ENTERPRISE DOMAIN CONTROLLERS collect all computers with Unconstrained Delegation

[spyr0-sec]

The logic for adding members to the special ENTERPRISE DOMAIN CONTROLLERS group with the well-known SID of S-1-5-9 is to include all machine accounts with Unconstrained Delegation which I believe are causing false positives. The offending line is referenced below.

RustHound/src/json/checker/common.rs

Line 37 in c4e8eb3

if computer.properties().unconstraineddelegation().to_owned()

The function also references Bloodhound.py functionality which doesn't do this so I was wondering if there is rationale behind this?

[Zinterax]

Just chiming in as I ran into this as well recently. I believe this ended up causing BH to show some false attack paths related to DCSync and other edges.