Our first use case is identifying Domain Trusts that exist within an environment.
Our specific query here, Map Domain Trusts, can be selected from the list of Pre-built Searches, which automatically populates the search window with the built-in query.
Selecting Search will then return a similar result, should your own environment have several domain trusts.
We have frequently found that customers are surprised to discover domains they were unaware of, or that they did not realize the nature of the trust relationship that existed between their domains.
In the above figure, you'll notice that most domains have a TrustedBy relationship that goes in both directions.
This may be normal, but perhaps there are some domains where this shouldn't be the case.
This may be the case in situations where an organization allows users in one domain to access resources from another domain, but not in the other direction.
BloodHound Enterprise currently includes over 30 of these Pre-built Searches, in categories such as Domain Information, Domain Privileges, and Shortest Paths, each of which has context-providing queries that can shed some light on the nature of your own environment.
Consider an environment where you may use a particular naming convention to separate users.
This further demonstrates value in that we can identify those areas where differences in domain management across a forest may be problematic within the larger enterprise environment.
It is problematic to begin with when non-Tier Zero users can reach Tier Zero, but our attack surface is dramatically increased when non-Tier Zero users in Domain B can reach Tier Zero in Domain A because of improper nesting of non-Tier Zero principals within Tier Zero groups.
For a real-world example, consider a company merger where two domains are joined and the parent company adds the child company's Domain Admins group to the parent's Domain Admins group.
Now consider the situation where the child domain has also added something like a Workstation Admins group to its own Domain Admins group.
While not necessarily common, the ability to identify where such nesting has occurred provides significant value in being able to spot where misconfigurations abound.
The query applies three constraints: group n is a member of group t, with no constraint on the number of links between the groups; group n and group t are in separate domains; and groups n and t are both part of Tier Zero.
Returning the relationship path p will then show us those relationships that include nesting from external domains.
As an example of what this might look like, consider the MiddleEarth forest, where the parent domain, MiddleEarth, has added the domain admins of both Shire and Mordor to its own administrators group.
This might have been fine within the original intent of nesting administrators under a certain group, but Mordor in its domain administration excellence has added its workstation administrators under its domain administrators group.
So now there is a nesting where workstation administrators within Mordor have been added to the Administrators group for MiddleEarth, which is great for Sauron and his desire to reclaim Tier 0 from Frodo, but not so great for the rest of the MiddleEarth domain.
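The cross-domain Tier Zero nesting query described above, and the follow-on check for the Mordor scenario, written out as an added example (not the page's own query text). It assumes BloodHound's MemberOf edge, a node property named domain, and Tier Zero marking via a system_tags property containing 'admin_tier_0'; verify these property names against your own BloodHound schema before relying on the results.

```cypher
// Added example, not the original post's query. Assumed schema: Group nodes with
// a `domain` property, MemberOf edges, and Tier Zero membership recorded in
// `system_tags` containing 'admin_tier_0'. Run each query separately.

// Query 1: Tier Zero group n in one domain is nested, through any number of
// MemberOf hops, into Tier Zero group t in a different domain. Returns the
// path p so the full chain of nesting is visible in the graph view.
MATCH p = (n:Group)-[:MemberOf*1..]->(t:Group)
WHERE n.domain <> t.domain
  AND n.system_tags CONTAINS 'admin_tier_0'
  AND t.system_tags CONTAINS 'admin_tier_0'
RETURN p

// Query 2: the Mordor case. Find principals m that are NOT Tier Zero but
// inherit Tier Zero in another domain purely through such nesting
// (m -> Mordor Domain Admins -> MiddleEarth Administrators). The hop count
// helps triage: shorter chains are usually the easier misconfigurations to fix.
MATCH p = (m)-[:MemberOf*1..]->(n:Group)-[:MemberOf*1..]->(t:Group)
WHERE m.domain <> t.domain
  AND n.domain <> t.domain
  AND NOT coalesce(m.system_tags, '') CONTAINS 'admin_tier_0'
  AND n.system_tags CONTAINS 'admin_tier_0'
  AND t.system_tags CONTAINS 'admin_tier_0'
RETURN m.name AS principal,
       n.name AS localTierZeroGroup,
       t.name AS foreignTierZeroGroup,
       length(p) AS hops
ORDER BY hops
```

The coalesce in Query 2 matters: principals with no system_tags at all would otherwise evaluate to null in the NOT ... CONTAINS test and silently drop out of the results.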
Cypher Queries in BloodHound Enterprise was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
This Cyber News was published on securityboulevard.com. Publication date: Wed, 10 Jan 2024 18:13:05 +0000