Skip to content
This repository has been archived by the owner on Sep 2, 2022. It is now read-only.

GPOs with multiple owners #77

Open
fastlorenzo opened this issue Jul 18, 2019 · 3 comments
Open

GPOs with multiple owners #77

fastlorenzo opened this issue Jul 18, 2019 · 3 comments

Comments

@fastlorenzo
Copy link

Hi,

We noticed that BloodHound gives an incorrect output; it shows that multiple users owns 1 policy, which is not possible.

The following tool is used: https://www.microfocus.com/en-us/products/netiq-group-policy-administrator/overview and might be causing some issues.

PS C:\Windows\System32\WindowsPowerShell\v1.0> Get-GPO -Name "Default Domain Controllers Policy" 

DisplayName      : Default Domain Controllers Policy
DomainName       : xxxxxxxxx
Owner            : XXX\FUNCTIONAL_ACCOUNT
Id               : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
GpoStatus        : AllSettingsEnabled
Description      : 
CreationTime     : 20/04/2002 10:46:22 AM
ModificationTime : 13/12/2018 11:03:36 AM
UserVersion      : AD Version: 10, SysVol Version: 10
ComputerVersion  : AD Version: 179, SysVol Version: 179
WmiFilter        : 
@fastlorenzo
Copy link
Author

I investigated more and found out the json exports correctly have the multiple domain policies with the same name and different GUIDs.

However, when I query Neo4j DB directly, it only returns 1 object with that name.

@fastlorenzo
Copy link
Author

This issue might have to be moved to BloodHound repo

@fastlorenzo
Copy link
Author

fastlorenzo commented Jul 19, 2019

Actually, it looks like in the OU collection, the GPO is referenced by name as well:

Extract from ous json:

[...]
{
	"Properties" : {
		"name" : "DOMAIN [email protected]",
		"highvalue" : false,
		"blocksinheritance" : false
	},
	"Guid" : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
	"ChildOus" : [],
	"Computers" : ["COMPUTER1.SUB.DOMAIN", "COMPUTER2.SUB.DOMAIN", "COMPUTER3.SUB.DOMAIN", "COMPUTER4.SUB.DOMAIN"],
	"Users" : [],
	"Links" : [{
			"IsEnforced" : false,
			"Name" : "DEFAULT DOMAIN CONTROLLERS [email protected]"
		}
	],
	"Aces" : null
}
[...]

Below a redacted extract of the gpos:

[...]
{
	"Properties" : {
		"highvalue" : false
	},
	"Name" : "DEFAULT DOMAIN CONTROLLERS [email protected]",
	"Guid" : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx01",
	"Aces" : [{
			"PrincipalName" : "[email protected]",
			"PrincipalType" : "user",
			"RightName" : "Owner",
			"AceType" : ""
		}, {
			"PrincipalName" : "DOMAIN [email protected]",
			"PrincipalType" : "group",
			"RightName" : "WriteDacl",
			"AceType" : ""
		}, {
			"PrincipalName" : "DOMAIN [email protected]",
			"PrincipalType" : "group",
			"RightName" : "WriteOwner",
			"AceType" : ""
		}, {
			"PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
			"PrincipalType" : "group",
			"RightName" : "WriteDacl",
			"AceType" : ""
		}, {
			"PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
			"PrincipalType" : "group",
			"RightName" : "WriteOwner",
			"AceType" : ""
		}
	]
}, {
	"Properties" : {
		"highvalue" : false
	},
	"Name" : "DEFAULT DOMAIN CONTROLLERS [email protected]",
	"Guid" : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx02",
	"Aces" : [{
			"PrincipalName" : "[email protected]",
			"PrincipalType" : "user",
			"RightName" : "Owner",
			"AceType" : ""
		}, {
			"PrincipalName" : "DOMAIN [email protected]",
			"PrincipalType" : "group",
			"RightName" : "WriteDacl",
			"AceType" : ""
		}, {
			"PrincipalName" : "DOMAIN [email protected]",
			"PrincipalType" : "group",
			"RightName" : "WriteOwner",
			"AceType" : ""
		}, {
			"PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
			"PrincipalType" : "group",
			"RightName" : "WriteDacl",
			"AceType" : ""
		}, {
			"PrincipalName" : "ENTERPRISE ADMINS@DOMAIN",
			"PrincipalType" : "group",
			"RightName" : "WriteOwner",
			"AceType" : ""
		}
	]
}
[...]

SharpHound should add the Guid property when collection GPO links with OUs: https://github.com/BloodHoundAD/SharpHound/blob/c26b0556bd7d15e7e4c8fb948e32d268321100e6/Sharphound2/Enumeration/ContainerHelpers.cs#L147

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant