@etcsec-com/etc-collector 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.env.example +60 -0
- package/.env.test.example +33 -0
- package/.github/workflows/ci.yml +83 -0
- package/.github/workflows/release.yml +246 -0
- package/.prettierrc.json +10 -0
- package/CHANGELOG.md +15 -0
- package/Dockerfile +57 -0
- package/LICENSE +190 -0
- package/README.md +194 -0
- package/dist/api/controllers/audit.controller.d.ts +21 -0
- package/dist/api/controllers/audit.controller.d.ts.map +1 -0
- package/dist/api/controllers/audit.controller.js +179 -0
- package/dist/api/controllers/audit.controller.js.map +1 -0
- package/dist/api/controllers/auth.controller.d.ts +16 -0
- package/dist/api/controllers/auth.controller.d.ts.map +1 -0
- package/dist/api/controllers/auth.controller.js +146 -0
- package/dist/api/controllers/auth.controller.js.map +1 -0
- package/dist/api/controllers/export.controller.d.ts +27 -0
- package/dist/api/controllers/export.controller.d.ts.map +1 -0
- package/dist/api/controllers/export.controller.js +80 -0
- package/dist/api/controllers/export.controller.js.map +1 -0
- package/dist/api/controllers/health.controller.d.ts +5 -0
- package/dist/api/controllers/health.controller.d.ts.map +1 -0
- package/dist/api/controllers/health.controller.js +16 -0
- package/dist/api/controllers/health.controller.js.map +1 -0
- package/dist/api/controllers/jobs.controller.d.ts +13 -0
- package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
- package/dist/api/controllers/jobs.controller.js +125 -0
- package/dist/api/controllers/jobs.controller.js.map +1 -0
- package/dist/api/controllers/providers.controller.d.ts +15 -0
- package/dist/api/controllers/providers.controller.d.ts.map +1 -0
- package/dist/api/controllers/providers.controller.js +112 -0
- package/dist/api/controllers/providers.controller.js.map +1 -0
- package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
- package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
- package/dist/api/dto/AuditRequest.dto.js +3 -0
- package/dist/api/dto/AuditRequest.dto.js.map +1 -0
- package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
- package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
- package/dist/api/dto/AuditResponse.dto.js +3 -0
- package/dist/api/dto/AuditResponse.dto.js.map +1 -0
- package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
- package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
- package/dist/api/dto/TokenRequest.dto.js +3 -0
- package/dist/api/dto/TokenRequest.dto.js.map +1 -0
- package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
- package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
- package/dist/api/dto/TokenResponse.dto.js +3 -0
- package/dist/api/dto/TokenResponse.dto.js.map +1 -0
- package/dist/api/middlewares/authenticate.d.ts +12 -0
- package/dist/api/middlewares/authenticate.d.ts.map +1 -0
- package/dist/api/middlewares/authenticate.js +141 -0
- package/dist/api/middlewares/authenticate.js.map +1 -0
- package/dist/api/middlewares/errorHandler.d.ts +3 -0
- package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
- package/dist/api/middlewares/errorHandler.js +30 -0
- package/dist/api/middlewares/errorHandler.js.map +1 -0
- package/dist/api/middlewares/rateLimit.d.ts +3 -0
- package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
- package/dist/api/middlewares/rateLimit.js +34 -0
- package/dist/api/middlewares/rateLimit.js.map +1 -0
- package/dist/api/middlewares/validate.d.ts +4 -0
- package/dist/api/middlewares/validate.d.ts.map +1 -0
- package/dist/api/middlewares/validate.js +31 -0
- package/dist/api/middlewares/validate.js.map +1 -0
- package/dist/api/routes/audit.routes.d.ts +5 -0
- package/dist/api/routes/audit.routes.d.ts.map +1 -0
- package/dist/api/routes/audit.routes.js +24 -0
- package/dist/api/routes/audit.routes.js.map +1 -0
- package/dist/api/routes/auth.routes.d.ts +6 -0
- package/dist/api/routes/auth.routes.d.ts.map +1 -0
- package/dist/api/routes/auth.routes.js +22 -0
- package/dist/api/routes/auth.routes.js.map +1 -0
- package/dist/api/routes/export.routes.d.ts +5 -0
- package/dist/api/routes/export.routes.d.ts.map +1 -0
- package/dist/api/routes/export.routes.js +16 -0
- package/dist/api/routes/export.routes.js.map +1 -0
- package/dist/api/routes/health.routes.d.ts +4 -0
- package/dist/api/routes/health.routes.d.ts.map +1 -0
- package/dist/api/routes/health.routes.js +11 -0
- package/dist/api/routes/health.routes.js.map +1 -0
- package/dist/api/routes/index.d.ts +10 -0
- package/dist/api/routes/index.d.ts.map +1 -0
- package/dist/api/routes/index.js +20 -0
- package/dist/api/routes/index.js.map +1 -0
- package/dist/api/routes/providers.routes.d.ts +5 -0
- package/dist/api/routes/providers.routes.d.ts.map +1 -0
- package/dist/api/routes/providers.routes.js +13 -0
- package/dist/api/routes/providers.routes.js.map +1 -0
- package/dist/api/validators/audit.schemas.d.ts +60 -0
- package/dist/api/validators/audit.schemas.d.ts.map +1 -0
- package/dist/api/validators/audit.schemas.js +55 -0
- package/dist/api/validators/audit.schemas.js.map +1 -0
- package/dist/api/validators/auth.schemas.d.ts +17 -0
- package/dist/api/validators/auth.schemas.d.ts.map +1 -0
- package/dist/api/validators/auth.schemas.js +21 -0
- package/dist/api/validators/auth.schemas.js.map +1 -0
- package/dist/app.d.ts +3 -0
- package/dist/app.d.ts.map +1 -0
- package/dist/app.js +62 -0
- package/dist/app.js.map +1 -0
- package/dist/config/config.schema.d.ts +65 -0
- package/dist/config/config.schema.d.ts.map +1 -0
- package/dist/config/config.schema.js +95 -0
- package/dist/config/config.schema.js.map +1 -0
- package/dist/config/index.d.ts +4 -0
- package/dist/config/index.d.ts.map +1 -0
- package/dist/config/index.js +75 -0
- package/dist/config/index.js.map +1 -0
- package/dist/container.d.ts +47 -0
- package/dist/container.d.ts.map +1 -0
- package/dist/container.js +137 -0
- package/dist/container.js.map +1 -0
- package/dist/data/database.d.ts +13 -0
- package/dist/data/database.d.ts.map +1 -0
- package/dist/data/database.js +68 -0
- package/dist/data/database.js.map +1 -0
- package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
- package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
- package/dist/data/jobs/token-cleanup.job.js +96 -0
- package/dist/data/jobs/token-cleanup.job.js.map +1 -0
- package/dist/data/migrations/migration.runner.d.ts +13 -0
- package/dist/data/migrations/migration.runner.d.ts.map +1 -0
- package/dist/data/migrations/migration.runner.js +136 -0
- package/dist/data/migrations/migration.runner.js.map +1 -0
- package/dist/data/models/Token.model.d.ts +30 -0
- package/dist/data/models/Token.model.d.ts.map +1 -0
- package/dist/data/models/Token.model.js +3 -0
- package/dist/data/models/Token.model.js.map +1 -0
- package/dist/data/repositories/token.repository.d.ts +16 -0
- package/dist/data/repositories/token.repository.d.ts.map +1 -0
- package/dist/data/repositories/token.repository.js +97 -0
- package/dist/data/repositories/token.repository.js.map +1 -0
- package/dist/providers/azure/auth.provider.d.ts +5 -0
- package/dist/providers/azure/auth.provider.d.ts.map +1 -0
- package/dist/providers/azure/auth.provider.js +13 -0
- package/dist/providers/azure/auth.provider.js.map +1 -0
- package/dist/providers/azure/azure-errors.d.ts +40 -0
