
False positive AdminTo edges to DCs based on GPO #645

Open
JonasBK opened this issue Feb 6, 2023 · 8 comments

Comments

@JonasBK (Contributor) commented Feb 6, 2023

TLDR: BloodHound creates AdminTo edges to DCs based on group policy preferences in GPOs. Group policy preferences do not apply to DCs, which is why this is a false positive.

Description
It is possible to add a domain group to the Administrators group of a domain-joined computer through a GPO using Group Policy Preferences:
[image]

This will make BloodHound create an AdminTo edge from the given group (Domain Users in this example) to the computers which this GPO is linked to.

However, group policy preferences do not apply to DCs hence false positive edges.

This issue may also apply to other edges created based on group policy preferences.

Note that adding members to Administrators through Restricted Groups DOES apply to DCs:
[image]
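The distinction above is visible in the GPO's SYSVOL files: Group Policy Preferences write `Machine\Preferences\Groups\Groups.xml`, while Restricted Groups write the `[Group Membership]` section of `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf`. The following is an added example, not BloodHound or SharpHound code, that parses constructed samples of both files, tags each membership with the mechanism that created it, and only emits an AdminTo edge to a domain controller for the Restricted Groups case. It also applies the point raised later in the thread that the built-in Administrators group on a DC is domain-wide, so a Restricted Groups entry reaching one DC is treated as reaching every DC. The SIDs, computer names and file contents are constructed for illustration.

```python
"""Classify GPO-driven Administrators membership by mechanism and decide
which AdminTo edges it should produce.  Added example; not BloodHound code.
Rule encoded (as stated in the issue): GPP Local Users and Groups does not
apply to domain controllers, Restricted Groups does."""
import configparser
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# Constructed sample of Machine\Preferences\Groups\Groups.xml (GPP).
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CONTOSO\\Domain Users" action="ADD" sid="S-1-5-21-1111-2222-3333-513"/>
        <Member name="CONTOSO\\Helpdesk" action="REMOVE" sid="S-1-5-21-1111-2222-3333-1105"/>
      </Members>
    </Properties>
  </Group>
</Groups>
"""

# Constructed sample of Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# (Restricted Groups).  Real files are UTF-16; this is already decoded text.
GPTTMPL_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-513,*S-1-5-21-1111-2222-3333-1106
"""


@dataclass(frozen=True)
class Membership:
    group_sid: str
    member_sid: str
    mechanism: str  # "gpp" or "restricted_groups"


def parse_gpp_groups(xml_text: str) -> list:
    """Memberships added (action=ADD) through Group Policy Preferences."""
    out = []
    for group in ET.fromstring(xml_text).iter("Group"):
        props = group.find("Properties")
        if props is None:
            continue
        group_sid = props.get("groupSid", "")
        for member in props.iter("Member"):
            if member.get("action", "").upper() != "ADD":
                continue  # REMOVE entries grant nothing
            ident = member.get("sid") or member.get("name", "")
            out.append(Membership(group_sid, ident, "gpp"))
    return out


def parse_restricted_groups(inf_text: str) -> list:
    """Memberships enforced through the Restricted Groups security template."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep SID case and the '*' prefix intact
    cp.read_string(inf_text)
    out = []
    if not cp.has_section("Group Membership"):
        return out
    for key, value in cp.items("Group Membership"):
        if not key.endswith("__Members"):
            continue  # "__Memberof" nests the group elsewhere; not relevant here
        group_sid = key[: -len("__Members")].lstrip("*")
        for member in value.split(","):
            member = member.strip().lstrip("*")
            if member:
                out.append(Membership(group_sid, member, "restricted_groups"))
    return out


def admin_to_edges(memberships, linked_computers, domain_controllers) -> list:
    """(principal_sid, computer) AdminTo edges a GPO should create for the
    computers it is linked to.  GPP entries are skipped for DCs (the false
    positive from this issue); Restricted Groups entries on a DC land on every
    DC because BUILTIN\\Administrators is a single domain-wide group there."""
    edges = set()
    for m in memberships:
        if m.group_sid != ADMINISTRATORS_SID:
            continue
        for computer in linked_computers:
            if computer in domain_controllers:
                if m.mechanism == "gpp":
                    continue
                edges.update((m.member_sid, dc) for dc in domain_controllers)
            else:
                edges.add((m.member_sid, computer))
    return sorted(edges)


if __name__ == "__main__":
    dcs = {"DC01", "DC02"}  # constructed
    print("GPP -> DC01:", admin_to_edges(parse_gpp_groups(GROUPS_XML), ["DC01"], dcs))
    print("GPP -> WS01:", admin_to_edges(parse_gpp_groups(GROUPS_XML), ["WS01"], dcs))
    print("RG  -> DC01:", admin_to_edges(parse_restricted_groups(GPTTMPL_INF), ["DC01"], dcs))
```

Run it against the two files of a real GPO (decode GptTmpl.inf from UTF-16 first) to check whether an AdminTo edge BloodHound drew to a DC is backed by Restricted Groups or only by a GPP item.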

@kaydaskalakis (Contributor)

Hi Jonas,

I am testing this as we speak and this appears even for newly created groups properly protected without GPOs in the mix. The issue started appearing on my end when these groups were delegated explicitly to a number of independent OUs with basic Helpdesk rights. I can be more specific in terms of numbers and rights, but delegating to around 30ish OUs seems to create those edges to DCs.

@JonasBK (Contributor, Author) commented May 19, 2023

Hi Kay,

That sounds odd... 🤔
Is it AdminTo edges that BloodHound creates to the DCs or other edges?
AdminTo should never be created based on ACLs.

@kaydaskalakis (Contributor)

Hi Jonas,

Yes, all AdminTo edges towards DCs for a group that doesn't have any policies applied to it and generally has no delegated rights to them.

What happened though, if I may add here, is that some DCs were improperly decommissioned and moved to an OU that the group had delegation on, effectively giving GenericAll to those items moved there and consequently DCSync, but that shouldn't have created an AdminTo edge for the other DCs, would it?

[image]

@JonasBK (Contributor, Author) commented May 22, 2023

Cool, thanks for the additional information!

Do you know if there is a GPO that adds that group to Administrators linked to the OU where the decommissioned DCs were located?

BloodHound may have added the AdminTo edge to all DCs instead of just the decommissioned DCs since the local Administrators group on DCs is the domain group Administrators, so members are synced across DCs.

I find it less likely that the GenericAll permission should have caused the AdminTo edges. But something is definitely going wrong somewhere in BloodHound.

@kaydaskalakis (Contributor)

I highly doubt it, as this group was brand new, created by myself, and only had delegation rights applied to the specific OU. If anyone had taken that group and added it to a GPO I should have seen an RFC about it, but your point is excellent and I need to look into this asap. Will report back!

On the decommissioned DCs it just had the GenericAll permission, probably deriving from delegation rights as these are full control on computer objects. The only thing that had the AdminTo edge was all the other DCs that were left in their rightful place.

@JonasBK (Contributor, Author) commented May 23, 2023

Thanks for checking, Kay!

I see what you mean - my theory sounds unlikely when you created the group.

@kaydaskalakis (Contributor)

Good morning Jonas! Note I still have these edges being drawn in version 4.1.3. This time, weirdly, these are AdminTo edges to JUST the PDC, but there is nothing to give rights to the specific groups to do so - either from delegation or Group Policy. I am going deep into this today to see what is going on and if there's any chance this could be positive, but those groups don't even have rights to log on, let alone be admins to the PDC.

@JonasBK (Contributor, Author) commented Jun 13, 2023

Hey Kay,

That sounds very odd. Likely a bug.
I can also try to dig into it if you are able to anonymize the json files to a point where you are comfortable sharing them with me.
