ADCS ESC14 Scenario A coverage
Description
This PR adds support for ADCS ESC14 Scenario A attack paths by introducing new edge types and enhancing existing ones.
Motivation and Context
Resolves BED-6155
See above ticket for details.
Depends on this SharpHoundCommon PR: https://github.com/SpecterOps/SharpHoundCommon/pull/235
How Has This Been Tested?
Locally with this dataset: 20250611101235_BloodHound.zip
Screenshots (optional):
Types of changes
- New feature (non-breaking change which adds functionality)
Checklist:
- [x] I have met the contributing prerequisites
  - Assigned myself to this PR
  - Added the appropriate labels
  - Associated an issue: https://github.com/SpecterOps/BloodHound/issues/672
  - Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
- [x] I have ensured that related documentation is up-to-date
  - Open API docs
  - Code comments (GoDocs / JSDocs)
- [x] I have followed proper test practices
  - Added/updated tests to cover my changes
  - All new and existing tests passed
Summary by CodeRabbit
- New Features
  - Added two AD relationship types (WriteAltSecurityIdentities, WritePublicInformation) with UI display, pathfinding, and edge info.
  - Added ADCS ESC14 Scenario A help content with Linux and Windows guidance.
- Bug Fixes
  - Updated integration test harnesses and tests to reflect new group/node relationships and expected results.
- Documentation
  - Added extensive help texts, references, and guidance across relevant UI components.
Walkthrough
Adds two AD relationship kinds (WriteAltSecurityIdentities, WritePublicInformation) across schema, analysis, tests, and UI; updates integration harnesses/expected results; and introduces multiple new help-text React components and references for ADCS ESC14 scenario coverage.
Changes
| Cohort / File(s) | Change Summary |
|---|---|
| **Backend: AD schema (Go & CUE)**<br>`packages/cue/bh/ad/ad.cue`, `packages/go/graphschema/ad/ad.go`, `packages/go/graphschema/common/common.go` | Introduced WriteAltSecurityIdentities and WritePublicInformation kinds and added them to Relationship/ACL/Pathfinding/Inbound/Outbound lists and enums. |
| **Backend: AD analysis query**<br>`packages/go/analysis/ad/queries.go` | Updated FetchAttackersForEscalations9and10 to apply WritePublicInformation conditionally (moved relationship-kind filtering into scenarioB conditional). |
| **Integration tests & harness code**<br>`cmd/api/src/analysis/ad/adcs_integration_test.go`, `cmd/api/src/test/integration/harnesses.go` | Added Group7 to ESC9a/ESC10a harness structs/setups; changed relationships (Group5 -> User1 from WriteOwner to Owns; added Group6 -> User1 WritePublicInformation); adjusted test expectations (counts from 6→7, added Group6 check). |
| **Integration test harness JSON**<br>`cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json`, `.../esc10aprincipalharness.json` | Added new node for Group6, renamed/moved existing Group6→Group7, updated relationship types/ordering, and added new ADCS/Owns/WritePublicInformation relationships. |
| **Frontend: ADCS ESC14 help components**<br>`packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/*`, `.../AdcsEsc14ScenarioA/index.ts` | Added AdcsEsc14ScenarioALinux, AdcsEsc14ScenarioAWindows, and AltSecIdenitiesBlurb components and index export. |
| **Frontend: WriteAltSecurityIdentities help texts**<br>`packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/*` | New components: General, LinuxAbuse, WindowsAbuse, Opsec, References, and aggregator WriteAltSecurityIdentities. |
| **Frontend: WritePublicInformation help texts**<br>`packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/*` | New components: General, LinuxAbuse, WindowsAbuse, Opsec, References, and aggregator WritePublicInformation. |
| **Frontend: Integrations & references**<br>`packages/javascript/bh-shared-ui/src/components/HelpTexts/*` (GenericAll, GenericWrite, GenericWrite/References, WriteDacl, WriteOwner, Owns, Owns/References, etc.) | Injected ADCS ESC14 components/blurbs into multiple abuse flows (Linux/Windows) and appended ESC14 reference links in several References components. |
| **Frontend: Registration & enums**<br>`packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx`, `packages/javascript/bh-shared-ui/src/edgeTypes.tsx`, `packages/javascript/bh-shared-ui/src/graphSchema.ts` | Registered new edge help entries, added WriteAltSecurityIdentities and WritePublicInformation to edge type lists, enum, display mapping, and pathfinding arrays. |
Sequence Diagram(s)
```mermaid
sequenceDiagram
    %% Styling: subtle rects to highlight new/changed steps
    participant User
    participant UI
    participant Backend
    participant GraphSchema
    User->>UI: Request edge help (e.g. WriteAltSecurityIdentities)
    UI->>Backend: fetch edge metadata & scenario content
    Backend->>GraphSchema: resolve relationship kind (includes new kinds)
    GraphSchema-->>Backend: return kind metadata
    Backend-->>UI: return aggregated help + analysis results
    UI->>UI: render help text, abuse scenarios, references (ADCS ESC14 components)
    UI-->>User: display enriched help content
```
Estimated code review effort
🎯 4 (Complex) | ⏱️ ~45 minutes
Possibly related PRs
- SpecterOps/BloodHound#1817 — also modifies Inbound/Outbound relationship-kind lists in `packages/go/graphschema/common/common.go`.
- SpecterOps/BloodHound#1627 — related changes to AD analysis and schema files (`packages/go/analysis/ad/queries.go`, `packages/go/graphschema/ad/ad.go`).
Suggested reviewers
- mvlipka
- wes-mil
- jvacca-specterops
Poem
"I am a rabbit, nibbling code so neat,
Two new edges hop in on eager feet.
Tests grew a group, the UI learned a tune,
Schemas and help texts bloom like spring in June.
🐇📜 Hooray for paths and docs—now off for a carrot!"
Pre-merge checks and finishing touches
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title succinctly and accurately reflects the primary enhancement—adding coverage for ADCS ESC14 Scenario A—using clear, domain-specific terminology without extraneous details, making the main change immediately apparent to reviewers. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |
| Description Check | ✅ Passed | The pull request description adheres closely to the repository’s required template by providing a clear Description, linking to the associated ticket under Motivation and Context, outlining testing procedures, including a screenshot, specifying the type of change, and completing the checklist. The “Resolves BED-6155” line correctly replaces the placeholder, and the inclusion of the SharpHoundCommon dependency is helpful. The only minor gap is a brief explanation of the specific problem being solved under Motivation and Context, as it currently defers to the ticket for details. |