- package/dist/providers/azure/azure-errors.d.ts.map +1 -0
- package/dist/providers/azure/azure-errors.js +121 -0
- package/dist/providers/azure/azure-errors.js.map +1 -0
- package/dist/providers/azure/azure-retry.d.ts +41 -0
- package/dist/providers/azure/azure-retry.d.ts.map +1 -0
- package/dist/providers/azure/azure-retry.js +85 -0
- package/dist/providers/azure/azure-retry.js.map +1 -0
- package/dist/providers/azure/graph-client.d.ts +26 -0
- package/dist/providers/azure/graph-client.d.ts.map +1 -0
- package/dist/providers/azure/graph-client.js +146 -0
- package/dist/providers/azure/graph-client.js.map +1 -0
- package/dist/providers/azure/graph.provider.d.ts +23 -0
- package/dist/providers/azure/graph.provider.d.ts.map +1 -0
- package/dist/providers/azure/graph.provider.js +161 -0
- package/dist/providers/azure/graph.provider.js.map +1 -0
- package/dist/providers/azure/queries/app.queries.d.ts +6 -0
- package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
- package/dist/providers/azure/queries/app.queries.js +9 -0
- package/dist/providers/azure/queries/app.queries.js.map +1 -0
- package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
- package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
- package/dist/providers/azure/queries/policy.queries.js +9 -0
- package/dist/providers/azure/queries/policy.queries.js.map +1 -0
- package/dist/providers/azure/queries/user.queries.d.ts +7 -0
- package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
- package/dist/providers/azure/queries/user.queries.js +10 -0
- package/dist/providers/azure/queries/user.queries.js.map +1 -0
- package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
- package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
- package/dist/providers/interfaces/IGraphProvider.js +3 -0
- package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
- package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
- package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
- package/dist/providers/interfaces/ILDAPProvider.js +3 -0
- package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
- package/dist/providers/ldap/acl-parser.d.ts +8 -0
- package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
- package/dist/providers/ldap/acl-parser.js +157 -0
- package/dist/providers/ldap/acl-parser.js.map +1 -0
- package/dist/providers/ldap/ad-mappers.d.ts +8 -0
- package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
- package/dist/providers/ldap/ad-mappers.js +162 -0
- package/dist/providers/ldap/ad-mappers.js.map +1 -0
- package/dist/providers/ldap/ldap-client.d.ts +33 -0
- package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-client.js +195 -0
- package/dist/providers/ldap/ldap-client.js.map +1 -0
- package/dist/providers/ldap/ldap-errors.d.ts +48 -0
- package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-errors.js +120 -0
- package/dist/providers/ldap/ldap-errors.js.map +1 -0
- package/dist/providers/ldap/ldap-retry.d.ts +14 -0
- package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-retry.js +102 -0
- package/dist/providers/ldap/ldap-retry.js.map +1 -0
- package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
- package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-sanitizer.js +104 -0
- package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
- package/dist/providers/ldap/ldap.provider.d.ts +21 -0
- package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
- package/dist/providers/ldap/ldap.provider.js +165 -0
- package/dist/providers/ldap/ldap.provider.js.map +1 -0
- package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
- package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
- package/dist/providers/ldap/queries/computer.queries.js +9 -0
- package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
- package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
- package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
- package/dist/providers/ldap/queries/group.queries.js +9 -0
- package/dist/providers/ldap/queries/group.queries.js.map +1 -0
- package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
- package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
- package/dist/providers/ldap/queries/user.queries.js +10 -0
- package/dist/providers/ldap/queries/user.queries.js.map +1 -0
- package/dist/providers/smb/smb.provider.d.ts +68 -0
- package/dist/providers/smb/smb.provider.d.ts.map +1 -0
- package/dist/providers/smb/smb.provider.js +382 -0
- package/dist/providers/smb/smb.provider.js.map +1 -0
- package/dist/server.d.ts +2 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +44 -0
- package/dist/server.js.map +1 -0
- package/dist/services/audit/ad-audit.service.d.ts +70 -0
- package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
- package/dist/services/audit/ad-audit.service.js +1019 -0
- package/dist/services/audit/ad-audit.service.js.map +1 -0
- package/dist/services/audit/attack-graph.service.d.ts +62 -0
- package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
- package/dist/services/audit/attack-graph.service.js +702 -0
- package/dist/services/audit/attack-graph.service.js.map +1 -0
- package/dist/services/audit/audit.service.d.ts +4 -0
- package/dist/services/audit/audit.service.d.ts.map +1 -0
- package/dist/services/audit/audit.service.js +10 -0
- package/dist/services/audit/audit.service.js.map +1 -0
- package/dist/services/audit/azure-audit.service.d.ts +37 -0
- package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
- package/dist/services/audit/azure-audit.service.js +153 -0
- package/dist/services/audit/azure-audit.service.js.map +1 -0
- package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
- package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
- package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
- package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
- package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
- package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
- package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
- package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
- package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
- package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
- package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
- package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
- package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
- package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
- package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/index.d.ts +15 -0
- package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/index.js +51 -0
- package/dist/services/audit/detectors/ad/index.js.map +1 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
- package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/network.detector.js +257 -0
- package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
- package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/password.detector.js +235 -0
- package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
- package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
- package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
- package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
