SpecterOps · JonasBK · Oct 14, 2024 · Oct 14, 2024 · Oct 16, 2024 · Oct 16, 2024
diff --git a/cmd/api/src/test/fixtures/fixtures/expected_ingest.go b/cmd/api/src/test/fixtures/fixtures/expected_ingest.go
@@ -157,6 +157,12 @@ var (
 			query.Kind(query.Relationship(), ad.HasSession),
 			query.Kind(query.End(), ad.User),
 			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-1108")),
+		query.And(
+			query.Kind(query.Start(), ad.Computer),
+			query.Equals(query.StartProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-2120"),
+			query.Kind(query.Relationship(), ad.CoerceToTGT),
+			query.Kind(query.End(), ad.Domain),
+			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446")),
 
 		//// GPOs
 		query.And(
@@ -242,6 +248,12 @@ var (
 			query.Kind(query.Relationship(), ad.AllExtendedRights),
 			query.Kind(query.End(), ad.User),
 			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-1106")),
+		query.And(
+			query.Kind(query.Start(), ad.User),
+			query.Equals(query.StartProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446-2125"),
+			query.Kind(query.Relationship(), ad.CoerceToTGT),
+			query.Kind(query.End(), ad.Domain),
+			query.Equals(query.EndProperty(common.ObjectID.String()), "S-1-5-21-3130019616-2776909439-2417379446")),
 
 		//// SESSIONS
 		query.And(

diff --git a/cmd/api/src/test/fixtures/fixtures/v6/ingest/computers.json b/cmd/api/src/test/fixtures/fixtures/v6/ingest/computers.json
@@ -475,6 +475,8 @@
                 "sidhistory": [
                 ]
             },
+            "UnconstrainedDelegation": true,
+            "DomainSID": "S-1-5-21-3130019616-2776909439-2417379446",
             "PrimaryGroupSID": "S-1-5-21-3130019616-2776909439-2417379446-515",
             "AllowedToDelegate": [
             ],

diff --git a/cmd/api/src/test/fixtures/fixtures/v6/ingest/users.json b/cmd/api/src/test/fixtures/fixtures/v6/ingest/users.json
@@ -889,6 +889,39 @@
             "IsDeleted": false,
             "IsACLProtected": false
         },
+        {
+            "Properties": {
+                "domain": "TESTLAB.LOCAL",
+                "name": "[email protected]",
+                "distinguishedname": "CN\u003dADDALLOWEDTOACTTEST,CN\u003dUSERS,DC\u003dTESTLAB,DC\u003dLOCAL",
+                "domainsid": "S-1-5-21-3130019616-2776909439-2417379446",
+                "whencreated": 1617618036,
+                "sensitive": false,
+                "dontreqpreauth": false,
+                "passwordnotreqd": false,
+                "unconstraineddelegation": true,
+                "pwdneverexpires": true,
+                "enabled": true,
+                "trustedtoauth": false,
+                "lastlogon": 0,
+                "lastlogontimestamp": -1,
+                "pwdlastset": 1617643236,
+                "serviceprincipalnames": [],
+                "hasspn": false,
+                "admincount": false,
+                "sidhistory": []
+            },
+            "AllowedToDelegate": [],
+            "DomainSID": "S-1-5-21-3130019616-2776909439-2417379446",
+            "UnconstrainedDelegation": true,
+            "PrimaryGroupSID": "S-1-5-21-3130019616-2776909439-2417379446-513",
+            "HasSIDHistory": [],
+            "SpnTargets": [],
+            "Aces": [],
+            "ObjectIdentifier": "S-1-5-21-3130019616-2776909439-2417379446-2125",
+            "IsDeleted": false,
+            "IsACLProtected": false
+        },
         {
             "Properties": {
                 "domain": "TESTLAB.LOCAL",

diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue
@@ -1018,6 +1018,11 @@ AllowedToDelegate: types.#Kind & {
 	schema: "active_directory"
 }
 
