Don't toss entire CA when host SID cannot be resolved, but toss the host

SpecterOps · Mar 14, 2024 · 9a56c26 · 9a56c26
1 parent a8578c3
commit 9a56c26
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/src/Runtime/ObjectProcessors.cs b/src/Runtime/ObjectProcessors.cs
@@ -638,11 +638,11 @@ private async Task<EnterpriseCA> ProcessEnterpriseCA(ISearchResultEntry entry, R
                 {
                     ret.HostingComputer = await _context.LDAPUtils.ResolveHostToSid(dnsHostName, resolvedSearchResult.Domain);
 
-                    // If ResolveHostToSid does not return a valid SID, we don't want to process this CA
-                    if (ret.HostingComputer == null || !ret.HostingComputer.StartsWith("S-1-"))
+                    // If ResolveHostToSid does not return a valid SID, we don't want to record this host
+                    if (ret.HostingComputer != null && !ret.HostingComputer.StartsWith("S-1-"))
                     {
-                        _log.LogWarning("CA could not be resolved to a SID, skipping.", dnsHostName, resolvedSearchResult.Domain);
-                        return null;
+                        _log.LogWarning("CA host could not be resolved to a SID.", dnsHostName, resolvedSearchResult.Domain);
+                        ret.HostingComputer = null;
                     }
 
                     CARegistryData cARegistryData = new()