@etcsec-com/etc-collector 1.4.0

package/dist/services/audit/ad-audit.service.js

@@ -0,0 +1,1019 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ADAuditService = void 0;
+const acl_parser_1 = require("../../providers/ldap/acl-parser");
+const scoring_service_1 = require("./scoring.service");
+const logger_1 = require("../../utils/logger");
+const smb_provider_1 = require("../../providers/smb/smb.provider");
+const ldapts_1 = require("ldapts");
+const ad_1 = require("./detectors/ad");
+const trust_types_1 = require("../../types/trust.types");
+const attack_graph_service_1 = require("./attack-graph.service");
+function createSDFlagsControl() {
+    const LDAP_SERVER_SD_FLAGS_OID = '1.2.840.113556.1.4.801';
+    const SD_FLAGS = 0x00000007;
+    const buffer = Buffer.from([0x02, 0x01, SD_FLAGS]);
+    return {
+        oid: LDAP_SERVER_SD_FLAGS_OID,
+        critical: false,
+        value: buffer,
+    };
+}
+function convertFiletimeToDate(filetime) {
+    if (!filetime)
+        return undefined;
+    let filetimeNum;
+    if (typeof filetime === 'string') {
+        filetimeNum = parseInt(filetime, 10);
+    }
+    else if (typeof filetime === 'number') {
+        filetimeNum = filetime;
+    }
+    else {
+        return undefined;
+    }
+    if (filetimeNum === 0 || filetimeNum >= 9223372036854775807) {
+        return undefined;
+    }
+    const milliseconds = filetimeNum / 10000;
+    const epochOffset = 11644473600000;
+    const unixTimestamp = milliseconds - epochOffset;
+    if (unixTimestamp < 0 || unixTimestamp > Date.now() + 100 * 365 * 24 * 60 * 60 * 1000) {
+        return undefined;
+    }
+    return new Date(unixTimestamp);
+}
+class ADAuditService {
+    ldapProvider;
+    smbConfig;
+    constructor(ldapProvider, smbConfig) {
+        this.ldapProvider = ldapProvider;
+        this.smbConfig = smbConfig;
+    }
+    async runAudit(options = {}) {
+        const startTime = Date.now();
+        const { includeDetails = false, maxUsers, maxGroups, maxComputers } = options;
+        const baseDN = this.ldapProvider.getBaseDN();
+        const [users, groups, computers, domain, ouCount] = await Promise.all([
+            this.fetchUsers(maxUsers),
+            this.fetchGroups(maxGroups),
+            this.fetchComputers(maxComputers),
+            this.fetchDomain(),
+            this.fetchOUCount(),
+        ]);
+        const [certTemplates, certAuthorities, gpoData, trustsExtended, aclEntries, anonymousAccessAllowed, gpoSecuritySettings] = await Promise.all([
+            this.fetchCertificateTemplates(),
+            this.fetchCertificateAuthorities(),
+            this.fetchGPOsWithAcls(),
+            this.fetchTrustsExtended(),
+            this.fetchAcls(users, groups, computers),
+            this.testAnonymousLdapAccess(),
+            this.fetchGpoSecuritySettings(),
+        ]);
+        const templates = certTemplates;
+        const cas = certAuthorities;
+        const fsps = [];
+        const findings = [];
+        const detectorResults = await Promise.all([
+            Promise.resolve((0, ad_1.detectPasswordVulnerabilities)(users, includeDetails)),
+            Promise.resolve((0, ad_1.detectKerberosVulnerabilities)(users, includeDetails)),
+            Promise.resolve((0, ad_1.detectAccountsVulnerabilities)(users, includeDetails)),
+            Promise.resolve((0, ad_1.detectGroupsVulnerabilities)(users, groups, includeDetails)),
+            Promise.resolve((0, ad_1.detectComputersVulnerabilities)(computers, includeDetails)),
+            Promise.resolve((0, ad_1.detectAdvancedVulnerabilities)(users, computers, domain, templates, cas, fsps, includeDetails, {
+                gpoSettings: gpoSecuritySettings,
+                anonymousAccessAllowed,
+            })),
+            Promise.resolve((0, ad_1.detectPermissionsVulnerabilities)(aclEntries, includeDetails, computers.map((c) => c.dn))),
+            Promise.resolve((0, ad_1.detectAdcsVulnerabilities)(certTemplates, certAuthorities, includeDetails)),
+            Promise.resolve((0, ad_1.detectGpoVulnerabilities)(gpoData.gpos, gpoData.links, domain ? { minPasswordLength: domain['minPwdLength'] } : null, includeDetails, gpoData.gpoAcls)),
+            Promise.resolve((0, ad_1.detectTrustVulnerabilities)(trustsExtended, includeDetails)),
+            Promise.resolve((0, ad_1.detectAttackPathVulnerabilities)(users, groups, computers, aclEntries, gpoData.gpos, trustsExtended, certTemplates, includeDetails)),
+            Promise.resolve((0, ad_1.detectMonitoringVulnerabilities)(users, groups, domain, includeDetails, {
+                gpoSettings: gpoSecuritySettings,
+            })),
+        ]);
+        detectorResults.forEach((categoryFindings) => {
+            findings.push(...categoryFindings);
+        });
+        const score = (0, scoring_service_1.calculateSecurityScore)(findings, users.length);
+        const domainConfig = await this.fetchDomainConfig(domain);
+        logger_1.logger.info('Computing attack graph...');
+        const attackGraphStartTime = Date.now();
+        const attackGraph = (0, attack_graph_service_1.computeAttackGraph)(users, groups, computers, aclEntries, certTemplates, gpoData.gpos, {
+            name: domainConfig?.domainInfo?.domainName || this.extractDomainNameFromDN(baseDN),
+            sid: undefined,
+        }, 500);
+        logger_1.logger.info(`Attack graph computed in ${Date.now() - attackGraphStartTime}ms: ${attackGraph.paths.length} paths found`);
