Query for identifying groups with RID higher than 1000 for cross-forest (inter-realm) attacks #648

jsdhasfedssad · 2023-02-21T09:00:02Z

When performing cross-forest (inter-realm) attacks it is vital to first identify groups in the target forest that has RID higher than 1000. As far as I can tell RID does not exist as an attribute on group nodes today. Assuming that is correct, would it be possible to implement this attribute? Or is there perhaps another way to accomplish this already today?

Thanks!

JonasBK · 2023-04-26T07:47:45Z

Hi @jsdhasfedssad,

The RID is the last part of the SID, and the SID is the ObjectID in BloodHound:

You can list all the groups in a given domain with RID >= 1000 using this CYPHER query (replace DUMPSTER.FIRE with your domain name):
MATCH (g:Group) WHERE g.domain = "DUMPSTER.FIRE" AND NOT right(g.objectid,4) STARTS WITH "-5" AND NOT g.objectid STARTS WITH g.domain RETURN g

Hope that helps!

godfuzz3r · 2024-04-08T19:22:19Z

MATCH (n:Group) WHERE n.domain = 'domain.name' AND toInteger(SPLIT(n.objectid,'-')[-1]) > 1000 RETURN n

jsdhasfedssad added the enhancement label Feb 21, 2023

jsdhasfedssad mentioned this issue Feb 21, 2023

Domain Trust Attributes Addition #594

Closed

JonasBK closed this as completed Apr 26, 2023

JonasBK added the wontfix label Apr 26, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Query for identifying groups with RID higher than 1000 for cross-forest (inter-realm) attacks #648

Query for identifying groups with RID higher than 1000 for cross-forest (inter-realm) attacks #648

jsdhasfedssad commented Feb 21, 2023

JonasBK commented Apr 26, 2023

godfuzz3r commented Apr 8, 2024

Query for identifying groups with RID higher than 1000 for cross-forest (inter-realm) attacks #648

Query for identifying groups with RID higher than 1000 for cross-forest (inter-realm) attacks #648

Comments

jsdhasfedssad commented Feb 21, 2023

JonasBK commented Apr 26, 2023

godfuzz3r commented Apr 8, 2024