False positive AdminTo edges to DCs based on GPO #645
Comments
Hi Jonas, I am testing this as we speak and this appears even for newly created groups properly protected without GPOs in the mix. The issue started appearing on my end when these groups were delegated explicitly to a number of independent OUs with basic Helpdesk rights. I can be more specific in terms of numbers and rights, but delegating to around 30-ish OUs seems to create those edges to DCs.
Hi Kay, That sounds odd... 🤔
Cool, thanks for the additional information! Do you know if there is a GPO that adds that group to Administrators linked to the OU where the decommissioned DCs were located? BloodHound may have added the AdminTo edge to all DCs instead of just the decommissioned DCs, since the local Administrators group on DCs is the domain group Administrators, so members are synced across DCs. I find it less likely that the GenericAll permission should have caused the AdminTo edges. But something is definitely going wrong somewhere in BloodHound.
I highly doubt it, as this group was brand new, created by myself, and I applied only delegation rights to the specific OU. If anyone had taken that group and added it to a GPO I should have seen an RFC about it, but your point is excellent and I need to look into this asap. Will report back! On the decommissioned DCs it just had the GenericAll permission, probably deriving from delegation rights, as these are full control on computer objects. The only thing that had the AdminTo edge was all the other DCs that were left in their rightful place.
Thanks for checking, Kay! I see what you mean - my theory sounds unlikely when you created the group...
Good morning Jonas! Note I still have these edges being drawn in version 4.1.3. This time, weirdly, these are AdminTo edges to JUST the PDC, but there is nothing to give rights to the specific groups to do so - either from delegation or Group Policy. I am going deep into this today to see what is going on and if there's any chance this could be positive, but those groups don't even have rights to log on, let alone be admins to the PDC.
Hey Kay, That sounds very odd... Likely a bug.
TLDR: BloodHound creates AdminTo edges to DCs based on group policy preferences in GPOs. Group policy preferences do not apply to DCs, which is why this is a false positive.
Description
![image](https://user-images.githubusercontent.com/12843299/217004404-cfe7307b-40fc-4385-b318-d39c222a651d.png)
It is possible to add a domain group to the Administrators group of a domain-joined computer through a GPO using Group Policy Preferences:
This will make BloodHound create an AdminTo edge from the given group (Domain Users in this example) to the computers which this GPO is linked to.
However, group policy preferences do not apply to DCs, hence the false positive edges.
This issue may also apply to other edges created based on group policy preferences.
Note that adding members to Administrators through Restricted Groups DOES apply to DCs:
![image](https://user-images.githubusercontent.com/12843299/217006759-c846c082-a78c-4860-bb4c-df1f97538b3c.png)
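An added example of the distinction the issue draws, written here as an illustration and not taken from BloodHound or SharpHound: it parses the two GPO artifacts that grant local Administrators membership, the Group Policy Preferences `Groups.xml` and the Restricted Groups section of `GptTmpl.inf`, derives AdminTo-style edges for the computers a GPO is linked to, and applies the rule the issue argues for (GPP Local Users and Groups entries are skipped for domain controllers, Restricted Groups entries are not). The `Groups.xml`, `GptTmpl.inf`, GPO links and computer objects are constructed sample data, and OU matching is exact (it ignores link inheritance, enforcement and security/WMI filtering), so this is a model of the edge logic, not a collector.

```python
"""Derive AdminTo-style edges from GPP Groups.xml and Restricted Groups GptTmpl.inf.

Added example, not BloodHound/SharpHound code. All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

LOCAL_ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# Constructed GPP file: <GPO>\Machine\Preferences\Groups\Groups.xml
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CONTOSO\\Domain Users" action="ADD" sid="S-1-5-21-1111-2222-3333-513"/>
        <Member name="CONTOSO\\OldAdmins" action="REMOVE" sid="S-1-5-21-1111-2222-3333-1105"/>
      </Members>
    </Properties>
  </Group>
</Groups>
"""

# Constructed Restricted Groups section: <GPO>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPTTMPL_INF = """[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1107
*S-1-5-21-1111-2222-3333-1108__Memberof = *S-1-5-32-544
"""


def gpp_admin_members(xml_text):
    """SIDs that a GPP Local Users and Groups item ADDs to BUILTIN\\Administrators."""
    members = set()
    for group in ET.fromstring(xml_text).iter("Group"):
        props = group.find("Properties")
        if props is None or props.get("groupSid") != LOCAL_ADMINS_SID:
            continue
        # Group action: C=create, U=update, R=replace add members; D=delete does not.
        if props.get("action") not in ("C", "U", "R"):
            continue
        for member in props.iter("Member"):
            if member.get("action") == "ADD" and member.get("sid"):
                members.add(member.get("sid"))
    return members


# "*<sid>__Members = ..." lists members of <sid>; "*<sid>__Memberof = ..." lists groups <sid> joins.
_RG_LINE = re.compile(r"^\*?(?P<group>S-1-[\d-]+)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$")


def restricted_group_admin_members(inf_text):
    """SIDs placed into BUILTIN\\Administrators by the [Group Membership] section."""
    members, in_section = set(), False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        match = _RG_LINE.match(line) if in_section else None
        if not match:
            continue
        values = {v.strip().lstrip("*") for v in match["value"].split(",") if v.strip()}
        if match["kind"] == "Members" and match["group"] == LOCAL_ADMINS_SID:
            members |= values
        elif match["kind"] == "Memberof" and LOCAL_ADMINS_SID in values:
            members.add(match["group"])
    return members


def adminto_edges(gpos, computers, gpp_applies_to_dcs=False):
    """Return {(member_sid, computer_name, mechanism)} for GPO-granted admin rights.

    gpos: {name: {"groups_xml": str|None, "gpttmpl_inf": str|None, "linked_ous": [ou_dn]}}
    computers: [{"name": str, "ou": ou_dn, "is_dc": bool}]
    gpp_applies_to_dcs=True reproduces the behaviour the issue reports as a false positive.
    """
    edges = set()
    for gpo in gpos.values():
        gpp = gpp_admin_members(gpo["groups_xml"]) if gpo.get("groups_xml") else set()
        rg = restricted_group_admin_members(gpo["gpttmpl_inf"]) if gpo.get("gpttmpl_inf") else set()
        for comp in (c for c in computers if c["ou"] in gpo["linked_ous"]):
            for sid in rg:  # Restricted Groups applies to DCs as well
                edges.add((sid, comp["name"], "RestrictedGroups"))
            if comp["is_dc"] and not gpp_applies_to_dcs:
                continue  # the issue's point: GPP Local Users and Groups does not apply on DCs
            for sid in gpp:
                edges.add((sid, comp["name"], "GPP"))
    return edges


# Constructed domain: one GPP GPO linked to both OUs, one Restricted Groups GPO on the DC OU.
DC_OU, WS_OU = "OU=Domain Controllers,DC=contoso,DC=local", "OU=Workstations,DC=contoso,DC=local"
GPOS = {
    "Helpdesk Local Admins": {"groups_xml": GROUPS_XML, "gpttmpl_inf": None, "linked_ous": [WS_OU, DC_OU]},
    "DC Restricted Groups": {"groups_xml": None, "gpttmpl_inf": GPTTMPL_INF, "linked_ous": [DC_OU]},
}
COMPUTERS = [
    {"name": "WS01.contoso.local", "ou": WS_OU, "is_dc": False},
    {"name": "DC01.contoso.local", "ou": DC_OU, "is_dc": True},
]

if __name__ == "__main__":
    for edge in sorted(adminto_edges(GPOS, COMPUTERS)):
        print(edge)
```

With the default filter the GPP-sourced edge reaches only WS01, while DC01 still receives the two Restricted Groups edges; passing `gpp_applies_to_dcs=True` adds the Domain Users to DC01 edge that the issue describes. The `Member action="REMOVE"` entry is deliberately ignored, since a removal grants nothing. Real `GptTmpl.inf` files are usually UTF-16 and Restricted Groups entries may name principals instead of SIDs, so a collector would decode the file and resolve names before applying this logic.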