False positive edges with disabled GPO #699
Describe the bug
On a domain I found many wrong arcs that, once verified actively, were false positives. I looked at the sources of those arcs and it was a GPO with flag 2 ("Flags=2; the computer configuration portion of GPO is disabled", from Microsoft). The reason for these false positives was that BloodHound should not add those arcs because they related to computer configuration on a policy with Flag 2.
Expected behavior
Do not add arcs related to computer configuration when GPO flag is 2 ("Flags=2; the computer configuration portion of GPO is disabled") or 3 ("Flags=3; the GPO is disabled") and do not add arcs related to user configuration when GPO flag is 1 ("Flags=1; the user configuration portion of the GPO is disabled") or 3 ("Flags=3; the GPO is disabled").
Thank you for your help and for your great tool!
Federico
Comments
Hi! If a GPO has this flag, but you have control over the GPO, then you could modify the flag. So the attack path would still be valid I guess. Let me know if I'm mistaken. BR Jonas
Hi! If you have control over the GPO, yes, but this wasn't my situation. I think that it is a different scenario. I had an arc from a user to a server created by a GPO, with flag 2. I owned that user and I tried to gain control over that server using this arc without success because of the flag 2. I owned that user but the user itself had no privileges over the GPO, only theoretically on the server, based on the arc. If such a user had control over the GPO it should have a different arc over that GPO and different attack paths, but I think that it is a different scenario. I hope I explained my situation clearly. Thank you for your help! Federico
Right - now I get what you mean. You are absolutely right. We should check that. I have created a new issue here as the change should be implemented in SharpHoundCommon: SpecterOps/SharpHoundCommon#85 Thanks for reporting it! :)
Perfect! Thanks @JonasBK!
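As an added example (not SharpHound or BloodHound code), the filtering rule described under "Expected behavior" applied to constructed edge records: the edge dict fields, principal names and GPO names are assumptions made for the illustration, and the bit values follow the Flags=1/2/3 semantics quoted in the report.

```python
from typing import Dict, List

# gPCFlags bit values as quoted in the report
USER_CONFIG_DISABLED = 0x1      # Flags=1: user configuration portion disabled
COMPUTER_CONFIG_DISABLED = 0x2  # Flags=2: computer configuration portion disabled
# Flags=3 sets both bits: the whole GPO is disabled


def section_enabled(gpc_flags: int, section: str) -> bool:
    """True if the GPO section ('user' or 'computer') is actually applied."""
    if section == "user":
        return not (gpc_flags & USER_CONFIG_DISABLED)
    if section == "computer":
        return not (gpc_flags & COMPUTER_CONFIG_DISABLED)
    raise ValueError(f"unknown GPO section: {section!r}")


def filter_gpo_edges(edges: List[Dict]) -> List[Dict]:
    """Drop edges whose originating GPO section is disabled by gPCFlags.

    Each edge is a dict (assumed layout): source, target, gpo,
    section ('user' | 'computer') and flags (the GPO's gPCFlags value).
    """
    return [e for e in edges if section_enabled(e["flags"], e["section"])]


# Constructed sample edges, not real domain data
SAMPLE_EDGES = [
    # the false positive from the report: computer-side edge from a GPO with Flags=2
    {"source": "alice", "target": "SRV01", "gpo": "GPO-A", "section": "computer", "flags": 2},
    # the user-side edge from the same GPO is still valid
    {"source": "alice", "target": "SRV01", "gpo": "GPO-A", "section": "user", "flags": 2},
    # Flags=3: fully disabled GPO, nothing should be emitted
    {"source": "bob", "target": "SRV02", "gpo": "GPO-B", "section": "computer", "flags": 3},
    {"source": "bob", "target": "SRV02", "gpo": "GPO-B", "section": "user", "flags": 3},
    # Flags=1: user portion disabled, computer portion still applies
    {"source": "carol", "target": "WS01", "gpo": "GPO-C", "section": "user", "flags": 1},
    {"source": "carol", "target": "WS01", "gpo": "GPO-C", "section": "computer", "flags": 1},
    # Flags=0: both portions enabled
    {"source": "dave", "target": "WS02", "gpo": "GPO-D", "section": "computer", "flags": 0},
]

if __name__ == "__main__":
    for e in filter_gpo_edges(SAMPLE_EDGES):
        print(f"{e['source']} -> {e['target']} via {e['gpo']} ({e['section']})")
```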