Description
Query GUID
f5f2455e-afdc-4708-9a34-98f539ce52d8
Query content
MATCH p=(n:Base)-[:GenericAll|GenericWrite]->(g:GPO)
// Exclude Enterprise Admins and Domain Admins
WHERE NOT n.objectid =~ "-(519|512)$"
// Exclude unresolved SIDs
AND NOT (n.distinguishedname IS NULL)
// Asset description may reveal if it's a delegation group (false-positive) or a filter group (true-positive)
//AND n.description is not null
//AND n.description =~ "(?i)apply"
RETURN p
LIMIT 1000
Issue description
Issue
The query does not correctly exclude admins. When I run
MATCH p=(n:Base)-[:GenericAll|GenericWrite]->(g:GPO)
WHERE NOT n.objectid =~ "-(519|512)$"
AND NOT (n.distinguishedname IS NULL)
RETURN n.objectid
I get (sorry for the bad formatting, but you get the point):
╒═══════════════════════════════════════════════╕
│n.objectid │
╞═══════════════════════════════════════════════╡
│"S-1-5-21-1936219977-138304643-1546849883-519" │
├───────────────────────────────────────────────┤
│"S-1-5-21-1936219977-138304643-1546849883-512" │
├───────────────────────────────────────────────┤
│"S-1-5-21-1936219977-138304643-1546849883-512" │
├───────────────────────────────────────────────┤
│"S-1-5-21-1936219977-138304643-1546849883-519" │
├───────────────────────────────────────────────┤
[....]
Remediation
Changing the query to
MATCH p = (n:Base)-[:GenericAll|GenericWrite]->(g:GPO)
WHERE
NOT n.objectid =~ ".*-(519|512)$"
AND n.distinguishedname IS NOT NULL
RETURN n.objectid
(note the change to NOT n.objectid =~ ".*-(519|512)$") fixed the issue for me.
Important notice
Thanks for your work! The community thrives because of the hard work of amazing people like you; we highly appreciate that!
BloodHound version
BloodHound v8.4.1
BloodHound DB
Neo4j
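The root cause reported above is that Neo4j's `=~` operator requires the regular expression to match the entire string (Java `String.matches` semantics), so `-(519|512)$` can never match a full SID and the admin groups are never excluded. The following Python snippet is an added example, not code from the issue or from the BloodHound query library; it mimics that full-match behaviour with `re.fullmatch` on constructed sample objectids (a made-up domain SID, not the one in the report) so the broken and fixed patterns can be compared offline. Note that the fixed pattern still requires the hyphen directly before the RID, so a RID such as 1512 is not accidentally excluded.

```python
import re

# Constructed sample data (not taken from the issue): a made-up domain SID with
# the well-known RIDs for Domain Admins (512) and Enterprise Admins (519),
# plus principals that must NOT be excluded by the admin filter.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_OBJECTIDS = [
    f"{DOMAIN_SID}-512",   # Domain Admins
    f"{DOMAIN_SID}-519",   # Enterprise Admins
    f"{DOMAIN_SID}-1105",  # an ordinary custom group (e.g. a GPO delegation group)
    f"{DOMAIN_SID}-1512",  # RID that merely ends in "512"; must be kept
    "S-1-5-32-544",        # BUILTIN\Administrators; not matched by either pattern
]

BROKEN_PATTERN = r"-(519|512)$"    # pattern from the original query
FIXED_PATTERN = r".*-(519|512)$"   # pattern from the reporter's remediation


def cypher_regex_match(value: str, pattern: str) -> bool:
    """Mimic Neo4j's `=~`: the regex must match the whole string, which is
    what Python's re.fullmatch does (re.search would be the wrong analogue)."""
    return re.fullmatch(pattern, value) is not None


def excluded_by(objectids, pattern):
    """Principals that the query's `WHERE NOT n.objectid =~ pattern` drops."""
    return [oid for oid in objectids if cypher_regex_match(oid, pattern)]


def principals_kept(objectids, pattern):
    """Principals that survive the filter and would be returned by the query."""
    return [oid for oid in objectids if not cypher_regex_match(oid, pattern)]


if __name__ == "__main__":
    # Broken pattern excludes nothing: DA and EA still show up with GPO rights.
    print("excluded (broken):", excluded_by(SAMPLE_OBJECTIDS, BROKEN_PATTERN))
    # Fixed pattern excludes exactly the two well-known admin groups.
    print("excluded (fixed): ", excluded_by(SAMPLE_OBJECTIDS, FIXED_PATTERN))
    print("kept (fixed):     ", principals_kept(SAMPLE_OBJECTIDS, FIXED_PATTERN))
```

Running the snippet shows the broken pattern excluding an empty list while the fixed pattern excludes only the `-512` and `-519` principals; the `-1512` and BUILTIN entries are kept in both cases, which is the behaviour the query intends.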