Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

User Delegation is not Identified #95

Open
m4lwhere opened this issue Apr 11, 2024 · 6 comments
Open

User Delegation is not Identified #95

m4lwhere opened this issue Apr 11, 2024 · 6 comments

Comments

@m4lwhere
Copy link

I've noticed that the latest version of SharpHound (2.3.3) appears to not find delegation correctly for BHCE. I've gathered this with data within GOAD and noticed that some of the edges I've seen in the past are no longer there. I've validated that these permissions do exist in the domain still and were not removed from GOAD.

Specifically, I've noticed the AllowedToDelegate edge is missing from users, as well as the Unconstrained Delegation setting.

Additionally, I've been able to gather these edges from the latest version of BloodHound.py (bloodhound-ce branch) which properly shows the delegation.

The images below focus specifically on the user sansa.stark, the user jon.snow is missing the AllowedToDelegate edge as well.

SharpHound.exe (v2.3.3) Collection

The user sansa.stark is marked without Unconstrained Delegation
image

findDelegation.py Results

The user sansa.stark is labeled with Unconstrained Delegation
image

BloodHound.py Collection

The user sansa.stark is properly marked with Unconstrained Delegation
image

Is this a known issue or some other type of deployment issue? Are there any known workarounds for this issue?

I've attached copies of the data collection here as well. Please let me know if you need more data, screenshots, or samples - I would be happy to gather them! Thanks!

NORTH_20240410083414_BloodHound-2.3.3.zip

ce_branch_bloodhoundpy_north_20240411011008_bloodhound.zip

@rvazarkar
Copy link
Contributor

What collection method was used to gather the info?

@m4lwhere
Copy link
Author

This was collected with -c All and I was running it from WINTERFELL.NORTH.SEVENKINGDOMS.LOCAL using the hodor account via an RDP session. Windows Defender was disabled.

The full command used to gather this info is below:

.\SharpHound.exe -c All --outputprefix NORTH

@rvazarkar
Copy link
Contributor

rvazarkar commented Apr 12, 2024

I just tested this in my own lab. Created a new user and marked it with unconstrained delegation and got the following results:

  "Properties": {
    "domain": "TESTLAB.LOCAL",
    "name": "UCTEST@TESTLAB.LOCAL",
    "distinguishedname": "CN=UCTEST,CN=USERS,DC=TESTLAB,DC=LOCAL",
    "domainsid": "S-1-5-21-318463681-1533741871-3192839656",
    "samaccountname": "uctest",
    "isaclprotected": false,
    "description": null,
    "whencreated": 1712910813,
    "sensitive": false,
    "dontreqpreauth": false,
    "passwordnotreqd": false,
    "unconstraineddelegation": true,
    "pwdneverexpires": true,
    "enabled": true,
    "trustedtoauth": false,
    "lastlogon": 0,
    "lastlogontimestamp": -1,
    "pwdlastset": 1712936013,
    "serviceprincipalnames": [
      "TEST/abc"
    ],
    "hasspn": true,
    "displayname": "UCTest",
    "email": null,
    "title": null,
    "homedirectory": null,
    "userpassword": null,
    "unixpassword": null,
    "unicodepassword": null,
    "sfupassword": null,
    "logonscript": null,
    "admincount": false,
    "sidhistory": []
  },

Ran with:
.\SharpHound.exe -c All --PrettyPrint --nozip

So I'm not sure whats going off the rails here, but at least the check for unconstrained delegation appears to be working fine on a binary built off main. Can you try building from source to see if you hit the same issue?

@m4lwhere
Copy link
Author

I've built from source and had the same issue, here's a copy of the information generated if it helps. I used the same flags to run the command: .\SharpHound_local.exe -c All --outputprefix NORTH for this.

NORTH_localbuild_20240417031536_BloodHound.zip

Information gathered via local build of SharpHound.exe

 {
  "Properties": {
    "domain": "NORTH.SEVENKINGDOMS.LOCAL",
    "name": "SANSA.STARK@NORTH.SEVENKINGDOMS.LOCAL",
    "distinguishedname": "CN=SANSA.STARK,CN=USERS,DC=NORTH,DC=SEVENKINGDOMS,DC=LOCAL",
    "domainsid": "S-1-5-21-1252223512-2665318757-2669098637",
    "samaccountname": "sansa.stark",
    "isaclprotected": false,
    "description": "Sansa Stark",
    "whencreated": 0,
    "sensitive": false,
    "dontreqpreauth": false,
    "passwordnotreqd": false,
    "unconstraineddelegation": false,
    "pwdneverexpires": false,
    "enabled": true,
    "trustedtoauth": false,
    "lastlogon": -1,
    "lastlogontimestamp": -1,
    "pwdlastset": -1,
    "serviceprincipalnames": [
      "HTTP/eyrie.north.sevenkingdoms.local"
    ],
    "hasspn": true,
    "displayname": null,
    "email": null,
    "title": null,
    "homedirectory": null,
    "userpassword": null,
    "unixpassword": null,
    "unicodepassword": null,
    "sfupassword": null,
    "logonscript": null,
    "admincount": false,
    "sidhistory": []
  }

Sansa.stark is set with unconstrained delegation

image

What's strange is I know the Bloodhound.py (ce-branch) is gathering this information and I know the condition exists within the domain. I can try to cross reference between both projects to see how they both collect this information and come back, it might be a few weeks since I have a lot of other projects going on :)

@rvazarkar
Copy link
Contributor

rvazarkar commented Sep 4, 2024

Are you collecting this in GOAD? I've got my own lab setup so can check with the new v2.5.6

@m4lwhere
Copy link
Author

m4lwhere commented Sep 6, 2024

Correct, this is with GOAD, directly installed using the virtualbox provider and docker ansible provisioner. This was for the GOAD original lab as well

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants