BloodHoundAD / BloodHound

Six Degrees of Domain Admin


False positive edges with disabled GPO

federicodotta opened this issue · comments

Describe the bug
On a domain I found many wrong arcs that, once actively verified, turned out to be false positives. I looked at the source of those arcs and it was a GPO with flag 2 ("Flags=2; the computer configuration portion of GPO is disabled", from Microsoft). The reason for these false positives is that BloodHound should not add those arcs, because they relate to the computer configuration of a policy with Flag 2.

Expected behavior
Do not add arcs related to the computer configuration when the GPO flag is 2 ("Flags=2; the computer configuration portion of GPO is disabled") or 3 ("Flags=3; the GPO is disabled"), and do not add arcs related to the user configuration when the GPO flag is 1 ("Flags=1; the user configuration portion of the GPO is disabled") or 3 ("Flags=3; the GPO is disabled").

Thank you for your help and for your great tool!
Federico
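The filter described in the expected behavior above, written out as an added example; this is not SharpHound or SharpHoundCommon code. It models a GPO-derived edge as carrying the GPO it came from and which half of the GPO (computer or user configuration) produced it, then drops edges whose half is disabled according to the flags values quoted in the issue (1 = user configuration disabled, 2 = computer configuration disabled, 3 = both). The GPO GUIDs, principal and host names, the `HypotheticalUserEdge` kind and the `Section` field are all constructed for the example; the real collector decides the section from the setting type it parsed.

```python
"""Model of the GPO-flag edge filter requested in this issue.

Added example, not SharpHound/SharpHoundCommon code.  Flags values follow
the issue text: 0 = fully enabled, 1 = user configuration disabled,
2 = computer configuration disabled, 3 = whole GPO disabled.  All edge
records and GUIDs below are constructed sample data."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List

USER_CONFIG_DISABLED = 0x1      # bit set when Flags is 1 or 3
COMPUTER_CONFIG_DISABLED = 0x2  # bit set when Flags is 2 or 3


class Section(Enum):
    COMPUTER = "computer"  # e.g. local group membership pushed by the GPO
    USER = "user"


@dataclass(frozen=True)
class GpoEdge:
    source: str       # principal the GPO grants the right to
    target: str       # computer the GPO applies to
    kind: str         # BloodHound edge type, e.g. AdminTo
    gpo: str          # GPO GUID the setting came from (constructed)
    section: Section  # which half of the GPO carries the setting (assumed)


def section_enabled(flags: int, section: Section) -> bool:
    """True if the given half of a GPO is still applied for this flags value."""
    if section is Section.COMPUTER:
        return not flags & COMPUTER_CONFIG_DISABLED
    return not flags & USER_CONFIG_DISABLED


def filter_gpo_edges(edges: Iterable[GpoEdge],
                     gpo_flags: Dict[str, int]) -> List[GpoEdge]:
    """Drop edges whose originating GPO section is disabled.

    A GPO missing from gpo_flags is treated as fully enabled (flags 0),
    i.e. the pre-fix behaviour, so unknown GPOs are never silently dropped."""
    kept = []
    for edge in edges:
        flags = gpo_flags.get(edge.gpo, 0)
        if section_enabled(flags, edge.section):
            kept.append(edge)
    return kept


# Constructed sample: GPO-A has its computer configuration disabled,
# GPO-B is fully enabled, GPO-C has its user configuration disabled.
SAMPLE_FLAGS = {"{GPO-A}": 2, "{GPO-B}": 0, "{GPO-C}": 1}
SAMPLE_EDGES = [
    GpoEdge("fede@CORP", "SRV01.CORP", "AdminTo", "{GPO-A}", Section.COMPUTER),
    GpoEdge("helpdesk@CORP", "SRV02.CORP", "CanRDP", "{GPO-B}", Section.COMPUTER),
    GpoEdge("fede@CORP", "WS03.CORP", "HypotheticalUserEdge", "{GPO-C}", Section.USER),
]


def kept_edge_summaries() -> List[str]:
    """Return 'source->target (kind)' for every edge that survives the filter."""
    return [f"{e.source}->{e.target} ({e.kind})"
            for e in filter_gpo_edges(SAMPLE_EDGES, SAMPLE_FLAGS)]


if __name__ == "__main__":
    for line in kept_edge_summaries():
        print(line)
```

With the sample data only the GPO-B edge survives: the AdminTo edge from GPO-A is exactly the kind of arc the reporter found to be a false positive, since the computer configuration that would have applied it is disabled. Treating a GPO with no known flags value as enabled keeps the filter conservative: it can only remove edges it has positive evidence for.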

Hi!

If a GPO has this flag, but you have control over the GPO, then you could modify the flag. So the attack path would still be valid I guess. Let me know if I'm mistaken.

BR Jonas

Hi!

If you have control over GPO yes, but this wasn't my situation. I think that it is a different scenario.

I had an arc from a user to a server created by a GPO with flag 2. I owned that user and I tried to gain control over that server using this arc, without success because of flag 2. I owned that user, but the user itself had no privileges over the GPO, only theoretically over the server, based on the arc.

If such a user had control over the GPO it should have a different arc to that GPO and different attack paths, but I think that is a different scenario.

I hope I explained my situation clearly.

Thank you for your help!

Federico

Right - now I get what you mean. You are absolutely right. We should check that.

I have created a new issue here as the change should be implemented in SharpHoundCommon: BloodHoundAD/SharpHoundCommon#85

Thanks for reporting it! :)

Perfect! Thanks @JonasBK!