SpecterOps · JonasBK · Jun 11, 2025 · Jun 20, 2025 · Jun 23, 2025 · Jun 23, 2025
diff --git a/cmd/api/src/database/migration/extensions/ad_graph_schema.sql b/cmd/api/src/database/migration/extensions/ad_graph_schema.sql
@@ -238,6 +238,8 @@ BEGIN
 	PERFORM genscript_upsert_kind('GPOAppliesTo');
 	PERFORM genscript_upsert_kind('CanApplyGPO');
 	PERFORM genscript_upsert_kind('HasTrustKeys');
+	PERFORM genscript_upsert_kind('WriteAltSecurityIdentities');
+	PERFORM genscript_upsert_kind('WritePublicInformation');
 	PERFORM genscript_upsert_kind('ProtectAdminGroups');
 
 	PERFORM genscript_upsert_schema_node_kind(extension_id, 'Base', 'Base', '', false, '', '');
@@ -342,6 +344,8 @@ BEGIN
 	PERFORM genscript_upsert_schema_relationship_kind(extension_id, 'GPOAppliesTo', '', true);
 	PERFORM genscript_upsert_schema_relationship_kind(extension_id, 'CanApplyGPO', '', true);
 	PERFORM genscript_upsert_schema_relationship_kind(extension_id, 'HasTrustKeys', '', true);
+	PERFORM genscript_upsert_schema_relationship_kind(extension_id, 'WriteAltSecurityIdentities', '', true);
+	PERFORM genscript_upsert_schema_relationship_kind(extension_id, 'WritePublicInformation', '', true);
 	PERFORM genscript_upsert_schema_relationship_kind(extension_id, 'ProtectAdminGroups', '', false);
 
 	PERFORM genscript_upsert_source_kind('Base');

diff --git a/cmd/api/src/test/integration/harnesses.go b/cmd/api/src/test/integration/harnesses.go
@@ -2252,6 +2252,7 @@ type ESC9aPrincipalHarness struct {
 	Group4       *graph.Node
 	Group5       *graph.Node
 	Group6       *graph.Node
+	Group7       *graph.Node
 	NTAuthStore  *graph.Node
 	RootCA       *graph.Node
 	User1        *graph.Node
@@ -2283,6 +2284,7 @@ func (s *ESC9aPrincipalHarness) Setup(graphTestContext *GraphTestContext) {
 	s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid)
 	s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid)
 	s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid)
+	s.Group7 = graphTestContext.NewActiveDirectoryGroup("Group7", domainSid)
 	s.NTAuthStore = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore", domainSid)
 	s.RootCA = graphTestContext.NewActiveDirectoryRootCA("RootCA", domainSid)
 	s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid)
@@ -2298,7 +2300,8 @@ func (s *ESC9aPrincipalHarness) Setup(graphTestContext *GraphTestContext) {
 	graphTestContext.NewRelationship(s.Group6, s.User1, ad.AllExtendedRights)
 	graphTestContext.NewRelationship(s.Group3, s.User1, ad.WriteDACL)
 	graphTestContext.NewRelationship(s.Group4, s.User1, ad.WriteOwner)
-	graphTestContext.NewRelationship(s.Group5, s.User1, ad.WriteOwner)
+	graphTestContext.NewRelationship(s.Group5, s.User1, ad.Owns)
+	graphTestContext.NewRelationship(s.Group6, s.User1, ad.WritePublicInformation)
 	graphTestContext.NewRelationship(s.User2, s.User2, ad.GenericAll)
 	graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf)
 	graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf)
@@ -3792,10 +3795,11 @@ type ESC10aPrincipalHarness struct {
 	User1        *graph.Node
 	Group1       *graph.Node
 	Group2       *graph.Node
-	Group6       *graph.Node
 	Group3       *graph.Node
 	Group4       *graph.Node
 	Group5       *graph.Node
+	Group6       *graph.Node
+	Group7       *graph.Node
 	User2        *graph.Node
 	Group0       *graph.Node
 }
@@ -3822,10 +3826,11 @@ func (s *ESC10aPrincipalHarness) Setup(graphTestContext *GraphTestContext) {
 	s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid)
 	s.Group1 = graphTestContext.NewActiveDirectoryGroup("Group1", domainSid)
 	s.Group2 = graphTestContext.NewActiveDirectoryGroup("Group2", domainSid)
-	s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid)
 	s.Group3 = graphTestContext.NewActiveDirectoryGroup("Group3", domainSid)
 	s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid)
 	s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid)
+	s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid)
+	s.Group7 = graphTestContext.NewActiveDirectoryGroup("Group7", domainSid)
 	s.User2 = graphTestContext.NewActiveDirectoryUser("User2", domainSid)
 	s.Group0 = graphTestContext.NewActiveDirectoryGroup("Group0", domainSid)
 	graphTestContext.NewRelationship(s.RootCA, s.Domain, ad.RootCAFor)
@@ -3839,7 +3844,8 @@ func (s *ESC10aPrincipalHarness) Setup(graphTestContext *GraphTestContext) {
 	graphTestContext.NewRelationship(s.Group6, s.User1, ad.AllExtendedRights)
 	graphTestContext.NewRelationship(s.Group3, s.User1, ad.WriteDACL)
 	graphTestContext.NewRelationship(s.Group4, s.User1, ad.WriteOwner)
-	graphTestContext.NewRelationship(s.Group5, s.User1, ad.WriteOwner)
+	graphTestContext.NewRelationship(s.Group5, s.User1, ad.Owns)
+	graphTestContext.NewRelationship(s.Group6, s.User1, ad.WritePublicInformation)
 	graphTestContext.NewRelationship(s.User2, s.User2, ad.GenericAll)
 	graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf)
 	graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf)

diff --git a/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.json b/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.json
@@ -189,10 +189,10 @@
     {
       "id": "n9",
       "position": {
-        "x": 482.94623164792375,
-        "y": 657.1984889145978
+        "x": 654.085839099432,
+        "y": 633.957307655751
       },
-      "caption": "Group6",
+      "caption": "Group7",
       "labels": [],
       "properties": {},
       "style": {
@@ -264,6 +264,19 @@
       "style": {
         "node-color": "#fcdc00"
       }
+    },
+    {
+      "id": "n15",
+      "position": {
+        "x": 495.7801848291077,
+        "y": 652.6385696871592
+      },
+      "caption": "Group6",
+      "style": {
+        "node-color": "#fcdc00"
+      },
+      "labels": [],
+      "properties": {}
     }
   ],
   "relationships": [
@@ -408,11 +421,11 @@
     },
     {
       "id": "n16",
-      "fromId": "n12",
-      "toId": "n6",
-      "type": "WriteOwner",
+      "type": "Owns",
+      "style": {},
       "properties": {},
-      "style": {}
+      "fromId": "n12",
+      "toId": "n6"
     },
     {
       "id": "n17",
@@ -461,6 +474,22 @@
       "type": "Enroll",
       "properties": {},
       "style": {}
+    },
+    {
+      "id": "n23",
+      "type": "ADCSESC10a",
+      "fromId": "n15",
+      "toId": "n0",
+      "style": {},
+      "properties": {}
+    },
+    {
+      "id": "n24",
+      "type": "Owns",
+      "fromId": "n15",
+      "toId": "n6",
+      "style": {},
+      "properties": {}
     }
   ]
 }
diff --git a/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.svg b/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.svg
diff --git a/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json
@@ -190,10 +190,10 @@
     {
       "id": "n9",
       "position": {
-        "x": 482.94623164792375,
-        "y": 657.1984889145978
+        "x": 660.4243430791171,
+        "y": 636.7404784228806
       },
-      "caption": "Group6",
+      "caption": "Group7",
       "labels": [],
       "properties": {},
       "style": {
@@ -265,6 +265,19 @@
       "style": {
         "node-color": "#fcdc00"
       }
+    },
+    {
+      "id": "n15",
+      "position": {
+        "x": 463.0761473193729,
+        "y": 665.7935615621888
+      },
+      "caption": "Group6",
+      "style": {
+        "node-color": "#fcdc00"
+      },
+      "labels": [],
+      "properties": {}
     }
   ],
   "relationships": [
@@ -409,11 +422,11 @@
     },
     {
       "id": "n16",
-      "fromId": "n12",
-      "toId": "n6",
-      "type": "WriteOwner",
+      "type": "Owns",
+      "style": {},
       "properties": {},
-      "style": {}
+      "fromId": "n12",
+      "toId": "n6"
     },
     {
       "id": "n17",
@@ -462,6 +475,22 @@
       "type": "Enroll",
       "properties": {},
       "style": {}
+    },
+    {
+      "id": "n23",
+      "type": "ADCSESC9a",
+      "fromId": "n15",
+      "toId": "n0",
+      "style": {},
+      "properties": {}
+    },
+    {
+      "id": "n24",
+      "type": "WritePublicInformation",
+      "style": {},
+      "properties": {},
+      "fromId": "n15",
+      "toId": "n6"
     }
   ]
 }
diff --git a/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.svg b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.svg
diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue
@@ -1720,6 +1720,16 @@ CanApplyGPO: types.#Kind & {
 	schema: "active_directory"
 }
 
