Merge pull request #421 from gbe/imp-bhcq-impersonate-request
BH Customqueries: add detection for RID 500 administrator impersonation and more
ShutdownRepo authored Dec 12, 2024
2 parents 48808db + 191ea93 commit 42cba20
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions sources/assets/bloodhound/customqueries.json
Expand Up @@ -459,23 +459,23 @@
"category": "Admins",
"queryList": [{
"final": true,
"query": "MATCH (u:User {enabled:TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '(?i)S-1-5-.*-525$' WITH COLLECT (u.objectid) AS protectedUsers MATCH p=(u2:User {enabled:TRUE, admincount:TRUE, sensitive:FALSE})-[:MemberOf*1..3]->(g2:Group) WHERE NOT u2.objectid IN protectedUsers RETURN p"
"query": "MATCH (u:User {enabled:TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '(?i)S-1-5-.*-525$' WITH COLLECT (u.objectid) AS protectedUsers MATCH p=(u2:User {enabled:TRUE, admincount:TRUE, sensitive:FALSE})-[:MemberOf*1..3]->(g2:Group) WHERE (NOT u2.objectid IN protectedUsers OR u2.objectid =~ '.*-500$') RETURN p"
}]
},
{
"name": "Enabled Domain/Enterprise Administrators, not sensitive for delegation and not members of Protected Users",
"name": "Enabled Domain/Enterprise Administrators, Account/Backup/Print/Server Operators,... not sensitive for delegation and not members of Protected Users",
"category": "Admins",
"queryList": [{
"final": true,
"query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT(u.objectid) AS protectedUsers MATCH p=(u2:User {enabled: TRUE, admincount: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group) WHERE NOT u2.objectid IN protectedUsers AND g2.objectid =~ '.*-(512|519|(?i)S-1-5-32-544)$' RETURN p"
"query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT(u.objectid) AS protectedUsers MATCH p=(u2:User {enabled: TRUE, admincount: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group) WHERE (NOT u2.objectid IN protectedUsers OR u2.objectid =~ '.*-500$') AND g2.objectid =~ '.*-(512|517|518|519|544|548|549|550|551|574|583)$' RETURN p"
}]
},
{
"name": "Enabled users, members of high value groups, not sensitive for delegation and not members of Protected Users (Heavy)",
"category": "Admins",
"queryList": [{
"final": true,
"query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT (u.objectid) AS protectedUsers MATCH p=(u2:User {enabled: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group {highvalue: TRUE}) WHERE NOT u2.objectid IN protectedUsers RETURN p"
"query": "MATCH (u:User {enabled: TRUE, admincount: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$' WITH COLLECT (u.objectid) AS protectedUsers MATCH p=(u2:User {enabled: TRUE, sensitive: FALSE})-[:MemberOf*1..]->(g2:Group {highvalue: TRUE}) WHERE (NOT u2.objectid IN protectedUsers OR u2.objectid =~ '.*-500$') RETURN p"
}]
},
{
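Review bot: In the third query (the one ending in `(g2:Group {highvalue: TRUE})`), the `protectedUsers` list is collected only from `u:User {enabled: TRUE, admincount: TRUE}`, while the second MATCH selects `u2` with no admincount filter, so a Protected Users member whose admincount is not TRUE but who is in a high-value group is still returned as if unprotected; this mismatch predates the commit but the touched line now carries it forward. The first query already avoids it by collecting from `u:User {enabled:TRUE}`; using the same opening pattern here, `MATCH (u:User {enabled: TRUE})-[:MemberOf*1..]->(g:Group) WHERE g.objectid =~ '.*-525$'`, makes the exclusion cover the same population the query selects from. Separately, the `name` fields still read "not members of Protected Users" although the new `OR u2.objectid =~ '.*-500$'` clause now returns the RID 500 Administrator regardless of that membership; since this JSON cannot carry comments, the name is the only place to record that intent, for example by appending `(RID 500 Administrator always listed)` to the affected names.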