- package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
- package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
- package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
- package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
- package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
- package/dist/services/audit/detectors/index.d.ts +2 -0
- package/dist/services/audit/detectors/index.d.ts.map +1 -0
- package/dist/services/audit/detectors/index.js +38 -0
- package/dist/services/audit/detectors/index.js.map +1 -0
- package/dist/services/audit/response-formatter.d.ts +176 -0
- package/dist/services/audit/response-formatter.d.ts.map +1 -0
- package/dist/services/audit/response-formatter.js +240 -0
- package/dist/services/audit/response-formatter.js.map +1 -0
- package/dist/services/audit/scoring.service.d.ts +15 -0
- package/dist/services/audit/scoring.service.d.ts.map +1 -0
- package/dist/services/audit/scoring.service.js +139 -0
- package/dist/services/audit/scoring.service.js.map +1 -0
- package/dist/services/auth/crypto.service.d.ts +19 -0
- package/dist/services/auth/crypto.service.d.ts.map +1 -0
- package/dist/services/auth/crypto.service.js +135 -0
- package/dist/services/auth/crypto.service.js.map +1 -0
- package/dist/services/auth/errors.d.ts +19 -0
- package/dist/services/auth/errors.d.ts.map +1 -0
- package/dist/services/auth/errors.js +46 -0
- package/dist/services/auth/errors.js.map +1 -0
- package/dist/services/auth/token.service.d.ts +41 -0
- package/dist/services/auth/token.service.d.ts.map +1 -0
- package/dist/services/auth/token.service.js +208 -0
- package/dist/services/auth/token.service.js.map +1 -0
- package/dist/services/config/config.service.d.ts +6 -0
- package/dist/services/config/config.service.d.ts.map +1 -0
- package/dist/services/config/config.service.js +64 -0
- package/dist/services/config/config.service.js.map +1 -0
- package/dist/services/export/export.service.d.ts +28 -0
- package/dist/services/export/export.service.d.ts.map +1 -0
- package/dist/services/export/export.service.js +28 -0
- package/dist/services/export/export.service.js.map +1 -0
- package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
- package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
- package/dist/services/export/formatters/csv.formatter.js +46 -0
- package/dist/services/export/formatters/csv.formatter.js.map +1 -0
- package/dist/services/export/formatters/json.formatter.d.ts +40 -0
- package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
- package/dist/services/export/formatters/json.formatter.js +58 -0
- package/dist/services/export/formatters/json.formatter.js.map +1 -0
- package/dist/services/jobs/azure-job-runner.d.ts +38 -0
- package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
- package/dist/services/jobs/azure-job-runner.js +199 -0
- package/dist/services/jobs/azure-job-runner.js.map +1 -0
- package/dist/services/jobs/index.d.ts +4 -0
- package/dist/services/jobs/index.d.ts.map +1 -0
- package/dist/services/jobs/index.js +20 -0
- package/dist/services/jobs/index.js.map +1 -0
- package/dist/services/jobs/job-runner.d.ts +64 -0
- package/dist/services/jobs/job-runner.d.ts.map +1 -0
- package/dist/services/jobs/job-runner.js +952 -0
- package/dist/services/jobs/job-runner.js.map +1 -0
- package/dist/services/jobs/job-store.d.ts +27 -0
- package/dist/services/jobs/job-store.d.ts.map +1 -0
- package/dist/services/jobs/job-store.js +261 -0
- package/dist/services/jobs/job-store.js.map +1 -0
- package/dist/services/jobs/job.types.d.ts +67 -0
- package/dist/services/jobs/job.types.d.ts.map +1 -0
- package/dist/services/jobs/job.types.js +36 -0
- package/dist/services/jobs/job.types.js.map +1 -0
- package/dist/types/ad.types.d.ts +74 -0
- package/dist/types/ad.types.d.ts.map +1 -0
- package/dist/types/ad.types.js +3 -0
- package/dist/types/ad.types.js.map +1 -0
- package/dist/types/adcs.types.d.ts +58 -0
- package/dist/types/adcs.types.d.ts.map +1 -0
- package/dist/types/adcs.types.js +38 -0
- package/dist/types/adcs.types.js.map +1 -0
- package/dist/types/attack-graph.types.d.ts +135 -0
- package/dist/types/attack-graph.types.d.ts.map +1 -0
- package/dist/types/attack-graph.types.js +58 -0
- package/dist/types/attack-graph.types.js.map +1 -0
- package/dist/types/audit.types.d.ts +34 -0
- package/dist/types/audit.types.d.ts.map +1 -0
- package/dist/types/audit.types.js +3 -0
- package/dist/types/audit.types.js.map +1 -0
- package/dist/types/azure.types.d.ts +61 -0
- package/dist/types/azure.types.d.ts.map +1 -0
- package/dist/types/azure.types.js +3 -0
- package/dist/types/azure.types.js.map +1 -0
- package/dist/types/config.types.d.ts +63 -0
- package/dist/types/config.types.d.ts.map +1 -0
- package/dist/types/config.types.js +3 -0
- package/dist/types/config.types.js.map +1 -0
- package/dist/types/error.types.d.ts +33 -0
- package/dist/types/error.types.d.ts.map +1 -0
- package/dist/types/error.types.js +70 -0
- package/dist/types/error.types.js.map +1 -0
- package/dist/types/finding.types.d.ts +133 -0
- package/dist/types/finding.types.d.ts.map +1 -0
- package/dist/types/finding.types.js +3 -0
- package/dist/types/finding.types.js.map +1 -0
- package/dist/types/gpo.types.d.ts +39 -0
- package/dist/types/gpo.types.d.ts.map +1 -0
- package/dist/types/gpo.types.js +15 -0
- package/dist/types/gpo.types.js.map +1 -0
- package/dist/types/token.types.d.ts +26 -0
- package/dist/types/token.types.d.ts.map +1 -0
- package/dist/types/token.types.js +3 -0
- package/dist/types/token.types.js.map +1 -0
- package/dist/types/trust.types.d.ts +45 -0
- package/dist/types/trust.types.d.ts.map +1 -0
- package/dist/types/trust.types.js +71 -0
- package/dist/types/trust.types.js.map +1 -0
- package/dist/utils/entity-converter.d.ts +17 -0
- package/dist/utils/entity-converter.d.ts.map +1 -0
- package/dist/utils/entity-converter.js +285 -0
- package/dist/utils/entity-converter.js.map +1 -0
- package/dist/utils/graph.util.d.ts +66 -0
- package/dist/utils/graph.util.d.ts.map +1 -0
- package/dist/utils/graph.util.js +382 -0
- package/dist/utils/graph.util.js.map +1 -0
- package/dist/utils/logger.d.ts +7 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +86 -0
- package/dist/utils/logger.js.map +1 -0
- package/dist/utils/type-name-normalizer.d.ts +5 -0
- package/dist/utils/type-name-normalizer.d.ts.map +1 -0
- package/dist/utils/type-name-normalizer.js +218 -0
- package/dist/utils/type-name-normalizer.js.map +1 -0
- package/docker-compose.yml +26 -0
- package/docs/api/README.md +178 -0
- package/docs/api/openapi.yaml +1524 -0
- package/eslint.config.js +54 -0
- package/jest.config.js +38 -0
- package/package.json +97 -0
- package/scripts/fetch-ad-cert.sh +142 -0
- package/src/.gitkeep +0 -0
- package/src/api/.gitkeep +0 -0
- package/src/api/controllers/.gitkeep +0 -0
- package/src/api/controllers/audit.controller.ts +313 -0
- package/src/api/controllers/auth.controller.ts +258 -0
- package/src/api/controllers/export.controller.ts +153 -0
- package/src/api/controllers/health.controller.ts +16 -0
- package/src/api/controllers/jobs.controller.ts +187 -0
- package/src/api/controllers/providers.controller.ts +165 -0
- package/src/api/dto/.gitkeep +0 -0
- package/src/api/dto/AuditRequest.dto.ts +8 -0
- package/src/api/dto/AuditResponse.dto.ts +19 -0
- package/src/api/dto/TokenRequest.dto.ts +8 -0
- package/src/api/dto/TokenResponse.dto.ts +14 -0
- package/src/api/middlewares/.gitkeep +0 -0
- package/src/api/middlewares/authenticate.ts +203 -0
- package/src/api/middlewares/errorHandler.ts +54 -0
- package/src/api/middlewares/rateLimit.ts +35 -0
- package/src/api/middlewares/validate.ts +32 -0
- package/src/api/routes/.gitkeep +0 -0
- package/src/api/routes/audit.routes.ts +77 -0
- package/src/api/routes/auth.routes.ts +71 -0
- package/src/api/routes/export.routes.ts +34 -0
- package/src/api/routes/health.routes.ts +14 -0
- package/src/api/routes/index.ts +40 -0
- package/src/api/routes/providers.routes.ts +24 -0
- package/src/api/validators/.gitkeep +0 -0
- package/src/api/validators/audit.schemas.ts +59 -0
- package/src/api/validators/auth.schemas.ts +59 -0
- package/src/app.ts +87 -0
- package/src/config/.gitkeep +0 -0
- package/src/config/config.schema.ts +108 -0
- package/src/config/index.ts +82 -0
- package/src/container.ts +221 -0
- package/src/data/.gitkeep +0 -0
- package/src/data/database.ts +78 -0
- package/src/data/jobs/token-cleanup.job.ts +166 -0
- package/src/data/migrations/.gitkeep +0 -0
- package/src/data/migrations/001_initial_schema.sql +47 -0
- package/src/data/migrations/migration.runner.ts +125 -0
- package/src/data/models/.gitkeep +0 -0
- package/src/data/models/Token.model.ts +35 -0
- package/src/data/repositories/.gitkeep +0 -0
- package/src/data/repositories/token.repository.ts +160 -0
- package/src/providers/.gitkeep +0 -0
- package/src/providers/azure/.gitkeep +0 -0
- package/src/providers/azure/auth.provider.ts +14 -0
- package/src/providers/azure/azure-errors.ts +189 -0
- package/src/providers/azure/azure-retry.ts +168 -0
- package/src/providers/azure/graph-client.ts +315 -0
- package/src/providers/azure/graph.provider.ts +294 -0
- package/src/providers/azure/queries/app.queries.ts +9 -0
- package/src/providers/azure/queries/policy.queries.ts +9 -0
- package/src/providers/azure/queries/user.queries.ts +10 -0
- package/src/providers/interfaces/.gitkeep +0 -0
- package/src/providers/interfaces/IGraphProvider.ts +117 -0
- package/src/providers/interfaces/ILDAPProvider.ts +142 -0
- package/src/providers/ldap/.gitkeep +0 -0
- package/src/providers/ldap/acl-parser.ts +231 -0
- package/src/providers/ldap/ad-mappers.ts +280 -0
- package/src/providers/ldap/ldap-client.ts +259 -0
- package/src/providers/ldap/ldap-errors.ts +188 -0
- package/src/providers/ldap/ldap-retry.ts +267 -0
- package/src/providers/ldap/ldap-sanitizer.ts +273 -0
- package/src/providers/ldap/ldap.provider.ts +293 -0
- package/src/providers/ldap/queries/computer.queries.ts +9 -0
- package/src/providers/ldap/queries/group.queries.ts +9 -0
- package/src/providers/ldap/queries/user.queries.ts +10 -0
- package/src/providers/smb/smb.provider.ts +653 -0
- package/src/server.ts +60 -0
- package/src/services/.gitkeep +0 -0
- package/src/services/audit/.gitkeep +0 -0
- package/src/services/audit/ad-audit.service.ts +1481 -0
- package/src/services/audit/attack-graph.service.ts +1104 -0
- package/src/services/audit/audit.service.ts +12 -0
- package/src/services/audit/azure-audit.service.ts +286 -0
- package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
- package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
- package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
- package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
- package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
- package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
- package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
- package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
- package/src/services/audit/detectors/ad/index.ts +84 -0
- package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
- package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
- package/src/services/audit/detectors/ad/network.detector.ts +538 -0
- package/src/services/audit/detectors/ad/password.detector.ts +324 -0
- package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
- package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
- package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
- package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
- package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
- package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
- package/src/services/audit/detectors/index.ts +18 -0
- package/src/services/audit/response-formatter.ts +604 -0
- package/src/services/audit/scoring.service.ts +234 -0
- package/src/services/auth/.gitkeep +0 -0
- package/src/services/auth/crypto.service.ts +230 -0
- package/src/services/auth/errors.ts +47 -0
- package/src/services/auth/token.service.ts +420 -0
- package/src/services/config/.gitkeep +0 -0
- package/src/services/config/config.service.ts +75 -0
- package/src/services/export/.gitkeep +0 -0
- package/src/services/export/export.service.ts +99 -0
- package/src/services/export/formatters/csv.formatter.ts +124 -0
- package/src/services/export/formatters/json.formatter.ts +160 -0
- package/src/services/jobs/azure-job-runner.ts +312 -0
- package/src/services/jobs/index.ts +9 -0
- package/src/services/jobs/job-runner.ts +1280 -0
- package/src/services/jobs/job-store.ts +384 -0
- package/src/services/jobs/job.types.ts +182 -0
- package/src/types/.gitkeep +0 -0
- package/src/types/ad.types.ts +91 -0
- package/src/types/adcs.types.ts +107 -0
- package/src/types/attack-graph.types.ts +260 -0
- package/src/types/audit.types.ts +42 -0
- package/src/types/azure.types.ts +68 -0
- package/src/types/config.types.ts +79 -0
- package/src/types/error.types.ts +69 -0
- package/src/types/finding.types.ts +284 -0
- package/src/types/gpo.types.ts +72 -0
- package/src/types/smb2.d.ts +73 -0
- package/src/types/token.types.ts +32 -0
- package/src/types/trust.types.ts +140 -0
- package/src/utils/.gitkeep +0 -0
- package/src/utils/entity-converter.ts +453 -0
- package/src/utils/graph.util.ts +609 -0
- package/src/utils/logger.ts +111 -0
- package/src/utils/type-name-normalizer.ts +302 -0
- package/tests/.gitkeep +0 -0
- package/tests/e2e/.gitkeep +0 -0
- package/tests/fixtures/.gitkeep +0 -0
- package/tests/integration/.gitkeep +0 -0
- package/tests/integration/README.md +156 -0
- package/tests/integration/ad-audit.integration.test.ts +216 -0
- package/tests/integration/api/.gitkeep +0 -0
- package/tests/integration/api/endpoints.integration.test.ts +431 -0
- package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
- package/tests/integration/providers/.gitkeep +0 -0
- package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
- package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
- package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
- package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
- package/tests/mocks/.gitkeep +0 -0
- package/tests/setup.ts +16 -0
- package/tests/unit/.gitkeep +0 -0
- package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
- package/tests/unit/providers/.gitkeep +0 -0
- package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
- package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
- package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
