From e7363446103d6a53113e5db49b3550b0bcb83814 Mon Sep 17 00:00:00 2001
From: Lars Karlslund
Date: Fri, 15 Dec 2023 15:10:24 +0100
Subject: [PATCH] Constrained delegation edge

---
 .../activedirectory/analyze/analyze-ad.go | 41 +++++++++++++++----
 .../activedirectory/attributes.go | 1 +
 2 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/modules/integrations/activedirectory/analyze/analyze-ad.go b/modules/integrations/activedirectory/analyze/analyze-ad.go
index aa3dab7..cba0f8e 100644
--- a/modules/integrations/activedirectory/analyze/analyze-ad.go
+++ b/modules/integrations/activedirectory/analyze/analyze-ad.go
@@ -470,7 +470,7 @@ func init() {
 })
 }, `Modify the msDS-AllowedToActOnBehalfOfOtherIdentity (Resource Based Constrained Delegation) on an account to enable any SPN enabled user to impersonate it`, engine.BeforeMergeFinal)
- EdgeRBCD := engine.NewEdge("RBCD")
+ EdgeRBCD := engine.NewEdge("RBConstrainedDeleg")
 Loader.AddProcessor(func(ao *engine.Objects) {
 ao.Iterate(func(o *engine.Object) bool {
 // Only computers
@@ -479,19 +479,43 @@ func init() {
 }
 o.Attr(activedirectory.MSDSAllowedToActOnBehalfOfOtherIdentity).Iterate(func(val engine.AttributeValue) bool {
 // Each of these is a SID, so find that SID and add an edge
- sd := val.Raw().(*engine.SecurityDescriptor)
- ui.Debug().Msgf("Found msDS-AllowedToActOnBehalfOfOtherIdentity on %v as %v", o.DN(), sd.String(ao))
- for _, acl := range sd.DACL.Entries {
- if acl.Type == engine.ACETYPE_ACCESS_ALLOWED {
- ao.FindOrAddAdjacentSID(acl.SID, o).EdgeTo(o, EdgeRBCD)
+ if sd, ok := val.Raw().(*engine.SecurityDescriptor); ok {
+ // ui.Debug().Msgf("Found msDS-AllowedToActOnBehalfOfOtherIdentity on %v as %v", o.DN(), sd.String(ao))
+ for _, acl := range sd.DACL.Entries {
+ if acl.Type == engine.ACETYPE_ACCESS_ALLOWED {
+ ao.FindOrAddAdjacentSID(acl.SID, o).EdgeTo(o, EdgeRBCD)
+ }
 }
 }
- // o.EdgeTo(ao.FindOrAddAdjacentSID(sid, o), EdgeRBCD)
 return true
 })
 return true
 })
 }, `Someone is listed in the msDS-AllowedToActOnBehalfOfOtherIdentity (Resource Based Constrained Delegation) on an account`, engine.BeforeMergeFinal)
+
+ EdgeCD := engine.NewEdge("ConstrainedDeleg")
+ Loader.AddProcessor(func(ao *engine.Objects) {
+ ao.Iterate(func(o *engine.Object) bool {
+ // Only computers
+ if o.Type() != engine.ObjectTypeComputer && o.Type() != engine.ObjectTypeUser {
+ return true
+ }
+ o.Attr(activedirectory.MSDSAllowedToDelegateTo).Iterate(func(val engine.AttributeValue) bool {
+ // Each of these is a SID, so find that SID and add an edge
+ // sd := val.Raw().(*engine.SecurityDescriptor)
+ ui.Debug().Msgf("Found msDS-AllowedToDelegate on %v as %v", o.DN(), val.String())
+ if target, found := ao.Find(activedirectory.ServicePrincipalName, val); found {
+ o.EdgeTo(target, EdgeCD)
+ } else {
+ ui.Error().Msgf("Could not find constrained delegation SPN %v in the AD", val.String())
+ }
+
+ return true
+ })
+ return true
+ })
+ }, `Someone is listed in the msDS-AllowedToDelegate (Constrained Delegation) on an account`, engine.BeforeMergeFinal)
+
 /*
 // https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 Loader.AddProcessor(func(ao *engine.Objects) {
@@ -577,8 +601,7 @@ func init() {
 Loader.AddProcessor(func(ao *engine.Objects) {
 ao.Iterate(func(o *engine.Object) bool {
 o.Attr(activedirectory.MSDSGroupMSAMembership).Iterate(func(msads engine.AttributeValue) bool {
- sd, err := engine.ParseSecurityDescriptor([]byte(msads.String()))
- if err == nil {
+ if sd, ok := msads.Raw().(*engine.SecurityDescriptor); ok {
 for _, acl := range sd.DACL.Entries {
 if acl.Type == engine.ACETYPE_ACCESS_ALLOWED {
 ao.FindOrAddAdjacentSID(acl.SID, o).EdgeTo(o, activedirectory.EdgeReadMSAPassword)
diff --git a/modules/integrations/activedirectory/attributes.go b/modules/integrations/activedirectory/attributes.go
index ce39de4..f77157b 100644
--- a/modules/integrations/activedirectory/attributes.go
+++ b/modules/integrations/activedirectory/attributes.go
@@ -61,6 +61,7 @@ var (
 ObjectSid = engine.NewAttribute("objectSid").Tag("AD").Merge().Single().Type(engine.AttributeTypeSID)
 CreatorSID = engine.NewAttribute("mS-DS-CreatorSID").Tag("AD").Single().Type(engine.AttributeTypeSID)
 MSDSAllowedToActOnBehalfOfOtherIdentity = engine.NewAttribute("msDS-AllowedToActOnBehalfOfOtherIdentity").Tag("AD").Type(engine.AttributeTypeSecurityDescriptor)
+ MSDSAllowedToDelegateTo = engine.NewAttribute("msDS-AllowedToDelegateTo").Tag("AD")
 FRSRootSecurity = engine.NewAttribute("fRSRootSecurity").Tag("AD").Type(engine.AttributeTypeSecurityDescriptor)
 MSDFSLinkSecurityDescriptorv2 = engine.NewAttribute("msDFS-LinkSecurityDescriptorv2").Tag("AD").Type(engine.AttributeTypeSecurityDescriptor)
 PKIEnrollmentAccess = engine.NewAttribute("pKIEnrollmentAccess").Tag("AD")
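Review bot: The target lookup `ao.Find(activedirectory.ServicePrincipalName, val)` in the new ConstrainedDeleg processor only resolves a delegation entry when some object carries that exact SPN string, so an entry like `cifs/host` misses an account that registered only `cifs/host.domain.tld` (or a port-qualified form) and the edge is dropped, with nothing but an Error-level log line to show for it. The service class is not what the KDC enforces for S4U2Proxy (a right to `time/host` is as usable as one to `cifs/host`, the well-known alternate-service-name abuse), so the edge really belongs to whichever account owns the host part of the SPN; the lookup should fall back to matching the host component against objects' SPN lists rather than the verbatim value, and since an unresolvable SPN is a directory fact rather than a tool failure, `ui.Warn()` fits better than `ui.Error()` there. The comments carried over from the RBCD processor are now wrong: `// Only computers` sits above a check that also admits users, and `// Each of these is a SID, so find that SID and add an edge` describes values that are SPN strings — suggest `// Computers and users can both carry msDS-AllowedToDelegateTo` and `// Each value is an SPN (service/host[:port]); resolve it to the account that registered it`, and the dead `// sd := val.Raw()...` line should go. The edge is also created without reading userAccountControl for TRUSTED_TO_AUTH_FOR_DELEGATION, so a consumer cannot tell protocol transition (tickets for arbitrary users) from Kerberos-only constrained delegation, which decides how exploitable the edge is. The new processor is complete within the hunk; the trailing context lines belong to a commented-out block that continues outside it.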
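Review bot: The new guard `if sd, ok := msads.Raw().(*engine.SecurityDescriptor); ok {` drops a msDS-GroupMSAMembership value without any trace when its raw form is not a parsed security descriptor, just as the old `err == nil` check did, and the consequence is a gMSA whose password readers are simply absent from the graph — a false negative the analyst never sees. Suggest an explicit branch, `} else { ui.Warn().Msgf("msDS-GroupMSAMembership on %v is not a parsed security descriptor, skipping", o.DN()) }`, so the gap shows up in the run log. This also presumes the attribute is declared with `.Type(engine.AttributeTypeSecurityDescriptor)` like its siblings so that Raw() yields the parsed form; that declaration is not in this diff and should be confirmed. The closure bodies and the processor registration continue past the end of the hunk.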
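Review bot: The added `MSDSAllowedToDelegateTo` declaration says nothing about what the attribute holds, while its consumer in analyze-ad.go treats every value as an SPN string and matches it verbatim against ServicePrincipalName, so that contract should be stated where the attribute is defined. Suggest a line above it: `// msDS-AllowedToDelegateTo: SPNs this account may obtain S4U2Proxy service tickets for (classic constrained delegation); values are SPN strings, not SIDs`. Whether the attribute's default value type is the one the consumer expects is not visible in this hunk.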