Exclude MSAs when searching for Computers affected by GPOs

gMSAs and sMSAs have the same samaccounttype as Computers. So they have to be filtered out.
BloodHoundAD · May 3, 2023 · 1bcf1a8 · 1bcf1a8
1 parent 1ce194f
commit 1bcf1a8
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/src/CommonLib/LDAPQueries/LDAPFilter.cs b/src/CommonLib/LDAPQueries/LDAPFilter.cs
@@ -144,6 +144,8 @@ public LDAPFilter AddContainers(params string[] conditions)
 
         /// <summary>
         ///     Add a filter that will include Computer objects
+        ///
+        ///     Note that gMSAs and sMSAs have this samaccounttype as well
         /// </summary>
         /// <param name="conditions"></param>
         /// <returns></returns>
@@ -164,6 +166,17 @@ public LDAPFilter AddSchemaID(params string[] conditions)
             return this;
         }
 
+        /// <summary>
+        ///     Add a filter that will include Computer objects but exclude gMSA and sMSA objects
+        /// </summary>
+        /// <param name="conditions"></param>
+        /// <returns></returns>
+        public LDAPFilter AddComputersWoutMSAs(params string[] conditions)
+        {
+            _filterParts.Add(BuildString("(&(samaccounttype=805306369)(!(objectclass=msDS-GroupManagedServiceAccount))(!(objectclass=msDS-ManagedServiceAccount)))", conditions));
+            return this;
+        }
+
         /// <summary>
         /// Adds a generic user specified filter
         /// </summary>

diff --git a/src/CommonLib/Processors/GPOLocalGroupProcessor.cs b/src/CommonLib/Processors/GPOLocalGroupProcessor.cs
@@ -70,7 +70,7 @@ public async Task<ResultingGPOChanges> ReadGPOLocalGroups(string gpLink, string
             // Its cheaper to fetch the affected computers from LDAP first and then process the GPLinks 
             var options = new LDAPQueryOptions
             {
-                Filter = new LDAPFilter().AddComputers().GetFilter(),
+                Filter = new LDAPFilter().AddComputersWoutMSAs().GetFilter(),
                 Scope = SearchScope.Subtree,
                 Properties = CommonProperties.ObjectSID,
                 AdsPath = distinguishedName

diff --git a/test/unit/GPOLocalGroupProcessorTest.cs b/test/unit/GPOLocalGroupProcessorTest.cs
@@ -145,7 +145,7 @@ public async Task GPOLocalGroupProcessor_ReadGPOLocalGroups_Null_Gpcfilesyspath(
             mockSearchResults.Add(mockSearchResultEntry.Object);
             mockLDAPUtils.Setup(x => x.QueryLDAP(new LDAPQueryOptions
                 {
-                    Filter = "(samaccounttype=805306369)",
+                    Filter = "(&(samaccounttype=805306369)(!(objectclass=msDS-GroupManagedServiceAccount))(!(objectclass=msDS-ManagedServiceAccount)))",
                     Scope = SearchScope.Subtree,
                     Properties = CommonProperties.ObjectSID,
                     AdsPath = null