From d457e4c06f17a8c4f4a968917153fdedc6723fe1 Mon Sep 17 00:00:00 2001 From: Brandon Shearin Date: Thu, 3 Oct 2024 08:33:28 -0700 Subject: [PATCH 1/5] testing --- packages/go/cypher/models/cypher/format/format.go | 9 +++++++++ packages/go/cypher/models/cypher/format/format_test.go | 2 +- packages/go/cypher/test/cases/positive_tests.json | 8 ++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/packages/go/cypher/models/cypher/format/format.go b/packages/go/cypher/models/cypher/format/format.go index 7eaa3ab06..5a68375e2 100644 --- a/packages/go/cypher/models/cypher/format/format.go +++ b/packages/go/cypher/models/cypher/format/format.go @@ -23,6 +23,7 @@ import ( "strings" "github.com/specterops/bloodhound/cypher/models/cypher" + "github.com/specterops/bloodhound/graphschema/ad" "github.com/specterops/bloodhound/dawgs/graph" ) @@ -37,6 +38,14 @@ func writeJoinedKinds(output io.Writer, delimiter string, kinds graph.Kinds) err } } + if kind == "ALL_AD_ATTACKS" { + for _, relType := range ad.PathfindingRelationships() { + if _, err := io.WriteString(output, relType.String()+delimiter); err != nil { + return err + } + } + } + if _, err := io.WriteString(output, kind.String()); err != nil { return err } diff --git a/packages/go/cypher/models/cypher/format/format_test.go b/packages/go/cypher/models/cypher/format/format_test.go index 007acc8e0..00b6337b6 100644 --- a/packages/go/cypher/models/cypher/format/format_test.go +++ b/packages/go/cypher/models/cypher/format/format_test.go @@ -43,7 +43,7 @@ func TestCypherEmitter_StripLiterals(t *testing.T) { } func TestCypherEmitter_HappyPath(t *testing.T) { - test.LoadFixture(t, test.MutationTestCases).Run(t) + // test.LoadFixture(t, test.MutationTestCases).Run(t) test.LoadFixture(t, test.PositiveTestCases).Run(t) } diff --git a/packages/go/cypher/test/cases/positive_tests.json b/packages/go/cypher/test/cases/positive_tests.json index e1f6c7aef..6300c160c 100644 
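Review bot: After the new expansion loop in writeJoinedKinds the code still falls through to the unconditional `io.WriteString(output, kind.String())`, so the literal `ALL_AD_ATTACKS` label is emitted after the expanded names instead of being replaced by them. The loop writes `delimiter` after every relType, which only yields a well-formed list because of that fall-through. Comparing against the string literal `"ALL_AD_ATTACKS"` duplicates a label the schema packages should own; a named kind constant would keep the two in sync. Patch 2/5 reworks this branch, so squashing the two would keep this intermediate state out of history. The function starts and ends outside the hunk.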
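Review bot: `test.LoadFixture(t, test.MutationTestCases).Run(t)` is commented out in TestCypherEmitter_HappyPath, which drops the mutation fixtures from this test for as long as this commit stands. If that was only to isolate the new case while debugging, it should not be part of the commit; patch 4/5 restores the line, so the series would read cleaner squashed. If the mutation cases genuinely fail with the new expansion, that belongs in the commit message rather than in a silenced test.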
--- a/packages/go/cypher/test/cases/positive_tests.json +++ b/packages/go/cypher/test/cases/positive_tests.json @@ -1,5 +1,13 @@ { "test_cases": [ + { + "name": "brandon testing", + "type": "string_match", + "details": { + "query": "match p = (a)-[:Mon|Tues|Weds]->(b) return p", + "complexity": 3 + } + }, { "name": "Match all nodes in the graph", "type": "string_match", From f7b3317a2f15fdc90d59b27d5238607c63a4a25b Mon Sep 17 00:00:00 2001 From: Brandon Shearin Date: Thu, 3 Oct 2024 09:01:07 -0700 Subject: [PATCH 2/5] add ALL_AD_ATTACKS to cue --- cmd/api/src/api/tools/analysis_schedule.go | 16 ++++++++++++++ .../src/api/tools/analysis_schedule_test.go | 16 ++++++++++++++ packages/cue/bh/ad/ad.cue | 6 ++++++ .../go/cypher/models/cypher/format/format.go | 21 ++++++++++++------- .../go/cypher/test/cases/positive_tests.json | 5 +++-- packages/go/graphschema/ad/ad.go | 4 ++-- packages/go/graphschema/azure/azure.go | 1 - packages/go/graphschema/common/common.go | 1 - .../bh-shared-ui/src/graphSchema.ts | 3 +++ 9 files changed, 60 insertions(+), 13 deletions(-) diff --git a/cmd/api/src/api/tools/analysis_schedule.go b/cmd/api/src/api/tools/analysis_schedule.go index b19b234c6..84f22dd63 100644 --- a/cmd/api/src/api/tools/analysis_schedule.go +++ b/cmd/api/src/api/tools/analysis_schedule.go @@ -1,3 +1,19 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + package tools import ( 
diff --git a/cmd/api/src/api/tools/analysis_schedule_test.go b/cmd/api/src/api/tools/analysis_schedule_test.go index 51c272e9a..9693cbb85 100644 --- a/cmd/api/src/api/tools/analysis_schedule_test.go +++ b/cmd/api/src/api/tools/analysis_schedule_test.go @@ -1,3 +1,19 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + package tools_test import ( diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue index 4ba6091a2..418d572d4 100644 --- a/packages/cue/bh/ad/ad.cue +++ b/packages/cue/bh/ad/ad.cue @@ -1293,6 +1293,11 @@ SyncedToEntraUser: types.#Kind & { schema: "active_directory" } +ALL_AD_ATTACKS: types.#Kind & { + symbol: "ALL_AD_ATTACKS" + schema: "active_directory" +} + // Relationship Kinds RelationshipKinds: [ Owns, @@ -1364,6 +1369,7 @@ RelationshipKinds: [ ADCSESC10b, ADCSESC13, SyncedToEntraUser, + ALL_AD_ATTACKS ] // ACL Relationships diff --git a/packages/go/cypher/models/cypher/format/format.go b/packages/go/cypher/models/cypher/format/format.go index 5a68375e2..26b37691e 100644 --- a/packages/go/cypher/models/cypher/format/format.go +++ b/packages/go/cypher/models/cypher/format/format.go 
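Review bot: `ALL_AD_ATTACKS` is declared exactly like a real edge kind and appended to `RelationshipKinds`, so everything built from that list (ad.go `Relationships()` and the TypeScript `ActiveDirectoryRelationshipKind` enum later in this patch) treats a query-only alias as an edge that can exist in the graph. Anything that validates or enumerates edge kinds from that list would presumably accept or display it, and an edge actually stored under that label could not be matched by name, because the formatter rewrites the label. A separate list for shortcut kinds (for example a `ShortcutKinds` list next to `RelationshipKinds`) would keep the alias out of the real schema. The same applies to the azure.cue hunk in patch 3/5 and to common.cue in patch 5/5, where both aliases are again placed in `RelationshipKinds`. The new entry also lacks the trailing comma the other list entries carry.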
@@ -38,16 +38,23 @@ func writeJoinedKinds(output io.Writer, delimiter string, kinds graph.Kinds) err } } - if kind == "ALL_AD_ATTACKS" { - for _, relType := range ad.PathfindingRelationships() { - if _, err := io.WriteString(output, relType.String()+delimiter); err != nil { + // expand token to all pathfinding relationships in AD + if kind == ad.AllADAttacks { + for idx, relType := range ad.PathfindingRelationships() { + if idx > 0 { + if _, err := io.WriteString(output, delimiter); err != nil { + return err + } + } + + if _, err := io.WriteString(output, relType.String()); err != nil { return err } } - } - - if _, err := io.WriteString(output, kind.String()); err != nil { - return err + } else { + if _, err := io.WriteString(output, kind.String()); err != nil { + return err + } } } diff --git a/packages/go/cypher/test/cases/positive_tests.json b/packages/go/cypher/test/cases/positive_tests.json index 6300c160c..e2fd52a9c 100644 --- a/packages/go/cypher/test/cases/positive_tests.json +++ b/packages/go/cypher/test/cases/positive_tests.json @@ -4,9 +4,10 @@ "name": "brandon testing", "type": "string_match", "details": { - "query": "match p = (a)-[:Mon|Tues|Weds]->(b) return p", + "query": "match p = (a)-[:CanRDP|ALL_AD_ATTACKS]->(b) return p", "complexity": 3 - } + }, + "targeted": true }, { "name": "Match all nodes in the graph", diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go index cef7bba52..1a499ee7d 100644 --- a/packages/go/graphschema/ad/ad.go +++ b/packages/go/graphschema/ad/ad.go @@ -21,7 +21,6 @@ package ad import ( "errors" - graph "github.com/specterops/bloodhound/dawgs/graph" ) @@ -111,6 +110,7 @@ var ( ADCSESC10b = graph.StringKind("ADCSESC10b") ADCSESC13 = graph.StringKind("ADCSESC13") SyncedToEntraUser = graph.StringKind("SyncedToEntraUser") + ALL_AD_ATTACKS = graph.StringKind("ALL_AD_ATTACKS") ) type Property string 
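Review bot: The new branch compares against `ad.AllADAttacks`, but the ad.go hunk in this same patch declares the variable as `ALL_AD_ATTACKS`; unless `AllADAttacks` is defined somewhere outside the visible diff, this commit does not build on its own and only compiles once patch 3/5 renames the variable. Either use `ad.ALL_AD_ATTACKS` here or fold the rename into this patch so each commit in the series bisects cleanly. The inner loop also appears to repeat the index-based delimiter handling of the enclosing loop; a small helper that writes a delimiter-joined list of kind names would serve both. writeJoinedKinds starts before and ends after the hunk.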
@@ -858,7 +858,7 @@ func Nodes() []graph.Kind { return []graph.Kind{Entity, User, Computer, Group, GPO, OU, Container, Domain, LocalGroup, LocalUser, AIACA, RootCA, EnterpriseCA, NTAuthStore, CertTemplate, IssuancePolicy} } func Relationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, 
WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, ALL_AD_ATTACKS} } func ACLRelationships() []graph.Kind { return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag} diff --git a/packages/go/graphschema/azure/azure.go b/packages/go/graphschema/azure/azure.go index 787ee392e..00b20f190 100644 --- a/packages/go/graphschema/azure/azure.go +++ b/packages/go/graphschema/azure/azure.go @@ -21,7 +21,6 @@ package azure import ( "errors" - graph "github.com/specterops/bloodhound/dawgs/graph" ) diff --git a/packages/go/graphschema/common/common.go b/packages/go/graphschema/common/common.go index 9320bb8d2..6fd161585 100644 --- a/packages/go/graphschema/common/common.go +++ b/packages/go/graphschema/common/common.go @@ -21,7 +21,6 @@ package common import ( "errors" - graph "github.com/specterops/bloodhound/dawgs/graph" ) diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts index ec571e522..932009e39 100644 --- a/packages/javascript/bh-shared-ui/src/graphSchema.ts +++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts 
@@ -140,6 +140,7 @@ export enum ActiveDirectoryRelationshipKind { ADCSESC10b = 'ADCSESC10b', ADCSESC13 = 'ADCSESC13', SyncedToEntraUser = 'SyncedToEntraUser', + ALL_AD_ATTACKS = 'ALL_AD_ATTACKS', } export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryRelationshipKind): string | undefined { switch (value) { @@ -281,6 +282,8 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR return 'ADCSESC13'; case ActiveDirectoryRelationshipKind.SyncedToEntraUser: return 'SyncedToEntraUser'; + case ActiveDirectoryRelationshipKind.ALL_AD_ATTACKS: + return 'ALL_AD_ATTACKS'; default: return undefined; } From 521208c0b8c4dceb7f2f395cca252fc79a2929a3 Mon Sep 17 00:00:00 2001 From: Brandon Shearin Date: Thu, 3 Oct 2024 11:35:10 -0700 Subject: [PATCH 3/5] testing --- packages/cue/bh/ad/ad.cue | 7 ++++--- packages/cue/bh/azure/azure.cue | 7 +++++++ .../go/cypher/models/cypher/format/format.go | 19 ++++++++----------- .../go/cypher/test/cases/positive_tests.json | 5 +++-- packages/go/graphschema/ad/ad.go | 4 ++-- packages/go/graphschema/azure/azure.go | 3 ++- .../bh-shared-ui/src/commonSearches.tsx | 6 +++--- .../bh-shared-ui/src/graphSchema.ts | 9 ++++++--- 8 files changed, 35 insertions(+), 25 deletions(-) diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue index 418d572d4..4d1109602 100644 --- a/packages/cue/bh/ad/ad.cue +++ b/packages/cue/bh/ad/ad.cue @@ -1293,9 +1293,10 @@ SyncedToEntraUser: types.#Kind & { schema: "active_directory" } -ALL_AD_ATTACKS: types.#Kind & { - symbol: "ALL_AD_ATTACKS" +AllADAttacks: types.#Kind & { + symbol: "AllADAttacks" schema: "active_directory" + representation: "ALL_AD_ATTACKS" } // Relationship Kinds @@ -1369,7 +1370,7 @@ RelationshipKinds: [ ADCSESC10b, ADCSESC13, SyncedToEntraUser, - ALL_AD_ATTACKS + AllADAttacks ] // ACL Relationships diff --git a/packages/cue/bh/azure/azure.cue b/packages/cue/bh/azure/azure.cue index 4101f0aef..475115655 100644 
--- a/packages/cue/bh/azure/azure.cue +++ b/packages/cue/bh/azure/azure.cue @@ -723,6 +723,12 @@ SyncedToADUser: types.#Kind & { representation: "SyncedToADUser" } +AllAZAttacks: types.#Kind & { + symbol: "AllAZAttacks" + schema: "azure" + representation: "ALL_AZ_ATTACKS" +} + RelationshipKinds: [ AvereContributor, Contains, @@ -771,6 +777,7 @@ RelationshipKinds: [ AZMGGrantAppRoles, AZMGGrantRole, SyncedToADUser, + AllAZAttacks ] AppRoleTransitRelationshipKinds: [ diff --git a/packages/go/cypher/models/cypher/format/format.go b/packages/go/cypher/models/cypher/format/format.go index 26b37691e..d61d74fd6 100644 --- a/packages/go/cypher/models/cypher/format/format.go +++ b/packages/go/cypher/models/cypher/format/format.go @@ -24,6 +24,7 @@ import ( "github.com/specterops/bloodhound/cypher/models/cypher" "github.com/specterops/bloodhound/graphschema/ad" + "github.com/specterops/bloodhound/graphschema/azure" "github.com/specterops/bloodhound/dawgs/graph" ) @@ -38,18 +39,14 @@ func writeJoinedKinds(output io.Writer, delimiter string, kinds graph.Kinds) err } } - // expand token to all pathfinding relationships in AD + // if kind is a shortcut edge type, further expansion is required if kind == ad.AllADAttacks { - for idx, relType := range ad.PathfindingRelationships() { - if idx > 0 { - if _, err := io.WriteString(output, delimiter); err != nil { - return err - } - } - - if _, err := io.WriteString(output, relType.String()); err != nil { - return err - } + if err := writeJoinedKinds(output, delimiter, ad.PathfindingRelationships()); err != nil { + return err + } + } else if kind == azure.AllAZAttacks { + if err := writeJoinedKinds(output, delimiter, azure.PathfindingRelationships()); err != nil { + return err } } else { if _, err := io.WriteString(output, kind.String()); err != nil { diff --git a/packages/go/cypher/test/cases/positive_tests.json b/packages/go/cypher/test/cases/positive_tests.json index e2fd52a9c..3538a17a9 100644 
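Review bot: The shortcut branches now re-enter `writeJoinedKinds` with `ad.PathfindingRelationships()` and `azure.PathfindingRelationships()`, and nothing in the hunk stops the recursion if one of those lists ever contains a shortcut kind itself. This patch already adds `AllADAttacks` and `AllAZAttacks` to `Relationships()`, so a later schema edit that also puts them into a pathfinding list would turn any query using the label into unbounded recursion inside the formatter. Writing the expanded names with a plain loop, or skipping shortcut kinds inside the expansion, removes that dependency. The expansion is keyed only on the kind value, so if this function is also used for node label lists, `(n:ALL_AD_ATTACKS)` would be rewritten into relationship names; a comment stating that the rewrite is meant for relationship patterns only, or a parameter enforcing it, would help. The function body starts and ends outside the hunk.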
--- a/packages/go/cypher/test/cases/positive_tests.json +++ b/packages/go/cypher/test/cases/positive_tests.json @@ -1,10 +1,11 @@ { "test_cases": [ { - "name": "brandon testing", + "name": "ALL_AD_ATTACKS shortcut", "type": "string_match", "details": { - "query": "match p = (a)-[:CanRDP|ALL_AD_ATTACKS]->(b) return p", + "query": "match p = ()-[:ALL_AD_ATTACKS]->() return p", + "matcher": "match p = \\(\\)-\\[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor|SyncedToEntraUser\\]->\\(\\) return p", "complexity": 3 }, "targeted": true diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go index 1a499ee7d..803c8f33e 100644 --- a/packages/go/graphschema/ad/ad.go +++ b/packages/go/graphschema/ad/ad.go @@ -110,7 +110,7 @@ var ( ADCSESC10b = graph.StringKind("ADCSESC10b") ADCSESC13 = graph.StringKind("ADCSESC13") SyncedToEntraUser = graph.StringKind("SyncedToEntraUser") - ALL_AD_ATTACKS = graph.StringKind("ALL_AD_ATTACKS") + AllADAttacks = graph.StringKind("ALL_AD_ATTACKS") ) type Property string 
@@ -858,7 +858,7 @@ func Nodes() []graph.Kind { return []graph.Kind{Entity, User, Computer, Group, GPO, OU, Container, Domain, LocalGroup, LocalUser, AIACA, RootCA, EnterpriseCA, NTAuthStore, CertTemplate, IssuancePolicy} } func Relationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, ALL_AD_ATTACKS} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, 
WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, AllADAttacks} } func ACLRelationships() []graph.Kind { return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag} diff --git a/packages/go/graphschema/azure/azure.go b/packages/go/graphschema/azure/azure.go index 00b20f190..752980d03 100644 --- a/packages/go/graphschema/azure/azure.go +++ b/packages/go/graphschema/azure/azure.go @@ -92,6 +92,7 @@ var ( AZMGGrantAppRoles = graph.StringKind("AZMGGrantAppRoles") AZMGGrantRole = graph.StringKind("AZMGGrantRole") SyncedToADUser = graph.StringKind("SyncedToADUser") + AllAZAttacks = graph.StringKind("ALL_AZ_ATTACKS") ) type Property string 
@@ -353,7 +354,7 @@ func (s Property) Is(others ...graph.Kind) bool { return false } func Relationships() []graph.Kind { - return []graph.Kind{AvereContributor, Contains, Contributor, GetCertificates, GetKeys, GetSecrets, HasRole, MemberOf, Owner, RunsAs, VMContributor, AutomationContributor, KeyVaultContributor, VMAdminLogin, AddMembers, AddSecret, ExecuteCommand, GlobalAdmin, PrivilegedAuthAdmin, Grant, GrantSelf, PrivilegedRoleAdmin, ResetPassword, UserAccessAdministrator, Owns, ScopedTo, CloudAppAdmin, AppAdmin, AddOwner, ManagedIdentity, ApplicationReadWriteAll, AppRoleAssignmentReadWriteAll, DirectoryReadWriteAll, GroupReadWriteAll, GroupMemberReadWriteAll, RoleManagementReadWriteDirectory, ServicePrincipalEndpointReadWriteAll, AKSContributor, NodeResourceGroup, WebsiteContributor, LogicAppContributor, AZMGAddMember, AZMGAddOwner, AZMGAddSecret, AZMGGrantAppRoles, AZMGGrantRole, SyncedToADUser} + return []graph.Kind{AvereContributor, Contains, Contributor, GetCertificates, GetKeys, GetSecrets, HasRole, MemberOf, Owner, RunsAs, VMContributor, AutomationContributor, KeyVaultContributor, VMAdminLogin, AddMembers, AddSecret, ExecuteCommand, GlobalAdmin, PrivilegedAuthAdmin, Grant, GrantSelf, PrivilegedRoleAdmin, ResetPassword, UserAccessAdministrator, Owns, ScopedTo, CloudAppAdmin, AppAdmin, AddOwner, ManagedIdentity, ApplicationReadWriteAll, AppRoleAssignmentReadWriteAll, DirectoryReadWriteAll, GroupReadWriteAll, GroupMemberReadWriteAll, RoleManagementReadWriteDirectory, ServicePrincipalEndpointReadWriteAll, AKSContributor, NodeResourceGroup, WebsiteContributor, LogicAppContributor, AZMGAddMember, AZMGAddOwner, AZMGAddSecret, AZMGGrantAppRoles, AZMGGrantRole, SyncedToADUser, AllAZAttacks} } func AppRoleTransitRelationshipKinds() []graph.Kind { return []graph.Kind{AZMGAddMember, AZMGAddOwner, AZMGAddSecret, AZMGGrantAppRoles, AZMGGrantRole} 
diff --git a/packages/javascript/bh-shared-ui/src/commonSearches.tsx b/packages/javascript/bh-shared-ui/src/commonSearches.tsx index c51dc2a48..694edf058 100644 --- a/packages/javascript/bh-shared-ui/src/commonSearches.tsx +++ b/packages/javascript/bh-shared-ui/src/commonSearches.tsx @@ -14,13 +14,13 @@ // // SPDX-License-Identifier: Apache-2.0 -import { ActiveDirectoryPathfindingEdges, AzurePathfindingEdges } from './graphSchema'; +import { ActiveDirectoryRelationshipKind, AzureRelationshipKind } from './graphSchema'; const categoryAD = 'Active Directory'; const categoryAzure = 'Azure'; -const azureTransitEdgeTypes = AzurePathfindingEdges().join('|'); -const adTransitEdgeTypes = ActiveDirectoryPathfindingEdges().join('|'); +const adTransitEdgeTypes = ActiveDirectoryRelationshipKind.AllADAttacks; +const azureTransitEdgeTypes = AzureRelationshipKind.AllAZAttacks; const highPrivilegedRoleDisplayNameRegex = 'Global Administrator.*|User Administrator.*|Cloud Application Administrator.*|Authentication Policy Administrator.*|Exchange Administrator.*|Helpdesk Administrator.*|Privileged Authentication Administrator.*'; diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts index 932009e39..65f0dbe87 100644 --- a/packages/javascript/bh-shared-ui/src/graphSchema.ts +++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts @@ -140,7 +140,7 @@ export enum ActiveDirectoryRelationshipKind { ADCSESC10b = 'ADCSESC10b', ADCSESC13 = 'ADCSESC13', SyncedToEntraUser = 'SyncedToEntraUser', - ALL_AD_ATTACKS = 'ALL_AD_ATTACKS', + AllADAttacks = 'ALL_AD_ATTACKS', } export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryRelationshipKind): string | undefined { switch (value) { 
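Review bot: `adTransitEdgeTypes` and `azureTransitEdgeTypes` now hold the shortcut label instead of the joined list from `ActiveDirectoryPathfindingEdges()` / `AzurePathfindingEdges()`, so every pre-built search depends on the server rewriting `ALL_AD_ATTACKS` / `ALL_AZ_ATTACKS` before execution. If any path runs these queries without going through the formatter, the pattern would presumably be treated as a literal relationship type and return no paths, and an empty result in this tool reads as "nothing found" rather than as an error. It is worth confirming that every consumer of these strings goes through the expansion, and adding a comment such as `// expanded server-side by the Cypher formatter; not a real edge kind` above the two constants. The query text shown to the user also no longer lists which edge types are traversed.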
@@ -282,8 +282,8 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR return 'ADCSESC13'; case ActiveDirectoryRelationshipKind.SyncedToEntraUser: return 'SyncedToEntraUser'; - case ActiveDirectoryRelationshipKind.ALL_AD_ATTACKS: - return 'ALL_AD_ATTACKS'; + case ActiveDirectoryRelationshipKind.AllADAttacks: + return 'AllADAttacks'; default: return undefined; } @@ -780,6 +780,7 @@ export enum AzureRelationshipKind { AZMGGrantAppRoles = 'AZMGGrantAppRoles', AZMGGrantRole = 'AZMGGrantRole', SyncedToADUser = 'SyncedToADUser', + AllAZAttacks = 'ALL_AZ_ATTACKS', } export function AzureRelationshipKindToDisplay(value: AzureRelationshipKind): string | undefined { switch (value) { @@ -877,6 +878,8 @@ export function AzureRelationshipKindToDisplay(value: AzureRelationshipKind): st return 'AZMGGrantRole'; case AzureRelationshipKind.SyncedToADUser: return 'SyncedToADUser'; + case AzureRelationshipKind.AllAZAttacks: + return 'AllAZAttacks'; default: return undefined; } From 9622f76c8f504ecd252611bd4651e7e2d25edc2d Mon Sep 17 00:00:00 2001 From: Brandon Shearin Date: Thu, 3 Oct 2024 18:14:54 -0700 Subject: [PATCH 4/5] tests added --- .../models/cypher/format/format_test.go | 2 +- .../go/cypher/test/cases/positive_tests.json | 42 ++++++++++++++----- 2 files changed, 33 insertions(+), 11 deletions(-) diff --git a/packages/go/cypher/models/cypher/format/format_test.go b/packages/go/cypher/models/cypher/format/format_test.go index 00b6337b6..007acc8e0 100644 --- a/packages/go/cypher/models/cypher/format/format_test.go +++ b/packages/go/cypher/models/cypher/format/format_test.go @@ -43,7 +43,7 @@ func TestCypherEmitter_StripLiterals(t *testing.T) { } func TestCypherEmitter_HappyPath(t *testing.T) { - // test.LoadFixture(t, test.MutationTestCases).Run(t) + test.LoadFixture(t, test.MutationTestCases).Run(t) test.LoadFixture(t, test.PositiveTestCases).Run(t) } 
diff --git a/packages/go/cypher/test/cases/positive_tests.json b/packages/go/cypher/test/cases/positive_tests.json index 3538a17a9..7dd3e87a4 100644 --- a/packages/go/cypher/test/cases/positive_tests.json +++ b/packages/go/cypher/test/cases/positive_tests.json @@ -1,15 +1,5 @@ { "test_cases": [ - { - "name": "ALL_AD_ATTACKS shortcut", - "type": "string_match", - "details": { - "query": "match p = ()-[:ALL_AD_ATTACKS]->() return p", - "matcher": "match p = \\(\\)-\\[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor|SyncedToEntraUser\\]->\\(\\) return p", - "complexity": 3 - }, - "targeted": true - }, { "name": "Match all nodes in the graph", "type": "string_match", 
@@ -922,6 +912,38 @@ "query": "match (u:User {dontreqpreauth: true}) return u", "complexity": 1 } + }, + { + "name": "ALL_AD_ATTACKS edge shortcut", + "type": "string_match", + "details": { + "query": "match p = ()-[:ALL_AD_ATTACKS]->() return p", + "matcher": "match\\s+p\\s*=\\s*\\(\\)\\s*-\\[:Owns\\|GenericAll\\|GenericWrite\\|WriteOwner\\|WriteDacl\\|MemberOf\\|ForceChangePassword\\|AllExtendedRights\\|AddMember\\|HasSession\\|Contains\\|GPLink\\|AllowedToDelegate\\|TrustedBy\\|AllowedToAct\\|AdminTo\\|CanPSRemote\\|CanRDP\\|ExecuteDCOM\\|HasSIDHistory\\|AddSelf\\|DCSync\\|ReadLAPSPassword\\|ReadGMSAPassword\\|DumpSMSAPassword\\|SQLAdmin\\|AddAllowedToAct\\|WriteSPN\\|AddKeyCredentialLink\\|SyncLAPSPassword\\|WriteAccountRestrictions\\|WriteGPLink\\|GoldenCert\\|ADCSESC1\\|ADCSESC3\\|ADCSESC4\\|ADCSESC5\\|ADCSESC6a\\|ADCSESC6b\\|ADCSESC7\\|ADCSESC9a\\|ADCSESC9b\\|ADCSESC10a\\|ADCSESC10b\\|ADCSESC13\\|DCFor\\|SyncedToEntraUser\\]->\\(\\)\\s+return\\s+p" + } + }, + { + "name": "ALL_AZ_ATTACKS edge shortcut", + "type": "string_match", + "details": { + "query": "match p = ()-[:ALL_AZ_ATTACKS]->() return p", + "matcher": "match\\s+p\\s*=\\s*\\(\\)\\s*-\\[:AZAvereContributor\\|AZContains\\|AZContributor\\|AZGetCertificates\\|AZGetKeys\\|AZGetSecrets\\|AZHasRole\\|AZMemberOf\\|AZOwner\\|AZRunsAs\\|AZVMContributor\\|AZAutomationContributor\\|AZKeyVaultContributor\\|AZVMAdminLogin\\|AZAddMembers\\|AZAddSecret\\|AZExecuteCommand\\|AZGlobalAdmin\\|AZPrivilegedAuthAdmin\\|AZGrant\\|AZGrantSelf\\|AZPrivilegedRoleAdmin\\|AZResetPassword\\|AZUserAccessAdministrator\\|AZOwns\\|AZCloudAppAdmin\\|AZAppAdmin\\|AZAddOwner\\|AZManagedIdentity\\|AZAKSContributor\\|AZNodeResourceGroup\\|AZWebsiteContributor\\|AZLogicAppContributor\\|AZMGAddMember\\|AZMGAddOwner\\|AZMGAddSecret\\|AZMGGrantAppRoles\\|AZMGGrantRole\\|SyncedToADUser\\]->\\(\\)\\s+return\\s+p" + } + }, + { + "name": "ALL_AD_ATTACKS edge shortcut with extra edge after", + "type": "string_match", + "details": { + "query": 
"match p = ()-[:ALL_AD_ATTACKS|ExtraEdge]->() return p", + "matcher": "match\\s+p\\s*=\\s*\\(\\)\\s*-\\[:Owns\\|GenericAll\\|GenericWrite\\|WriteOwner\\|WriteDacl\\|MemberOf\\|ForceChangePassword\\|AllExtendedRights\\|AddMember\\|HasSession\\|Contains\\|GPLink\\|AllowedToDelegate\\|TrustedBy\\|AllowedToAct\\|AdminTo\\|CanPSRemote\\|CanRDP\\|ExecuteDCOM\\|HasSIDHistory\\|AddSelf\\|DCSync\\|ReadLAPSPassword\\|ReadGMSAPassword\\|DumpSMSAPassword\\|SQLAdmin\\|AddAllowedToAct\\|WriteSPN\\|AddKeyCredentialLink\\|SyncLAPSPassword\\|WriteAccountRestrictions\\|WriteGPLink\\|GoldenCert\\|ADCSESC1\\|ADCSESC3\\|ADCSESC4\\|ADCSESC5\\|ADCSESC6a\\|ADCSESC6b\\|ADCSESC7\\|ADCSESC9a\\|ADCSESC9b\\|ADCSESC10a\\|ADCSESC10b\\|ADCSESC13\\|DCFor\\|SyncedToEntraUser\\|ExtraEdge\\]->\\(\\)\\s+return\\s+p" + } + }, + { + "name": "ALL_AD_ATTACKS edge shortcut with extra edge before", + "type": "string_match", + "details": { + "query": "match p = ()-[:ExtraEdge|ALL_AD_ATTACKS]->() return p", + "matcher": "match\\s+p\\s*=\\s*\\(\\)\\s*-\\[:ExtraEdge\\|Owns\\|GenericAll\\|GenericWrite\\|WriteOwner\\|WriteDacl\\|MemberOf\\|ForceChangePassword\\|AllExtendedRights\\|AddMember\\|HasSession\\|Contains\\|GPLink\\|AllowedToDelegate\\|TrustedBy\\|AllowedToAct\\|AdminTo\\|CanPSRemote\\|CanRDP\\|ExecuteDCOM\\|HasSIDHistory\\|AddSelf\\|DCSync\\|ReadLAPSPassword\\|ReadGMSAPassword\\|DumpSMSAPassword\\|SQLAdmin\\|AddAllowedToAct\\|WriteSPN\\|AddKeyCredentialLink\\|SyncLAPSPassword\\|WriteAccountRestrictions\\|WriteGPLink\\|GoldenCert\\|ADCSESC1\\|ADCSESC3\\|ADCSESC4\\|ADCSESC5\\|ADCSESC6a\\|ADCSESC6b\\|ADCSESC7\\|ADCSESC9a\\|ADCSESC9b\\|ADCSESC10a\\|ADCSESC10b\\|ADCSESC13\\|DCFor\\|SyncedToEntraUser\\]->\\(\\)\\s+return\\s+p" + } } ] } \ No newline at end of file From 3977af1d679730991b3d089fbf625e8e60d31978 Mon Sep 17 00:00:00 2001 
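Review bot: The four new cases cover each shortcut alone and `ALL_AD_ATTACKS` with one extra edge before or after it, but not a pattern where an expanded kind is also named explicitly (for example `[:CanRDP|ALL_AD_ATTACKS]`, the shape used in patch 2/5) or where both shortcuts appear together. Those are the inputs where the formatter emits duplicate relationship types, so the expected output should be pinned by a test either way. The matchers are not anchored with `^` and `$`, so depending on how the harness applies them, extra leading or trailing output may still pass. The Active Directory list is also repeated by hand in three matchers, which will all need editing whenever the pathfinding list changes.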
From: Brandon Shearin Date: Thu, 3 Oct 2024 18:54:50 -0700 Subject: [PATCH 5/5] put edge shortcuts into common --- packages/cue/bh/ad/ad.cue | 9 +-------- packages/cue/bh/azure/azure.cue | 9 +-------- packages/cue/bh/common/common.cue | 14 +++++++++++++ .../go/cypher/models/cypher/format/format.go | 5 +++-- packages/go/graphschema/ad/ad.go | 3 +-- packages/go/graphschema/azure/azure.go | 3 +-- packages/go/graphschema/common/common.go | 4 +++- .../bh-shared-ui/src/commonSearches.tsx | 6 +++--- .../bh-shared-ui/src/graphSchema.ts | 20 +++++++++++++------ 9 files changed, 41 insertions(+), 32 deletions(-) diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue index 4d1109602..dd71d1bca 100644 --- a/packages/cue/bh/ad/ad.cue +++ b/packages/cue/bh/ad/ad.cue @@ -1293,12 +1293,6 @@ SyncedToEntraUser: types.#Kind & { schema: "active_directory" } -AllADAttacks: types.#Kind & { - symbol: "AllADAttacks" - schema: "active_directory" - representation: "ALL_AD_ATTACKS" -} - // Relationship Kinds RelationshipKinds: [ Owns, @@ -1369,8 +1363,7 @@ RelationshipKinds: [ ADCSESC10a, ADCSESC10b, ADCSESC13, - SyncedToEntraUser, - AllADAttacks + SyncedToEntraUser ] // ACL Relationships diff --git a/packages/cue/bh/azure/azure.cue b/packages/cue/bh/azure/azure.cue index 475115655..f08d3ead4 100644 --- a/packages/cue/bh/azure/azure.cue +++ b/packages/cue/bh/azure/azure.cue @@ -723,12 +723,6 @@ SyncedToADUser: types.#Kind & { representation: "SyncedToADUser" } -AllAZAttacks: types.#Kind & { - symbol: "AllAZAttacks" - schema: "azure" - representation: "ALL_AZ_ATTACKS" -} - RelationshipKinds: [ AvereContributor, Contains, @@ -776,8 +770,7 @@ RelationshipKinds: [ AZMGAddSecret, AZMGGrantAppRoles, AZMGGrantRole, - SyncedToADUser, - AllAZAttacks + SyncedToADUser ] AppRoleTransitRelationshipKinds: [ diff --git a/packages/cue/bh/common/common.cue b/packages/cue/bh/common/common.cue index a24f1d5f9..ed10a44d4 100644 --- a/packages/cue/bh/common/common.cue 
+++ b/packages/cue/bh/common/common.cue @@ -162,9 +162,23 @@ MigrationData: types.#Kind & { representation: "MigrationData" } +AllADAttacks: types.#Kind & { + symbol: "AllADAttacks" + schema: "active_directory" + representation: "ALL_AD_ATTACKS" +} + +AllAZAttacks: types.#Kind & { + symbol: "AllAZAttacks" + schema: "azure" + representation: "ALL_AZ_ATTACKS" +} + NodeKinds: [ MigrationData, ] RelationshipKinds: [ + AllADAttacks, + AllAZAttacks ] diff --git a/packages/go/cypher/models/cypher/format/format.go b/packages/go/cypher/models/cypher/format/format.go index d61d74fd6..5a6ebb585 100644 --- a/packages/go/cypher/models/cypher/format/format.go +++ b/packages/go/cypher/models/cypher/format/format.go @@ -25,6 +25,7 @@ import ( "github.com/specterops/bloodhound/cypher/models/cypher" "github.com/specterops/bloodhound/graphschema/ad" "github.com/specterops/bloodhound/graphschema/azure" + "github.com/specterops/bloodhound/graphschema/common" "github.com/specterops/bloodhound/dawgs/graph" ) @@ -40,11 +41,11 @@ func writeJoinedKinds(output io.Writer, delimiter string, kinds graph.Kinds) err } // if kind is a shortcut edge type, further expansion is required - if kind == ad.AllADAttacks { + if kind == common.AllADAttacks { if err := writeJoinedKinds(output, delimiter, ad.PathfindingRelationships()); err != nil { return err } - } else if kind == azure.AllAZAttacks { + } else if kind == common.AllAZAttacks { if err := writeJoinedKinds(output, delimiter, azure.PathfindingRelationships()); err != nil { return err } diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go index 803c8f33e..27e38f0da 100644 --- a/packages/go/graphschema/ad/ad.go +++ b/packages/go/graphschema/ad/ad.go @@ -110,7 +110,6 @@ var ( ADCSESC10b = graph.StringKind("ADCSESC10b") ADCSESC13 = graph.StringKind("ADCSESC13") SyncedToEntraUser = graph.StringKind("SyncedToEntraUser") - AllADAttacks = graph.StringKind("ALL_AD_ATTACKS") ) type Property string 
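Review bot: The expansion lives only in the text formatter, so any code that inspects the parsed query model before it is rendered still sees one relationship kind where the emitted query has dozens. If query complexity or cost limits are computed on the model (the first test case in this series carried a `complexity` value, the final shortcut cases do not), a single `ALL_AD_ATTACKS` token may be scored well below the pattern that is actually executed; confirming where that scoring runs relative to this expansion would be worthwhile. The change also makes the generic format package import `graphschema/ad`, `graphschema/azure` and `graphschema/common`; passing the shortcut table in from the caller would keep the formatter schema-agnostic. A doc comment on writeJoinedKinds describing the rewrite is missing, for example `// writeJoinedKinds writes kinds joined by delimiter, replacing shortcut kinds with their pathfinding relationship lists.` The function starts and ends outside the hunk.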
@@ -858,7 +857,7 @@ func Nodes() []graph.Kind { return []graph.Kind{Entity, User, Computer, Group, GPO, OU, Container, Domain, LocalGroup, LocalUser, AIACA, RootCA, EnterpriseCA, NTAuthStore, CertTemplate, IssuancePolicy} } func Relationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, AllADAttacks} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, 
WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser} } func ACLRelationships() []graph.Kind { return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag} diff --git a/packages/go/graphschema/azure/azure.go b/packages/go/graphschema/azure/azure.go index 752980d03..00b20f190 100644 --- a/packages/go/graphschema/azure/azure.go +++ b/packages/go/graphschema/azure/azure.go @@ -92,7 +92,6 @@ var ( AZMGGrantAppRoles = graph.StringKind("AZMGGrantAppRoles") AZMGGrantRole = graph.StringKind("AZMGGrantRole") SyncedToADUser = graph.StringKind("SyncedToADUser") - AllAZAttacks = graph.StringKind("ALL_AZ_ATTACKS") ) type Property string 
@@ -354,7 +353,7 @@ func (s Property) Is(others ...graph.Kind) bool { return false } func Relationships() []graph.Kind { - return []graph.Kind{AvereContributor, Contains, Contributor, GetCertificates, GetKeys, GetSecrets, HasRole, MemberOf, Owner, RunsAs, VMContributor, AutomationContributor, KeyVaultContributor, VMAdminLogin, AddMembers, AddSecret, ExecuteCommand, GlobalAdmin, PrivilegedAuthAdmin, Grant, GrantSelf, PrivilegedRoleAdmin, ResetPassword, UserAccessAdministrator, Owns, ScopedTo, CloudAppAdmin, AppAdmin, AddOwner, ManagedIdentity, ApplicationReadWriteAll, AppRoleAssignmentReadWriteAll, DirectoryReadWriteAll, GroupReadWriteAll, GroupMemberReadWriteAll, RoleManagementReadWriteDirectory, ServicePrincipalEndpointReadWriteAll, AKSContributor, NodeResourceGroup, WebsiteContributor, LogicAppContributor, AZMGAddMember, AZMGAddOwner, AZMGAddSecret, AZMGGrantAppRoles, AZMGGrantRole, SyncedToADUser, AllAZAttacks} + return []graph.Kind{AvereContributor, Contains, Contributor, GetCertificates, GetKeys, GetSecrets, HasRole, MemberOf, Owner, RunsAs, VMContributor, AutomationContributor, KeyVaultContributor, VMAdminLogin, AddMembers, AddSecret, ExecuteCommand, GlobalAdmin, PrivilegedAuthAdmin, Grant, GrantSelf, PrivilegedRoleAdmin, ResetPassword, UserAccessAdministrator, Owns, ScopedTo, CloudAppAdmin, AppAdmin, AddOwner, ManagedIdentity, ApplicationReadWriteAll, AppRoleAssignmentReadWriteAll, DirectoryReadWriteAll, GroupReadWriteAll, GroupMemberReadWriteAll, RoleManagementReadWriteDirectory, ServicePrincipalEndpointReadWriteAll, AKSContributor, NodeResourceGroup, WebsiteContributor, LogicAppContributor, AZMGAddMember, AZMGAddOwner, AZMGAddSecret, AZMGGrantAppRoles, AZMGGrantRole, SyncedToADUser} } func AppRoleTransitRelationshipKinds() []graph.Kind { return []graph.Kind{AZMGAddMember, AZMGAddOwner, AZMGAddSecret, AZMGGrantAppRoles, AZMGGrantRole} 
diff --git a/packages/go/graphschema/common/common.go b/packages/go/graphschema/common/common.go index 6fd161585..61f7ebce6 100644 --- a/packages/go/graphschema/common/common.go +++ b/packages/go/graphschema/common/common.go @@ -26,6 +26,8 @@ import ( var ( MigrationData = graph.StringKind("MigrationData") + AllADAttacks = graph.StringKind("ALL_AD_ATTACKS") + AllAZAttacks = graph.StringKind("ALL_AZ_ATTACKS") ) type Property string @@ -178,7 +180,7 @@ func Nodes() []graph.Kind { return []graph.Kind{MigrationData} } func Relationships() []graph.Kind { - return []graph.Kind{} + return []graph.Kind{AllADAttacks, AllAZAttacks} } func NodeKinds() []graph.Kind { return []graph.Kind{MigrationData} diff --git a/packages/javascript/bh-shared-ui/src/commonSearches.tsx b/packages/javascript/bh-shared-ui/src/commonSearches.tsx index 694edf058..0a846f6b3 100644 --- a/packages/javascript/bh-shared-ui/src/commonSearches.tsx +++ b/packages/javascript/bh-shared-ui/src/commonSearches.tsx @@ -14,13 +14,13 @@ // // SPDX-License-Identifier: Apache-2.0 -import { ActiveDirectoryRelationshipKind, AzureRelationshipKind } from './graphSchema'; +import { CommonRelationshipKind } from './graphSchema'; const categoryAD = 'Active Directory'; const categoryAzure = 'Azure'; -const adTransitEdgeTypes = ActiveDirectoryRelationshipKind.AllADAttacks; -const azureTransitEdgeTypes = AzureRelationshipKind.AllAZAttacks; +const adTransitEdgeTypes = CommonRelationshipKind.AllADAttacks; +const azureTransitEdgeTypes = CommonRelationshipKind.AllAZAttacks; const highPrivilegedRoleDisplayNameRegex = 'Global Administrator.*|User Administrator.*|Cloud Application Administrator.*|Authentication Policy Administrator.*|Exchange Administrator.*|Helpdesk Administrator.*|Privileged Authentication Administrator.*'; diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts index 65f0dbe87..3fc35376f 100644 
--- a/packages/javascript/bh-shared-ui/src/graphSchema.ts +++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts @@ -140,7 +140,6 @@ export enum ActiveDirectoryRelationshipKind { ADCSESC10b = 'ADCSESC10b', ADCSESC13 = 'ADCSESC13', SyncedToEntraUser = 'SyncedToEntraUser', - AllADAttacks = 'ALL_AD_ATTACKS', } export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryRelationshipKind): string | undefined { switch (value) { @@ -282,8 +281,6 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR return 'ADCSESC13'; case ActiveDirectoryRelationshipKind.SyncedToEntraUser: return 'SyncedToEntraUser'; - case ActiveDirectoryRelationshipKind.AllADAttacks: - return 'AllADAttacks'; default: return undefined; } @@ -780,7 +777,6 @@ export enum AzureRelationshipKind { AZMGGrantAppRoles = 'AZMGGrantAppRoles', AZMGGrantRole = 'AZMGGrantRole', SyncedToADUser = 'SyncedToADUser', - AllAZAttacks = 'ALL_AZ_ATTACKS', } export function AzureRelationshipKindToDisplay(value: AzureRelationshipKind): string | undefined { switch (value) { @@ -878,8 +874,6 @@ export function AzureRelationshipKindToDisplay(value: AzureRelationshipKind): st return 'AZMGGrantRole'; case AzureRelationshipKind.SyncedToADUser: return 'SyncedToADUser'; - case AzureRelationshipKind.AllAZAttacks: - return 'AllAZAttacks'; default: return undefined; } @@ -1043,6 +1037,20 @@ export function CommonNodeKindToDisplay(value: CommonNodeKind): string | undefin return undefined; } } +export enum CommonRelationshipKind { + AllADAttacks = 'ALL_AD_ATTACKS', + AllAZAttacks = 'ALL_AZ_ATTACKS', +} +export function CommonRelationshipKindToDisplay(value: CommonRelationshipKind): string | undefined { + switch (value) { + case CommonRelationshipKind.AllADAttacks: + return 'AllADAttacks'; + case CommonRelationshipKind.AllAZAttacks: + return 'AllAZAttacks'; + default: + return undefined; + } +} export enum CommonKindProperties { ObjectID = 'objectid', Name = 'name',