- package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
- package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
- package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
- package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
- package/tests/unit/sample.test.ts +19 -0
- package/tests/unit/services/.gitkeep +0 -0
- package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
- package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
- package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
- package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
- package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
- package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
- package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
- package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
- package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
- package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
- package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
- package/tests/unit/services/auth/crypto.service.test.ts +296 -0
- package/tests/unit/services/auth/token.service.test.ts +579 -0
- package/tests/unit/services/export/export.service.test.ts +241 -0
- package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
- package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
- package/tests/unit/utils/.gitkeep +0 -0
- package/tsconfig.json +50 -0
|
@@ -0,0 +1,702 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.AttackGraphService = void 0;
|
|
4
|
+
exports.computeAttackGraph = computeAttackGraph;
|
|
5
|
+
const attack_graph_types_1 = require("../../types/attack-graph.types");
|
|
6
|
+
const logger_1 = require("../../utils/logger");
|
|
7
|
+
class AttackGraphService {
|
|
8
|
+
users;
|
|
9
|
+
groups;
|
|
10
|
+
computers;
|
|
11
|
+
aclEntries;
|
|
12
|
+
nodes = new Map();
|
|
13
|
+
edges = new Map();
|
|
14
|
+
reverseEdges = new Map();
|
|
15
|
+
privilegedTargets = new Map();
|
|
16
|
+
dnToId = new Map();
|
|
17
|
+
domainSid = '';
|
|
18
|
+
domainName = '';
|
|
19
|
+
constructor(users, groups, computers, aclEntries, _certTemplates = [], _gpos = [], domain) {
|
|
20
|
+
this.users = users;
|
|
21
|
+
this.groups = groups;
|
|
22
|
+
this.computers = computers;
|
|
23
|
+
this.aclEntries = aclEntries;
|
|
24
|
+
this.domainName = domain?.name || '';
|
|
25
|
+
this.domainSid = domain?.sid || this.extractDomainSid();
|
|
26
|
+
logger_1.logger.debug(`AttackGraphService initialized with domain SID: ${this.domainSid}`);
|
|
27
|
+
}
|
|
28
|
+
export(maxPaths = 500) {
|
|
29
|
+
const startTime = Date.now();
|
|
30
|
+
this.buildGraph();
|
|
31
|
+
this.identifyPrivilegedTargets();
|
|
32
|
+
const paths = this.findAllAttackPaths(maxPaths);
|
|
33
|
+
const stats = this.computeStats(paths);
|
|
34
|
+
const uniqueNodes = this.getUniqueNodes(paths);
|
|
35
|
+
const duration = Date.now() - startTime;
|
|
36
|
+
logger_1.logger.info(`Attack graph exported: ${paths.length} paths, ${uniqueNodes.length} unique nodes in ${duration}ms`);
|
|
37
|
+
return {
|
|
38
|
+
version: '1.0',
|
|
39
|
+
generatedAt: new Date().toISOString(),
|
|
40
|
+
domain: this.domainName,
|
|
41
|
+
targets: Array.from(this.privilegedTargets.values()),
|
|
42
|
+
paths,
|
|
43
|
+
stats,
|
|
44
|
+
uniqueNodes,
|
|
45
|
+
};
|
|
46
|
+
}
|
|
47
|
+
buildGraph() {
|
|
48
|
+
this.addUserNodes();
|
|
49
|
+
this.addGroupNodes();
|
|
50
|
+
this.addComputerNodes();
|
|
51
|
+
this.addMembershipEdges();
|
|
52
|
+
this.addAclEdges();
|
|
53
|
+
this.addDelegationEdges();
|
|
54
|
+
this.addKerberosEdges();
|
|
55
|
+
logger_1.logger.debug(`Graph built: ${this.nodes.size} nodes, ${this.countEdges()} edges`);
|
|
56
|
+
}
|
|
57
|
+
addUserNodes() {
|
|
58
|
+
for (const user of this.users) {
|
|
59
|
+
const sid = this.extractSid(user);
|
|
60
|
+
const id = sid || this.dnToId.get(user.dn.toLowerCase()) || this.generateId(user.dn);
|
|
61
|
+
const node = {
|
|
62
|
+
id,
|
|
63
|
+
dn: user.dn,
|
|
64
|
+
name: user.sAMAccountName || user.displayName || user.dn,
|
|
65
|
+
type: 'user',
|
|
66
|
+
sid,
|
|
67
|
+
isEnabled: user.enabled,
|
|
68
|
+
isPrivileged: user.adminCount === 1,
|
|
69
|
+
adminCount: user.adminCount,
|
|
70
|
+
memberOf: user.memberOf || [],
|
|
71
|
+
servicePrincipalName: this.getSpn(user),
|
|
72
|
+
userAccountControl: user.userAccountControl,
|
|
73
|
+
delegateTo: this.getDelegationTargets(user),
|
|
74
|
+
};
|
|
75
|
+
this.nodes.set(id, node);
|
|
76
|
+
this.dnToId.set(user.dn.toLowerCase(), id);
|
|
77
|
+
this.edges.set(id, []);
|
|
78
|
+
this.reverseEdges.set(id, []);
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
addGroupNodes() {
|
|
82
|
+
for (const group of this.groups) {
|
|
83
|
+
const sid = this.extractSid(group);
|
|
84
|
+
const id = sid || this.generateId(group.dn);
|
|
85
|
+
const isPrivileged = this.isPrivilegedBySid(sid);
|
|
86
|
+
const node = {
|
|
87
|
+
id,
|
|
88
|
+
dn: group.dn,
|
|
89
|
+
name: group.sAMAccountName || group.displayName || group.cn || group.dn,
|
|
90
|
+
type: 'group',
|
|
91
|
+
sid,
|
|
92
|
+
isEnabled: true,
|
|
93
|
+
isPrivileged,
|
|
94
|
+
memberOf: group.memberOf || [],
|
|
95
|
+
};
|
|
96
|
+
this.nodes.set(id, node);
|
|
97
|
+
this.dnToId.set(group.dn.toLowerCase(), id);
|
|
98
|
+
this.edges.set(id, []);
|
|
99
|
+
this.reverseEdges.set(id, []);
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
addComputerNodes() {
|
|
103
|
+
for (const computer of this.computers) {
|
|
104
|
+
const sid = this.extractSid(computer);
|
|
105
|
+
const id = sid || this.generateId(computer.dn);
|
|
106
|
+
const memberOf = computer.memberOf || [];
|
|
107
|
+
const isDC = memberOf.some((m) => m.toLowerCase().includes('cn=domain controllers') ||
|
|
108
|
+
m.toLowerCase().includes('cn=contrôleurs de domaine'));
|
|
109
|
+
const node = {
|
|
110
|
+
id,
|
|
111
|
+
dn: computer.dn,
|
|
112
|
+
name: computer.sAMAccountName || computer.dNSHostName || computer.cn || computer.dn,
|
|
113
|
+
type: 'computer',
|
|
114
|
+
sid,
|
|
115
|
+
isEnabled: computer.enabled,
|
|
116
|
+
isPrivileged: isDC,
|
|
117
|
+
memberOf: memberOf,
|
|
118
|
+
delegateTo: this.getDelegationTargets(computer),
|
|
119
|
+
rbcdFrom: this.getRbcdPrincipals(computer),
|
|
120
|
+
};
|
|
121
|
+
this.nodes.set(id, node);
|
|
122
|
+
this.dnToId.set(computer.dn.toLowerCase(), id);
|
|
123
|
+
this.edges.set(id, []);
|
|
124
|
+
this.reverseEdges.set(id, []);
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
addMembershipEdges() {
|
|
128
|
+
for (const [nodeId, node] of this.nodes) {
|
|
129
|
+
for (const groupDn of node.memberOf) {
|
|
130
|
+
const targetId = this.dnToId.get(groupDn.toLowerCase());
|
|
131
|
+
if (targetId) {
|
|
132
|
+
this.addEdge({
|
|
133
|
+
source: nodeId,
|
|
134
|
+
target: targetId,
|
|
135
|
+
relation: 'MemberOf',
|
|
136
|
+
isAbusable: false,
|
|
137
|
+
});
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
}
|
|
142
|
+
addAclEdges() {
|
|
143
|
+
for (const acl of this.aclEntries) {
|
|
144
|
+
if (acl.aceType !== '0' && acl.aceType !== 'ACCESS_ALLOWED_ACE_TYPE') {
|
|
145
|
+
continue;
|
|
146
|
+
}
|
|
147
|
+
const sourceId = this.resolveAclTrustee(acl.trustee);
|
|
148
|
+
const targetId = this.dnToId.get(acl.objectDn.toLowerCase());
|
|
149
|
+
