BloodHoundAD / BloodHound

Six Degrees of Domain Admin
GNU General Public License v3.0

Query for identifying groups with RID higher than 1000 for cross-forest (inter-realm) attacks #648

Closed jsdhasfedssad closed 1 year ago

jsdhasfedssad commented 1 year ago

When performing cross-forest (inter-realm) attacks it is vital to first identify groups in the target forest that have a RID higher than 1000. As far as I can tell, RID does not exist as an attribute on group nodes today. Assuming that is correct, would it be possible to implement this attribute? Or is there perhaps another way to accomplish this already today?

Thanks!

JonasBK commented 1 year ago

Hi @jsdhasfedssad,

The RID is the last part of the SID, and the SID is the ObjectID in BloodHound. [image]

You can list all the groups in a given domain with RID >= 1000 using this CYPHER query (replace DUMPSTER.FIRE with your domain name):

MATCH (g:Group) WHERE g.domain = "DUMPSTER.FIRE" AND NOT right(g.objectid,4) STARTS WITH "-5" AND NOT g.objectid STARTS WITH g.domain RETURN g

Hope that helps!

godfuzz3r commented 3 months ago
MATCH (n:Group) WHERE n.domain = 'domain.name' AND toInteger(SPLIT(n.objectid,'-')[-1]) > 1000 RETURN n
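The same filter the two Cypher queries above express, applied offline to exported BloodHound group nodes, as an added example that is not part of the thread or of the BloodHound project. It extracts the RID as the last sub-authority of the SID in the objectid, tolerates the domain-name prefix BloodHound puts in front of well-known SIDs (the case the first query excludes with `NOT g.objectid STARTS WITH g.domain`), and skips nodes whose objectid is not a SID at all. The sample node list is constructed for the example; the domain name DUMPSTER.FIRE is taken from the thread.

```python
import re

# Constructed sample of BloodHound-style Group nodes (not real data). The
# objectid of a well-known local group carries the domain name as a prefix,
# which is what the first query in the thread filters on.
SAMPLE_GROUPS = [
    {"name": "DOMAIN ADMINS@DUMPSTER.FIRE", "domain": "DUMPSTER.FIRE",
     "objectid": "S-1-5-21-1111-2222-3333-512"},
    {"name": "DOMAIN USERS@DUMPSTER.FIRE", "domain": "DUMPSTER.FIRE",
     "objectid": "S-1-5-21-1111-2222-3333-513"},
    {"name": "ADMINISTRATORS@DUMPSTER.FIRE", "domain": "DUMPSTER.FIRE",
     "objectid": "DUMPSTER.FIRE-S-1-5-32-544"},
    {"name": "HELPDESK@DUMPSTER.FIRE", "domain": "DUMPSTER.FIRE",
     "objectid": "S-1-5-21-1111-2222-3333-1105"},
    {"name": "SQL ADMINS@DUMPSTER.FIRE", "domain": "DUMPSTER.FIRE",
     "objectid": "S-1-5-21-1111-2222-3333-1500"},
    {"name": "IT@OTHER.LOCAL", "domain": "OTHER.LOCAL",
     "objectid": "S-1-5-21-4444-5555-6666-1200"},
    {"name": "BROKEN@DUMPSTER.FIRE", "domain": "DUMPSTER.FIRE",
     "objectid": "not-a-sid"},
]

# A SID is "S-1-<authority>-<subauthority>..."; search() rather than match()
# so a domain-name prefix before the SID is ignored.
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+$")


def rid_from_objectid(objectid):
    """Return the RID (last sub-authority) of a SID-shaped objectid, or None."""
    m = SID_RE.search(objectid.upper())
    if m is None:
        return None
    return int(m.group(0).rsplit("-", 1)[1])


def groups_with_rid_above(groups, domain, threshold=1000):
    """Names of groups in `domain` whose RID is strictly greater than `threshold`.

    Mirrors the second Cypher query in the thread: split objectid on '-' and
    compare the last element as an integer. Nodes without a parseable SID
    are skipped instead of raising.
    """
    result = []
    for g in groups:
        if g.get("domain") != domain:
            continue
        rid = rid_from_objectid(g.get("objectid", ""))
        if rid is not None and rid > threshold:
            result.append(g["name"])
    return result


if __name__ == "__main__":
    for name in groups_with_rid_above(SAMPLE_GROUPS, "DUMPSTER.FIRE"):
        print(name)
```

Because the comparison is done on the parsed integer, the well-known RIDs 512, 513 and 544 drop out regardless of whether the objectid carries the domain prefix, and the group from OTHER.LOCAL is excluded by the domain check rather than by its RID.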