BloodHoundAD / SharpHound2

The Old BloodHound C# Ingestor (Deprecated)

GPOs with multiple owners #77

Open fastlorenzo opened 5 years ago

fastlorenzo commented 5 years ago

Hi,

We noticed that BloodHound gives an incorrect output; it shows that multiple users own 1 policy, which is not possible.

The following tool is used: https://www.microfocus.com/en-us/products/netiq-group-policy-administrator/overview and might be causing some issues.

PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-GPO -Name "Default Domain Controllers Policy" 

DisplayName      : Default Domain Controllers Policy
DomainName       : xxxxxxxxx
Owner            : XXX\FUNCTIONAL_ACCOUNT
Id               : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
GpoStatus        : AllSettingsEnabled
Description      : 
CreationTime     : 20/04/2002 10:46:22 AM
ModificationTime : 13/12/2018 11:03:36 AM
UserVersion      : AD Version: 10, SysVol Version: 10
ComputerVersion  : AD Version: 179, SysVol Version: 179
WmiFilter        : 

fastlorenzo commented 5 years ago

I investigated more and found out the json exports correctly have the multiple domain policies with the same name and different GUIDs.

However, when I query Neo4j DB directly, it only returns 1 object with that name.

fastlorenzo commented 5 years ago

This issue might have to be moved to the BloodHound repo

fastlorenzo commented 5 years ago

Actually, it looks like in the OU collection, the GPO is referenced by name as well:

Extract from ous json:

[...]
{
    "Properties" : {
        "name" : "DOMAIN CONTROLLERS@SUB.DOMAIN",
        "highvalue" : false,
        "blocksinheritance" : false
    },
    "Guid" : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
    "ChildOus" : [],
    "Computers" : ["COMPUTER1.SUB.DOMAIN", "COMPUTER2.SUB.DOMAIN", "COMPUTER3.SUB.DOMAIN", "COMPUTER4.SUB.DOMAIN"],
    "Users" : [],
    "Links" : [{
            "IsEnforced" : false,
            "Name" : "DEFAULT DOMAIN CONTROLLERS POLICY@SUB.DOMAIN"
        }
    ],
    "Aces" : null
}
[...]

Below is a redacted extract of the gpos:

[...]
{
    "Properties" : {
        "highvalue" : false
    },
    "Name" : "DEFAULT DOMAIN CONTROLLERS POLICY@SUB.DOMAIN",
    "Guid" : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx01",
    "Aces" : [{
            "PrincipalName" : "USER1@SUB.DOMAIN",
            "PrincipalType" : "user",
            "RightName" : "Owner",
            "AceType" : ""
        }, {
            "PrincipalName" : "DOMAIN ADMINS@SUB.DOMAIN",
            "PrincipalType" : "group",
            "RightName" : "WriteDacl",
            "AceType" : ""
        }, {
            "PrincipalName" : "DOMAIN ADMINS@SUB.DOMAIN",
            "PrincipalType" : "group",
            "RightName" : "WriteOwner",
            "AceType" : ""
        }, {
            "PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
            "PrincipalType" : "group",
            "RightName" : "WriteDacl",
            "AceType" : ""
        }, {
            "PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
            "PrincipalType" : "group",
            "RightName" : "WriteOwner",
            "AceType" : ""
        }
    ]
}, {
    "Properties" : {
        "highvalue" : false
    },
    "Name" : "DEFAULT DOMAIN CONTROLLERS POLICY@SUB.DOMAIN",
    "Guid" : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx02",
    "Aces" : [{
            "PrincipalName" : "USER2@SUB.DOMAIN",
            "PrincipalType" : "user",
            "RightName" : "Owner",
            "AceType" : ""
        }, {
            "PrincipalName" : "DOMAIN ADMINS@SUB.DOMAIN",
            "PrincipalType" : "group",
            "RightName" : "WriteDacl",
            "AceType" : ""
        }, {
            "PrincipalName" : "DOMAIN ADMINS@SUB.DOMAIN",
            "PrincipalType" : "group",
            "RightName" : "WriteOwner",
            "AceType" : ""
        }, {
            "PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
            "PrincipalType" : "group",
            "RightName" : "WriteDacl",
            "AceType" : ""
        }, {
            "PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
            "PrincipalType" : "group",
            "RightName" : "WriteOwner",
            "AceType" : ""
        }
    ]
}
[...]

SharpHound should add the Guid property when collecting GPO links with OUs: https://github.com/BloodHoundAD/SharpHound/blob/c26b0556bd7d15e7e4c8fb948e32d268321100e6/Sharphound2/Enumeration/ContainerHelpers.cs#L147
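As an added check (example code, not part of this issue or of SharpHound), the script below reads the gpos and ous exports in the shape shown above, finds GPO names carried by more than one GUID, lists the OU links that become ambiguous because they carry only a Name, and shows which owners a name-keyed merge would lump onto one node. The sample JSON is constructed with placeholder GUIDs and principal names.

```python
import json
from collections import defaultdict

# Constructed sample modelled on the redacted gpos/ous exports in this issue (placeholder GUIDs):
# two GPOs share one display name but have different GUIDs and different owners.
GPOS = json.loads("""[
 {"Properties": {"highvalue": false}, "Name": "DEFAULT DOMAIN CONTROLLERS POLICY@SUB.DOMAIN",
  "Guid": "00000000-0000-0000-0000-000000000001",
  "Aces": [{"PrincipalName": "USER1@SUB.DOMAIN", "PrincipalType": "user", "RightName": "Owner", "AceType": ""}]},
 {"Properties": {"highvalue": false}, "Name": "DEFAULT DOMAIN CONTROLLERS POLICY@SUB.DOMAIN",
  "Guid": "00000000-0000-0000-0000-000000000002",
  "Aces": [{"PrincipalName": "USER2@SUB.DOMAIN", "PrincipalType": "user", "RightName": "Owner", "AceType": ""}]},
 {"Properties": {"highvalue": false}, "Name": "DEFAULT DOMAIN POLICY@SUB.DOMAIN",
  "Guid": "00000000-0000-0000-0000-000000000003", "Aces": []}
]""")
OUS = json.loads("""[
 {"Properties": {"name": "DOMAIN CONTROLLERS@SUB.DOMAIN", "highvalue": false, "blocksinheritance": false},
  "Guid": "00000000-0000-0000-0000-0000000000aa", "ChildOus": [], "Computers": ["DC1.SUB.DOMAIN"], "Users": [],
  "Links": [{"IsEnforced": false, "Name": "DEFAULT DOMAIN CONTROLLERS POLICY@SUB.DOMAIN"}], "Aces": null}
]""")

def find_name_collisions(gpos):
    """Return {name: set(guids)} for every GPO display name carried by more than one GUID."""
    by_name = defaultdict(set)
    for gpo in gpos:
        by_name[gpo["Name"].upper()].add(gpo["Guid"].lower())
    return {name: guids for name, guids in by_name.items() if len(guids) > 1}

def ambiguous_links(ous, collisions):
    """List (ou_name, gpo_name, candidate_guids) for each OU link that names a colliding GPO.
    The link carries only a Name, so a name-keyed import cannot tell the candidates apart."""
    hits = []
    for ou in ous:
        for link in ou.get("Links") or []:
            name = link["Name"].upper()
            if name in collisions:
                hits.append((ou["Properties"]["name"], name, sorted(collisions[name])))
    return hits

def owners_after_name_merge(gpos, name):
    """Owners a single name-keyed GPO node ends up with: the union of every same-named GPO's
    Owner ACEs. More than one principal here is the 'multiple owners' symptom reported above."""
    return sorted({ace["PrincipalName"] for gpo in gpos if gpo["Name"].upper() == name.upper()
                   for ace in gpo.get("Aces") or [] if ace["RightName"] == "Owner"})

if __name__ == "__main__":
    collisions = find_name_collisions(GPOS)
    for ou_name, gpo_name, guids in ambiguous_links(OUS, collisions):
        print(f"{ou_name} links '{gpo_name}', which matches {len(guids)} GUIDs: {guids}")
        print("  owners after a name-keyed merge:", owners_after_name_merge(GPOS, gpo_name))
```

Point it at the real exports by replacing the two constructed lists with `json.load()` of the gpos and ous files; any hit is a GPO whose Owner edges in the graph should be treated as unreliable until the link is keyed by GUID.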