+        const executionTimeMs = Date.now() - startTime;
+        const disabledUsers = users.filter((u) => ((u.userAccountControl ?? 0) & 0x2) !== 0).length;
+        const enabledUsers = users.length - disabledUsers;
+        const disabledComputers = computers.filter((c) => !c.enabled).length;
+        const enabledComputers = computers.length - disabledComputers;
+        return {
+            score,
+            findings,
+            stats: {
+                totalUsers: users.length,
+                enabledUsers,
+                disabledUsers,
+                totalGroups: groups.length,
+                totalComputers: computers.length,
+                enabledComputers,
+                disabledComputers,
+                totalOUs: ouCount,
+                totalFindings: findings.length,
+                executionTimeMs,
+                ldapUrl: this.ldapProvider.getUrl(),
+            },
+            timestamp: new Date(),
+            domainConfig,
+            attackGraph,
+        };
+    }
+    async testConnection() {
+        try {
+            return await this.ldapProvider.testConnection();
+        }
+        catch (error) {
+            return {
+                success: false,
+                message: error instanceof Error ? error.message : 'Unknown connection error',
+            };
+        }
+    }
+    async testAnonymousLdapAccess() {
+        if (!this.smbConfig?.ldap) {
+            return false;
+        }
+        const { ldap } = this.smbConfig;
+        const urlMatch = ldap.url.match(/ldaps?:\/\/([^:/]+)(?::(\d+))?/i);
+        if (!urlMatch || !urlMatch[1]) {
+            return false;
+        }
+        const host = urlMatch[1];
+        const isLdaps = ldap.url.toLowerCase().startsWith('ldaps://');
+        const defaultPort = isLdaps ? 636 : 389;
+        const port = urlMatch[2] ? parseInt(urlMatch[2], 10) : defaultPort;
+        try {
+            const anonClient = new ldapts_1.Client({
+                url: `ldap://${host}:${port}`,
+                timeout: 5000,
+                connectTimeout: 5000,
+            });
+            await anonClient.bind('', '');
+            try {
+                await anonClient.search(ldap.baseDN, {
+                    filter: '(objectClass=domain)',
+                    attributes: ['dn'],
+                    scope: 'base',
+                    sizeLimit: 1,
+                });
+            }
+            catch {
+            }
+            await anonClient.unbind();
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async fetchUsers(maxUsers) {
+        const baseDN = this.ldapProvider.getBaseDN();
+        const filter = '(&(objectClass=user)(objectCategory=person))';
+        const attributes = [
+            'dn',
+            'sAMAccountName',
+            'userPrincipalName',
+            'displayName',
+            'mail',
+            'title',
+            'department',
+            'company',
+            'manager',
+            'physicalDeliveryOfficeName',
+            'description',
+            'employeeID',
+            'telephoneNumber',
+            'whenCreated',
+            'whenChanged',
+            'lastLogon',
+            'pwdLastSet',
+            'passwordLastSet',
+            'accountExpires',
+            'badPwdCount',
+            'lockoutTime',
+            'adminCount',
+            'memberOf',
+            'userAccountControl',
+            'servicePrincipalName',
+            'msDS-SupportedEncryptionTypes',
+            'sIDHistory',
+            'msDS-KeyCredentialLink',
+            'msDS-AllowedToActOnBehalfOfOtherIdentity',
+            'msDS-AllowedToDelegateTo',
+            'unixUserPassword',
+            'userPassword',
+        ];
+        const results = await this.ldapProvider.search(baseDN, {
+            filter,
+            attributes,
+            scope: 'sub',
+            sizeLimit: maxUsers,
+            paged: true,
+        });
+        return results.map((entry) => ({
+            ...entry,
+            dn: entry.dn,
+            sAMAccountName: entry.sAMAccountName,
+            userPrincipalName: entry.userPrincipalName,
+            displayName: entry.displayName,
+            enabled: !(entry.userAccountControl & 0x2),
+            passwordLastSet: convertFiletimeToDate(entry.passwordLastSet),
+            lastLogon: convertFiletimeToDate(entry.lastLogon),
+            accountExpires: convertFiletimeToDate(entry.accountExpires),
+            adminCount: entry.adminCount,
+            memberOf: !entry.memberOf ? [] : Array.isArray(entry.memberOf) ? entry.memberOf : [entry.memberOf],
+            servicePrincipalName: !entry.servicePrincipalName
+                ? []
+                : Array.isArray(entry.servicePrincipalName)
+                    ? entry.servicePrincipalName
+                    : [entry.servicePrincipalName],
+            userAccountControl: entry.userAccountControl,
+        }));
+    }
+    async fetchGroups(maxGroups) {
+        const baseDN = this.ldapProvider.getBaseDN();
+        const filter = '(objectClass=group)';
+        const attributes = ['dn', 'sAMAccountName', 'displayName', 'groupType', 'memberOf', 'member'];
+        const results = await this.ldapProvider.search(baseDN, {
+            filter,
+            attributes,
+            scope: 'sub',
+            sizeLimit: maxGroups,
+            paged: true,
+        });
+        return results.map((entry) => ({
+            ...entry,
+            dn: entry.dn,
+            sAMAccountName: entry.sAMAccountName,
+            displayName: entry.displayName,
+            groupType: entry.groupType,
+            memberOf: !entry.memberOf ? [] : Array.isArray(entry.memberOf) ? entry.memberOf : [entry.memberOf],
+            member: !entry.member ? [] : Array.isArray(entry.member) ? entry.member : [entry.member],
+        }));
+    }
+    async fetchComputers(maxComputers) {
+        const baseDN = this.ldapProvider.getBaseDN();
+        const filter = '(objectClass=computer)';
+        const attributes = [
+            'dn',
+            'sAMAccountName',
+            'dNSHostName',
+            'operatingSystem',
+            'operatingSystemVersion',
+            'lastLogon',
+            'userAccountControl',
+            'pwdLastSet',
+            'servicePrincipalName',
+            'ms-Mcs-AdmPwd',
+            'ms-Mcs-AdmPwdExpirationTime',
+            'msLAPS-Password',
+            'msLAPS-PasswordExpirationTime',
+            'lastLogonTimestamp',
+            'msDS-AllowedToDelegateTo',
+            'msDS-AllowedToActOnBehalfOfOtherIdentity',
+            'msDS-SupportedEncryptionTypes',
+            'memberOf',
+            'description',
+            'whenCreated',
+            'whenChanged',
+            'adminCount',
+        ];
+        const results = await this.ldapProvider.search(baseDN, {
+            filter,
+            attributes,
+            scope: 'sub',
+            sizeLimit: maxComputers,
+            paged: true,
+        });
+        return results.map((entry) => ({
+            ...entry,
+            dn: entry.dn,
+            sAMAccountName: entry.sAMAccountName,
+            dNSHostName: entry.dNSHostName,
+            operatingSystem: entry.operatingSystem,
+            operatingSystemVersion: entry.operatingSystemVersion,
+            lastLogon: convertFiletimeToDate(entry.lastLogon),
+            pwdLastSet: convertFiletimeToDate(entry.pwdLastSet),
+            enabled: !(entry.userAccountControl & 0x2),
+            memberOf: !entry.memberOf ? [] : Array.isArray(entry.memberOf) ? entry.memberOf : [entry.memberOf],
+            servicePrincipalName: !entry.servicePrincipalName
+                ? []
+                : Array.isArray(entry.servicePrincipalName)
+                    ? entry.servicePrincipalName
+                    : [entry.servicePrincipalName],
+        }));
+    }
+    async fetchDomain() {
+        try {
+            const baseDN = this.ldapProvider.getBaseDN();
+            const filter = '(objectClass=domain)';
+            const attributes = [
+                'dn',
+                'name',
+                'msDS-Behavior-Version',
+                'minPwdLength',
+                'maxPwdAge',
+                'pwdHistoryLength',
+                'ms-DS-MachineAccountQuota',
+            ];
+            const results = await this.ldapProvider.search(baseDN, {
+                filter,
+                attributes,
+                scope: 'base',
+            });
+            if (results.length === 0)
+                return null;
+            const entry = results[0];
+            const domainFunctionalLevel = entry['msDS-Behavior-Version'] !== undefined
+                ? parseInt(entry['msDS-Behavior-Version'], 10)
+                : undefined;
+            let forestFunctionalLevel;
+            try {
+                const configDN = `CN=Partitions,CN=Configuration,${baseDN}`;
+                const forestResults = await this.ldapProvider.search(configDN, {
+                    filter: '(objectClass=crossRefContainer)',
+                    attributes: ['msDS-Behavior-Version'],
+                    scope: 'base',
+                });
+                if (forestResults.length > 0 && forestResults[0]['msDS-Behavior-Version'] !== undefined) {
+                    forestFunctionalLevel = parseInt(forestResults[0]['msDS-Behavior-Version'], 10);
+                }
+            }
+            catch (e) {
+            }
+            let recycleBinEnabled = false;
+            try {
+                const optionalFeaturesDN = `CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,${baseDN}`;
+                const recycleBinResults = await this.ldapProvider.search(optionalFeaturesDN, {
+                    filter: '(cn=Recycle Bin Feature)',
+                    attributes: ['msDS-EnabledFeatureBL'],
+                    scope: 'sub',
+                });
+                if (recycleBinResults.length > 0) {
+                    const enabledFeatureBL = recycleBinResults[0]['msDS-EnabledFeatureBL'];
+                    recycleBinEnabled = enabledFeatureBL && (Array.isArray(enabledFeatureBL) ? enabledFeatureBL.length > 0 : true);
+                }
+            }
+            catch (e) {
+            }
+            return {
+                dn: entry.dn,
+                name: entry.name,
+                domainFunctionalLevel,
+                forestFunctionalLevel,
+                recycleBinEnabled,
+                ...entry,
+            };
+        }
+        catch (error) {
+            console.error('Failed to fetch domain:', error);
+            return null;
+        }
+    }
+    async fetchGpoSecuritySettings() {
+        if (!this.smbConfig || !this.smbConfig.smb.enabled) {
+            logger_1.logger.debug('SMB is disabled, skipping GPO security settings fetch');
+            return null;
+        }
+        const { smb, ldap } = this.smbConfig;
+        const baseDN = this.ldapProvider.getBaseDN();
+        const domainDnsName = this.extractDomainNameFromDN(baseDN);
+        let dcHostname = null;
+        try {
+            const dcResults = await this.ldapProvider.search(baseDN, {
+                filter: '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))',
+                attributes: ['dNSHostName'],
+                scope: 'sub',
+                sizeLimit: 1,
+            });
+            if (dcResults.length > 0 && dcResults[0].dNSHostName) {
+                dcHostname = dcResults[0].dNSHostName;
+            }
+        }
+        catch (e) {
+            logger_1.logger.debug('Failed to find DC for GPO settings fetch', { error: e });
+        }
+        if (!dcHostname) {
+            const urlMatch = ldap.url.match(/ldaps?:\/\/([^:/]+)/i);
+            if (urlMatch && urlMatch[1]) {
+                dcHostname = urlMatch[1];
+            }
+        }
+        if (!dcHostname) {
+            logger_1.logger.debug('No DC hostname available for GPO settings fetch');
+            return null;
+        }
+        const username = smb.username || ldap.bindDN.split(',')[0]?.replace(/^CN=/i, '') || '';
+        const password = smb.password || ldap.bindPassword;
+        const baseDNMatch = ldap.baseDN.match(/DC=([^,]+)/i);
+        const smbProviderConfig = {
+            host: dcHostname,
+            share: 'SYSVOL',
+            domain: baseDNMatch?.[1] || '',
+            username,
+            password,
+            timeout: smb.timeout,
+        };
+        const smbProvider = new smb_provider_1.SMBProvider(smbProviderConfig);
+        try {
+            await smbProvider.connect();
+            const settings = await smbProvider.readGpoSecuritySettings(domainDnsName);
+            if (settings) {
+                logger_1.logger.debug('Successfully fetched GPO security settings from SYSVOL', {
+                    domainDnsName,
+                    hasLdapSigning: settings.ldapServerIntegrity !== undefined,
+                    hasAuditPolicy: settings.auditPolicies !== undefined,
+                    hasPsLogging: settings.powershellLogging !== undefined,
+                });
+            }
+            return settings;
+        }
+        catch (error) {
+            logger_1.logger.warn('Failed to fetch GPO security settings via SMB', { error, dcHostname });
+            return null;
+        }
+        finally {
+            await smbProvider.disconnect();
+        }
+    }
+    async fetchOUCount() {
+        try {
+            const baseDN = this.ldapProvider.getBaseDN();
+            const filter = '(objectClass=organizationalUnit)';
+            const results = await this.ldapProvider.search(baseDN, {
+                filter,
+                attributes: ['dn'],
+                scope: 'sub',
+                paged: true,
+            });
+            return results.length;
+        }
+        catch (error) {
+            logger_1.logger.warn('Failed to fetch OU count', { error });
+            return 0;
+        }
+    }
+    async fetchAcls(users, groups, computers) {
+        const allAclEntries = [];
+        const baseDN = this.ldapProvider.getBaseDN();
+        try {
+            (0, acl_parser_1.resetParseStats)();
+            const userDns = users.map((u) => u.dn);
+            const userAcls = await this.fetchAclsForObjects(userDns);
+            for (const entry of userAcls) {
+                allAclEntries.push(entry);
+            }
+            const groupDns = groups.map((g) => g.dn);
+            const groupAcls = await this.fetchAclsForObjects(groupDns);
+            for (const entry of groupAcls) {
+                allAclEntries.push(entry);
+            }
+            const computerDns = computers.map((c) => c.dn);
+            const computerAcls = await this.fetchAclsForObjects(computerDns);
+            for (const entry of computerAcls) {
+                allAclEntries.push(entry);
+            }
+            const systemObjects = [
+                baseDN,
+                `CN=AdminSDHolder,CN=System,${baseDN}`,
+                `CN=Policies,CN=System,${baseDN}`,
+            ];
+            const systemAcls = await this.fetchAclsForObjects(systemObjects);
+            for (const entry of systemAcls) {
+                allAclEntries.push(entry);
+            }
+            return allAclEntries;
+        }
+        catch (error) {
+            logger_1.logger.warn('Failed to fetch ACL entries - insufficient permissions or unsupported configuration');
+            return [];
+        }
+    }
+    async fetchAclsForObjects(objectDns) {
+        const allAclEntries = [];
+        let _successCount = 0;
+        const BATCH_SIZE = 100;
+        for (let i = 0; i < objectDns.length; i += BATCH_SIZE) {
+            const batch = objectDns.slice(i, i + BATCH_SIZE);
+            const batchPromises = batch.map(async (dn) => {
+                try {
+                    const results = await this.ldapProvider.search(dn, {
+                        filter: '(objectClass=*)',
+                        attributes: ['nTSecurityDescriptor'],
+                        scope: 'base',
+                        controls: [createSDFlagsControl()],
+                    });
+                    if (results.length > 0 && results[0].nTSecurityDescriptor) {
+                        _successCount++;
+                        const secDescriptor = results[0].nTSecurityDescriptor;
+                        const buffer = Buffer.isBuffer(secDescriptor)
+                            ? secDescriptor
+                            : Buffer.from(secDescriptor, 'binary');
+                        const entries = (0, acl_parser_1.parseSecurityDescriptor)(buffer, dn);
+                        return entries;
+                    }
+                }
+                catch (error) {
+                    return [];
+                }
+                return [];
+            });
+            const batchResults = await Promise.all(batchPromises);
+            batchResults.forEach((entries) => allAclEntries.push(...entries));
+        }
+        return allAclEntries;
+    }
+    async fetchCertificateTemplates() {
+        try {
+            const baseDN = this.ldapProvider.getBaseDN();
+            const templatesDN = `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,${baseDN}`;
+            const results = await this.ldapProvider.search(templatesDN, {
+                filter: '(objectClass=pKICertificateTemplate)',
+                attributes: [
+                    'dn',
+                    'cn',
+                    'name',
+                    'displayName',
+                    'msPKI-Certificate-Name-Flag',
+                    'msPKI-Enrollment-Flag',
+                    'pKIExtendedKeyUsage',
+                    'nTSecurityDescriptor',
+                ],
+                scope: 'one',
+                controls: [createSDFlagsControl()],
+            });
+            return results.map((entry) => ({
+                dn: entry.dn,
+                cn: entry.cn || entry.name,
+                name: entry.name || entry.cn,
+                displayName: entry.displayName,
+                'msPKI-Certificate-Name-Flag': entry['msPKI-Certificate-Name-Flag']
+                    ? parseInt(entry['msPKI-Certificate-Name-Flag'], 10)
+                    : 0,
+                'msPKI-Enrollment-Flag': entry['msPKI-Enrollment-Flag']
+                    ? parseInt(entry['msPKI-Enrollment-Flag'], 10)
+                    : 0,
+                pKIExtendedKeyUsage: !entry.pKIExtendedKeyUsage
+                    ? []
+                    : Array.isArray(entry.pKIExtendedKeyUsage)
+                        ? entry.pKIExtendedKeyUsage
+                        : [entry.pKIExtendedKeyUsage],
+                nTSecurityDescriptor: entry.nTSecurityDescriptor,
+            }));
+        }
+        catch (error) {
+            logger_1.logger.debug('Could not fetch certificate templates (ADCS may not be configured)', { error });
+            return [];
+        }
+    }
+    async fetchCertificateAuthorities() {
+        try {
+            const baseDN = this.ldapProvider.getBaseDN();
+            const enrollmentDN = `CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,${baseDN}`;
+            const results = await this.ldapProvider.search(enrollmentDN, {
+                filter: '(objectClass=pKIEnrollmentService)',
+                attributes: [
+                    'dn',
+                    'cn',
+                    'name',
+                    'dNSHostName',
+                    'certificateTemplates',
+                    'nTSecurityDescriptor',
+                ],
+                scope: 'one',
+                controls: [createSDFlagsControl()],
+            });
+            return results.map((entry) => ({
+                dn: entry.dn,
+                cn: entry.cn || entry.name,
+                name: entry.name || entry.cn,
+                dNSHostName: entry.dNSHostName,
+                certificateTemplates: !entry.certificateTemplates
+                    ? []
+                    : Array.isArray(entry.certificateTemplates)
+                        ? entry.certificateTemplates
+                        : [entry.certificateTemplates],
+                nTSecurityDescriptor: entry.nTSecurityDescriptor,
+            }));
+        }
+        catch (error) {
+            logger_1.logger.debug('Could not fetch certificate authorities (ADCS may not be configured)', { error });
+            return [];
+        }
+    }
+    async fetchGPOsWithAcls() {
+        const baseDN = this.ldapProvider.getBaseDN();
+        const gpos = [];
+        const links = [];
+        const gpoAcls = [];
+        try {
+            const gpoResults = await this.ldapProvider.search(`CN=Policies,CN=System,${baseDN}`, {
+                filter: '(objectClass=groupPolicyContainer)',
+                attributes: [
+                    'dn',
+                    'cn',
+                    'displayName',
+                    'gPCFileSysPath',
+                    'flags',
+                    'gPCMachineExtensionNames',
+                    'nTSecurityDescriptor',
+                ],
+                scope: 'one',
+                controls: [createSDFlagsControl()],
+            });
+            for (const entry of gpoResults) {
+                const flags = entry.flags ? parseInt(entry.flags, 10) : 0;
+                gpos.push({
+                    dn: entry.dn,
+                    cn: entry.cn,
+                    displayName: entry.displayName,
+                    gPCFileSysPath: entry.gPCFileSysPath,
+                    flags,
+                    gPCMachineExtensionNames: entry.gPCMachineExtensionNames,
+                    nTSecurityDescriptor: entry.nTSecurityDescriptor,
+                });
+                if (entry.nTSecurityDescriptor) {
+                    try {
+                        const buffer = Buffer.isBuffer(entry.nTSecurityDescriptor)
+                            ? entry.nTSecurityDescriptor
+                            : Buffer.from(entry.nTSecurityDescriptor, 'binary');
+                        const aclEntries = (0, acl_parser_1.parseSecurityDescriptor)(buffer, entry.dn);
+                        for (const acl of aclEntries) {
+                            gpoAcls.push({
+                                gpoDn: entry.dn,
+                                gpoName: entry.displayName || entry.cn,
+                                trustee: acl.trustee,
+                                trusteeSid: acl.trustee,
+                                accessMask: acl.accessMask,
+                                aceType: typeof acl.aceType === 'string' ? parseInt(acl.aceType, 10) : acl.aceType,
+                            });
+                        }
+                    }
+                    catch (e) {
+                        logger_1.logger.debug('Could not parse GPO ACLs for', { gpo: entry.displayName, error: e });
+                    }
+                }
+            }
+            const linkResults = await this.ldapProvider.search(baseDN, {
+                filter: '(gPLink=*)',
+                attributes: ['dn', 'gPLink'],
+                scope: 'sub',
+                sizeLimit: 1000,
+            });
+            for (const entry of linkResults) {
+                const gpLink = entry.gPLink;
+                if (!gpLink)
+                    continue;
+                const linkMatches = gpLink.matchAll(/\[LDAP:\/\/([^\]]+);(\d+)\]/gi);
+                for (const match of linkMatches) {
+                    const gpoDn = match[1];
+                    const options = parseInt(match[2], 10);
+                    const guidMatch = gpoDn.match(/cn=(\{[^}]+\})/i);
+                    if (guidMatch) {
+                        links.push({
+                            gpoGuid: guidMatch[1],
+                            linkedTo: entry.dn,
+                            enforced: (options & 2) !== 0,
+                            disabled: (options & 1) !== 0,
+                        });
+                    }
+                }
+            }
+        }
+        catch (error) {
+            logger_1.logger.debug('Could not fetch GPOs with ACLs', { error });
+        }
+        return { gpos, links, gpoAcls };
+    }
+    async fetchTrustsExtended() {
+        try {
+            const baseDN = this.ldapProvider.getBaseDN();
+            const results = await this.ldapProvider.search(`CN=System,${baseDN}`, {
+                filter: '(objectClass=trustedDomain)',
+                attributes: [
+                    'dn',
+                    'name',
+                    'trustDirection',
+                    'trustType',
+                    'trustAttributes',
+                    'flatName',
+                    'securityIdentifier',
+                ],
+                scope: 'one',
+            });
+            return results.map((entry) => {
+                const trustDirection = parseInt(entry.trustDirection || '0', 10);
+                const trustType = parseInt(entry.trustType || '0', 10);
+                const trustAttributes = parseInt(entry.trustAttributes || '0', 10);
+                const parsed = (0, trust_types_1.parseTrustAttributes)(trustAttributes);
+                return {
+                    dn: entry.dn,
+                    name: entry.name,
+                    flatName: entry.flatName,
+                    trustDirection,
+                    trustType,
+                    trustAttributes,
+                    direction: (0, trust_types_1.parseTrustDirection)(trustDirection),
+                    type: (0, trust_types_1.parseTrustType)(trustType, trustAttributes),
+                    ...parsed,
+                };
+            });
+        }
+        catch (error) {
+            logger_1.logger.debug('Could not fetch extended trust information', { error });
+            return [];
+        }
+    }
+    async fetchDomainConfig(domain) {
+        const baseDN = this.ldapProvider.getBaseDN();
+        const config = {
+            passwordPolicy: {
+                minPasswordLength: 0,
+                passwordHistoryLength: 0,
+                maxPasswordAge: 'Not configured',
+                minPasswordAge: 'Not configured',
+                lockoutThreshold: 0,
+                lockoutDuration: 'Not configured',
+                lockoutObservationWindow: 'Not configured',
+                complexity: false,
+            },
+            kerberosPolicy: (0, smb_provider_1.getDefaultKerberosPolicy)(),
+            domainInfo: {
+                forestName: '',
+                domainName: '',
+                domainMode: 'Unknown',
+                forestMode: 'Unknown',
+                domainControllers: [],
+                fsmoRoles: {},
+            },
+            trusts: [],
+            gpoSummary: {
+                totalGPOs: 0,
+                linkedGPOs: 0,
+            },
+        };
+        try {
+            const policyResults = await this.ldapProvider.search(baseDN, {
+                filter: '(objectClass=domain)',
+                attributes: [
+                    'minPwdLength',
+                    'pwdHistoryLength',
+                    'maxPwdAge',
+                    'minPwdAge',
+                    'lockoutThreshold',
+                    'lockoutDuration',
+                    'lockOutObservationWindow',
+                    'pwdProperties',
+                    'name',
+                ],
+                scope: 'base',
+            });
+            if (policyResults.length > 0) {
+                const policy = policyResults[0];
+                config.passwordPolicy.minPasswordLength = parseInt(policy.minPwdLength || '0', 10);
+                config.passwordPolicy.passwordHistoryLength = parseInt(policy.pwdHistoryLength || '0', 10);
+                config.passwordPolicy.maxPasswordAge = this.formatFiletimeDuration(policy.maxPwdAge);
+                config.passwordPolicy.minPasswordAge = this.formatFiletimeDuration(policy.minPwdAge);
+                config.passwordPolicy.lockoutThreshold = parseInt(policy.lockoutThreshold || '0', 10);
+                config.passwordPolicy.lockoutDuration = this.formatFiletimeDuration(policy.lockoutDuration);
+                config.passwordPolicy.lockoutObservationWindow = this.formatFiletimeDuration(policy.lockOutObservationWindow);
+                config.passwordPolicy.complexity = (parseInt(policy.pwdProperties || '0', 10) & 1) === 1;
+                config.domainInfo.domainName = policy.name || '';
+            }
+            if (domain) {
+                config.domainInfo.domainMode = this.getDomainModeName(domain.domainFunctionalLevel);
+                config.domainInfo.forestMode = this.getDomainModeName(domain.forestFunctionalLevel);
+                config.domainInfo.forestName = this.extractDomainNameFromDN(baseDN);
+                config.domainInfo.domainName = this.extractDomainNameFromDN(baseDN);
+            }
+            const dcResults = await this.ldapProvider.search(baseDN, {
+                filter: '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))',
+                attributes: ['dNSHostName', 'name'],
+                scope: 'sub',
+            });
+            config.domainInfo.domainControllers = dcResults
+                .map((dc) => dc.dNSHostName || dc.name)
+                .filter((name) => name);
+            await this.fetchFSMORoles(config, baseDN);
+            await this.fetchTrusts(config, baseDN);
+            await this.fetchGPOCount(config, baseDN);
+            const dcHostname = config.domainInfo.domainControllers[0];
+            if (dcHostname) {
+                const domainDnsName = this.extractDomainNameFromDN(baseDN);
+                config.kerberosPolicy = await this.fetchKerberosPolicyViaSMB(domainDnsName, dcHostname);
+            }
+            else {
+                config.kerberosPolicy = (0, smb_provider_1.getDefaultKerberosPolicy)();
+            }
+        }
+        catch (error) {
+            logger_1.logger.warn('Failed to fetch some domain configuration', { error });
+        }
+        return config;
+    }
+    formatFiletimeDuration(filetime) {
+        if (!filetime)
+            return 'Not configured';
+        const value = typeof filetime === 'string' ? parseInt(filetime, 10) : filetime;
+        if (value === 0 || isNaN(value))
+            return 'Not configured';
+        const minutes = Math.abs(value) / (10000000 * 60);
+        if (minutes < 60) {
+            return `${Math.round(minutes)} min`;
+        }
+        else if (minutes < 1440) {
+            const hours = Math.round(minutes / 60);
+            return `${hours} hour${hours > 1 ? 's' : ''}`;
+        }
+        else {
+            const days = Math.round(minutes / 1440);
+            return `${days} day${days > 1 ? 's' : ''}`;
+        }
+    }
+    getDomainModeName(level) {
+        if (level === undefined)
+            return 'Unknown';
+        const levels = {
+            0: 'Windows2000Domain',
+            1: 'Windows2003InterimDomain',
+            2: 'Windows2003Domain',
+            3: 'Windows2008Domain',
+            4: 'Windows2008R2Domain',
+            5: 'Windows2012Domain',
+            6: 'Windows2012R2Domain',
+            7: 'Windows2016Domain',
+        };
+        return levels[level] || `Unknown (${level})`;
+    }
+    extractDomainNameFromDN(dn) {
+        const parts = dn.match(/DC=([^,]+)/gi);
+        if (!parts)
+            return dn;
+        return parts.map((p) => p.replace(/DC=/i, '')).join('.');
+    }
+    async fetchFSMORoles(config, baseDN) {
+        try {
+            const domainRoles = await this.ldapProvider.search(baseDN, {
+                filter: '(objectClass=domain)',
+                attributes: ['fSMORoleOwner'],
+                scope: 'base',
+            });
+            if (domainRoles.length > 0 && domainRoles[0].fSMORoleOwner) {
+                config.domainInfo.fsmoRoles.pdcEmulator = this.extractServerFromDN(domainRoles[0].fSMORoleOwner);
+            }
+            const ridResults = await this.ldapProvider.search(`CN=RID Manager$,CN=System,${baseDN}`, {
+                filter: '(objectClass=*)',
+                attributes: ['fSMORoleOwner'],
+                scope: 'base',
+            });
+            if (ridResults.length > 0 && ridResults[0].fSMORoleOwner) {
+                config.domainInfo.fsmoRoles.ridMaster = this.extractServerFromDN(ridResults[0].fSMORoleOwner);
+            }
+            const infraResults = await this.ldapProvider.search(`CN=Infrastructure,${baseDN}`, {
