IsAdmin from group policy preferences does not account for Item Level Targeting #37

Open
kitchung opened this issue Dec 24, 2022 · 1 comment

Comments

@kitchung

SharpHound does not account for Item Level Targeting when collecting local group membership from GPOs linked to OUs.

A Group Policy Preference in a GPO can add groups or users into the local administrators group only if the host has a matching NETBIOS name or is a member of an AD group.

I know it will be impossible for SharpHound to account for some item level targeting options such as WMI, but I believe ones that are likely used for managing local groups can, such as hostname, OU and security group membership.

Item level targeting details:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v=ws.11)

@JonasBK
Collaborator

JonasBK commented Apr 28, 2023

Hi @kitchung,

Thanks for pointing this out. I agree, it would be a very cool enhancement!
We would definitely approve it if anyone made a pull request for this. If that does not happen, we should look into this someday.
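
The following Python example is added here; it is not SharpHound's code and not part of the thread. It reads local Administrators additions from a Groups.xml preference file and evaluates hostname, OU and security-group targeting for one host, reporting WMI and other filters that cannot be decided from directory data as unknown. Assumptions: the element and attribute names follow the GPP Groups.xml layout, filters combine left to right, and the sample XML, host records and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Groups.xml; account names, SIDs and OUs are made up.
SAMPLE = r"""<Groups>
<Group name="Administrators (built-in)"><Properties action="U" groupSid="S-1-5-32-544">
 <Members><Member name="CORP\HelpdeskA" action="ADD" sid="S-1-5-21-1-2-3-1101"/></Members></Properties>
 <Filters><FilterComputer bool="AND" not="0" type="NETBIOS" name="WS01"/></Filters></Group>
<Group name="Administrators (built-in)"><Properties action="U" groupSid="S-1-5-32-544">
 <Members><Member name="CORP\HelpdeskB" action="ADD" sid="S-1-5-21-1-2-3-1102"/></Members></Properties>
 <Filters><FilterOrgUnit bool="AND" not="0" name="OU=Servers,DC=corp,DC=example" userContext="0" directMember="0"/>
  <FilterGroup bool="OR" not="0" name="CORP\Kiosks" sid="S-1-5-21-1-2-3-2001" userContext="0"/></Filters></Group>
<Group name="Administrators (built-in)"><Properties action="U" groupSid="S-1-5-32-544">
 <Members><Member name="CORP\HelpdeskC" action="ADD" sid="S-1-5-21-1-2-3-1103"/></Members></Properties>
 <Filters><FilterWmi bool="AND" not="0" query="SELECT * FROM Win32_Battery"/></Filters></Group>
</Groups>"""

def eval_filter(f, host):
    """Return True/False, or None when the filter cannot be decided from directory data."""
    if f.get("userContext") == "1":
        return None  # depends on the logged-on user, not the computer
    if f.tag == "FilterComputer" and f.get("type") == "NETBIOS":
        res = f.get("name", "").upper() == host["netbios"].upper()
    elif f.tag == "FilterGroup":
        res = f.get("sid") in host["group_sids"]
    elif f.tag == "FilterOrgUnit":  # naive DN handling: no escaped commas
        ou, dn = f.get("name", "").lower(), host["dn"].lower()
        res = (dn.split(",", 1)[1] == ou) if f.get("directMember") == "1" else dn.endswith("," + ou)
    else:
        return None  # WMI, registry, nested collections, DNS names: undecidable here
    return (not res) if f.get("not") == "1" else res

def combine(acc, val, op):  # three-valued AND/OR; None means unknown
    if op == "OR":
        return True if True in (acc, val) else (None if None in (acc, val) else False)
    return False if False in (acc, val) else (None if None in (acc, val) else True)

def local_admin_adds(xml_text, host):
    """Map each member added to local Administrators to 'applies', 'filtered_out' or 'unknown'."""
    out = {}
    for g in ET.fromstring(xml_text).iter("Group"):
        props = g.find("Properties")
        if props is None or props.get("groupSid") != "S-1-5-32-544":
            continue
        verdict = True  # no <Filters> element: the item applies to every host in scope
        for i, f in enumerate(g.findall("Filters/*")):  # assumed left-to-right evaluation
            val = eval_filter(f, host)
            verdict = val if i == 0 else combine(verdict, val, f.get("bool", "AND"))
        label = {True: "applies", False: "filtered_out", None: "unknown"}[verdict]
        out.update({m.get("name"): label for m in props.iter("Member") if m.get("action") == "ADD"})
    return out
```

Entries reported as unknown are the ones an auditor still has to check on the host itself, since the directory alone cannot confirm or rule out the membership.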
