RustHound
ENTERPRISE DOMAIN CONTROLLERS collect all computers with Unconstrained Delegation
The logic for adding members to the special ENTERPRISE DOMAIN CONTROLLERS group with the well-known SID of S-1-5-9 is to include all machine accounts with Unconstrained Delegation which I believe are causing false positives. The offending line is referenced below.
https://github.com/NH-RED-TEAM/RustHound/blob/c4e8eb3d2f4191879dadbc3629db713e39ca3948/src/json/checker/common.rs#L37
The function also references Bloodhound.py functionality which doesn't do this, so I was wondering if there is rationale behind this?
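To make the false-positive concern concrete, here is an added illustration (not RustHound's or BloodHound.py's code) of the two membership rules side by side. It uses constructed sample computer accounts with made-up SIDs and relies on two documented `userAccountControl` bits: `TRUSTED_FOR_DELEGATION` (0x80000), which marks unconstrained delegation, and `SERVER_TRUST_ACCOUNT` (0x2000), which is set on domain controller machine accounts. A member server with unconstrained delegation is picked up by the first rule but not the second.

```rust
// Added illustration of the membership rules discussed in the issue.
// Not RustHound code; the sample accounts below are constructed.

/// userAccountControl bit for unconstrained delegation.
pub const TRUSTED_FOR_DELEGATION: u32 = 0x0008_0000;
/// userAccountControl bit set on domain controller machine accounts.
pub const SERVER_TRUST_ACCOUNT: u32 = 0x0000_2000;
/// userAccountControl bit set on ordinary member computer accounts.
pub const WORKSTATION_TRUST_ACCOUNT: u32 = 0x0000_1000;
/// Well-known SID of ENTERPRISE DOMAIN CONTROLLERS.
pub const ENTERPRISE_DC_SID: &str = "S-1-5-9";

#[derive(Debug, Clone)]
pub struct Computer {
    pub sam_account_name: String,
    pub object_sid: String, // constructed placeholder values in sample_computers()
    pub user_account_control: u32,
}

fn has_flag(uac: u32, flag: u32) -> bool {
    uac & flag == flag
}

/// Membership derived from unconstrained delegation, i.e. the behaviour the
/// issue describes for S-1-5-9. Returns sAMAccountNames in input order.
pub fn members_by_unconstrained_delegation(computers: &[Computer]) -> Vec<&str> {
    computers
        .iter()
        .filter(|c| has_flag(c.user_account_control, TRUSTED_FOR_DELEGATION))
        .map(|c| c.sam_account_name.as_str())
        .collect()
}

/// Membership derived from the SERVER_TRUST_ACCOUNT bit, which identifies
/// domain controller machine accounts regardless of delegation settings.
pub fn members_by_server_trust(computers: &[Computer]) -> Vec<&str> {
    computers
        .iter()
        .filter(|c| has_flag(c.user_account_control, SERVER_TRUST_ACCOUNT))
        .map(|c| c.sam_account_name.as_str())
        .collect()
}

/// Accounts the delegation rule adds to S-1-5-9 that are not domain
/// controllers: the candidate false positives a reviewer would want to see.
pub fn false_positive_candidates(computers: &[Computer]) -> Vec<&str> {
    computers
        .iter()
        .filter(|c| {
            has_flag(c.user_account_control, TRUSTED_FOR_DELEGATION)
                && !has_flag(c.user_account_control, SERVER_TRUST_ACCOUNT)
        })
        .map(|c| c.sam_account_name.as_str())
        .collect()
}

/// Constructed sample data: one DC, one plain workstation, and one member
/// server configured for unconstrained delegation. SIDs are placeholders.
pub fn sample_computers() -> Vec<Computer> {
    vec![
        Computer {
            sam_account_name: "DC01$".to_string(),
            object_sid: "S-1-5-21-0000000000-0000000000-0000000000-1000".to_string(),
            // DCs carry SERVER_TRUST_ACCOUNT and are also trusted for delegation.
            user_account_control: SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
        },
        Computer {
            sam_account_name: "WS01$".to_string(),
            object_sid: "S-1-5-21-0000000000-0000000000-0000000000-1101".to_string(),
            user_account_control: WORKSTATION_TRUST_ACCOUNT,
        },
        Computer {
            sam_account_name: "APP01$".to_string(),
            object_sid: "S-1-5-21-0000000000-0000000000-0000000000-1102".to_string(),
            // Member server with unconstrained delegation, but not a DC.
            user_account_control: WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
        },
    ]
}

fn main() {
    let computers = sample_computers();
    println!("{} by unconstrained delegation: {:?}", ENTERPRISE_DC_SID,
        members_by_unconstrained_delegation(&computers));
    println!("{} by SERVER_TRUST_ACCOUNT:      {:?}", ENTERPRISE_DC_SID,
        members_by_server_trust(&computers));
    println!("non-DC accounts added by the delegation rule: {:?}",
        false_positive_candidates(&computers));
}
```

On the sample data the delegation rule places APP01$ in ENTERPRISE DOMAIN CONTROLLERS while the SERVER_TRUST_ACCOUNT rule does not, which is the kind of extra membership that would surface in BloodHound as edges attributed to that group.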
Just chiming in as I ran into this as well recently. I believe this ended up causing BH to show some false attack paths related to DCSync and other edges.