if (!sourceId || !targetId)
|
|
150
|
+
continue;
|
|
151
|
+
const relations = this.classifyAclRelation(acl);
|
|
152
|
+
for (const relation of relations) {
|
|
153
|
+
this.addEdge({
|
|
154
|
+
source: sourceId,
|
|
155
|
+
target: targetId,
|
|
156
|
+
relation: relation.type,
|
|
157
|
+
accessMask: acl.accessMask,
|
|
158
|
+
objectType: acl.objectType,
|
|
159
|
+
isAbusable: relation.isAbusable,
|
|
160
|
+
});
|
|
161
|
+
}
|
|
162
|
+
}
|
|
163
|
+
}
|
|
164
|
+
addDelegationEdges() {
|
|
165
|
+
for (const [nodeId, node] of this.nodes) {
|
|
166
|
+
if (node.delegateTo && node.delegateTo.length > 0) {
|
|
167
|
+
for (const spn of node.delegateTo) {
|
|
168
|
+
const targetId = this.resolveSPNTarget(spn);
|
|
169
|
+
if (targetId) {
|
|
170
|
+
this.addEdge({
|
|
171
|
+
source: nodeId,
|
|
172
|
+
target: targetId,
|
|
173
|
+
relation: 'AllowedToDelegate',
|
|
174
|
+
isAbusable: true,
|
|
175
|
+
});
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
}
|
|
179
|
+
if (node.rbcdFrom && node.rbcdFrom.length > 0) {
|
|
180
|
+
for (const principalSid of node.rbcdFrom) {
|
|
181
|
+
const sourceId = this.nodes.has(principalSid)
|
|
182
|
+
? principalSid
|
|
183
|
+
: this.findNodeBySid(principalSid);
|
|
184
|
+
if (sourceId) {
|
|
185
|
+
this.addEdge({
|
|
186
|
+
source: sourceId,
|
|
187
|
+
target: nodeId,
|
|
188
|
+
relation: 'AllowedToAct',
|
|
189
|
+
isAbusable: true,
|
|
190
|
+
});
|
|
191
|
+
}
|
|
192
|
+
}
|
|
193
|
+
}
|
|
194
|
+
}
|
|
195
|
+
}
|
|
196
|
+
addKerberosEdges() {
|
|
197
|
+
}
|
|
198
|
+
identifyPrivilegedTargets() {
|
|
199
|
+
for (const [nodeId, node] of this.nodes) {
|
|
200
|
+
let reason = null;
|
|
201
|
+
if (node.sid) {
|
|
202
|
+
if (node.sid.endsWith(attack_graph_types_1.PRIVILEGED_SID_SUFFIXES.DOMAIN_ADMINS)) {
|
|
203
|
+
reason = 'Domain Admins';
|
|
204
|
+
}
|
|
205
|
+
else if (node.sid.endsWith(attack_graph_types_1.PRIVILEGED_SID_SUFFIXES.ENTERPRISE_ADMINS)) {
|
|
206
|
+
reason = 'Enterprise Admins';
|
|
207
|
+
}
|
|
208
|
+
else if (node.sid.endsWith(attack_graph_types_1.PRIVILEGED_SID_SUFFIXES.SCHEMA_ADMINS)) {
|
|
209
|
+
reason = 'Schema Admins';
|
|
210
|
+
}
|
|
211
|
+
else if (node.sid.endsWith(attack_graph_types_1.PRIVILEGED_SID_SUFFIXES.ADMINISTRATORS)) {
|
|
212
|
+
reason = 'Administrators';
|
|
213
|
+
}
|
|
214
|
+
else if (node.sid.endsWith(attack_graph_types_1.PRIVILEGED_SID_SUFFIXES.DOMAIN_CONTROLLERS)) {
|
|
215
|
+
reason = 'Domain Controllers';
|
|
216
|
+
}
|
|
217
|
+
else if (node.sid.endsWith(attack_graph_types_1.PRIVILEGED_SID_SUFFIXES.ACCOUNT_OPERATORS)) {
|
|
218
|
+
reason = 'Account Operators';
|
|
219
|
+
}
|
|
220
|
+
else if (node.sid.endsWith(attack_graph_types_1.PRIVILEGED_SID_SUFFIXES.BACKUP_OPERATORS)) {
|
|
221
|
+
reason = 'Backup Operators';
|
|
222
|
+
}
|
|
223
|
+
}
|
|
224
|
+
if (!reason && node.adminCount === 1) {
|
|
225
|
+
reason = 'adminCount=1';
|
|
226
|
+
}
|
|
227
|
+
if (!reason && node.type === 'group') {
|
|
228
|
+
const nameLower = node.name.toLowerCase();
|
|
229
|
+
if (nameLower === 'domain admins' ||
|
|
230
|
+
nameLower === 'admins du domaine' ||
|
|
231
|
+
nameLower === 'administrateurs du domaine') {
|
|
232
|
+
reason = 'Domain Admins';
|
|
233
|
+
}
|
|
234
|
+
else if (nameLower === 'enterprise admins' ||
|
|
235
|
+
nameLower === 'administrateurs de l\'entreprise') {
|
|
236
|
+
reason = 'Enterprise Admins';
|
|
237
|
+
}
|
|
238
|
+
else if (nameLower === 'administrators' || nameLower === 'administrateurs') {
|
|
239
|
+
reason = 'Administrators';
|
|
240
|
+
}
|
|
241
|
+
}
|
|
242
|
+
if (!reason && node.type === 'computer' && node.isPrivileged) {
|
|
243
|
+
reason = 'Domain Controller';
|
|
244
|
+
}
|
|
245
|
+
if (reason) {
|
|
246
|
+
node.isPrivileged = true;
|
|
247
|
+
this.privilegedTargets.set(nodeId, {
|
|
248
|
+
id: nodeId,
|
|
249
|
+
name: node.name,
|
|
250
|
+
type: node.type,
|
|
251
|
+
sid: node.sid,
|
|
252
|
+
dn: node.dn,
|
|
253
|
+
reason,
|
|
254
|
+
});
|
|
255
|
+
}
|
|
256
|
+
}
|
|
257
|
+
logger_1.logger.debug(`Identified ${this.privilegedTargets.size} privileged targets`);
|
|
258
|
+
}
|
|
259
|
+
findAllAttackPaths(maxPaths) {
|
|
260
|
+
const paths = [];
|
|
261
|
+
const targetIds = Array.from(this.privilegedTargets.keys());
|
|
262
|
+
for (const [sourceId, sourceNode] of this.nodes) {
|
|
263
|
+
if (sourceNode.isPrivileged)
|
|
264
|
+
continue;
|
|
265
|
+
if (sourceNode.type === 'user' && !sourceNode.isEnabled)
|
|
266
|
+
continue;
|
|
267
|
+
const path = this.bfsShortestPath(sourceId, targetIds);
|
|
268
|
+
if (path && path.nodes.length > 1) {
|
|
269
|
+
const attackPath = this.buildAttackPath(path, sourceNode, paths.length + 1);
|
|
270
|
+
if (attackPath) {
|
|
271
|
+
paths.push(attackPath);
|
|
272
|
+
if (paths.length >= maxPaths) {
|
|
273
|
+
logger_1.logger.debug(`Reached max paths limit: ${maxPaths}`);
|
|
274
|
+
break;
|
|
275
|
+
}
|
|
276
|
+
}
|
|
277
|
+
}
|
|
278
|
+
}
|
|
279
|
+
paths.sort((a, b) => {
|
|
280
|
+
const riskOrder = {
|
|
281
|
+
critical: 0,
|
|
282
|
+
high: 1,
|
|
283
|
+
medium: 2,
|
|
284
|
+
low: 3,
|
|
285
|
+
};
|
|
286
|
+
if (riskOrder[a.risk] !== riskOrder[b.risk]) {
|
|
287
|
+
return riskOrder[a.risk] - riskOrder[b.risk];
|
|
288
|
+
}
|
|
289
|
+
return a.hops - b.hops;
|
|
290
|
+
});
|
|
291
|
+
return paths;
|
|
292
|
+
}
|
|
293
|
+
bfsShortestPath(sourceId, targetIds) {
|
|
294
|
+
const targetSet = new Set(targetIds);
|
|
295
|
+
const visited = new Set([sourceId]);
|
|
296
|
+
const queue = [
|
|
297
|
+
{ nodeId: sourceId, path: { nodes: [sourceId], edges: [] } },
|
|
298
|
+
];
|
|
299
|
+
while (queue.length > 0) {
|
|
300
|
+
const current = queue.shift();
|
|
301
|
+
if (targetSet.has(current.nodeId) && current.path.nodes.length > 1) {
|
|
302
|
+
return current.path;
|
|
303
|
+
}
|
|
304
|
+
if (current.path.nodes.length > 6)
|
|
305
|
+
continue;
|
|
306
|
+
const outEdges = this.edges.get(current.nodeId) || [];
|
|
307
|
+
for (const edge of outEdges) {
|
|
308
|
+
if (visited.has(edge.target))
|
|
309
|
+
continue;
|
|
310
|
+
visited.add(edge.target);
|
|
311
|
+
const newPath = {
|
|
312
|
+
nodes: [...current.path.nodes, edge.target],
|
|
313
|
+
edges: [...current.path.edges, edge],
|
|
314
|
+
};
|
|
315
|
+
if (targetSet.has(edge.target)) {
|
|
316
|
+
return newPath;
|
|
317
|
+
}
|
|
318
|
+
queue.push({ nodeId: edge.target, path: newPath });
|
|
319
|
+
}
|
|
320
|
+
}
|
|
321
|
+
return null;
|
|
322
|
+
}
|
|
323
|
+
buildAttackPath(bfsPath, sourceNode, pathIndex) {
|
|
324
|
+
const chain = [];
|
|
325
|
+
for (let i = 0; i < bfsPath.nodes.length; i++) {
|
|
326
|
+
const nodeId = bfsPath.nodes[i];
|
|
327
|
+
if (!nodeId)
|
|
328
|
+
continue;
|
|
329
|
+
const node = this.nodes.get(nodeId);
|
|
330
|
+
if (!node)
|
|
331
|
+
continue;
|
|
332
|
+
chain.push(this.toAttackGraphNode(node));
|
|
333
|
+
if (i < bfsPath.edges.length) {
|
|
334
|
+
const edge = bfsPath.edges[i];
|
|
335
|
+
if (edge) {
|
|
336
|
+
chain.push(this.toAttackGraphRelation(edge));
|
|
337
|
+
}
|
|
338
|
+
}
|
|
339
|
+
}
|
|
340
|
+
const targetId = bfsPath.nodes[bfsPath.nodes.length - 1];
|
|
341
|
+
if (!targetId)
|
|
342
|
+
return null;
|
|
343
|
+
const targetNode = this.nodes.get(targetId);
|
|
344
|
+
if (!targetNode)
|
|
345
|
+
return null;
|
|
346
|
+
const pathType = this.classifyPathType(bfsPath);
|
|
347
|
+
const risk = this.calculatePathRisk(bfsPath, pathType);
|
|
348
|
+
const description = this.generateDescription(bfsPath, pathType, sourceNode, targetNode);
|
|
349
|
+
const mitigation = this.generateMitigation(bfsPath, pathType);
|
|
350
|
+
return {
|
|
351
|
+
id: `path-${String(pathIndex).padStart(3, '0')}`,
|
|
352
|
+
risk,
|
|
353
|
+
type: pathType,
|
|
354
|
+
hops: bfsPath.edges.length,
|
|
355
|
+
description,
|
|
356
|
+
chain,
|
|
357
|
+
entryPoint: this.toEntryPoint(sourceNode),
|
|
358
|
+
target: this.toAttackGraphNode(targetNode),
|
|
359
|
+
mitigation,
|
|
360
|
+
};
|
|
361
|
+
}
|
|
362
|
+
classifyPathType(path) {
|
|
363
|
+
const relations = path.edges.map((e) => e.relation);
|
|
364
|
+
if (relations.includes('DCSync')) {
|
|
365
|
+
return 'DCSYNC';
|
|
366
|
+
}
|
|
367
|
+
if (relations.includes('AllowedToDelegate') || relations.includes('AllowedToAct')) {
|
|
368
|
+
return 'DELEGATION_ABUSE';
|
|
369
|
+
}
|
|
370
|
+
const firstNodeId = path.nodes[0];
|
|
371
|
+
const sourceNode = firstNodeId ? this.nodes.get(firstNodeId) : undefined;
|
|
372
|
+
if (sourceNode?.type === 'user' &&
|
|
373
|
+
sourceNode.servicePrincipalName &&
|
|
374
|
+
sourceNode.servicePrincipalName.length > 0) {
|
|
375
|
+
return 'KERBEROASTING';
|
|
376
|
+
}
|
|
377
|
+
if (sourceNode?.userAccountControl &&
|
|
378
|
+
(sourceNode.userAccountControl & 0x400000) !== 0) {
|
|
379
|
+
return 'ASREP_ROASTING';
|
|
380
|
+
}
|
|
381
|
+
if (relations.includes('Owns')) {
|
|
382
|
+
return 'OWNERSHIP_ABUSE';
|
|
383
|
+
}
|
|
384
|
+
const aclRelations = [
|
|
385
|
+
'GenericAll',
|
|
386
|
+
'WriteDacl',
|
|
387
|
+
'WriteOwner',
|
|
388
|
+
'GenericWrite',
|
|
389
|
+
'ForceChangePassword',
|
|
390
|
+
'AddMember',
|
|
391
|
+
];
|
|
392
|
+
if (relations.some((r) => aclRelations.includes(r))) {
|
|
393
|
+
return 'ACL_ABUSE';
|
|
394
|
+
}
|
|
395
|
+
if (relations.every((r) => r === 'MemberOf')) {
|
|
396
|
+
return 'GROUP_MEMBERSHIP';
|
|
397
|
+
}
|
|
398
|
+
return 'ACL_ABUSE';
|
|
399
|
+
}
|
|
400
|
+
calculatePathRisk(path, pathType) {
|
|
401
|
+
const hops = path.edges.length;
|
|
402
|
+
const hasAbusableEdge = path.edges.some((e) => e.isAbusable);
|
|
403
|
+
if (pathType === 'DCSYNC')
|
|
404
|
+
return 'critical';
|
|
405
|
+
if (hops <= 2 && hasAbusableEdge)
|
|
406
|
+
return 'critical';
|
|
407
|
+
if (pathType === 'DELEGATION_ABUSE')
|
|
408
|
+
return 'high';
|
|
409
|
+
if (hops <= 2)
|
|
410
|
+
return 'high';
|
|
411
|
+
if (hops <= 4)
|
|
412
|
+
return 'medium';
|
|
413
|
+
return 'low';
|
|
414
|
+
}
|
|
415
|
+
generateDescription(path, pathType, source, target) {
|
|
416
|
+
const typeDescriptions = {
|
|
417
|
+
ACL_ABUSE: 'can abuse ACL permissions to reach',
|
|
418
|
+
KERBEROASTING: 'has an SPN and can be Kerberoasted to reach',
|
|
419
|
+
ASREP_ROASTING: 'has no pre-authentication and can be AS-REP roasted to reach',
|
|
420
|
+
DELEGATION_ABUSE: 'can abuse delegation to reach',
|
|
421
|
+
LATERAL_MOVEMENT: 'can move laterally to reach',
|
|
422
|
+
CERTIFICATE_ABUSE: 'can abuse certificate services to reach',
|
|
423
|
+
GROUP_MEMBERSHIP: 'is a member of groups leading to',
|
|
424
|
+
DCSYNC: 'has DCSync rights to',
|
|
425
|
+
OWNERSHIP_ABUSE: 'owns objects leading to',
|
|
426
|
+
};
|
|
427
|
+
return `${source.name} ${typeDescriptions[pathType]} ${target.name} in ${path.edges.length} hop(s)`;
|
|
428
|
+
}
|
|
429
|
+
generateMitigation(_path, pathType) {
|
|
430
|
+
const mitigations = {
|
|
431
|
+
ACL_ABUSE: 'Review and remove unnecessary ACL permissions. Apply least privilege principle.',
|
|
432
|
+
KERBEROASTING: 'Remove unnecessary SPNs from user accounts. Use Group Managed Service Accounts (gMSA) or strong passwords for service accounts.',
|
|
433
|
+
ASREP_ROASTING: 'Enable Kerberos pre-authentication for all user accounts.',
|
|
434
|
+
DELEGATION_ABUSE: 'Review and restrict delegation settings. Use resource-based constrained delegation with explicit trusts.',
|
|
435
|
+
LATERAL_MOVEMENT: 'Segment networks and restrict local admin access. Implement LAPS for local administrator passwords.',
|
|
436
|
+
CERTIFICATE_ABUSE: 'Review certificate template permissions. Disable vulnerable enrollment patterns.',
|
|
437
|
+
GROUP_MEMBERSHIP: 'Review nested group memberships. Remove unnecessary members from privileged groups.',
|
|
438
|
+
DCSYNC: 'Remove DCSync rights from non-DC accounts. Monitor for DCSync activity.',
|
|
439
|
+
OWNERSHIP_ABUSE: 'Review object ownership. Ensure privileged objects are owned by appropriate administrators.',
|
|
440
|
+
};
|
|
441
|
+
return mitigations[pathType];
|
|
442
|
+
}
|
|
443
|
+
toAttackGraphNode(node) {
|
|
444
|
+
return {
|
|
445
|
+
id: node.id,
|
|
446
|
+
name: node.name,
|
|
447
|
+
type: node.type,
|
|
448
|
+
sid: node.sid,
|
|
449
|
+
dn: node.dn,
|
|
450
|
+
domain: this.domainName,
|
|
451
|
+
isEnabled: node.isEnabled,
|
|
452
|
+
isPrivileged: node.isPrivileged,
|
|
453
|
+
};
|
|
454
|
+
}
|
|
455
|
+
toAttackGraphRelation(edge) {
|
|
456
|
+
return {
|
|
457
|
+
relation: edge.relation,
|
|
458
|
+
isAbusable: edge.isAbusable,
|
|
459
|
+
accessMask: edge.accessMask,
|
|
460
|
+
objectType: edge.objectType,
|
|
461
|
+
};
|
|
462
|
+
}
|
|
463
|
+
toEntryPoint(node) {
|
|
464
|
+
return {
|
|
465
|
+
id: node.id,
|
|
466
|
+
name: node.name,
|
|
467
|
+
type: node.type,
|
|
468
|
+
properties: {
|
|
469
|
+
hasSPN: node.servicePrincipalName && node.servicePrincipalName.length > 0,
|
|
470
|
+
noPreauth: node.userAccountControl
|
|
471
|
+
? (node.userAccountControl & 0x400000) !== 0
|
|
472
|
+
: false,
|
|
473
|
+
passwordNotExpire: node.userAccountControl
|
|
474
|
+
? (node.userAccountControl & 0x10000) !== 0
|
|
475
|
+
: false,
|
|
476
|
+
unconstrained: node.userAccountControl
|
|
477
|
+
? (node.userAccountControl & 0x80000) !== 0
|
|
478
|
+
: false,
|
|
479
|
+
constrained: node.delegateTo && node.delegateTo.length > 0,
|
|
480
|
+
rbcd: node.rbcdFrom && node.rbcdFrom.length > 0,
|
|
481
|
+
adminCount: node.adminCount === 1,
|
|
482
|
+
enabled: node.isEnabled,
|
|
483
|
+
},
|
|
484
|
+
};
|
|
485
|
+
}
|
|
486
|
+
computeStats(paths) {
|
|
487
|
+
const byRisk = { critical: 0, high: 0, medium: 0, low: 0 };
|
|
488
|
+
const byType = {
|
|
489
|
+
ACL_ABUSE: 0,
|
|
490
|
+
KERBEROASTING: 0,
|
|
491
|
+
ASREP_ROASTING: 0,
|
|
492
|
+
DELEGATION_ABUSE: 0,
|
|
493
|
+
LATERAL_MOVEMENT: 0,
|
|
494
|
+
CERTIFICATE_ABUSE: 0,
|
|
495
|
+
GROUP_MEMBERSHIP: 0,
|
|
496
|
+
DCSYNC: 0,
|
|
497
|
+
OWNERSHIP_ABUSE: 0,
|
|
498
|
+
};
|
|
499
|
+
let totalHops = 0;
|
|
500
|
+
let shortestPath = Infinity;
|
|
501
|
+
let longestPath = 0;
|
|
502
|
+
for (const path of paths) {
|
|
503
|
+
byRisk[path.risk]++;
|
|
504
|
+
byType[path.type]++;
|
|
505
|
+
totalHops += path.hops;
|
|
506
|
+
shortestPath = Math.min(shortestPath, path.hops);
|
|
507
|
+
longestPath = Math.max(longestPath, path.hops);
|
|
508
|
+
}
|
|
509
|
+
return {
|
|
510
|
+
totalPaths: paths.length,
|
|
511
|
+
byRisk,
|
|
512
|
+
byType,
|
|
513
|
+
averageHops: paths.length > 0 ? Math.round((totalHops / paths.length) * 100) / 100 : 0,
|
|
514
|
+
shortestPath: paths.length > 0 ? shortestPath : 0,
