Several well-known SIDs are converted to `MappedPrincipal` objects, see: https://github.com/BloodHoundAD/SharpHound/blob/9d71fb7e3033a7da07cf2ba6daaebd11c09bbd7b/Sharphound2/Enumeration/MappedPrincipal.cs

This is nice as it allows performing queries using common names, like "Anonymous", without caring about the local AD language. However, the original SID (like "S-1-5-7" for "Anonymous") is lost in the process and is missing from the Group object in neo4j (`objectsid` attribute).

Groups with missing `objectsid` attributes can be found with:

```
MATCH (n:Group) where n.objectsid IS NULL RETURN n
```

I suggest keeping the SID information to have it in the Group object in neo4j, to be able to perform Cypher queries based on SID.