BloodHoundAD / BloodHound

Six Degrees of Domain Admin

Query for identifying groups with RID higher than 1000 for cross-forest (inter-realm) attacks

jsdhasfedssad opened this issue · comments

When performing cross-forest (inter-realm) attacks, it is vital to first identify groups in the target forest that have a RID higher than 1000. As far as I can tell, RID does not exist as an attribute on group nodes today. Assuming that is correct, would it be possible to implement this attribute? Or is there perhaps another way to accomplish this already today?

Thanks!

Hi @jsdhasfedssad,

The RID is the last part of the SID, and the SID is the ObjectID in BloodHound.

You can list all the groups in a given domain with RID >= 1000 using this CYPHER query (replace DUMPSTER.FIRE with your domain name):
MATCH (g:Group) WHERE g.domain = "DUMPSTER.FIRE" AND NOT right(g.objectid,4) STARTS WITH "-5" AND NOT g.objectid STARTS WITH g.domain RETURN g

Hope that helps!

MATCH (n:Group) WHERE n.domain = 'domain.name' AND toInteger(SPLIT(n.objectid,'-')[-1]) > 1000 RETURN n
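
An added example (not part of the thread or of BloodHound itself): a Python check that extracts the RID numerically from BloodHound-style objectid values, for reviewing groups in a domain you manage, and compares the result with the string-based test from the first query. The sample nodes, the domain SID and the function names are constructed for illustration.

```python
import re

# A BloodHound objectid is either a plain SID ("S-1-5-21-...-1104") or, for
# builtin principals, a SID prefixed with the domain ("DUMPSTER.FIRE-S-1-5-32-544").
SID_TAIL = re.compile(r"(?:^|-)(S-1-\d+(?:-\d+)+)$")

def rid_of(objectid):
    """Return the RID (last SID sub-authority) as an int, or None if unparseable."""
    m = SID_TAIL.search(objectid.strip().upper())
    return int(m.group(1).rsplit("-", 1)[1]) if m else None

def numeric_filter(groups, domain, min_rid=1000):
    """Names of groups in `domain` whose RID is >= min_rid, compared as a number."""
    out = []
    for g in groups:
        rid = rid_of(g["objectid"])
        if g["domain"] == domain and rid is not None and rid >= min_rid:
            out.append(g["name"])
    return sorted(out)

def string_filter(groups, domain):
    """The string-based test from the first query above, for comparison."""
    return sorted(
        g["name"] for g in groups
        if g["domain"] == domain
        and not g["objectid"][-4:].startswith("-5")
        and not g["objectid"].startswith(g["domain"])
    )

# Constructed sample nodes (the domain SID and group names are made up).
D = "S-1-5-21-1111111111-2222222222-3333333333"
GROUPS = [
    {"name": "DOMAIN ADMINS", "domain": "DUMPSTER.FIRE", "objectid": D + "-512"},
    {"name": "ENTERPRISE RODCS", "domain": "DUMPSTER.FIRE", "objectid": D + "-498"},
    {"name": "ADMINISTRATORS", "domain": "DUMPSTER.FIRE",
     "objectid": "DUMPSTER.FIRE-S-1-5-32-544"},
    {"name": "HELPDESK", "domain": "DUMPSTER.FIRE", "objectid": D + "-1104"},
    {"name": "SQL ADMINS", "domain": "DUMPSTER.FIRE", "objectid": D + "-15001"},
    {"name": "OTHER GROUP", "domain": "OTHER.LOCAL", "objectid": D + "-2001"},
]

if __name__ == "__main__":
    print("numeric:", numeric_filter(GROUPS, "DUMPSTER.FIRE"))
    print("string: ", string_filter(GROUPS, "DUMPSTER.FIRE"))
```

On this sample the two filters differ only for the three-digit RID 498, which the string test keeps because it does not start with 5.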