SpecterOps/BloodHound

New UI don't show CanRDP

Closed this issue · 5 comments

Since I have been using BloodHound for a long time, many of the functions are familiar to me. However, after I decided to try out the new CE edition, I quickly lost enthusiasm for it. The most serious reason why I turned away from the CE edition and went back to the previous one is the fact that there are many inconsistencies between the data presented. In the old edition, among other things, all first-degree execution rights and RDP privileges are displayed in full and these can also be specifically queried. Now with the CE edition it doesn't even show up for me. Likewise, all execution privileges that were displayed in the previous non-CE edition are completely missing. The same data sets were uploaded in both programs. Such a serious discrepancy is very annoying. I can't be the only one who noticed this. Is there already a solution for this? If not, please fix the problem urgently!

Good morning; based on what you're saying, it sounds like you're utilizing the same SharpHound output across both products and expecting the same results.

BloodHound CE utilizes a slightly different data format for local permissions like CanRDP. For that reason, you'll need to utilize SharpHound v2+ in combination with BloodHound CE to see those edges. You should see those edges once you recollect your data with SharpHound v2 (the latest version is packaged with BloodHound and available in the gear icon -> Download Collectors).

Let me know if there's anything else we can help with!

Additionally, there is an open feature request for first-degree relationships here: #117

I used the data with sharphound.exe v2.3, which I downloaded from https://github.com/BloodHoundAD/BloodHound. Is this the correct version?

If that version of SharpHound was the correct one, please reopen this case.

It should be the latest version available here: https://github.com/BloodHoundAD/SharpHound/releases

Data exported from that collector should fail to create CanRDP edges in BloodHound Legacy because of the schema differences in the output files. If you were using that version to collect, please provide more information about the steps you took, collection methods, any errors in the output, etc. It's also worth checking in the compstatus.csv file (TrackComputerCalls flag) whether SharpHound could enumerate the local data on the target system. Please keep in mind that there is another open issue regarding GPO analysis (#280), if that's the assumed path for data collection in this case.
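
Added example, not part of the thread and not SpecterOps code: a quick way to see which local-group layout a collected computers JSON file uses and whether Remote Desktop Users membership was collected at all, which is the schema difference the replies above refer to. The field names (`LocalGroups`, `RemoteDesktopUsers`, `Collected`, `Results`, `FailureReason`) and the two layouts are assumptions about the collector output that the thread itself does not spell out; the sample data is constructed.

```python
import json

RDP_RID_SUFFIX = "-555"  # BUILTIN\Remote Desktop Users is S-1-5-32-555

def rdp_status(computer):
    """Return (shape, collected, member_count, failure_reason) for one computer record."""
    if "LocalGroups" in computer:                 # assumed nested (SharpHound v2-style) layout
        for grp in computer["LocalGroups"] or []:
            if str(grp.get("ObjectIdentifier", "")).endswith(RDP_RID_SUFFIX):
                return ("nested", bool(grp.get("Collected")),
                        len(grp.get("Results") or []), grp.get("FailureReason"))
        return ("nested", False, 0, "RDP group not present in LocalGroups")
    if "RemoteDesktopUsers" in computer:          # assumed flat (older collector) layout
        blk = computer["RemoteDesktopUsers"] or {}
        return ("flat", bool(blk.get("Collected")),
                len(blk.get("Results") or []), blk.get("FailureReason"))
    return ("none", False, 0, "no local group data in record")

def summarize(doc):
    """Map computer name -> rdp_status() for every record in a computers JSON document."""
    out = {}
    for comp in doc.get("data", []):
        name = (comp.get("Properties") or {}).get("name", comp.get("ObjectIdentifier"))
        out[name] = rdp_status(comp)
    return out

# Constructed sample input (not real collector output).
SAMPLE = json.loads("""
{"data": [
 {"ObjectIdentifier": "S-1-5-21-1-2-3-1001", "Properties": {"name": "WS01.EXAMPLE.LOCAL"},
  "LocalGroups": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1001-555", "Collected": true,
                   "FailureReason": null,
                   "Results": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1104", "ObjectType": "User"}]}]},
 {"ObjectIdentifier": "S-1-5-21-1-2-3-1002", "Properties": {"name": "WS02.EXAMPLE.LOCAL"},
  "LocalGroups": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1002-555", "Collected": false,
                   "FailureReason": "Access denied", "Results": []}]},
 {"ObjectIdentifier": "S-1-5-21-1-2-3-1003", "Properties": {"name": "SRV03.EXAMPLE.LOCAL"},
  "RemoteDesktopUsers": {"Collected": true, "FailureReason": null,
                         "Results": [{"ObjectIdentifier": "S-1-5-21-1-2-3-513", "ObjectType": "Group"}]}},
 {"ObjectIdentifier": "S-1-5-21-1-2-3-1004", "Properties": {"name": "SRV04.EXAMPLE.LOCAL"}}
]}
""")

if __name__ == "__main__":
    for host, status in summarize(SAMPLE).items():
        print(host, status)
```

A host reported as `nested` with `collected` false points at a collection failure on that system rather than an import problem, which is the case the compstatus.csv check mentioned above is meant to confirm.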