ADCS ESC14 Scenario A coverage

cmd/api/src/analysis/ad/adcs_integration_test.go

@@ -1272,13 +1272,14 @@ func TestADCSESC9a(t *testing.T) {
 			})); err != nil {
 				t.Fatalf("error fetching esc9a edges in integration test; %v", err)
 			} else {
-				assert.Equal(t, 6, len(results))
+				assert.Equal(t, 7, len(results))
 
 				assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group1))
 				assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group2))
 				assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group3))
 				assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group4))
 				assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group5))
+				assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group6))
 				assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.User2))
 			}
 			return nil
@@ -2658,13 +2659,14 @@ func TestADCSESC10a(t *testing.T) {
 			})); err != nil {
 				t.Fatalf("error fetching esc10a edges in integration test; %v", err)
 			} else {
-				require.Equal(t, 6, len(results))
+				require.Equal(t, 7, len(results))
 
 				require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group1))
 				require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group2))
 				require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group3))
 				require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group4))
 				require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group5))
+				require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group6))
 				require.True(t, results.Contains(harness.ESC10aPrincipalHarness.User2))
 
 			}

cmd/api/src/test/integration/harnesses.go

@@ -2210,6 +2210,7 @@ type ESC9aPrincipalHarness struct {
 	Group4       *graph.Node
 	Group5       *graph.Node
 	Group6       *graph.Node
+	Group7       *graph.Node
 	NTAuthStore  *graph.Node
 	RootCA       *graph.Node
 	User1        *graph.Node
@@ -2241,6 +2242,7 @@ func (s *ESC9aPrincipalHarness) Setup(graphTestContext *GraphTestContext) {
 	s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid)
 	s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid)
 	s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid)
+	s.Group7 = graphTestContext.NewActiveDirectoryGroup("Group7", domainSid)
 	s.NTAuthStore = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore", domainSid)
 	s.RootCA = graphTestContext.NewActiveDirectoryRootCA("RootCA", domainSid)
 	s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid)
@@ -2256,7 +2258,8 @@ func (s *ESC9aPrincipalHarness) Setup(graphTestContext *GraphTestContext) {
 	graphTestContext.NewRelationship(s.Group6, s.User1, ad.AllExtendedRights)
 	graphTestContext.NewRelationship(s.Group3, s.User1, ad.WriteDACL)
 	graphTestContext.NewRelationship(s.Group4, s.User1, ad.WriteOwner)
-	graphTestContext.NewRelationship(s.Group5, s.User1, ad.WriteOwner)
+	graphTestContext.NewRelationship(s.Group5, s.User1, ad.Owns)
+	graphTestContext.NewRelationship(s.Group6, s.User1, ad.WritePublicInformation)
 	graphTestContext.NewRelationship(s.User2, s.User2, ad.GenericAll)
 	graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf)
 	graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf)
@@ -3747,10 +3750,11 @@ type ESC10aPrincipalHarness struct {
 	User1        *graph.Node
 	Group1       *graph.Node
 	Group2       *graph.Node
-	Group6       *graph.Node
 	Group3       *graph.Node
 	Group4       *graph.Node
 	Group5       *graph.Node
+	Group6       *graph.Node
+	Group7       *graph.Node
 	User2        *graph.Node
 	Group0       *graph.Node
 }
@@ -3777,10 +3781,11 @@ func (s *ESC10aPrincipalHarness) Setup(graphTestContext *GraphTestContext) {
 	s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid)
 	s.Group1 = graphTestContext.NewActiveDirectoryGroup("Group1", domainSid)
 	s.Group2 = graphTestContext.NewActiveDirectoryGroup("Group2", domainSid)
-	s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid)
 	s.Group3 = graphTestContext.NewActiveDirectoryGroup("Group3", domainSid)
 	s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid)
 	s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid)
+	s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid)
+	s.Group7 = graphTestContext.NewActiveDirectoryGroup("Group7", domainSid)
 	s.User2 = graphTestContext.NewActiveDirectoryUser("User2", domainSid)
 	s.Group0 = graphTestContext.NewActiveDirectoryGroup("Group0", domainSid)
 	graphTestContext.NewRelationship(s.RootCA, s.Domain, ad.RootCAFor)
@@ -3794,7 +3799,8 @@ func (s *ESC10aPrincipalHarness) Setup(graphTestContext *GraphTestContext) {
 	graphTestContext.NewRelationship(s.Group6, s.User1, ad.AllExtendedRights)
 	graphTestContext.NewRelationship(s.Group3, s.User1, ad.WriteDACL)
 	graphTestContext.NewRelationship(s.Group4, s.User1, ad.WriteOwner)
-	graphTestContext.NewRelationship(s.Group5, s.User1, ad.WriteOwner)
+	graphTestContext.NewRelationship(s.Group5, s.User1, ad.Owns)
+	graphTestContext.NewRelationship(s.Group6, s.User1, ad.WritePublicInformation)
 	graphTestContext.NewRelationship(s.User2, s.User2, ad.GenericAll)
 	graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf)
 	graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf)

