
Remote Registry enumerates local users

Open rustaska opened this issue 2 years ago • 1 comments

The re-introduced method to get sessions using the Windows Remote Registry uses a regex to filter out user accounts: `SidRegex = new(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$", RegexOptions.Compiled);`

Line: https://github.com/BloodHoundAD/SharpHoundCommon/blob/3cedabb8ca96b223a0eaae2ad8ef8a3176ab3e82/src/CommonLib/Processors/ComputerSessionProcessor.cs#L15

This regex will also find logged-in local user accounts, which will then be in the final JSON result. This is contrary to the other methods used for session enumeration. Is this intended?

Thanks for the clarification and the great work.

rustaska, Mar 22 '22 17:03

This is probably a bug. Unfortunately, I just missed it in our current release. I'll address this in a future one.

rvazarkar, Aug 02 '22 21:08
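The behaviour reported in this issue, as an added example that is not part of the thread and is not SharpHoundCommon code: local and domain accounts both carry SIDs of the form `S-1-5-21-<authority>-<RID>`, so the quoted regex matches either, and only comparing the authority portion with the host's own machine SID tells them apart. The helper `DomainSidsOnly`, its `machineSid` parameter, the assumption that the input is the list of subkey names under `HKEY_USERS`, and all SID values are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class SessionSidFilter
{
    // Regex quoted in the issue: matches any S-1-5-21-<a>-<b>-<c>-<rid> at end of string.
    private static readonly Regex SidRegex =
        new(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$", RegexOptions.Compiled);

    // Hypothetical helper: keep only matches whose issuing authority is not this machine.
    public static IEnumerable<string> DomainSidsOnly(IEnumerable<string> subkeys, string machineSid)
    {
        foreach (var key in subkeys)
        {
            var m = SidRegex.Match(key);
            if (!m.Success) continue;
            var sid = m.Value;
            // Strip the trailing RID to get the authority (machine SID or domain SID).
            var authority = sid.Substring(0, sid.LastIndexOf('-'));
            if (!authority.Equals(machineSid, StringComparison.OrdinalIgnoreCase))
                yield return sid;
        }
    }

    public static void Main()
    {
        // Constructed sample data: one local user and one domain user logged on.
        const string machineSid = "S-1-5-21-1111111111-2222222222-3333333333";
        const string domainUser = "S-1-5-21-4444444444-5555555555-6666666666-1105";
        var subkeys = new[]
        {
            ".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20",
            machineSid + "-1001", machineSid + "-1001_Classes",
            domainUser, domainUser + "_Classes"
        };

        Console.WriteLine("Matched by the regex alone:");
        foreach (var k in subkeys.Where(k => SidRegex.IsMatch(k)))
            Console.WriteLine("  " + k);

        Console.WriteLine("After dropping SIDs issued by the local machine:");
        foreach (var k in DomainSidsOnly(subkeys, machineSid))
            Console.WriteLine("  " + k);
    }
}
```

The well-known service SIDs and the `_Classes` subkeys are already excluded by the regex; the local account SID is the only extra entry it lets through.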