User Delegation is not Identified

[m4lwhere]

I've noticed that the latest version of SharpHound (2.3.3) appears to not find delegation correctly for BHCE. I've gathered this with data within GOAD and noticed that some of the edges I've seen in the past are no longer there. I've validated that these permissions do exist in the domain still and were not removed from GOAD.

Specifically, I've noticed the AllowedToDelegate edge is missing from users, as well as the Unconstrained Delegation setting.

Additionally, I've been able to gather these edges from the latest version of BloodHound.py (bloodhound-ce branch) which properly shows the delegation.

The images below focus specifically on the user sansa.stark, the user jon.snow is missing the AllowedToDelegate edge as well.

SharpHound.exe (v2.3.3) Collection

The user sansa.stark is marked without Unconstrained Delegation

findDelegation.py Results

The user sansa.stark is labeled with Unconstrained Delegation

BloodHound.py Collection

The user sansa.stark is properly marked with Unconstrained Delegation

Is this a known issue or some other type of deployment issue? Are there any known workarounds for this issue?

I've attached copies of the data collection here as well. Please let me know if you need more data, screenshots, or samples - I would be happy to gather them! Thanks!

NORTH_20240410083414_BloodHound-2.3.3.zip

ce_branch_bloodhoundpy_north_20240411011008_bloodhound.zip

[rvazarkar]

What collection method was used to gather the info?

[m4lwhere]

This was collected with -c All and I was running it from WINTERFELL.NORTH.SEVENKINGDOMS.LOCAL using the hodor account via an RDP session. Windows Defender was disabled.

The full command used to gather this info is below:

.\SharpHound.exe -c All --outputprefix NORTH

[rvazarkar]

I just tested this in my own lab. Created a new user and marked it with unconstrained delegation and got the following results:

  "Properties": {
    "domain": "TESTLAB.LOCAL",
    "name": "UCTEST@TESTLAB.LOCAL",
    "distinguishedname": "CN=UCTEST,CN=USERS,DC=TESTLAB,DC=LOCAL",
    "domainsid": "S-1-5-21-318463681-1533741871-3192839656",
    "samaccountname": "uctest",
    "isaclprotected": false,
    "description": null,
    "whencreated": 1712910813,
    "sensitive": false,
    "dontreqpreauth": false,
    "passwordnotreqd": false,
    "unconstraineddelegation": true,
    "pwdneverexpires": true,
    "enabled": true,
    "trustedtoauth": false,
    "lastlogon": 0,
    "lastlogontimestamp": -1,
    "pwdlastset": 1712936013,
    "serviceprincipalnames": [
      "TEST/abc"
    ],
    "hasspn": true,
    "displayname": "UCTest",
    "email": null,
    "title": null,
    "homedirectory": null,
    "userpassword": null,
    "unixpassword": null,
    "unicodepassword": null,
    "sfupassword": null,
    "logonscript": null,
    "admincount": false,
    "sidhistory": []
  },

Ran with:
.\SharpHound.exe -c All --PrettyPrint --nozip

So I'm not sure whats going off the rails here, but at least the check for unconstrained delegation appears to be working fine on a binary built off main. Can you try building from source to see if you hit the same issue?

[m4lwhere]

I've built from source and had the same issue, here's a copy of the information generated if it helps. I used the same flags to run the command: .\SharpHound_local.exe -c All --outputprefix NORTH for this.

NORTH_localbuild_20240417031536_BloodHound.zip

Information gathered via local build of SharpHound.exe

 {
  "Properties": {
    "domain": "NORTH.SEVENKINGDOMS.LOCAL",
    "name": "SANSA.STARK@NORTH.SEVENKINGDOMS.LOCAL",
    "distinguishedname": "CN=SANSA.STARK,CN=USERS,DC=NORTH,DC=SEVENKINGDOMS,DC=LOCAL",
    "domainsid": "S-1-5-21-1252223512-2665318757-2669098637",
    "samaccountname": "sansa.stark",
    "isaclprotected": false,
    "description": "Sansa Stark",
    "whencreated": 0,
    "sensitive": false,
    "dontreqpreauth": false,
    "passwordnotreqd": false,
    "unconstraineddelegation": false,
    "pwdneverexpires": false,
    "enabled": true,
    "trustedtoauth": false,
    "lastlogon": -1,
    "lastlogontimestamp": -1,
    "pwdlastset": -1,
    "serviceprincipalnames": [
      "HTTP/eyrie.north.sevenkingdoms.local"
    ],
    "hasspn": true,
    "displayname": null,
    "email": null,
    "title": null,
    "homedirectory": null,
    "userpassword": null,
    "unixpassword": null,
    "unicodepassword": null,
    "sfupassword": null,
    "logonscript": null,
    "admincount": false,
    "sidhistory": []
  }

Sansa.stark is set with unconstrained delegation

What's strange is I know the Bloodhound.py (ce-branch) is gathering this information and I know the condition exists within the domain. I can try to cross reference between both projects to see how they both collect this information and come back, it might be a few weeks since I have a lot of other projects going on :)

[rvazarkar]

Are you collecting this in GOAD? I've got my own lab setup so can check with the new v2.5.6

[m4lwhere]

Correct, this is with GOAD, directly installed using the virtualbox provider and docker ansible provisioner. This was for the GOAD original lab as well