cmd/api/src/test/integration/harnesses/esc10aprincipalharness.json

@@ -189,10 +189,10 @@
     {
       "id": "n9",
       "position": {
-        "x": 482.94623164792375,
-        "y": 657.1984889145978
+        "x": 654.085839099432,
+        "y": 633.957307655751
       },
-      "caption": "Group6",
+      "caption": "Group7",
       "labels": [],
       "properties": {},
       "style": {
@@ -264,6 +264,19 @@
       "style": {
         "node-color": "#fcdc00"
       }
+    },
+    {
+      "id": "n15",
+      "position": {
+        "x": 495.7801848291077,
+        "y": 652.6385696871592
+      },
+      "caption": "Group6",
+      "style": {
+        "node-color": "#fcdc00"
+      },
+      "labels": [],
+      "properties": {}
     }
   ],
   "relationships": [
@@ -408,11 +421,11 @@
     },
     {
       "id": "n16",
-      "fromId": "n12",
-      "toId": "n6",
-      "type": "WriteOwner",
+      "type": "Owns",
+      "style": {},
       "properties": {},
-      "style": {}
+      "fromId": "n12",
+      "toId": "n6"
     },
     {
       "id": "n17",
@@ -461,6 +474,22 @@
       "type": "Enroll",
       "properties": {},
       "style": {}
+    },
+    {
+      "id": "n23",
+      "type": "ADCSESC10a",
+      "fromId": "n15",
+      "toId": "n0",
+      "style": {},
+      "properties": {}
+    },
+    {
+      "id": "n24",
+      "type": "Owns",
+      "fromId": "n15",
+      "toId": "n6",
+      "style": {},
+      "properties": {}
     }
   ]
 }

cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json

@@ -190,10 +190,10 @@
     {
       "id": "n9",
       "position": {
-        "x": 482.94623164792375,
-        "y": 657.1984889145978
+        "x": 660.4243430791171,
+        "y": 636.7404784228806
       },
-      "caption": "Group6",
+      "caption": "Group7",
       "labels": [],
       "properties": {},
       "style": {
@@ -265,6 +265,19 @@
       "style": {
         "node-color": "#fcdc00"
       }
+    },
+    {
+      "id": "n15",
+      "position": {
+        "x": 463.0761473193729,
+        "y": 665.7935615621888
+      },
+      "caption": "Group6",
+      "style": {
+        "node-color": "#fcdc00"
+      },
+      "labels": [],
+      "properties": {}
     }
   ],
   "relationships": [
@@ -409,11 +422,11 @@
     },
     {
       "id": "n16",
-      "fromId": "n12",
-      "toId": "n6",
-      "type": "WriteOwner",
+      "type": "Owns",
+      "style": {},
       "properties": {},
-      "style": {}
+      "fromId": "n12",
+      "toId": "n6"
     },
     {
       "id": "n17",
@@ -462,6 +475,22 @@
       "type": "Enroll",
       "properties": {},
       "style": {}
+    },
+    {
+      "id": "n23",
+      "type": "ADCSESC9a",
+      "fromId": "n15",
+      "toId": "n0",
+      "style": {},
+      "properties": {}
+    },
+    {
+      "id": "n24",
+      "type": "WritePublicInformation",
+      "style": {},
+      "properties": {},
+      "fromId": "n15",
+      "toId": "n6"
     }
   ]
 }

packages/cue/bh/ad/ad.cue

@@ -1655,6 +1655,16 @@ CanApplyGPO: types.#Kind & {
 	schema: "active_directory"
 }
 
+WriteAltSecurityIdentities: types.#Kind & {
+	symbol: "WriteAltSecurityIdentities"
+	schema: "active_directory"
+}
+
+WritePublicInformation: types.#Kind & {
+	symbol: "WritePublicInformation"
+	schema: "active_directory"
+}
+
 // Relationship Kinds
 RelationshipKinds: [
 	Owns,
@@ -1742,6 +1752,8 @@ RelationshipKinds: [
 	GPOAppliesTo,
 	CanApplyGPO,
 	HasTrustKeys,
+	WriteAltSecurityIdentities,
+	WritePublicInformation,
 ]
 
 // ACL Relationships
@@ -1774,6 +1786,8 @@ ACLRelationships: [
 	WritePKINameFlag,
 	WriteOwnerLimitedRights,
 	OwnsLimitedRights,
+	WriteAltSecurityIdentities,
+	WritePublicInformation,
 ]
 
 // these edges are common to inbound/outbound/pathfinding
@@ -1832,6 +1846,8 @@ SharedRelationshipKinds: [
 	GPOAppliesTo,
 	CanApplyGPO,
 	HasTrustKeys,
+	WriteAltSecurityIdentities,
+	WritePublicInformation,
 ]
 
 // Edges that are used during inbound traversal

packages/go/analysis/ad/queries.go

@@ -1872,13 +1872,17 @@ func FetchAttackersForEscalations9and10(tx graph.Transaction, victimBitmap cardi
 	if attackers, err := ops.FetchStartNodeIDs(tx.Relationships().Filterf(func() graph.Criteria {
 		criteria := query.And(
 			query.KindIn(query.Start(), ad.Group, ad.User, ad.Computer),
-			query.KindIn(query.Relationship(), ad.GenericAll, ad.GenericWrite, ad.Owns, ad.WriteOwner, ad.WriteDACL),
 			query.InIDs(query.EndID(), graph.DuplexToGraphIDs(victimBitmap)...),
 		)
 		if scenarioB {
-			return query.And(criteria, query.KindIn(query.End(), ad.Computer))
+			return query.And(criteria,
+				query.KindIn(query.End(), ad.Computer),
+				query.KindIn(query.Relationship(), ad.GenericAll, ad.GenericWrite, ad.Owns, ad.WriteOwner, ad.WriteDACL),
+			)
+		} else {
+			return query.And(criteria,
+				query.KindIn(query.Relationship(), ad.GenericAll, ad.GenericWrite, ad.Owns, ad.WriteOwner, ad.WriteDACL, ad.WritePublicInformation))
 		}
-		return criteria
 	})); err != nil {
 		return nil, err
 	} else {