+WriteAltSecurityIdentities: types.#Kind & {
+	symbol: "WriteAltSecurityIdentities"
+	schema: "active_directory"
+}
+
+WritePublicInformation: types.#Kind & {
+	symbol: "WritePublicInformation"
+	schema: "active_directory"
+}
+
 // Relationship Kinds
 RelationshipKinds: [
 	Owns,
@@ -1807,6 +1817,8 @@ RelationshipKinds: [
 	GPOAppliesTo,
 	CanApplyGPO,
 	HasTrustKeys,
+	WriteAltSecurityIdentities,
+	WritePublicInformation,
 	ProtectAdminGroups,
 ]
 
@@ -1840,6 +1852,8 @@ ACLRelationships: [
 	WritePKINameFlag,
 	WriteOwnerLimitedRights,
 	OwnsLimitedRights,
+	WriteAltSecurityIdentities,
+	WritePublicInformation,
 ]
 
 IngestACLRelationships: [for r in ACLRelationships if !list.Contains(AllPostProcessedRelationships, r) {r}],
@@ -1901,6 +1915,8 @@ SharedRelationshipKinds: [
 	GPOAppliesTo,
 	CanApplyGPO,
 	HasTrustKeys,
+	WriteAltSecurityIdentities,
+	WritePublicInformation,
 	ManageCA,
 	ManageCertificates,
 ]

diff --git a/packages/go/analysis/ad/adcs_integration_test.go b/packages/go/analysis/ad/adcs_integration_test.go
@@ -1761,13 +1761,14 @@ func TestADCSESC10a(t *testing.T) {
 				})); err != nil {
 					t.Fatalf("error fetching esc10a edges in integration test; %v", err)
 				} else {
-					require.Equal(t, 6, len(results))
+					require.Equal(t, 7, len(results))
 
 					require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group1))
 					require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group2))
 					require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group3))
 					require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group4))
 					require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group5))
+					require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group6))
 					require.True(t, results.Contains(harness.ESC10aPrincipalHarness.User2))
 
 				}

diff --git a/packages/go/analysis/ad/queries.go b/packages/go/analysis/ad/queries.go
@@ -1871,13 +1871,17 @@ func FetchAttackersForEscalations9and10(tx graph.Transaction, victimBitmap cardi
 	if attackers, err := ops.FetchStartNodeIDs(tx.Relationships().Filterf(func() graph.Criteria {
 		criteria := query.And(
 			query.KindIn(query.Start(), ad.Group, ad.User, ad.Computer),
-			query.KindIn(query.Relationship(), ad.GenericAll, ad.GenericWrite, ad.Owns, ad.WriteOwner, ad.WriteDACL),
 			query.InIDs(query.EndID(), graph.DuplexToGraphIDs(victimBitmap)...),
 		)
 		if scenarioB {
-			return query.And(criteria, query.KindIn(query.End(), ad.Computer))
+			return query.And(criteria,
+				query.KindIn(query.End(), ad.Computer),
+				query.KindIn(query.Relationship(), ad.GenericAll, ad.GenericWrite, ad.Owns, ad.WriteOwner, ad.WriteDACL),
+			)
+		} else {
+			return query.And(criteria,
+				query.KindIn(query.Relationship(), ad.GenericAll, ad.GenericWrite, ad.Owns, ad.WriteOwner, ad.WriteDACL, ad.WritePublicInformation))
 		}
-		return criteria
 	})); err != nil {
 		return nil, err
 	} else {