|
|
515
|
+
longestPath: paths.length > 0 ? longestPath : 0,
|
|
516
|
+
};
|
|
517
|
+
}
|
|
518
|
+
getUniqueNodes(paths) {
|
|
519
|
+
const nodeCount = new Map();
|
|
520
|
+
for (const path of paths) {
|
|
521
|
+
for (const element of path.chain) {
|
|
522
|
+
if ((0, attack_graph_types_1.isAttackGraphNode)(element)) {
|
|
523
|
+
const existing = nodeCount.get(element.id);
|
|
524
|
+
if (existing) {
|
|
525
|
+
existing.count++;
|
|
526
|
+
}
|
|
527
|
+
else {
|
|
528
|
+
nodeCount.set(element.id, { node: element, count: 1 });
|
|
529
|
+
}
|
|
530
|
+
}
|
|
531
|
+
}
|
|
532
|
+
}
|
|
533
|
+
return Array.from(nodeCount.values())
|
|
534
|
+
.map(({ node, count }) => ({
|
|
535
|
+
id: node.id,
|
|
536
|
+
name: node.name,
|
|
537
|
+
type: node.type,
|
|
538
|
+
pathCount: count,
|
|
539
|
+
sid: node.sid,
|
|
540
|
+
}))
|
|
541
|
+
.sort((a, b) => b.pathCount - a.pathCount);
|
|
542
|
+
}
|
|
543
|
+
addEdge(edge) {
|
|
544
|
+
const sourceEdges = this.edges.get(edge.source);
|
|
545
|
+
if (sourceEdges) {
|
|
546
|
+
sourceEdges.push(edge);
|
|
547
|
+
}
|
|
548
|
+
const targetEdges = this.reverseEdges.get(edge.target);
|
|
549
|
+
if (targetEdges) {
|
|
550
|
+
targetEdges.push(edge);
|
|
551
|
+
}
|
|
552
|
+
}
|
|
553
|
+
countEdges() {
|
|
554
|
+
let count = 0;
|
|
555
|
+
for (const edges of this.edges.values()) {
|
|
556
|
+
count += edges.length;
|
|
557
|
+
}
|
|
558
|
+
return count;
|
|
559
|
+
}
|
|
560
|
+
extractSid(obj) {
|
|
561
|
+
const sid = obj.objectSid || obj.objectSID || obj.sid;
|
|
562
|
+
if (typeof sid === 'string')
|
|
563
|
+
return sid;
|
|
564
|
+
if (Buffer.isBuffer(sid))
|
|
565
|
+
return this.bufferToSid(sid);
|
|
566
|
+
return undefined;
|
|
567
|
+
}
|
|
568
|
+
bufferToSid(buffer) {
|
|
569
|
+
if (buffer.length < 8)
|
|
570
|
+
return '';
|
|
571
|
+
const revision = buffer.readUInt8(0);
|
|
572
|
+
const subAuthCount = buffer.readUInt8(1);
|
|
573
|
+
const authority = buffer.readUInt8(2) * Math.pow(2, 40) +
|
|
574
|
+
buffer.readUInt8(3) * Math.pow(2, 32) +
|
|
575
|
+
buffer.readUInt8(4) * Math.pow(2, 24) +
|
|
576
|
+
buffer.readUInt8(5) * Math.pow(2, 16) +
|
|
577
|
+
buffer.readUInt8(6) * Math.pow(2, 8) +
|
|
578
|
+
buffer.readUInt8(7);
|
|
579
|
+
let sid = `S-${revision}-${authority}`;
|
|
580
|
+
for (let i = 0; i < subAuthCount; i++) {
|
|
581
|
+
const offset = 8 + i * 4;
|
|
582
|
+
if (offset + 4 <= buffer.length) {
|
|
583
|
+
const subAuth = buffer.readUInt32LE(offset);
|
|
584
|
+
sid += `-${subAuth}`;
|
|
585
|
+
}
|
|
586
|
+
}
|
|
587
|
+
return sid;
|
|
588
|
+
}
|
|
589
|
+
extractDomainSid() {
|
|
590
|
+
for (const user of this.users) {
|
|
591
|
+
const sid = this.extractSid(user);
|
|
592
|
+
if (sid) {
|
|
593
|
+
const parts = sid.split('-');
|
|
594
|
+
if (parts.length > 4) {
|
|
595
|
+
return parts.slice(0, -1).join('-');
|
|
596
|
+
}
|
|
597
|
+
}
|
|
598
|
+
}
|
|
599
|
+
return '';
|
|
600
|
+
}
|
|
601
|
+
isPrivilegedBySid(sid) {
|
|
602
|
+
if (!sid)
|
|
603
|
+
return false;
|
|
604
|
+
for (const suffix of Object.values(attack_graph_types_1.PRIVILEGED_SID_SUFFIXES)) {
|
|
605
|
+
if (sid.endsWith(suffix))
|
|
606
|
+
return true;
|
|
607
|
+
}
|
|
608
|
+
return false;
|
|
609
|
+
}
|
|
610
|
+
generateId(dn) {
|
|
611
|
+
return `dn:${dn.toLowerCase()}`;
|
|
612
|
+
}
|
|
613
|
+
getSpn(user) {
|
|
614
|
+
const spn = user.servicePrincipalName;
|
|
615
|
+
if (!spn)
|
|
616
|
+
return undefined;
|
|
617
|
+
return Array.isArray(spn) ? spn : [spn];
|
|
618
|
+
}
|
|
619
|
+
getDelegationTargets(obj) {
|
|
620
|
+
const attr = obj['msDS-AllowedToDelegateTo'];
|
|
621
|
+
if (!attr)
|
|
622
|
+
return undefined;
|
|
623
|
+
return Array.isArray(attr) ? attr : [attr];
|
|
624
|
+
}
|
|
625
|
+
getRbcdPrincipals(computer) {
|
|
626
|
+
const attr = computer['msDS-AllowedToActOnBehalfOfOtherIdentity'];
|
|
627
|
+
if (!attr)
|
|
628
|
+
return undefined;
|
|
629
|
+
return [];
|
|
630
|
+
}
|
|
631
|
+
resolveAclTrustee(trustee) {
|
|
632
|
+
if (trustee.startsWith('S-1-')) {
|
|
633
|
+
if (this.nodes.has(trustee)) {
|
|
634
|
+
return trustee;
|
|
635
|
+
}
|
|
636
|
+
return this.findNodeBySid(trustee);
|
|
637
|
+
}
|
|
638
|
+
return this.dnToId.get(trustee.toLowerCase());
|
|
639
|
+
}
|
|
640
|
+
findNodeBySid(sid) {
|
|
641
|
+
for (const [nodeId, node] of this.nodes) {
|
|
642
|
+
if (node.sid === sid)
|
|
643
|
+
return nodeId;
|
|
644
|
+
}
|
|
645
|
+
return undefined;
|
|
646
|
+
}
|
|
647
|
+
resolveSPNTarget(spn) {
|
|
648
|
+
const parts = spn.split('/');
|
|
649
|
+
if (parts.length < 2 || !parts[1])
|
|
650
|
+
return undefined;
|
|
651
|
+
const hostPart = parts[1].split(':')[0];
|
|
652
|
+
if (!hostPart)
|
|
653
|
+
return undefined;
|
|
654
|
+
const host = hostPart.toLowerCase();
|
|
655
|
+
const hostShort = host.split('.')[0] || host;
|
|
656
|
+
for (const [nodeId, node] of this.nodes) {
|
|
657
|
+
if (node.type === 'computer') {
|
|
658
|
+
const nodeName = node.name.toLowerCase().replace(/\$$/, '');
|
|
659
|
+
if (nodeName === host || nodeName.startsWith(hostShort)) {
|
|
660
|
+
return nodeId;
|
|
661
|
+
}
|
|
662
|
+
}
|
|
663
|
+
}
|
|
664
|
+
return undefined;
|
|
665
|
+
}
|
|
666
|
+
classifyAclRelation(acl) {
|
|
667
|
+
const relations = [];
|
|
668
|
+
const mask = acl.accessMask;
|
|
669
|
+
const objectType = acl.objectType?.toLowerCase();
|
|
670
|
+
if (mask & attack_graph_types_1.ACCESS_MASK.GENERIC_ALL) {
|
|
671
|
+
relations.push({ type: 'GenericAll', isAbusable: true });
|
|
672
|
+
}
|
|
673
|
+
if (mask & attack_graph_types_1.ACCESS_MASK.GENERIC_WRITE) {
|
|
674
|
+
relations.push({ type: 'GenericWrite', isAbusable: true });
|
|
675
|
+
}
|
|
676
|
+
if (mask & attack_graph_types_1.ACCESS_MASK.WRITE_DACL) {
|
|
677
|
+
relations.push({ type: 'WriteDacl', isAbusable: true });
|
|
678
|
+
}
|
|
679
|
+
if (mask & attack_graph_types_1.ACCESS_MASK.WRITE_OWNER) {
|
|
680
|
+
relations.push({ type: 'WriteOwner', isAbusable: true });
|
|
681
|
+
}
|
|
682
|
+
if (mask & attack_graph_types_1.ACCESS_MASK.CONTROL_ACCESS && objectType) {
|
|
683
|
+
if (objectType === attack_graph_types_1.ACL_GUIDS.FORCE_CHANGE_PASSWORD.toLowerCase()) {
|
|
684
|
+
relations.push({ type: 'ForceChangePassword', isAbusable: true });
|
|
685
|
+
}
|
|
686
|
+
if (objectType === attack_graph_types_1.ACL_GUIDS.DS_REPLICATION_GET_CHANGES.toLowerCase() ||
|
|
687
|
+
objectType === attack_graph_types_1.ACL_GUIDS.DS_REPLICATION_GET_CHANGES_ALL.toLowerCase()) {
|
|
688
|
+
relations.push({ type: 'DCSync', isAbusable: true });
|
|
689
|
+
}
|
|
690
|
+
}
|
|
691
|
+
if (mask & attack_graph_types_1.ACCESS_MASK.SELF && objectType === attack_graph_types_1.ACL_GUIDS.SELF_MEMBERSHIP.toLowerCase()) {
|
|
692
|
+
relations.push({ type: 'AddMember', isAbusable: true });
|
|
693
|
+
}
|
|
694
|
+
return relations;
|
|
695
|
+
}
|
|
696
|
+
}
|
|
697
|
+
exports.AttackGraphService = AttackGraphService;
|
|
698
|
+
function computeAttackGraph(users, groups, computers, aclEntries, certTemplates = [], gpos = [], domain, maxPaths = 500) {
|
|
699
|
+
const service = new AttackGraphService(users, groups, computers, aclEntries, certTemplates, gpos, domain);
|
|
700
|
+
return service.export(maxPaths);
|
|
701
|
+
}
|
|
702
|
+
//# sourceMappingURL=attack-graph.service.js.map
|