@etcsec-com/etc-collector 1.4.0

package/dist/services/audit/detectors/ad/groups.detector.js

@@ -0,0 +1,488 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectGpoModifyRights = detectGpoModifyRights;
+exports.detectDnsAdminsMember = detectDnsAdminsMember;
+exports.detectPreWindows2000Access = detectPreWindows2000Access;
+exports.detectOversizedGroupCritical = detectOversizedGroupCritical;
+exports.detectOversizedGroupHigh = detectOversizedGroupHigh;
+exports.detectOversizedGroup = detectOversizedGroup;
+exports.detectDangerousGroupNesting = detectDangerousGroupNesting;
+exports.detectGroupEmptyPrivileged = detectGroupEmptyPrivileged;
+exports.detectGroupCircularNesting = detectGroupCircularNesting;
+exports.detectGroupExcessiveMembers = detectGroupExcessiveMembers;
+exports.detectBuiltinModified = detectBuiltinModified;
+exports.detectGroupEveryoneInPrivileged = detectGroupEveryoneInPrivileged;
+exports.detectGroupAuthenticatedUsersPrivileged = detectGroupAuthenticatedUsersPrivileged;
+exports.detectGroupProtectedUsersEmpty = detectGroupProtectedUsersEmpty;
+exports.detectExcessivePrivilegedAccounts = detectExcessivePrivilegedAccounts;
+exports.detectGroupsVulnerabilities = detectGroupsVulnerabilities;
+const entity_converter_1 = require("../../../../utils/entity-converter");
+function detectGpoModifyRights(users, includeDetails) {
+    const affected = users.filter((u) => {
+        if (!u.memberOf)
+            return false;
+        return u.memberOf.some((dn) => dn.includes('CN=Group Policy Creator Owners'));
+    });
+    return {
+        type: 'GPO_MODIFY_RIGHTS',
+        severity: 'high',
+        category: 'groups',
+        title: 'Group Policy Creator Owners Member',
+        description: 'Users in Group Policy Creator Owners group. Can create/modify GPOs and execute code on domain machines.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+    };
+}
+function detectDnsAdminsMember(users, includeDetails) {
+    const affected = users.filter((u) => {
+        if (!u.memberOf)
+            return false;
+        return u.memberOf.some((dn) => dn.includes('CN=DnsAdmins'));
+    });
+    return {
+        type: 'DNS_ADMINS_MEMBER',
+        severity: 'high',
+        category: 'groups',
+        title: 'DnsAdmins Member',
+        description: 'Users in DnsAdmins group. Can load arbitrary DLLs on domain controllers (escalation to Domain Admin).',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+    };
+}
+function detectPreWindows2000Access(users, includeDetails) {
+    const affected = users.filter((u) => {
+        if (!u.memberOf)
+            return false;
+        return u.memberOf.some((dn) => dn.includes('CN=Pre-Windows 2000 Compatible Access'));
+    });
+    return {
+        type: 'PRE_WINDOWS_2000_ACCESS',
+        severity: 'medium',
+        category: 'groups',
+        title: 'Pre-Windows 2000 Compatible Access',
+        description: 'Pre-Windows 2000 Compatible Access group has members. Overly permissive read access to AD objects.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+    };
+}
+function detectOversizedGroupCritical(groups, includeDetails) {
+    const affected = groups.filter((g) => {
+        if (!g.member)
+            return false;
+        return g.member.length > 500;
+    });
+    return {
+        type: 'OVERSIZED_GROUP_CRITICAL',
+        severity: 'high',
+        category: 'groups',
+        title: 'Oversized Group (Critical)',
+        description: 'Groups with 500+ members. Management/audit difficulty, excessive privileges, performance issues.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(affected) : undefined,
+    };
+}
+function detectOversizedGroupHigh(groups, includeDetails) {
+    const affected = groups.filter((g) => {
+        if (!g.member)
+            return false;
+        return g.member.length > 200 && g.member.length <= 500;
+    });
+    return {
+        type: 'OVERSIZED_GROUP_HIGH',
+        severity: 'medium',
+        category: 'groups',
+        title: 'Oversized Group (High)',
+        description: 'Groups with 200-500 members. Management difficulty and potential privilege creep.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(affected) : undefined,
+    };
+}
+function detectOversizedGroup(groups, includeDetails) {
+    const affected = groups.filter((g) => {
+        if (!g.member)
+            return false;
+        return g.member.length > 100 && g.member.length <= 500;
+    });
+    return {
+        type: 'OVERSIZED_GROUP',
+        severity: 'medium',
+        category: 'groups',
+        title: 'Oversized Group',
+        description: 'Groups with 100-500 members. May indicate overly broad permissions.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(affected) : undefined,
+    };
+}
+function detectDangerousGroupNesting(groups, includeDetails) {
+    const protectedGroups = [
+        'Domain Admins',
+        'Enterprise Admins',
+        'Schema Admins',
+        'Administrators',
+        'Account Operators',
+        'Backup Operators',
+        'Server Operators',
+        'Print Operators',
+    ];
