diff --git a/Sharphound2/Enumeration/ContainerHelpers.cs b/Sharphound2/Enumeration/ContainerHelpers.cs index 9970cfe..57b5129 100644 --- a/Sharphound2/Enumeration/ContainerHelpers.cs +++ b/Sharphound2/Enumeration/ContainerHelpers.cs @@ -29,7 +29,7 @@ internal static void BuildGpoCache(string domain) domain = d.Name; foreach (var entry in _utils.DoSearch("(&(objectCategory=groupPolicyContainer)(name=*)(gpcfilesyspath=*))", - SearchScope.Subtree, new[] { "displayname", "name" }, domain)) + SearchScope.Subtree, new[] { "displayname", "name" })) { var name = entry.GetProp("name").ToUpper(); var dName = entry.GetProp("displayname")?.ToUpper() ?? name; @@ -66,13 +66,16 @@ internal static void ResolveContainer(SearchResultEntry entry, ResolvedEntry res var index = dn.IndexOf("CN=", StringComparison.OrdinalIgnoreCase) + 4; var name = dn.Substring(index, index + 25).ToUpper(); + var dc = dn.Split(new string[] { ",DC=" }, StringSplitOptions.None).Skip(1); + var gpoDomain = string.Join(".", dc.ToArray()); + if (!_gpoCache.ContainsKey(name)) continue; var dName = _gpoCache[name]; links.Add(new GpLink { IsEnforced = enforced, - Name = $"{dName}@{domain}" + Name = $"{dName}@{gpoDomain}" }); } @@ -142,13 +145,17 @@ internal static void ResolveContainer(SearchResultEntry entry, ResolvedEntry res var enforced = status.Equals("2"); var index = dn.IndexOf("CN=", StringComparison.OrdinalIgnoreCase) + 4; var name = dn.Substring(index, index + 25).ToUpper(); + + var dc = dn.Split(new string[] { ",DC=" }, StringSplitOptions.None).Skip(1); + var gpoDomain = string.Join(".", dc.ToArray()); + if (!_gpoCache.ContainsKey(name)) continue; var dName = _gpoCache[name]; links.Add(new GpLink { IsEnforced = enforced, - Name = $"{dName}@{domain}" + Name = $"{dName}@{gpoDomain}" }); }