+CoerceToTGT: types.#Kind & {
+	symbol: "CoerceToTGT"
+	schema: "active_directory"
+}
+
 GetChanges: types.#Kind & {
 	symbol: "GetChanges"
 	schema: "active_directory"
@@ -1308,6 +1313,7 @@ RelationshipKinds: [
 	Contains,
 	GPLink,
 	AllowedToDelegate,
+	CoerceToTGT,
 	GetChanges,
 	GetChangesAll,
 	GetChangesInFilteredSet,
@@ -1411,6 +1417,7 @@ PathfindingRelationships: [
 	Contains,
 	GPLink,
 	AllowedToDelegate,
+	CoerceToTGT,
 	TrustedBy,
 	AllowedToAct,
 	AdminTo,

diff --git a/packages/go/cypher/test/cases/positive_tests.json b/packages/go/cypher/test/cases/positive_tests.json
@@ -709,7 +709,7 @@
             "name": "Find Dangerous Privileges for Domain Users Groups",
             "type": "string_match",
             "details": {
-                "query": "match p = (m:Group)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor|SyncedToEntraUser]->(n:Base) where m.objectid ends with '-513' return p",
+                "query": "match p = (m:Group)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|CoerceToTGT|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor|SyncedToEntraUser]->(n:Base) where m.objectid ends with '-513' return p",
                 "complexity": 3
             }
         },

diff --git a/packages/go/ein/ad.go b/packages/go/ein/ad.go
@@ -235,6 +235,31 @@ func ParseUserMiscData(user User) []IngestibleRelationship {
 		))
 	}
 
+	// CoerceToTGT / unconstrained delegation
+	uncondel := user.UnconstrainedDelegation
+	uncondelProps, _ := user.Properties[strings.ToLower(ad.UnconstrainedDelegation.String())].(bool) // SH v2.5.7 and earlier have unconstraineddelegation under 'Properties' only
+	if uncondel || uncondelProps {
+		domainsid := user.DomainSID
+		if domainsid == "" { // SH v2.5.7 and earlier have domainsid under 'Properties' only
+			domainsid, _ = user.Properties[strings.ToLower(ad.DomainSID.String())].(string)
+		}
+
+		data = append(data, NewIngestibleRelationship(
+			IngestibleSource{
+				Source:     user.ObjectIdentifier,
+				SourceType: ad.User,
+			},
+			IngestibleTarget{
+				Target:     domainsid,
+				TargetType: ad.Domain,
+			},
+			IngestibleRel{
+				RelProps: map[string]any{"isacl": false},
+				RelType:  ad.CoerceToTGT,
+			},
+		))
+	}
+
 	return data
 }
 
@@ -341,7 +366,7 @@ func ParseDomainTrusts(domain Domain) ParsedDomainTrustData {
 	return parsedData
 }
 
-// ParseComputerMiscData parses AllowedToDelegate, AllowedToAct, HasSIDHistory,DumpSMSAPassword,DCFor and Sessions
+// ParseComputerMiscData parses AllowedToDelegate, AllowedToAct, HasSIDHistory, DumpSMSAPassword, DCFor, Sessions, and CoerceToTGT
 func ParseComputerMiscData(computer Computer) []IngestibleRelationship {
 	relationships := make([]IngestibleRelationship, 0)
 	for _, target := range computer.AllowedToDelegate {
@@ -484,6 +509,25 @@ func ParseComputerMiscData(computer Computer) []IngestibleRelationship {
 				RelType:  ad.DCFor,
 			},
 		))
+	} else { // We do not want CoerceToTGT edges from DCs
+		uncondel := computer.UnconstrainedDelegation
+		uncondelProps, _ := computer.Properties[strings.ToLower(ad.UnconstrainedDelegation.String())].(bool) // SH v2.5.7 and earlier have unconstraineddelegation under 'Properties' only
+		if uncondel || uncondelProps {
+			relationships = append(relationships, NewIngestibleRelationship(
+				IngestibleSource{
+					Source:     computer.ObjectIdentifier,
+					SourceType: ad.Computer,
+				},
+				IngestibleTarget{
+					Target:     computer.DomainSID,
+					TargetType: ad.Domain,
+				},
+				IngestibleRel{
+					RelProps: map[string]any{"isacl": false},
+					RelType:  ad.CoerceToTGT,
+				},
+			))
+		}
 	}
 
