Feature Request: Add in Edge Support and Built-in Query for DS-Install-Replica #547

Open
dmasters31 opened this issue Apr 10, 2024 · 0 comments
Labels
enhancement New feature or request triage This issue requires triaging

Comments

@dmasters31 commented Apr 10, 2024

Feature Description:

Add in parsing, edges, and edge descriptions for DS-Install-Replica rights. By default Domain Admins, Enterprise Admins, and Administrators have these rights. It would be nice to know if other groups in an AD environment also hold these rights in order to perform the server untrust account attack from Stealthbits (https://stealthbits.com/blog/server-untrust-account/).

More information about the DS-Install-Replica right can be found here: https://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/ADSchema/r-ds-install-replica.md

The DS-Install-Replica right's GUID is: 9923a32a-3607-11d2-b9be-0000f87a36b2

Current Behavior:

BloodHound 4.3.1 and BloodHound CE do not parse this information.

Desired Behavior:

Add in edges for DS-Install-Replica rights, similar to GetReplicationChanges and GetReplicationChangesAll, along with the edge info for exploiting the rights. The Stealthbits article linked in the description provides a walkthrough of exploiting it from Windows and links to PowerShell scripts created to do this: https://github.com/netwrix/server-untrust-account.

Linux equivalent steps will need to be created using the functions from the PowerShell script and tool suites like Impacket or BloodyAD (https://github.com/CravateRouge/bloodyAD).

Also having a built-in query to identify non-standard groups or systems that have these rights would be extremely beneficial.

Use Case:

It can help identify permissions (DS-Install-Replica rights on groups) that can be abused to promote a computer to a Domain Controller by updating the userAccountControl value with the UF_SERVER_TRUST_ACCOUNT bit, which automatically changes the primaryGroupID of the machine account to 516 (Domain Controllers). The modified machine account can then be used to perform DCSync attacks in the domain.

@dmasters31 dmasters31 added enhancement New feature or request triage This issue requires triaging labels Apr 10, 2024
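The parsing the request asks for boils down to one question per ACE: does it grant the control-access right with GUID 9923a32a-3607-11d2-b9be-0000f87a36b2 (or all extended rights, or full control) to a principal that is not one of the default holders? The following added example, which is not BloodHound, SharpHound or Stealthbits code, answers that question over a DACL in SDDL form and flags the non-default holders, which is also what the requested built-in query would return. The sample security descriptor, the domain SID and the RIDs 1105 to 1108 are constructed for the example; the effective-rights calculation is simplified to "allow minus deny" and ignores ACE ordering, inheritance flags and the WriteDacl/WriteOwner paths that could lead to the same right indirectly.

```python
"""Find who holds the DS-Install-Replica control-access right in an SDDL DACL.

Added example (not project code). Input is the SDDL string of an object's
nTSecurityDescriptor, e.g. the domain NC head, which is where this right matters.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Extended right GUID from the AD schema (rightsGuid of the DS-Install-Replica object).
DS_INSTALL_REPLICA = "9923a32a-3607-11d2-b9be-0000f87a36b2"
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # SDDL "CR": control access (extended rights)
ADS_RIGHT_GENERIC_ALL = 0x10000000    # SDDL "GA": full control

# Only the two-letter abbreviations that matter here; other rights contribute no bits.
RIGHT_ABBREV = {"CR": ADS_RIGHT_DS_CONTROL_ACCESS, "GA": ADS_RIGHT_GENERIC_ALL}

# Default holders named in the issue: Domain Admins (RID 512), Enterprise Admins (RID 519),
# BUILTIN\Administrators. LocalSystem is added here as an assumption (it holds full
# control on the NC head by default) so it does not show up as a finding.
DEFAULT_HOLDER_RIDS = {512, 519}
DEFAULT_HOLDER_SIDS = {"S-1-5-32-544", "S-1-5-18"}
DEFAULT_HOLDER_ALIASES = {"DA", "EA", "BA", "SY"}  # SDDL aliases for the same principals


@dataclass
class Ace:
    ace_type: str      # "A"/"OA" allow, "D"/"OD" deny
    rights: int        # access mask
    object_type: str   # object GUID (lowercase) or "" when the ACE covers all objects/rights
    trustee: str       # SID or SDDL alias


def parse_rights(field: str) -> int:
    """SDDL rights are either a hex mask ("0x100") or a run of two-letter abbreviations."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_ABBREV.get(field[i:i + 2], 0)
    return mask


def parse_dacl(sddl: str) -> list[Ace]:
    """Extract the ACEs of the D: section; each ACE is (type;flags;rights;obj;inh_obj;sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, skip rather than guess
        ace_type, _flags, rights, obj, _inh_obj, sid = fields[:6]
        aces.append(Ace(ace_type, parse_rights(rights), obj.lower(), sid))
    return aces


def covers_install_replica(ace: Ace) -> bool:
    """True if the ACE's mask/object pair reaches DS-Install-Replica (allow or deny)."""
    if ace.rights & ADS_RIGHT_GENERIC_ALL:
        return True
    if not ace.rights & ADS_RIGHT_DS_CONTROL_ACCESS:
        return False
    # CR with no object GUID means every extended right; otherwise it must be this GUID.
    return ace.object_type in ("", DS_INSTALL_REPLICA)


def install_replica_holders(sddl: str) -> set[str]:
    """Trustees granted the right and not also explicitly denied it (simplified evaluation)."""
    allowed: set[str] = set()
    denied: set[str] = set()
    for ace in parse_dacl(sddl):
        if covers_install_replica(ace):
            (allowed if ace.ace_type in ("A", "OA") else denied).add(ace.trustee)
    return allowed - denied


def is_default_holder(trustee: str) -> bool:
    if trustee in DEFAULT_HOLDER_ALIASES or trustee in DEFAULT_HOLDER_SIDS:
        return True
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", trustee)
    return bool(m) and int(m.group(1)) in DEFAULT_HOLDER_RIDS


def non_default_holders(sddl: str) -> set[str]:
    """The finding: principals with DS-Install-Replica that are not the expected admin groups."""
    return {t for t in install_replica_holders(sddl) if not is_default_holder(t)}


# Constructed sample DACL for a domain NC head (not taken from any real environment).
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_DACL = (
    "O:DAG:DAD:AI"
    f"(A;;CR;;;{DOMAIN_SID}-512)"                                   # Domain Admins: all extended rights
    f"(A;;GA;;;{DOMAIN_SID}-519)"                                   # Enterprise Admins: full control
    f"(OA;;CR;{DS_INSTALL_REPLICA};;S-1-5-32-544)"                  # Administrators: this right only
    f"(OA;;CR;{DS_INSTALL_REPLICA};;{DOMAIN_SID}-1105)"             # custom group: the finding
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN_SID}-1106)"  # Get-Changes only: no hit
    f"(OA;;CR;{DS_INSTALL_REPLICA};;{DOMAIN_SID}-1107)"             # granted ...
    f"(OD;;CR;{DS_INSTALL_REPLICA};;{DOMAIN_SID}-1107)"             # ... but explicitly denied
    f"(A;;RPLCLORC;;;{DOMAIN_SID}-1108)"                            # read-only rights: no hit
)

if __name__ == "__main__":
    for sid in sorted(install_replica_holders(SAMPLE_DACL)):
        tag = "default" if is_default_holder(sid) else "NON-DEFAULT"
        print(f"{tag:12} {sid}")
```

Run against the sample, only the RID 1105 group is reported as a non-default holder; the Get-Changes-only group, the read-only group and the allow-then-deny group are correctly left out. On a real domain the SDDL comes from the nTSecurityDescriptor of the domain object (for example via an LDAP query with the SDDL conversion of whatever client library is used), and any non-default hit is a candidate for the promote-to-DC path described in the use case.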