Constrained
Delegation attack.
</Typography>

<Typography variant='body1'> Resource-Based Constrained Delegation </Typography>
<Typography variant='body2'>
First, if an attacker does not control an account with an SPN set, a new attacker-controlled
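Review bot: Removing the whole `Shadow Credentials attack` section (heading, pyWhisker link, example command and documentation pointer) here, and again in the `else` branch in the next hunk, leaves the technique undocumented in this panel. If that content now lives in the dedicated Whisker/pyWhisker panels edited earlier in this PR, say so in the PR description; otherwise the removal looks unintentional. Separately, the new `AllExtendedRights on a computer object can be used to perform a Resource-Based Constrained Delegation attack.` paragraph duplicates the `Alternatively, ...` paragraph added to the `haslaps` branch; one shared sentence above the conditional would avoid maintaining two.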
Expand Down Expand Up @@ -163,22 +164,6 @@ const LinuxAbuse: FC<EdgeInfoProps & { haslaps: boolean }> = ({ sourceName, targ
This ticket can then be used with Pass-the-Ticket, and could grant access to the file system
of the TARGETCOMPUTER.
</Typography>
<Typography variant='body1'> Shadow Credentials attack </Typography>
<Typography variant='body2'>
To abuse this privilege, use{' '}
<Link target='_blank' rel='noopener' href='https://github.com/ShutdownRepo/pywhisker'>
pyWhisker
</Link>
.
</Typography>
<Typography component={'pre'}>
{
'pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"'
}
</Typography>
<Typography variant='body2'>
For other optional parameters, view the pyWhisker documentation.
</Typography>
</>
);
}
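Review bot: Same removal as the previous hunk, applied to the `else` branch; after it both branches end on the identical `This ticket can then be used with Pass-the-Ticket ...` paragraph, which suggests the RBCD walkthrough could be hoisted out of the `if (haslaps)` conditional rather than kept in two copies.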
Expand All @@ -188,7 +173,7 @@ const LinuxAbuse: FC<EdgeInfoProps & { haslaps: boolean }> = ({ sourceName, targ
<Typography variant='body1'>DCSync</Typography>

<Typography variant='body2'>
The AllExtendedRights privilege grants {sourceName} both the DS-Replication-Get-Changes and
The AllExtendedRights permission grants {sourceName} both the DS-Replication-Get-Changes and
DS-Replication-Get-Changes-All privileges, which combined allow a principal to replicate objects
from the domain {targetName}.
</Typography>
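Review bot: The renamed line now says `permission` while the unchanged continuation still calls DS-Replication-Get-Changes and DS-Replication-Get-Changes-All `privileges`, so one sentence mixes the two terms the PR is trying to separate; since both are Active Directory extended rights, `extended rights` (or at least `permissions`) on the second line would be consistent.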
Expand All @@ -204,7 +189,7 @@ const LinuxAbuse: FC<EdgeInfoProps & { haslaps: boolean }> = ({ sourceName, targ
<Typography variant='body1'> Retrieve LAPS Passwords </Typography>

<Typography variant='body2'>
The AllExtendedRights privilege also grants {sourceName} enough privileges, to retrieve LAPS
The AllExtendedRights permission also grants {sourceName} enough privileges, to retrieve LAPS
passwords domain-wise.
</Typography>
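Review bot: Two nits on the `+` line and its continuation: the comma in `enough privileges, to retrieve` splits the verb from its object and should go, and `domain-wise` should be `domain-wide`. The same `permission ... privileges` mix as in the DCSync paragraph above applies here too.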
