BloodHoundAD / SharpHound2

The Old BloodHound C# Ingestor (Deprecated)

Sharphound denial of service due to inefficient LDAP query in LocalGroupHelpers.cs #76

Open BitzerMaloney opened 5 years ago

BitzerMaloney commented 5 years ago

https://github.com/BloodHoundAD/SharpHound/blob/master/Sharphound2/Enumeration/LocalGroupHelpers.cs#L748 in a small AD environment will not produce a noticeable impact, but in larger enterprise environments this will generate hugely inefficient LDAP queries that will consume CPU resources and ultimately result in a denial of service on the target server. A better method would be to utilise GPMgmt.GPM (RSAT GPMC tools) which will provide near instant results. I do not have a C# example for you as I am not a C# coder. But I have a PowerShell example.

```powershell
$GPOGUID = "11111111-2222-3333-4444-555555555555"   # GUID of the GPO to look up
$gpm = New-Object -ComObject GPMgmt.GPM               # GPMC COM object (needs RSAT GPMC)
$constants = $gpm.GetConstants()
$GPODomain = $gpm.GetDomain($env:USERDNSDOMAIN,$null,$constants.UsePDC)
# Resolve the GPO object from its GUID
$gpmSearchCriteria = $gpm.CreateSearchCriteria()
$gpmSearchCriteria.Add($constants.SearchPropertyGPOID,$constants.SearchOpEquals,"{$($GPOGUID)}")
$GPO = $GPODomain.SearchGPOs($gpmSearchCriteria) | Select-Object -First 1
# Ask the domain for every SOM (domain / OU) that links this GPO
$gpmSearchCriteria = $gpm.CreateSearchCriteria()
$gpmSearchCriteria.Add($constants.SearchPropertySOMLinks,$constants.SearchOpContains,$GPO)
$somlist = $GPODomain.SearchSOMs($gpmSearchCriteria)
$somlist
```

Below is a side-by-side of the difference between the two methods in a test environment. GPMgmt.GPM vs. LDAP is almost 100x quicker. In larger environments the time taken and impact from the inefficient LDAP query will be exponentially worse.

[Image: somlist-vs-ldap]
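To make the comparison reproducible, here is an added example (not from the issue author and not SharpHound's own code) that wraps both lookups in functions and times them with Measure-Command. The LDAP branch assumes the shape of the query the issue objects to, a substring match on gPLink; the exact filter in LocalGroupHelpers.cs is not shown on this page. The GPM branch is the COM approach from the comment above. It assumes a domain-joined host where $env:USERDNSDOMAIN is set and RSAT GPMC is installed; the GUID is a placeholder.

```powershell
# Added example: two ways to answer "which SOMs link this GPO?", timed side by side.
# Not part of the original issue or of the SharpHound code base.

function Get-GpoLinksViaLdap {
    param([Parameter(Mandatory)][string]$GpoGuid)
    # gPLink values look like "[LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;0]".
    # A filter with a wildcard on both sides of the value cannot be served from an
    # index, so the DC has to evaluate it against every object in the search scope.
    # (Filter shape is an assumption about the query the issue refers to.)
    $searcher = [adsisearcher]"(gPLink=*{$GpoGuid}*)"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['distinguishedname'][0]
    }
}

function Get-GpoLinksViaGpm {
    param([Parameter(Mandatory)][string]$GpoGuid)
    $gpm       = New-Object -ComObject GPMgmt.GPM        # requires RSAT GPMC
    $constants = $gpm.GetConstants()
    $domain    = $gpm.GetDomain($env:USERDNSDOMAIN, $null, $constants.UsePDC)

    # Resolve the GPO object from its GUID first...
    $criteria = $gpm.CreateSearchCriteria()
    $criteria.Add($constants.SearchPropertyGPOID, $constants.SearchOpEquals, "{$GpoGuid}")
    $gpo = $domain.SearchGPOs($criteria) | Select-Object -First 1
    if (-not $gpo) { throw "GPO {$GpoGuid} not found in $($env:USERDNSDOMAIN)" }

    # ...then ask the domain which SOMs (domain, OUs) link it.
    $criteria = $gpm.CreateSearchCriteria()
    $criteria.Add($constants.SearchPropertySOMLinks, $constants.SearchOpContains, $gpo)
    foreach ($som in $domain.SearchSOMs($criteria)) {
        $som.Path    # distinguished name of the linking container
    }
}

$gpoGuid = '11111111-2222-3333-4444-555555555555'    # placeholder GUID, replace with a real one

$ldapTime = Measure-Command { $script:ldapLinks = @(Get-GpoLinksViaLdap -GpoGuid $gpoGuid) }
$gpmTime  = Measure-Command { $script:gpmLinks  = @(Get-GpoLinksViaGpm  -GpoGuid $gpoGuid) }

"LDAP : {0,8:N0} ms, {1} link(s)" -f $ldapTime.TotalMilliseconds, $ldapLinks.Count
"GPM  : {0,8:N0} ms, {1} link(s)" -f $gpmTime.TotalMilliseconds,  $gpmLinks.Count

# Both methods should agree on the set of domain/OU links; any difference is printed here.
Compare-Object -ReferenceObject $ldapLinks -DifferenceObject $gpmLinks
```

Run it as an ordinary domain user on a workstation with GPMC installed. Note that the LDAP search is rooted at the domain naming context, so a GPO linked to a site (which lives in the Configuration partition) will show up only in the GPM result, and Compare-Object will flag it; that is expected, not a bug in either lookup. The absolute timings depend on directory size and DC load, which is exactly the point the issue makes.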

rvazarkar commented 5 years ago

Is GPMgmt available to non-admin users?

BitzerMaloney commented 5 years ago

Yes, as long as the system has GPMC installed via RSAT, GPMgmt.GPM is available to all users (admin or otherwise). Something to consider.