Bug: GPOLocalGroup Collection Method Ignores Item-Level Targeting
Description:
AdminTo edges are created even if the entry for the local group contains Item-Level Targeting. This can create a lot of false AdminTo edges, resulting in false-positive attack paths.
Are you intending to fix this bug?
no / maybe
Component(s) Affected:
- Data Collector (SharpHound, AzureHound)
https://github.com/SpecterOps/SharpHoundCommon/blob/v4/src/CommonLib/Processors/GPOLocalGroupProcessor.cs
Steps to Reproduce:
- Use two computer objects for testing
- Create a security group and add one computer object as member
- Create GPO that adds a principal to local administrators
- Add Item-Level targeting to the entry that requires the computer to be member of security group created in step 1
BloodHound will create an AdminTo edge to both computers, but the principal is only local admin on one computer.
Expected Behavior:
Item-level targeting should be honored when processing GPOLocalGroups
Actual Behavior:
BloodHound creates AdminTo edges for security principals that are not actually administrators on computers.
Screenshots/Code Snippets/Sample Files:
Example GPO entry:
Environment Information:
BloodHound: 8.2.0
Collector: SharpHound v2.7.2
Contributor Checklist:
- [X] I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
- [X] I have provided clear steps to reproduce the issue.
- [X] I have included relevant environment information details.
- [X] I have attached necessary supporting documents.
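As an added illustration of the report above (this is not code from the issue, from SharpHound or from BloodHound): a small Python script that parses a constructed Group Policy Preferences `Groups.xml`, the file that the linked GPOLocalGroupProcessor reads for GPP local-group entries, and records the `<Filters>` element that item-level targeting produces under each `<Group>`. It then compares the AdminTo pairs a filter-ignoring collector would emit with the pairs that remain once the `FilterGroup` items are evaluated against each computer's group membership. The domain, group names, SIDs, uids and computer names are all constructed; the evaluation only handles `FilterGroup` targeting items and reports any other filter type as undecidable rather than guessing.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a GPP Groups.xml (not taken from the issue). The first
# Administrators entry is item-level targeted to computers that are members of
# CORP\Tier1-Workstations; the second entry has no targeting at all.
SAMPLE_GROUPS_XML = r"""<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CORP\helpdesk" action="ADD" sid="S-1-5-21-1000-2000-3000-1105"/>
      </Members>
    </Properties>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\Tier1-Workstations" sid="S-1-5-21-1000-2000-3000-1200" userContext="0" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Group>
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CORP\svc-backup" action="ADD" sid="S-1-5-21-1000-2000-3000-1106"/>
      </Members>
    </Properties>
  </Group>
</Groups>
"""

# Constructed computers in scope of the GPO: name -> set of SIDs of the groups
# the computer account belongs to. Only WS01 is in CORP\Tier1-Workstations.
COMPUTERS = {
    "WS01": {"S-1-5-21-1000-2000-3000-1200"},
    "WS02": set(),
}

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"


def parse_local_group_entries(groups_xml):
    """Return one record per <Member> in the file: the local group it targets,
    the principal, the action, and the item-level targeting filters (empty
    list when the <Group> element carries no <Filters> child)."""
    root = ET.fromstring(groups_xml)
    entries = []
    for group in root.findall("Group"):
        props = group.find("Properties")
        if props is None:
            continue
        # Each child of <Filters> is one targeting item; keep the attributes
        # needed to evaluate a FilterGroup and the tag so other types are visible.
        filters = [
            {
                "type": f.tag,
                "bool": f.get("bool", "AND"),
                "not": f.get("not", "0") == "1",
                "name": f.get("name"),
                "sid": f.get("sid"),
            }
            for f in group.findall("Filters/*")
        ]
        for member in props.findall("Members/Member"):
            entries.append(
                {
                    "local_group_sid": props.get("groupSid"),
                    "principal": member.get("name"),
                    "principal_sid": member.get("sid"),
                    "action": member.get("action"),
                    "filters": filters,
                }
            )
    return entries


def entry_applies_to_computer(entry, computer_group_sids):
    """Evaluate the entry's targeting for one computer. True when there is no
    targeting or every FilterGroup condition holds; False when it does not;
    None when a filter type other than FilterGroup is present, since that
    cannot be decided from group membership alone."""
    result = None
    for f in entry["filters"]:
        if f["type"] != "FilterGroup":
            return None
        hit = f["sid"] in computer_group_sids
        if f["not"]:
            hit = not hit
        if result is None:
            result = hit  # the first item's bool attribute has nothing to combine with
        elif f["bool"] == "OR":
            result = result or hit
        else:
            result = result and hit
    return True if result is None else result


def admin_edges(groups_xml, computers):
    """Return (naive, honored): sorted (principal, computer) pairs for ADD entries on
    BUILTIN\\Administrators, first as a collector that ignores <Filters> would emit
    them, then keeping only the pairs whose targeting evaluates to True."""
    naive, honored = set(), set()
    for entry in parse_local_group_entries(groups_xml):
        if entry["action"] != "ADD" or entry["local_group_sid"] != BUILTIN_ADMINISTRATORS_SID:
            continue
        for computer, sids in computers.items():
            naive.add((entry["principal"], computer))
            if entry_applies_to_computer(entry, sids) is True:
                honored.add((entry["principal"], computer))
    return sorted(naive), sorted(honored)


if __name__ == "__main__":
    naive, honored = admin_edges(SAMPLE_GROUPS_XML, COMPUTERS)
    print("without honoring item-level targeting:", naive)
    print("honoring item-level targeting:        ", honored)
```

On the constructed input the naive pass yields four AdminTo pairs, while honoring the `FilterGroup` item drops `CORP\helpdesk -> WS02`, which is exactly the false edge the report describes. Real GPOs can also carry `FilterComputer`, `FilterWmi` and similar items; the script deliberately returns `None` for those instead of deciding either way, so a collector built on this idea would have to mark such edges as unverified rather than silently keep or drop them.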
https://github.com/SpecterOps/SharpHound/issues/180
As this is a duplicate of https://github.com/SpecterOps/SharpHound/issues/180 I will go ahead and close this one.
Thank you for your interest in BloodHound.