[Query Issue]: Non-Tier Zero account with unconstrained delegation

[kaasimir]

Query GUID

e7e9a927-3f34-42c7-b921-d8bcf626011e

Query content

MATCH (n:Base)
WHERE n.unconstraineddelegation = true
AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
RETURN n

Issue description

Hey folks! :)
The query works fine, however I'd propose changing it to only exclude DCs and not all Tier Zero Objects.

DCs run with unconstrained delegations by default:

• "Unconstrained delegation is enabled by default and required on all domain controllers (DCs)." - https://www.crowe.com/insights/crowe-cyber-watch/unconstrained-delegation-too-trusting-for-its-own-good
• "Review the recommended action at ... to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation." - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unconstrained-kerberos

To my knowledge an unconstrained delegation on any other Tier Zero object would be a misconfiguration.

So from my point of view it would make sense to exclude DCs but include any other Tier Zero Object.

I modified the query to this one:

MATCH (n:Base)
WHERE n.unconstraineddelegation = true
OPTIONAL MATCH (n)-[:MemberOf]->(g:Group)
WHERE g.objectid ENDS WITH '-516' // Domain Controllers
WITH n, g
WHERE g IS NULL
RETURN n
LIMIT 1000

In case my suggestion gets accepted, changing the title to "Non-DCs with unconstrained delegation" would make sense.

Have a great day, cheers! :)

BloodHound version

lastest version

BloodHound DB

default Neo4j

[martinsohn]

Hi @kaasimir, thank you for the suggestion.

I agree that removing unconstrained delegation from all non-DCs is the most secure, but it's not always viable ($$$) thus the other option is to consider systems with unconstrained delegation as Tier Zero. This works because any Tier Zero system is as important as domain controllers and any Tier Zero system therefore be secured as it was a domain controller.

[kaasimir]

Hi @martinsohn , thanks for the response.

That is a fair point. However, I'd argue there are also cases where it makes sense to check which non-DC Tier Zero object have unconstrained delegations, if only for housekeeping purposes.

So maybe a query where you could check for either Tier-Zero or DCs would be reasonable?
I combined them together and it worked fine for me.
As it is, without commenting out the Tier-Zero-line, it's basically your query with a few extra lines.
However this way you also have the option to only exclude DCs while being able to include PKI etc. by commenting out that one line.

`MATCH (n:Base)
WHERE n.unconstraineddelegation = true

// per default this query excludes all Tier-Zero objects
// if only DCs should be excluded, comment the following line
AND NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')

OPTIONAL MATCH (n)-[:MemberOf]->(g:Group)
WHERE g.objectid ENDS WITH '-516' // Domain Controllers
WITH n, g
WHERE g IS NULL
RETURN n
LIMIT 1000`

I'd be glad if you could consider my suggestion. However as I said I can understand your point, so if you want to stick to your initial query I'm fine with that as well :)

Cheers,
kaasimir