Description
Query GUID
e7f703b3-5dba-4aef-8346-4d589be2c828
Query content
```cypher
MATCH (n:User)
WHERE NOT ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
  AND n.admincount = true
RETURN n
```
Issue description
While this query works, it requires additional work, since some groups or the KRBTGT account aren't declared Tier Zero by default.
According to the MS documentation, members of these groups have their AdminCount set to 1: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#protected-groups
I modified the query so it looks for all other users not included in this list.
```cypher
MATCH (u:User)
WHERE u.admincount = true
  AND NOT u.objectid ENDS WITH '-502' // krbtgt Account
  AND NOT u.objectid ENDS WITH '-500' // Administrator
OPTIONAL MATCH (u)-[:MemberOf]->(g:Group)
WHERE g.objectid ENDS WITH '-512' // Domain Admins
   OR g.objectid ENDS WITH '-548' // Account Operators
   OR g.objectid ENDS WITH '-544' // Administrators
   OR g.objectid ENDS WITH '-551' // Backup Operators
   OR g.objectid ENDS WITH '-516' // Domain Controllers
   OR g.objectid ENDS WITH '-519' // Enterprise Admins
   OR g.objectid ENDS WITH '-527' // Enterprise Key Admins
   OR g.objectid ENDS WITH '-526' // Key Admins
   OR g.objectid ENDS WITH '-550' // Print Operators
   OR g.objectid ENDS WITH '-521' // Read-Only Domain Controllers
   OR g.objectid ENDS WITH '-552' // Replicators
   OR g.objectid ENDS WITH '-518' // Schema Admins
   OR g.objectid ENDS WITH '-549' // Server Operators
WITH u, g
WHERE g IS NULL
RETURN u
// LIMIT 1000
```
BloodHound version
BH CE 7.0
BloodHound DB
Neo4j
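As an added example (not part of this issue or of the BloodHound project's own query library), the modified query above extended to nested group membership, since AdminSDHolder protection is inherited by users who reach a protected group only through intermediate groups, so a direct `MemberOf` match can flag such a user as stale when it is not. It assumes the standard BloodHound CE schema (`name` and `domain` properties on `User` and `Group` nodes, `MemberOf` edges) and keeps the same RID list in a single Cypher list instead of a chain of `OR` clauses.

```cypher
// Added example, not the reporter's query: same intent (admincount = true users
// that are not members of any protected group), but membership is followed
// through any depth of group nesting.
// Assumes standard BloodHound CE properties: objectid, name, domain.
WITH ['-512', // Domain Admins
      '-548', // Account Operators
      '-544', // Administrators
      '-551', // Backup Operators
      '-516', // Domain Controllers
      '-519', // Enterprise Admins
      '-527', // Enterprise Key Admins
      '-526', // Key Admins
      '-550', // Print Operators
      '-521', // Read-only Domain Controllers
      '-552', // Replicators
      '-518', // Schema Admins
      '-549'  // Server Operators
     ] AS protectedRids
MATCH (u:User)
WHERE u.admincount = true
  AND NOT u.objectid ENDS WITH '-500' // built-in Administrator
  AND NOT u.objectid ENDS WITH '-502' // krbtgt
// Variable-length path: direct members and members of nested groups alike
OPTIONAL MATCH (u)-[:MemberOf*1..]->(g:Group)
WHERE any(rid IN protectedRids WHERE g.objectid ENDS WITH rid)
// collect() discards NULLs, so a user with no protected group (direct or
// nested) ends up with an empty list; those are the stale AdminCount cases
WITH u, collect(DISTINCT g.name) AS protectedGroups
WHERE size(protectedGroups) = 0
RETURN u.name AS user, u.domain AS domain
ORDER BY domain, user
```

Unbounded `MemberOf*1..` expansion is noticeably heavier than the direct match on large graphs; bounding the depth (for example `*1..5`) keeps the query responsive while still covering realistic nesting.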