 	return relationships

diff --git a/packages/go/ein/incoming_models.go b/packages/go/ein/incoming_models.go
@@ -189,10 +189,12 @@ type Group struct {
 
 type User struct {
 	IngestBase
-	AllowedToDelegate []TypedPrincipal
-	SPNTargets        []SPNTarget
-	PrimaryGroupSID   string
-	HasSIDHistory     []TypedPrincipal
+	AllowedToDelegate       []TypedPrincipal
+	SPNTargets              []SPNTarget
+	PrimaryGroupSID         string
+	HasSIDHistory           []TypedPrincipal
+	DomainSID               string
+	UnconstrainedDelegation bool
 }
 
 type Container struct {
@@ -260,20 +262,21 @@ type UserRightsAssignmentAPIResult struct {
 
 type Computer struct {
 	IngestBase
-	PrimaryGroupSID    string
-	AllowedToDelegate  []TypedPrincipal
-	AllowedToAct       []TypedPrincipal
-	DumpSMSAPassword   []TypedPrincipal
-	Sessions           SessionAPIResult
-	PrivilegedSessions SessionAPIResult
-	RegistrySessions   SessionAPIResult
-	LocalGroups        []LocalGroupAPIResult
-	UserRights         []UserRightsAssignmentAPIResult
-	DCRegistryData     DCRegistryData
-	Status             ComputerStatus
-	HasSIDHistory      []TypedPrincipal
-	IsDC               bool
-	DomainSID          string
+	PrimaryGroupSID         string
+	AllowedToDelegate       []TypedPrincipal
+	AllowedToAct            []TypedPrincipal
+	DumpSMSAPassword        []TypedPrincipal
+	Sessions                SessionAPIResult
+	PrivilegedSessions      SessionAPIResult
+	RegistrySessions        SessionAPIResult
+	LocalGroups             []LocalGroupAPIResult
+	UserRights              []UserRightsAssignmentAPIResult
+	DCRegistryData          DCRegistryData
+	Status                  ComputerStatus
+	HasSIDHistory           []TypedPrincipal
+	IsDC                    bool
+	DomainSID               string
+	UnconstrainedDelegation bool
 }
 
 type OU struct {

diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceToTGT/CoerceToTGT.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceToTGT/CoerceToTGT.tsx
@@ -0,0 +1,31 @@
+// Copyright 2023 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import General from './General';
+import WindowsAbuse from './WindowsAbuse';
+import LinuxAbuse from './LinuxAbuse';
+import Opsec from './Opsec';
+import References from './References';
+
+const CoerceToTGT = {
+    general: General,
+    windowsAbuse: WindowsAbuse,
+    linuxAbuse: LinuxAbuse,
+    opsec: Opsec,
+    references: References,
+};
+
+export default CoerceToTGT;
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceToTGT/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceToTGT/General.tsx
@@ -0,0 +1,44 @@
+// Copyright 2023 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { typeFormat } from '../utils';
+import { EdgeInfoProps } from '../index';
+import { Typography } from '@mui/material';
+
+const General: FC<EdgeInfoProps> = ({ sourceName, sourceType }) => {
+    return (
+        <>
+            <Typography variant='body2'>
+                The {typeFormat(sourceType)} {sourceName} is configured with Kerberos unconstrained delegation.
+            </Typography>
+
+            <Typography variant='body2'>
+                Users and computers authenticating against {sourceName} will have their Kerberos TGT sent to{' '}
+                {sourceName}, unless they are marked as sensitive or members of Protected Users.
+            </Typography>
+
+            <Typography variant='body2'>
+                An attacker with control over {sourceName} can coerce a Tier Zero computer (e.g. DC) to authenticate
+                against {sourceName} and obtain the target's TGT. With the TGT of a DC, the attacker can perform DCSync
+                to compromise the domain. Alternatively, the TGT can be used to obtain admin access to the target host
+                with a shadow credentials + silver ticket attack or a resource-based constrained delegation attack.
+            </Typography>
+        </>
+    );
+};
+
+export default General;