Closed TH3xACE closed 2 months ago
Thanks for sharing this issue. Could you please tell us whether you are using BH legacy or BH CE to ingest the data?
Also, were the data generated by Sharphound or Rusthound or bloodhound.py?
Do your data contain on-prem and/or Azure?
Could you please also run the following cypher (either using cypher-shell or from the neo4j web interface - NOT from the BH cypher prompt):
MATCH (d:Domain) WITH collect(d.domain) AS doms MATCH (n) where NOT n.domain IN doms return n.name
and tell us if this returns anything?
Thanks
The tool seems amazing... and I'm looking forward to being able to test it fully
Returned nothing with the cypher: MATCH (d:Domain) WITH collect(d.domain) AS doms MATCH (n) where NOT n.domain IN doms return n.name
Thanks for the rapid response :)
We are observing different issues with data coming from rusthound. Would it be possible for you to collect with sharphound or even dirkjan's script? That's not going to fix the bug of course but would at least give us some clues if rusthound's involvement in this issue is confirmed. Also feel free to join our Discord server (as we might answer in a faster fashion). Thanks
Thank you, I will join the Discord. I have used a dump not made with rusthound and it works fine. I guess the issue is with rusthound. Do you know what the issue is? How does it work on BH if the data collected has some issues? I guess it is a known issue? data collected with Rusthound
Any updates on this issue? I'm having the same problem :dagger: Oh, I see there is https://github.com/Mazars-Tech/AD_Miner/pull/125
The issue seems to be related to the collected data when using rusthound. Using another collector seems to work. The issue/bug is not fixed, but this is like a workaround, although identifying the issue and correcting it would be great.
@jmbesnard if you perform two collections from the same environment using SharpHound and RustHound, would comparing the two collections (json) not help identify the issue, so that AD-MINER could be altered to take care of some malformed json or else when collecting with RH?
@cmprmsd did https://github.com/Mazars-Tech/AD_Miner/pull/125 help to fix the issue? Does it work now with RH?
I cloned the repo, ran poetry install and poetry shell, confirmed with which ad-miner that it is using the venv, but it seems the error persists.
[+]Requests finished !
[+]Computing domains objects
[+]Generate paths to objects that can GPLink GPOs on OUs
[+]Split objects into types...
Traceback (most recent call last):
File "adminer/AD_Miner/.venv/bin/AD-miner", line 6, in <module>
sys.exit(main())
^^^^^^
File "adminer/AD_Miner/ad_miner/__main__.py", line 182, in main
domains = Domains(arguments, neo4j)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "adminer/AD_Miner/ad_miner/sources/modules/domains.py", line 243, in __init__
self.generatePathToDa()
File "adminer/AD_Miner/ad_miner/sources/modules/domains.py", line 666, in generatePathToDa
self.ou_to_domain_admin[path.nodes[-1].domain].append(path)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
KeyError: 'a.b.LOCAL.INT'
The change was pushed into main and does not appear in the release. A new release will be issued in a few minutes. Once that is done, could you please retry and let us know? Thanks
@jmbesnard Thanks, but isn't this what I do, when I clone the repo and run the poetry commands from above?
True, I misread the comment. @TH3xACE I did try that and could not reproduce the problem unfortunately.
@cmprmsd also feel free to join us on Discord as it may be easier to further discuss the issue
Not receiving any updates on this issue so closing it.
[144/145] [+]From cache : Paths between two global admins belonging to different tenants - 0 objects
[145/145] [+]From cache : Paths between tenants admin and domain admins - 0 objects
[+]Requests finished !
[+]Computing domains objects
[+]Generate paths to objects that can GPLink GPOs on OUs
[+]Split objects into types...
Traceback (most recent call last):
File "/workspace/ctools/AD_Tools/AD_Miner/.venv/bin/AD-miner", line 6, in
sys.exit(main())
File "/workspace/ctools/AD_Tools/AD_Miner/ad_miner/main.py", line 182, in main
domains = Domains(arguments, neo4j)
File "/workspace/ctools/AD_Tools/AD_Miner/ad_miner/sources/modules/domains.py", line 243, in init
self.generatePathToDa()
File "/workspace/ctools/AD_Tools/AD_Miner/ad_miner/sources/modules/domains.py", line 666, in generatePathToDa
self.ou_to_domain_admin[path.nodes[-1].domain].append(path)
KeyError: 'ADTEST.ROOT.NET'
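A stand-alone Python version of the check discussed in this thread, added here as an illustration and not taken from AD Miner's code: it lists nodes whose domain has no matching Domain node (what the Cypher query above looks for) and groups paths by end-node domain without raising the KeyError seen in the tracebacks. The node records, paths and function names are constructed, and the dictionary pre-keyed by domain is an assumption based only on the traceback line.

```python
# Added example: constructed data and hypothetical helper names.
# Node records mimic what a Neo4j query would return (name, labels, domain).
NODES = [
    {"name": "CORP.EXAMPLE", "labels": ["Domain"], "domain": "CORP.EXAMPLE"},
    {"name": "DOMAIN ADMINS@CORP.EXAMPLE", "labels": ["Group"], "domain": "CORP.EXAMPLE"},
    {"name": "WORKSTATIONS@CHILD.CORP.EXAMPLE", "labels": ["OU"], "domain": "CHILD.CORP.EXAMPLE"},
    {"name": "NODOMAIN-OU", "labels": ["OU"], "domain": None},
]
# Each path is a list of node names; the last element is the path's end node.
PATHS = [
    ["DOMAIN ADMINS@CORP.EXAMPLE", "CORP.EXAMPLE"],
    ["DOMAIN ADMINS@CORP.EXAMPLE", "WORKSTATIONS@CHILD.CORP.EXAMPLE"],
]


def known_domains(nodes):
    """Domains that have a Domain node, like collect(d.domain) in the query."""
    return {n["domain"] for n in nodes if "Domain" in n["labels"]}


def orphan_nodes(nodes):
    """Names of nodes whose domain has no Domain node.

    Also reports nodes with no domain at all, which the Cypher WHERE
    drops because NOT (null IN list) evaluates to null.
    """
    doms = known_domains(nodes)
    return sorted(n["name"] for n in nodes if n["domain"] not in doms)


def group_paths_by_end_domain(paths, nodes):
    """Group paths by end-node domain; collect unmatched paths instead of raising."""
    by_name = {n["name"]: n for n in nodes}
    grouped = {d: [] for d in known_domains(nodes)}  # assumed pre-keyed dict
    unmatched = []
    for path in paths:
        dom = by_name[path[-1]]["domain"]
        if dom in grouped:
            grouped[dom].append(path)
        else:
            unmatched.append((dom, path))  # grouped[dom] would raise KeyError here
    return grouped, unmatched


if __name__ == "__main__":
    print("orphans:", orphan_nodes(NODES))
    print("unmatched:", group_paths_by_end_domain(PATHS, NODES)[1])
```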