Sharphound 2.4.1 declared some users as a group, e.g. the MSOL_ accounts (in Neo4J)

Question

Closed this issue 24 days ago · 1 comments

Hi,

I figured out, that some users will be declared as a group, these objects also have three labels.

labels(s)[0] = 'Group'
labels(s)[1] = 'User'
labels(s)[2] = 'Base'

instead of

labels(s)[0] = 'User'
labels(s)[1] = 'Base'

try this in your lab e.g. with the following query:

match (s) where labels(s)[0] = 'Group' return s.name,s.lastlogontimestamp, labels(s)[0],labels(s)[1],labels(s)[2] order by s.lastlogontimestamp

but BH5 CE shows the object, as a correct type.

This is a bug in Sharphound 2.4.1?

TIA

Answer 1 · 2024-09-04T15:26:24.000Z

I believe we've fixed this in SpecterOps/BloodHound#741