SpecterOps · neumachen · Apr 23, 2025 · Apr 15, 2025 · Apr 15, 2025 · Apr 16, 2025
diff --git a/cmd/api/src/config/default.go b/cmd/api/src/config/default.go
@@ -43,6 +43,7 @@ func NewDefaultConfiguration() (Configuration, error) {
 			WorkDir:                      "/opt/bhe/work",
 			LogLevel:                     "INFO",
 			CollectorsBasePath:           "/etc/bloodhound/collectors",
+			CollectorsBucketURL:          serde.MustParseURL("https://bhe-hound-artifacts.s3.amazonaws.com/"),
 			DatapipeInterval:             60,
 			EnableStartupWaitPeriod:      true,
 			EnableAPILogging:             true,

diff --git a/cmd/api/src/database/migration/migrations/schema.sql b/cmd/api/src/database/migration/migrations/schema.sql
@@ -655,7 +655,7 @@ INSERT INTO feature_flags (key, name, description, enabled, user_updatable, crea
     'dark_mode', 
     'Dark Mode', 
     'Allows users to enable or disable dark mode via a toggle in the settings menu', 
-    false, true, current_timestamp, current_timestamp
+    true, false, current_timestamp, current_timestamp
 ), ( 
     'pg_migration_dual_ingest', 
     'PostgreSQL Migration Dual Ingest', 

diff --git a/cmd/api/src/database/migration/migrations/v7.3.0.sql b/cmd/api/src/database/migration/migrations/v7.3.0.sql
@@ -107,3 +107,6 @@ CREATE TABLE IF NOT EXISTS asset_group_tag_selector_seeds
 ALTER TABLE IF EXISTS file_upload_jobs RENAME TO ingest_jobs;
 ALTER TABLE ingest_tasks ADD COLUMN IF NOT EXISTS is_generic BOOLEAN NOT NULL DEFAULT FALSE;
 
+-- GA for ntlm post processing
+UPDATE feature_flags SET user_updatable = false WHERE key = 'ntlm_post_processing';
+UPDATE feature_flags SET enabled = true WHERE key = 'ntlm_post_processing';
diff --git a/cmd/api/src/go.mod b/cmd/api/src/go.mod
@@ -29,6 +29,7 @@ require (
 	github.com/gobeam/stringy v0.0.6
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/golang-jwt/jwt/v4 v4.5.2
+	github.com/google/go-cmp v0.6.0
 	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/schema v1.4.1
@@ -40,7 +41,7 @@ require (
 	github.com/prometheus/client_golang v1.16.0
 	github.com/russellhaering/goxmldsig v1.4.0
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	github.com/teambition/rrule-go v1.8.2
 	github.com/ulule/limiter/v3 v3.11.2
 	github.com/unrolled/secure v1.13.0

diff --git a/cmd/api/src/migrations/manifest.go b/cmd/api/src/migrations/manifest.go
@@ -51,7 +51,7 @@ func RequiresMigration(ctx context.Context, db graph.Database) (bool, error) {
 func Version_730_Migration(ctx context.Context, db graph.Database) error {
 	const adminRightsCount = "adminrightscount"
 
-	defer measure.LogAndMeasure(slog.LevelInfo, "Migration to remove admin_rights_count property from user nodes")
+	defer measure.LogAndMeasure(slog.LevelInfo, "Migration to remove admin_rights_count property from user nodes and smbsigning from computer nodes")
 
 	return db.WriteTransaction(ctx, func(tx graph.Transaction) error {
 		// MATCH(n:User) WHERE n.adminrightscount <> null
@@ -69,6 +69,21 @@ func Version_730_Migration(ctx context.Context, db graph.Database) error {
 					return err
 				}
 			}
+		}
+
+		if nodes, err := ops.FetchNodes(tx.Nodes().Filter(query.And(
+			query.Kind(query.Node(), ad.Computer),
+			query.IsNotNull(query.NodeProperty(ad.SMBSigning.String())),
+			query.Equals(query.NodeProperty(ad.SMBSigning.String()), false),
+		))); err != nil {
+			return err
+		} else {
+			for _, node := range nodes {
+				node.Properties.Delete(ad.SMBSigning.String())
+				if err := tx.UpdateNode(node); err != nil {
+					return err
+				}
+			}
 