+                filter: '(objectClass=*)',
+                attributes: ['fSMORoleOwner'],
+                scope: 'base',
+            });
+            if (infraResults.length > 0 && infraResults[0].fSMORoleOwner) {
+                config.domainInfo.fsmoRoles.infrastructureMaster = this.extractServerFromDN(infraResults[0].fSMORoleOwner);
+            }
+        }
+        catch (error) {
+            logger_1.logger.debug('Could not fetch all FSMO roles', { error });
+        }
+    }
+    extractServerFromDN(dn) {
+        const match = dn.match(/CN=NTDS Settings,CN=([^,]+)/i);
+        return match && match[1] ? match[1] : dn;
+    }
+    async fetchTrusts(config, baseDN) {
+        try {
+            const trustResults = await this.ldapProvider.search(`CN=System,${baseDN}`, {
+                filter: '(objectClass=trustedDomain)',
+                attributes: ['name', 'trustDirection', 'trustType', 'trustAttributes'],
+                scope: 'one',
+            });
+            config.trusts = trustResults.map((trust) => {
+                const direction = parseInt(trust.trustDirection || '0', 10);
+                const trustType = parseInt(trust.trustType || '0', 10);
+                const attributes = parseInt(trust.trustAttributes || '0', 10);
+                return {
+                    name: trust.name || 'Unknown',
+                    direction: this.getTrustDirection(direction),
+                    type: this.getTrustType(trustType),
+                    transitive: (attributes & 1) === 1,
+                };
+            });
+        }
+        catch (error) {
+            logger_1.logger.debug('Could not fetch trust relationships', { error });
+        }
+    }
+    getTrustDirection(direction) {
+        switch (direction) {
+            case 1:
+                return 'inbound';
+            case 2:
+                return 'outbound';
+            case 3:
+                return 'bidirectional';
+            default:
+                return 'inbound';
+        }
+    }
+    getTrustType(type) {
+        switch (type) {
+            case 1:
+                return 'external';
+            case 2:
+                return 'external';
+            case 3:
+                return 'realm';
+            case 4:
+                return 'external';
+            default:
+                return 'external';
+        }
+    }
+    async fetchGPOCount(config, baseDN) {
+        try {
+            const gpoResults = await this.ldapProvider.search(`CN=Policies,CN=System,${baseDN}`, {
+                filter: '(objectClass=groupPolicyContainer)',
+                attributes: ['cn', 'gPCFileSysPath'],
+                scope: 'one',
+            });
+            config.gpoSummary.totalGPOs = gpoResults.length;
+            const linkedResults = await this.ldapProvider.search(baseDN, {
+                filter: '(gPLink=*)',
+                attributes: ['gPLink'],
+                scope: 'sub',
+                sizeLimit: 1000,
+            });
+            const linkedGPOs = new Set();
+            linkedResults.forEach((obj) => {
+                const gpLink = obj.gPLink;
+                if (gpLink) {
+                    const matches = gpLink.match(/cn=\{[^}]+\}/gi);
+                    if (matches) {
+                        matches.forEach((m) => linkedGPOs.add(m.toLowerCase()));
+                    }
+                }
+            });
+            config.gpoSummary.linkedGPOs = linkedGPOs.size;
+        }
+        catch (error) {
+            logger_1.logger.debug('Could not fetch GPO count', { error });
+        }
+    }
+    async fetchKerberosPolicyViaSMB(domainDnsName, dcHostname) {
+        if (!this.smbConfig || !this.smbConfig.smb.enabled) {
+            logger_1.logger.debug('SMB is disabled, returning default Kerberos policy values');
+            return (0, smb_provider_1.getDefaultKerberosPolicy)();
+        }
+        const { smb, ldap } = this.smbConfig;
+        const username = smb.username || ldap.bindDN.split(',')[0]?.replace(/^CN=/i, '') || '';
+        const password = smb.password || ldap.bindPassword;
+        const baseDNMatch = ldap.baseDN.match(/DC=([^,]+)/i);
+        const smbProviderConfig = {
+            host: dcHostname,
+            share: 'SYSVOL',
+            domain: baseDNMatch?.[1] || '',
+            username,
+            password,
+            timeout: smb.timeout,
+        };
+        const smbProvider = new smb_provider_1.SMBProvider(smbProviderConfig);
+        try {
+            await smbProvider.connect();
+            const kerberosPolicy = await smbProvider.readKerberosPolicy(domainDnsName);
+            if (kerberosPolicy) {
+                logger_1.logger.debug('Successfully fetched Kerberos policy from SYSVOL', { domainDnsName });
+                return (0, smb_provider_1.formatKerberosPolicy)(kerberosPolicy, false);
+            }
+            logger_1.logger.debug('GptTmpl.inf not found, using Windows default Kerberos policy values');
+            return (0, smb_provider_1.getDefaultKerberosPolicy)();
+        }
+        catch (error) {
+            logger_1.logger.warn('Failed to fetch Kerberos policy via SMB, using defaults', { error, dcHostname });
+            return (0, smb_provider_1.getDefaultKerberosPolicy)();
+        }
+        finally {
+            await smbProvider.disconnect();
+        }
+    }
+}
+exports.ADAuditService = ADAuditService;
+//# sourceMappingURL=ad-audit.service.js.map