+    const affected = groups.filter((g) => {
+        if (!g.memberOf)
+            return false;
+        const isProtected = protectedGroups.some((pg) => g.dn.includes(`CN=${pg}`));
+        if (!isProtected)
+            return false;
+        const hasUnexpectedNesting = g.memberOf.some((dn) => {
+            return !protectedGroups.some((pg) => dn.includes(`CN=${pg}`));
+        });
+        return hasUnexpectedNesting;
+    });
+    return {
+        type: 'DANGEROUS_GROUP_NESTING',
+        severity: 'medium',
+        category: 'groups',
+        title: 'Dangerous Group Nesting',
+        description: 'Sensitive group nested in less sensitive group. Unintended privilege escalation path.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(affected) : undefined,
+    };
+}
+function detectGroupEmptyPrivileged(groups, includeDetails) {
+    const privilegedGroups = [
+        'Domain Admins',
+        'Enterprise Admins',
+        'Schema Admins',
+        'Administrators',
+        'Account Operators',
+        'Server Operators',
+        'Backup Operators',
+        'Print Operators',
+        'DnsAdmins',
+        'Group Policy Creator Owners',
+    ];
+    const affected = groups.filter((g) => {
+        const name = g.sAMAccountName || g.displayName || '';
+        const isPrivileged = privilegedGroups.some((pg) => name.toLowerCase() === pg.toLowerCase() || g.dn.toLowerCase().includes(`cn=${pg.toLowerCase()}`));
+        if (!isPrivileged)
+            return false;
+        const memberCount = g.member?.length ?? 0;
+        return memberCount === 0;
+    });
+    return {
+        type: 'GROUP_EMPTY_PRIVILEGED',
+        severity: 'low',
+        category: 'groups',
+        title: 'Empty Privileged Group',
+        description: 'Privileged groups with no members. While not a vulnerability, empty admin groups may indicate misconfiguration or unused infrastructure.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(affected) : undefined,
+        details: affected.length > 0
+            ? {
+                groups: affected.map((g) => g.sAMAccountName || g.dn),
+                recommendation: 'Document intentionally empty groups or remove if unused.',
+            }
+            : undefined,
+    };
+}
+function detectGroupCircularNesting(groups, includeDetails) {
+    const groupDnMap = new Map();
+    for (const g of groups) {
+        groupDnMap.set(g.dn.toLowerCase(), g);
+    }
+    const circularGroups = [];
+    const visited = new Set();
+    const detectCycle = (groupDn, path) => {
+        const normalizedDn = groupDn.toLowerCase();
+        if (path.has(normalizedDn))
+            return true;
+        if (visited.has(normalizedDn))
+            return false;
+        visited.add(normalizedDn);
+        path.add(normalizedDn);
+        const group = groupDnMap.get(normalizedDn);
+        if (group?.memberOf) {
+            for (const parentDn of group.memberOf) {
+                if (groupDnMap.has(parentDn.toLowerCase())) {
+                    if (detectCycle(parentDn, path)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        path.delete(normalizedDn);
+        return false;
+    };
+    for (const group of groups) {
+        visited.clear();
+        if (detectCycle(group.dn, new Set())) {
+            circularGroups.push(group);
+        }
+    }
+    return {
+        type: 'GROUP_CIRCULAR_NESTING',
+        severity: 'medium',
+        category: 'groups',
+        title: 'Circular Group Nesting',
+        description: 'Groups contain circular membership references. This can cause authentication issues and makes privilege analysis unreliable.',
+        count: circularGroups.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(circularGroups) : undefined,
+        details: circularGroups.length > 0
+            ? {
+                recommendation: 'Remove circular nesting by reviewing and restructuring group membership.',
+                impact: 'May cause token bloat, authentication failures, and unreliable access control.',
+            }
+            : undefined,
+    };
+}
+function detectGroupExcessiveMembers(groups, includeDetails) {
+    const EXCESSIVE_THRESHOLD = 100;
+    const affected = groups.filter((g) => {
+        const memberCount = g.member?.length ?? 0;
+        return memberCount > EXCESSIVE_THRESHOLD;
+    });
+    affected.sort((a, b) => (b.member?.length ?? 0) - (a.member?.length ?? 0));
+    return {
+        type: 'GROUP_EXCESSIVE_MEMBERS',
+        severity: 'medium',
+        category: 'groups',
+        title: 'Group with Excessive Members',
+        description: `Groups with more than ${EXCESSIVE_THRESHOLD} direct members. Large groups are difficult to audit and may grant unintended access.`,
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(affected) : undefined,
+        details: affected.length > 0
+            ? {
+                threshold: EXCESSIVE_THRESHOLD,
+                largestGroups: affected.slice(0, 5).map((g) => ({
+                    name: g.sAMAccountName || g.dn,
+                    memberCount: g.member?.length ?? 0,