 			return nil
 		}

diff --git a/cmd/api/src/migrations/migrations_test.go b/cmd/api/src/migrations/migrations_test.go
@@ -0,0 +1,66 @@
+// Copyright 2025 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package migrations_test
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/specterops/bloodhound/dawgs/graph"
+	"github.com/specterops/bloodhound/dawgs/ops"
+	"github.com/specterops/bloodhound/dawgs/query"
+	"github.com/specterops/bloodhound/graphschema"
+	"github.com/specterops/bloodhound/graphschema/ad"
+	"github.com/specterops/bloodhound/src/migrations"
+	"github.com/specterops/bloodhound/src/test/integration"
+	"github.com/stretchr/testify/require"
+)
+
+func TestVersion_730_Migration(t *testing.T) {
+	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
+
+	t.Run("Migration_v730 Success", func(t *testing.T) {
+		testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
+			harness.Version730_Migration.Setup(testContext)
+			return nil
+		}, func(harness integration.HarnessDetails, db graph.Database) {
+			err := migrations.Version_730_Migration(context.Background(), db)
+			require.Nil(t, err)
+
+			db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
+				computers, err := ops.FetchNodes(tx.Nodes().Filter(query.Kind(query.Node(), ad.Computer)))
+
+				require.Nil(t, err)
+
+				for _, computer := range computers {
+					if computer.ID == harness.Version730_Migration.Computer1.ID {
+						smbSigning, err := computer.Properties.Get(ad.SMBSigning.String()).Bool()
+						require.Nil(t, err)
+						require.True(t, smbSigning)
+					} else {
+						_, err := computer.Properties.Get(ad.SMBSigning.String()).Bool()
+						require.Error(t, err)
+						require.True(t, errors.Is(err, graph.ErrPropertyNotFound))
+					}
+				}
+
+				return nil
+			})
+		})
+	})
+}
diff --git a/cmd/api/src/test/integration/harnesses.go b/cmd/api/src/test/integration/harnesses.go
@@ -9752,6 +9752,23 @@ func (s *CoerceAndRelayNTLMToLDAPSSelfRelay) Setup(graphTestContext *GraphTestCo
 	graphTestContext.NewRelationship(s.Computer1, s.Domain1, ad.DCFor)
 }
 
+type Version730_Migration_Harness struct {
+	Computer1 *graph.Node
+	Computer2 *graph.Node
+}
+
+func (s *Version730_Migration_Harness) Setup(graphTestContext *GraphTestContext) {
+	domain1Sid := RandomDomainSID()
+
+	s.Computer1 = graphTestContext.NewActiveDirectoryComputer("Computer1", domain1Sid)
+	s.Computer1.Properties.Set(ad.SMBSigning.String(), true)
+	graphTestContext.UpdateNode(s.Computer1)
+
+	s.Computer2 = graphTestContext.NewActiveDirectoryComputer("Computer2", domain1Sid)
+	s.Computer2.Properties.Set(ad.SMBSigning.String(), false)
+	graphTestContext.UpdateNode(s.Computer1)
+}
+
 type HarnessDetails struct {
 	RDP                                             RDPHarness
 	RDPB                                            RDPHarness2
@@ -9860,4 +9877,5 @@ type HarnessDetails struct {
 	NTLMCoerceAndRelayToLDAPSSelfRelay              CoerceAndRelayNTLMToLDAPSSelfRelay
 	NTLMCoerceAndRelayNTLMToSMBSelfRelay            CoerceAndRelayNTLMToSMBSelfRelay
 	OwnsWriteOwnerPriorCollectorVersions            OwnsWriteOwnerPriorCollectorVersions
+	Version730_Migration                            Version730_Migration_Harness
 }