BED-4447: Hybrid Paths Small Tasks (#698)

* feat: new common searches for Cross Platform Attack Paths * feat: add new edge types to pathfinding filter * feat: missing cypher query
SpecterOps · Jul 18, 2024 · 168ebd8 · 168ebd8
1 parent 68ac15e
commit 168ebd8
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/packages/javascript/bh-shared-ui/src/commonSearches.tsx b/packages/javascript/bh-shared-ui/src/commonSearches.tsx
@@ -309,4 +309,38 @@ export const CommonSearches: CommonSearchType[] = [
             },
         ],
     },
+    {
+        subheader: 'Cross Platform Attack Paths',
+        category: categoryAzure,
+        queries: [
+            {
+                description: 'Entra Users synced from On-Prem Users added to Domain Admins group',
+                cypher: 'MATCH p = (:AZUser)-[:SyncedToADUser]->(:User)-[:MemberOf]->(g:Group)\nWHERE g.objectid ENDS WITH "-512"\nRETURN p',
+            },
+            {
+                description: 'On-Prem Users synced to Entra Users with Entra Admin Roles (direct)',
+                cypher: 'MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZHasRole]->(:AZRole)\nRETURN p',
+            },
+            {
+                description: 'On-Prem Users synced to Entra Users with Entra Admin Roles (group delegated)',
+                cypher: 'MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZMemberOf]->(:AZGroup)-[:AZHasRole]->(:AZRole)\nRETURN p',
+            },
+            {
+                description: 'On-Prem Users synced to Entra Users with Azure RM Roles (direct)',
+                cypher: 'MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZOwner|AZUserAccessAdministrator|AZGetCertificates|AZGetKeys|AZGetSecrets|AZAvereContributor|AZKeyVaultContributor|AZContributor|AZVMAdminLogin|AZVMContributor|AZAKSContributor|AZAutmomationContributor|AZLogicAppContributor|AZWebsiteContributor]->(:AZBase)\nRETURN p',
+            },
+            {
+                description: 'On-Prem Users synced to Entra Users with Azure RM Roles (group delegated)',
+                cypher: 'MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZMemberOf]->(:AZGroup)-[:AZOwner|AZUserAccessAdministrator|AZGetCertificates|AZGetKeys|AZGetSecrets|AZAvereContributor|AZKeyVaultContributor|AZContributor|AZVMAdminLogin|AZVMContributor|AZAKSContributor|AZAutmomationContributor|AZLogicAppContributor|AZWebsiteContributor]->(:AZBase)\nRETURN p',
+            },
+            {
+                description: 'On-Prem Users synced to Entra Users that Own Entra Objects',
+                cypher: 'MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZOwns]->(:AZBase)\nRETURN p',
+            },
+            {
+                description: 'On-Prem Users synced to Entra Users with Entra Group Membership',
+                cypher: 'MATCH p = (:User)-[:SyncedToEntraUser]->(:AZUser)-[:AZMemberOf]->(:AZGroup)\nRETURN p',
+            },
+        ],
+    },
 ];
diff --git a/packages/javascript/bh-shared-ui/src/views/Explore/ExploreSearch/edgeTypes.tsx b/packages/javascript/bh-shared-ui/src/views/Explore/ExploreSearch/edgeTypes.tsx
@@ -109,6 +109,10 @@ export const AllEdgeTypes: Category[] = [
                     ActiveDirectoryRelationshipKind.ADCSESC13,
                 ],
             },
+            {
+                name: 'Cross Platform',
+                edgeTypes: [ActiveDirectoryRelationshipKind.SyncedToEntraUser],
+            },
         ],
     },
     {
@@ -182,6 +186,10 @@ export const AllEdgeTypes: Category[] = [
                     AzureRelationshipKind.WebsiteContributor,
                 ],
             },
+            {
+                name: 'Cross Platform',
+                edgeTypes: [AzureRelationshipKind.SyncedToADUser],
+            },
         ],
     },
 ];