False positive for cleartext password #233

@noraj

Description

Describe the bug

All domain users have an empty string for userpassword property.

$ cat users.json | jq '.data[].Properties?.userpassword? | if . == "" then "empty" else "redacted" end' | grep empty | wc
   6776    6776   54208

$ cat users.json | jq '.data[].Properties?.userpassword? | if . == "" then "empty" else "redacted" end' | grep redacted | wc
      0       0       0

When I manually run this Cypher query on BloodHound, I have an empty result.

"request": "MATCH (u:User) WHERE NOT u.userpassword IS null RETURN u.name AS user,\"[redacted for security purposes]\" AS password, u.is_da as `is Domain Admin`",

Which confirms no user has a cleartext password and the query is correct.

Yet there must be an issue with users_pwd_cleartext https://github.com/AD-Security/AD_Miner/blob/6467f51c7d9c7c5cb9f4f0c5162c211ce57fac90/ad_miner/sources/modules/controls/users_pwd_cleartext.py because it is generating a false positive, telling me that 6776 (all) users have a cleartext password.

System information

  • OS: ArchLinux
  • Python version 3.14.2
  • rusthound-ce 2.4.7
  • ad-miner 1.8.1.r0.g6467f51-2
  • bloodhound-ce 8.5.2
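As an added example (not AD_Miner's code and not posted by the issue author), the Python below reproduces the distinction the jq pipeline above draws: it walks a BloodHound-style users.json and reports a user as having a cleartext password only when userpassword is present, a string, and non-blank, so an empty string from the collector is counted as "no password" rather than as a finding. The input document is constructed for the example.

```python
import json

# Constructed sample in the shape of a BloodHound/RustHound-CE users.json export
# (only the properties relevant here are included); not data from the issue.
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "ALICE@CORP.LOCAL", "userpassword": ""}},
        {"Properties": {"name": "BOB@CORP.LOCAL", "userpassword": None}},
        {"Properties": {"name": "CAROL@CORP.LOCAL"}},
        {"Properties": {"name": "DAVE@CORP.LOCAL", "userpassword": "   "}},
        {"Properties": {"name": "SVC-BACKUP@CORP.LOCAL", "userpassword": "hunter2"}},
    ]
})


def has_cleartext_password(props):
    """True only when userpassword is a non-blank string.

    Missing keys, JSON null and empty/whitespace-only strings are all treated
    as 'no cleartext password', which is what a null check in Cypher should
    match after the collector normalises empty values.
    """
    value = props.get("userpassword")
    return isinstance(value, str) and value.strip() != ""


def classify_users(users_json_text):
    """Return (names_with_cleartext, blank_count, missing_or_null_count).

    Only user names are returned, never the password values themselves.
    """
    doc = json.loads(users_json_text)
    with_cleartext, blank, missing = [], 0, 0
    for entry in doc.get("data", []):
        props = entry.get("Properties") or {}
        if has_cleartext_password(props):
            with_cleartext.append(props.get("name", "<unnamed>"))
        elif isinstance(props.get("userpassword"), str):
            blank += 1          # "" or whitespace only: a false positive if flagged
        else:
            missing += 1        # key absent or JSON null
    return with_cleartext, blank, missing


if __name__ == "__main__":
    names, blank, missing = classify_users(SAMPLE_USERS_JSON)
    print(f"cleartext: {len(names)} user(s) {names}; blank: {blank}; missing/null: {missing}")
```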
