Remote Registry enumerates local users #27
Comments
|
This is probably a bug. Unfortunately, I just missed it in our current release. I'll address this in a future one. |
rvazarkar
added a commit
that referenced
this issue
Nov 3, 2022
fix: lookup accounts in registry enum to remove local ones Closes: #27
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The re-introduced method to get sessions using the Windows Remote Registry uses a regex to filter out user accounts:
SidRegex = new(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$", RegexOptions.Compiled);Line: https://github.com/BloodHoundAD/SharpHoundCommon/blob/3cedabb8ca96b223a0eaae2ad8ef8a3176ab3e82/src/CommonLib/Processors/ComputerSessionProcessor.cs#L15
This regex will also find logged in local users accounts, which will then be in the final JSON result. This is contrary to the other methods used for session enumeration. Is this intended?
Thx for clarification and the great work
The text was updated successfully, but these errors were encountered: