BloodHoundAD / BloodHound

Six Degrees of Domain Admin
GNU General Public License v3.0
9.8k stars 1.73k forks

Shortest Path from Owned Principals #661

Open xmpf opened 1 year ago

xmpf commented 1 year ago

https://github.com/BloodHoundAD/BloodHound/blob/69786fa46fa18090e7641e086cd2aed70a530748/src/components/SearchContainer/Tabs/PrebuiltQueries.json#L294

I think the following query would fit better:

```cypher
// Shortest path from every node marked owned to any Computer node, restricted to the listed edge types
MATCH p=shortestPath((a {owned:true})-[:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GPLink|AddAllowedToAct|AllowedToAct|SQLAdmin|ReadGMSAPassword|HasSIDHistory|CanPSRemote|SyncLAPSPassword|AZAddMembers|AZAddSecret|AZAvereContributor|AZContains|AZContributor|AZExecuteCommand|AZGetCertificates|AZGetKeys|AZGetSecrets|AZGlobalAdmin|AZGrant|AZGrantSelf|AZHasRole|AZMemberOf|AZOwner|AZOwns|AZPrivilegedRoleAdmin|AZResetPassword|AZUserAccessAdministrator|AZAppAdmin|AZCloudAppAdmin|AZRunsAs|AZKeyVaultContributor|AZVMAdminLogin|AddSelf|WriteSPN|AddKeyCredentialLink*1..]->(b:Computer)) WHERE NOT a=b RETURN p
```

JonasBK commented 1 year ago

Hi @xmpf,

I assume you have excluded some edge types from that list. That would make sense to do to avoid traversing meta edges like GetChanges. At some point, we should review all the queries and make sure they are all good.
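
The review suggested in the comment above can be partly automated. The following is an added example, not part of the thread or of BloodHound's code: a small Python check that reads the edge-type list out of a Cypher path query and reports meta edges, duplicate types, and variable-length traversals with no type filter at all. The names `META_EDGES`, `edge_types` and `review` are hypothetical, the sample queries are constructed, and treating only `GetChanges` as a meta edge is an assumption taken from the one edge named in the thread.

```python
import re

# Assumption: edge types to treat as non-traversable "meta" edges. GetChanges
# is the one named in the thread; extend the set for your own review.
META_EDGES = {"GetChanges"}

# Type list of a relationship pattern, e.g. -[:A|B*1..]-> or -[r:A]->
TYPED_REL = re.compile(r"\[\s*\w*\s*:([\w|:\s]+?)\s*(?:\*[^\]]*)?\]")
# Variable-length relationship with no type list, e.g. -[*1..]->
UNTYPED_VARLEN = re.compile(r"\[\s*\w*\s*\*[^\]]*\]")

# Constructed sample queries (shortened edge lists, not BloodHound's own).
Q_FILTERED = ("MATCH p=shortestPath((a {owned:true})"
              "-[:MemberOf|HasSession|AdminTo*1..]->(b:Computer)) "
              "WHERE NOT a=b RETURN p")
Q_META = ("MATCH p=shortestPath((a {owned:true})"
          "-[:MemberOf|GetChanges|MemberOf*1..]->(b:Computer)) "
          "WHERE NOT a=b RETURN p")
Q_OPEN = ("MATCH p=shortestPath((a {owned:true})-[*1..]->(b:Computer)) "
          "WHERE NOT a=b RETURN p")


def edge_types(query):
    """Return the edge types named in the query's relationship patterns."""
    found = []
    for match in TYPED_REL.finditer(query):
        for name in match.group(1).split("|"):
            name = name.strip().lstrip(":")  # tolerate the older [:A|:B] form
            if name:
                found.append(name)
    return found


def review(query, meta_edges=META_EDGES):
    """Report findings a reviewer would want before shipping the query."""
    types = edge_types(query)
    return {
        # No type list: the path may run over every edge, meta edges included.
        "unfiltered": bool(UNTYPED_VARLEN.search(query)),
        "meta": sorted(set(types) & set(meta_edges)),
        "duplicates": sorted({t for t in types if types.count(t) > 1}),
    }


if __name__ == "__main__":
    for label, q in (("filtered", Q_FILTERED), ("meta", Q_META), ("open", Q_OPEN)):
        print(label, review(q))
```
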