BloodHoundAD/SharpHoundCommon

Remote Registry enumerates local users

rustaska opened this issue · 1 comments

The re-introduced method to get sessions using the Windows Remote Registry uses a regex to filter out user accounts: SidRegex = new(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$", RegexOptions.Compiled);

Line: https://github.com/BloodHoundAD/SharpHoundCommon/blob/3cedabb8ca96b223a0eaae2ad8ef8a3176ab3e82/src/CommonLib/Processors/ComputerSessionProcessor.cs#L15

This regex will also find logged-in local user accounts, which will then be in the final JSON result. This is contrary to the other methods used for session enumeration. Is this intended?

Thx for clarification and the great work

This is probably a bug. Unfortunately, I just missed it in our current release. I'll address this in a future one.
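The behaviour raised in this issue, shown as an added example that is not part of the thread or of SharpHoundCommon's code: local and domain account SIDs share the same `S-1-5-21-…-RID` shape, so the regex alone cannot separate them, while comparing the SID's domain part against a known domain SID can. The `SessionSidFilter` class, the `DomainUserSids` helper, and every SID value are constructed for illustration, and the domain SID is assumed to be known to the collector.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class SessionSidFilter
{
    // Regex quoted in the issue.
    static readonly Regex SidRegex =
        new(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$", RegexOptions.Compiled);

    // Hypothetical helper (not SharpHound's API): keeps only SIDs whose
    // domain part (everything before the final RID) is a known domain SID.
    public static IEnumerable<string> DomainUserSids(
        IEnumerable<string> hkuSubKeys, ISet<string> domainSids)
    {
        foreach (var key in hkuSubKeys)
        {
            if (!SidRegex.IsMatch(key)) continue;   // drops .DEFAULT, S-1-5-18, *_Classes
            var domainPart = key.Substring(0, key.LastIndexOf('-'));
            if (domainSids.Contains(domainPart)) yield return key;
        }
    }

    static void Main()
    {
        // Constructed sample of HKEY_USERS subkey names; all SIDs are made up.
        var hkuSubKeys = new[]
        {
            ".DEFAULT",
            "S-1-5-18",
            "S-1-5-21-1111111111-2222222222-3333333333-1104",         // domain user
            "S-1-5-21-1111111111-2222222222-3333333333-1104_Classes", // excluded by the $ anchor
            "S-1-5-21-1010101010-2020202020-3030303030-1001",         // local user
        };
        var domainSids = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "S-1-5-21-1111111111-2222222222-3333333333" // assumed known domain SID
        };

        Console.WriteLine("Regex only (local user included):");
        foreach (var k in hkuSubKeys.Where(k => SidRegex.IsMatch(k)))
            Console.WriteLine("  " + k);

        Console.WriteLine("Regex plus domain SID check:");
        foreach (var k in DomainUserSids(hkuSubKeys, domainSids))
            Console.WriteLine("  " + k);
    }
}
```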