Filter GPA managed GPOs

Fix based on PR from @Crypt0-M3lon SpecterOps/SharpHound#65
BloodHoundAD · Nov 7, 2019 · 3d353f2 · 3d353f2
1 parent 553d67d
commit 3d353f2
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/SharpHound3/LdapBuilder.cs b/SharpHound3/LdapBuilder.cs
@@ -35,7 +35,7 @@ internal static LdapQueryData BuildLdapQuery(CollectionMethodResolved methods)
 
             if (methods.HasFlag(CollectionMethodResolved.ACL))
             {
-                ldapFilterParts.Add("(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(objectCategory=groupPolicyContainer)(objectcategory=organizationalUnit))");
+                ldapFilterParts.Add("(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(&(objectcategory=groupPolicyContainer)(flags=*))(objectcategory=organizationalUnit))");
                 ldapProperties.AddRange(new []
                 {
                     "ntsecuritydescriptor", "displayname", "name"
@@ -49,7 +49,7 @@ internal static LdapQueryData BuildLdapQuery(CollectionMethodResolved methods)
 
             if (methods.HasFlag(CollectionMethodResolved.ObjectProps))
             {
-                ldapFilterParts.Add("(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(objectcategory=groupPolicyContainer))");
+                ldapFilterParts.Add("(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(&(objectcategory=groupPolicyContainer)(flags=*)))");
                 ldapProperties.AddRange(new[]
                 {
                     "pwdlastset", "lastlogon", "lastlogontimestamp", "objectsid",
@@ -62,13 +62,13 @@ internal static LdapQueryData BuildLdapQuery(CollectionMethodResolved methods)
 
             if (methods.HasFlag(CollectionMethodResolved.Container))
             {
-                ldapFilterParts.Add("(|(&(objectCategory=groupPolicyContainer)(name=*)(gpcfilesyspath=*))(objectcategory=organizationalUnit)(objectClass=domain))");
+                ldapFilterParts.Add("(|(&(&(objectcategory=groupPolicyContainer)(flags=*))(name=*)(gpcfilesyspath=*))(objectcategory=organizationalUnit)(objectClass=domain))");
                 ldapProperties.AddRange(new[] {"gplink", "gpoptions", "name", "displayname"});
             }
 
             if (methods.HasFlag(CollectionMethodResolved.GPOLocalGroup))
             {
-                //ldapFilterParts.Add("(&(objectCategory=groupPolicyContainer)(name=*)(gpcfilesyspath=*))");
+                //ldapFilterParts.Add("(&(&(objectcategory=groupPolicyContainer)(flags=*))(name=*)(gpcfilesyspath=*))");
                 //ldapProperties.AddRange(new[] {"gpcfilesyspath", "displayname"});
                 ldapFilterParts.Add("(&(|(objectcategory=organizationalUnit)(objectclass=domain))(gplink=*))");
                 ldapProperties.AddRange(new []{"gplink", "name" });