
Possible ADCS ESC7 false positives

Open · adindrabkin opened this issue 2 years ago • 1 comment

Ran across some possible ADCS ESC7 false positives which only occur when using ADExplorerSnapshot to parse ADExplorer snapshots. These results did not occur when using ly4k's Certipy.

Steps to reproduce

  1. Use ADExplorerSnapshot to parse a snapshot of a domain with a 2016 functional level.
  2. Import to BloodHound 4.2 (ly4k version)
  3. Use the prebuilt ESC7 query and notice that the authenticated users group has "Auditor" permissions to the enrollment services.

I have not triaged the issue but wanted to open this thread in case anyone comes across something similar. Otherwise, the massive ADCS PR #10 by @PTVB has worked great.

adindrabkin avatar Jun 05 '23 18:06 adindrabkin

Thanks for reporting! @PTVB have you run into this before? May also be related to this line that is commented out atm https://github.com/c3c/ADExplorerSnapshot.py/blob/main/adexpsnapshot/__init__.py#L1063

c3c avatar Jun 05 '23 19:06 c3c