Description:
It is possible to add an Entra ID service principal (represented by the AZServicePrincipal node class in BloodHound) to a security group (AZGroup) that is assigned a directory role (AZRole) such as GROUPS ADMINISTRATOR, allowing that service principal to add members to groups. However, the function that creates AZAddMembers edges only checks role assignments for AZUser nodes, because it uses the UsersWithRole function instead of the PrincipalsWithRole function.
Are you intending to fix this bug?
Yes
Steps to Reproduce:
- Collect and ingest azurehound data from an Entra ID tenant that has a service principal and a user that are both members of a security group assigned the GROUPS ADMINISTRATOR directory role.
- Navigate to the Cypher tab in BloodHound, then execute:

```cypher
MATCH p = (:AZServicePrincipal)-[:AZAddMembers]->(:AZGroup)
RETURN p LIMIT 10
```

There will be no results. However, there are results for AZUser nodes that are members of groups assigned the GROUPS ADMINISTRATOR directory role:

```cypher
MATCH p = (:AZUser)-[:AZAddMembers]->(:AZGroup)
RETURN p LIMIT 10
```
Expected Behavior:
The AZAddMembers edge should be created from service principals in addition to users.
Actual Behavior:
Only user role assignments are evaluated.
Screenshots/Code Snippets/Sample Files:
- https://github.com/SpecterOps/BloodHound/blob/ef88e15e2044aeae048ef13df2216a55462e358b/packages/go/analysis/azure/post.go#L861C75-L861C79

BloodHound/packages/go/analysis/azure/post.go, line 884 in ef88e15:

```go
roleAssignments.UsersWithRole(AddMemberGroupNotRoleAssignableTargetRoles()...).Each(func(nextID uint64) bool {
```

BloodHound/packages/go/analysis/azure/role.go, line 146 in ef88e15:

```go
func (s RoleAssignments) UsersWithRole(roleTemplateIDs ...string) cardinality.Duplex[uint64] {
```
Environment Information:
BloodHound CE 8.1.0
Potential Solution (optional):
Swap UsersWithRole for PrincipalsWithRole. PR incoming.
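To make the difference between the two selections concrete, here is an added, simplified Go model of the scenario in this report (example code, not BloodHound's own types or functions). The Tenant type, its method names, the node IDs and the role template ID string are all constructed assumptions; only the node kinds and the role name come from the issue.

```go
package main

import "sort"

// Hypothetical, simplified model of the Entra data BloodHound reasons over;
// not BloodHound's own types. The role template ID is a constructed placeholder.
const groupsAdminRole = "PLACEHOLDER-GROUPS-ADMINISTRATOR-TEMPLATE-ID"

type Tenant struct {
	Kinds       map[uint64]string   // principal node ID -> "AZUser" or "AZServicePrincipal"
	GroupMember map[uint64][]uint64 // security group ID -> member principal IDs
	GroupRoles  map[uint64][]string // security group ID -> assigned role template IDs
}

// principalsWithRole returns every principal, of any kind, that holds the role via a
// group the role is assigned to (a principal in several such groups appears once per group).
func (t Tenant) principalsWithRole(role string) []uint64 {
	var out []uint64
	for g, roles := range t.GroupRoles {
		for _, r := range roles {
			if r == role {
				out = append(out, t.GroupMember[g]...)
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// usersWithRole mirrors the buggy selection: the same set filtered to AZUser nodes,
// so a service principal in the same group never becomes an AZAddMembers source.
func (t Tenant) usersWithRole(role string) []uint64 {
	out := []uint64{}
	for _, id := range t.principalsWithRole(role) {
		if t.Kinds[id] == "AZUser" {
			out = append(out, id)
		}
	}
	return out
}

// sampleTenant is constructed data matching the report: user 1 and service
// principal 2 are both members of group 100, which holds GROUPS ADMINISTRATOR.
func sampleTenant() Tenant {
	return Tenant{
		Kinds:       map[uint64]string{1: "AZUser", 2: "AZServicePrincipal"},
		GroupMember: map[uint64][]uint64{100: {1, 2}},
		GroupRoles:  map[uint64][]string{100: {groupsAdminRole}},
	}
}
```

With the sample data, usersWithRole yields only node 1 while principalsWithRole yields nodes 1 and 2, which is exactly the missing service-principal edge the Cypher queries above expose.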
Contributor Checklist:
- I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
- I have provided clear steps to reproduce the issue.
- I have included relevant environment information details.