netwrix / pingcastle

PingCastle - Get Active Directory Security at 80% in 20% of the time
https://www.pingcastle.com

Reported control path does not seem exploitable #229

Closed maxime-huyghe closed 4 months ago

maxime-huyghe commented 6 months ago

Hi, PingCastle reports a control path that looks like this:

[Suspicious user] --member-> [Some Group] --GEN_RIGHT_ALL-> [Organizational Unit] --container hierarchy-> [Admin group] --member-> [Administrators]

However, as it is a member of Administrators, Admin group has its adminCount attribute set to 1. In my understanding, this means it cannot inherit any permission, and its permissions are periodically reset to AdminSDHolder's.

Given this, I don't understand how Suspicious user could gain any additional privileges.

This seems like it could either be a PingCastle bug or a misunderstanding on my part.

vletoux commented 4 months ago

You can apply a GPO (with a login script, for example). So yes, the path is exploitable.

maxime-huyghe commented 4 months ago

Thanks!
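
The reply above points at GPO application through the OU, which AdminSDHolder does not cover: it resets the ACL of the protected object, not of the OU that contains it. As an added example (not PingCastle's code and not from the thread), this PowerShell audit lists trustees with write-level rights on any OU above an `adminCount=1` object; it assumes the RSAT ActiveDirectory module, and the `$expected` SID filter and the `Get-AncestorOu` helper are this example's own choices.

```powershell
# Added example, not PingCastle code. Assumes the RSAT ActiveDirectory module,
# a domain-joined host and read access to the directory.
Import-Module ActiveDirectory

# Rights that let a trustee modify the OU object itself (attributes, DACL or owner).
$risky = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner'

# Trustees expected to hold such rights, by well-known SID or domain RID:
# SYSTEM, BUILTIN\Administrators, Domain Admins (512), Enterprise Admins (519).
$expected = '^S-1-5-18$|^S-1-5-32-544$|^S-1-5-21-.+-(512|519)$'

# Hypothetical helper: every OU above a DN, nearest first (splits on unescaped commas).
function Get-AncestorOu([string]$Dn) {
    $parts = $Dn -split '(?<!\\),'
    for ($i = 1; $i -lt $parts.Count; $i++) {
        if ($parts[$i] -like 'OU=*') { $parts[$i..($parts.Count - 1)] -join ',' }
    }
}

# OUs whose hierarchy contains at least one AdminSDHolder-protected object.
$ous = Get-ADObject -LDAPFilter '(adminCount=1)' |
    ForEach-Object { Get-AncestorOu $_.DistinguishedName } |
    Sort-Object -Unique

$findings = foreach ($ou in $ous) {
    foreach ($ace in (Get-Acl -Path "AD:\$ou").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band [int]$risky) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $ace.IdentityReference.Value }   # unresolved trustee: keep as-is
        if ($sid -match $expected) { continue }
        [pscustomobject]@{
            OU        = $ou
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Attribute = $ace.ObjectType      # all-zero GUID: not limited to one attribute
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Sort-Object OU, Trustee | Format-Table -AutoSize
```

Each row is a principal outside the default admin set that can change an OU holding protected objects; review whether that delegation is intended or move the protected objects to an OU only Tier 0 administrators control.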