Skip to content

[Query Issue]: Domains allowing unauthenticated rootDSE searches and binds #39

New issue
New issue
Open
Open
[Query Issue]: Domains allowing unauthenticated rootDSE searches and binds#39
@HerrHozi

Description

@HerrHozi
HerrHozi
opened on Nov 30, 2025

Query GUID

ebc79aa4-e816-4be8-93fe-a0b30dbc771d

Query content

MATCH (n:Domain)
WHERE n.dsheuristics =~ ".{6}[^2].*"
RETURN n

Issue description

Correct me, if I'm wrong, but if you see dSHeuristics = 0000002 in a production AD forest, it means anonymous LDAP access has been explicitly enabled via this heuristic.

so the regex syntax is wrong, it must be

n.dsheuristics =~ ".{6}[^2]." or
n.dsheuristics =~ ".{6}2."

H.

BloodHound version

BloodHound v8.3.0

BloodHound DB

Neo4j

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions