If we look at the description inside the BloodHound Community Edition, we can see that when we have both the DS-Replication-Get-Changes and DS-Replication-Get-Changes-ALL permissions, we will be able to perform a DCSync attack.
In the image of the BloodHound Community Edition we have the relation of the Get-Changes-ALL and Get-Changes permissions, but the tool doesn't create the DCSync relation.
However, old BloodHound does.
This is annoying because if we filter by Principals with DCSync Privileges it won't appear even though this relationship can be exploited.
cateOVR changed the title from "DCSync Relation is not creating when you have DS-Replication-Get-Changes and DS-Replication-Get-Changes-All" to "DCSync Relation is not being creating when you have DS-Replication-Get-Changes and DS-Replication-Get-Changes-All" on Jan 3, 2024
Hi @cateOVR - how did you upload the data into BloodHound? The DCSync edges are created during post-processing, which runs at the completion of a file ingest task. It's possible it didn't run. You can manually force it to run by hitting the API at PUT /api/v2/analysis (can be done in your browser's network console by re-sending a request). After doing so, if the edge still doesn't exist, can you please check the API container logs to see if you see any errors?
I have been doing some research and testing and have come to these conclusions.
If I use SharpHound v.2.0.2 (BCE WEB UI download collector) or the new SharpHound v.2.3.0 (from the official repository), it creates the DCSync relation and it works correctly.
If I use the crackmapexec (or newer NetExec) BloodHound module, the DCSync relation is not created. However, in the logs everything seems to work correctly and the API requests work the same as with SharpHound. I understand that it is difficult to support all the tools for correct operation, and according to the documentation of the tool, SharpHound is 100% functional.
Thanks to the support team for the brief and concise response. Best regards, and if you see fit, we can close the issue.
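One way to audit exported graph data for the situation reported in this thread, where a principal holds both GetChanges and GetChangesAll on the domain but has no DCSync edge. This is an added example, not BloodHound code and not part of any comment above; the edge tuple layout, the sample names in EDGES and the nested group expansion are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample graph: (source, edge kind, target). All names are made up.
EDGES = [
    ("SVC_SYNC@CORP.LOCAL", "GetChanges", "CORP.LOCAL"),
    ("SVC_SYNC@CORP.LOCAL", "GetChangesAll", "CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GetChanges", "CORP.LOCAL"),
    ("REPL_ADMINS@CORP.LOCAL", "GetChangesAll", "CORP.LOCAL"),
    ("REPL_READERS@CORP.LOCAL", "GetChanges", "CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "REPL_ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "REPL_READERS@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "REPL_READERS@CORP.LOCAL"),
]
DOMAIN = "CORP.LOCAL"


def members_of(group, edges):
    """All principals that reach `group` through nested MemberOf edges."""
    children = defaultdict(set)
    for src, kind, dst in edges:
        if kind == "MemberOf":
            children[dst].add(src)
    seen, stack = set(), [group]
    while stack:
        for member in children[stack.pop()] - seen:
            seen.add(member)
            stack.append(member)
    return seen


def effective_holders(right, domain, edges):
    """Principals holding `right` on `domain` directly or via group nesting."""
    direct = {s for s, k, d in edges if k == right and d == domain}
    holders = set(direct)
    for principal in direct:
        holders |= members_of(principal, edges)
    return holders


def dcsync_principals(domain, edges):
    """Both replication rights are required, so intersect the two holder sets."""
    return (effective_holders("GetChanges", domain, edges)
            & effective_holders("GetChangesAll", domain, edges))


def missing_dcsync_edges(domain, edges):
    """Principals with both rights that have no DCSync edge in the graph."""
    existing = {s for s, k, d in edges if k == "DCSync" and d == domain}
    return sorted(dcsync_principals(domain, edges) - existing)
```

A non-empty result from `missing_dcsync_edges` means the DCSync filter will under-report for that data set, which is the gap described in this issue.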