+                })),
+                recommendation: 'Review large groups and consider breaking into smaller, role-based groups for better access control.',
+            }
+            : undefined,
+    };
+}
+function detectBuiltinModified(groups, includeDetails) {
+    const builtinDefaults = {
+        Administrators: ['Administrator', 'Domain Admins', 'Enterprise Admins'],
+        Users: ['Domain Users', 'Authenticated Users', 'INTERACTIVE'],
+        Guests: ['Guest', 'Domain Guests'],
+        'Remote Desktop Users': [],
+        'Network Configuration Operators': [],
+        'Performance Monitor Users': [],
+        'Performance Log Users': [],
+        'Distributed COM Users': [],
+        'IIS_IUSRS': [],
+        'Cryptographic Operators': [],
+        'Event Log Readers': [],
+        'Certificate Service DCOM Access': [],
+    };
+    const affected = groups.filter((g) => {
+        const name = g.sAMAccountName || '';
+        if (!builtinDefaults[name])
+            return false;
+        const expectedMembers = builtinDefaults[name];
+        const actualMembers = g.member ?? [];
+        const hasUnexpectedMembers = actualMembers.some((memberDn) => {
+            const memberCn = memberDn.match(/CN=([^,]+)/i)?.[1] || '';
+            return !expectedMembers.some((exp) => memberCn.toLowerCase().includes(exp.toLowerCase()));
+        });
+        return hasUnexpectedMembers;
+    });
+    return {
+        type: 'BUILTIN_MODIFIED',
+        severity: 'high',
+        category: 'groups',
+        title: 'Builtin Group Modified',
+        description: 'Builtin groups contain non-standard members. This may indicate privilege escalation or backdoor access.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(affected) : undefined,
+        details: affected.length > 0
+            ? {
+                groups: affected.map((g) => g.sAMAccountName || g.dn),
+                recommendation: 'Review membership of builtin groups and remove unexpected members. Document any intentional additions.',
+                risk: 'Attackers often add accounts to builtin groups for persistent access.',
+            }
+            : undefined,
+    };
+}
+function detectGroupEveryoneInPrivileged(groups, includeDetails) {
+    const privilegedGroups = [
+        'Domain Admins',
+        'Enterprise Admins',
+        'Schema Admins',
+        'Administrators',
+        'Account Operators',
+        'Server Operators',
+        'Backup Operators',
+        'Print Operators',
+    ];
+    const affected = groups.filter((g) => {
+        const groupName = g.sAMAccountName || g.cn || '';
+        const isPrivileged = privilegedGroups.some((pg) => groupName.toLowerCase() === pg.toLowerCase());
+        if (!isPrivileged || !g.member)
+            return false;
+        return g.member.some((m) => m.toLowerCase().includes('everyone') ||
+            m.includes('S-1-1-0') ||
+            m.toLowerCase().includes('world'));
+    });
+    return {
+        type: 'GROUP_EVERYONE_IN_PRIVILEGED',
+        severity: 'critical',
+        category: 'groups',
+        title: 'Everyone in Privileged Group',
+        description: 'The Everyone principal is a member of a privileged group. ' +
+            'This grants ALL users (including anonymous) administrative privileges.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(affected) : undefined,
+        details: {
+            recommendation: 'Immediately remove Everyone from privileged groups.',
+            risk: 'Complete domain compromise - anyone can authenticate as admin.',
+        },
+    };
+}
+function detectGroupAuthenticatedUsersPrivileged(groups, includeDetails) {
+    const privilegedGroups = [
+        'Domain Admins',
+        'Enterprise Admins',
+        'Schema Admins',
+        'Administrators',
+        'Account Operators',
+        'Server Operators',
+        'Backup Operators',
+    ];
+    const affected = groups.filter((g) => {
+        const groupName = g.sAMAccountName || g.cn || '';
+        const isPrivileged = privilegedGroups.some((pg) => groupName.toLowerCase() === pg.toLowerCase());
+        if (!isPrivileged || !g.member)
+            return false;
+        return g.member.some((m) => m.toLowerCase().includes('authenticated users') ||
+            m.includes('S-1-5-11') ||
+            m.toLowerCase().includes('utilisateurs authentifiés'));
+    });
+    return {
+        type: 'GROUP_AUTHENTICATED_USERS_PRIVILEGED',
+        severity: 'high',
+        category: 'groups',
+        title: 'Authenticated Users in Privileged Group',
+        description: 'Authenticated Users principal is a member of a privileged group. ' +
+            'This grants ALL authenticated domain users administrative privileges.',
+        count: affected.length,
+        affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedADGroupEntities)(affected) : undefined,
+        details: {
+            recommendation: 'Remove Authenticated Users from privileged groups immediately.',
+            risk: 'Any domain user can perform administrative actions.',
+        },
+    };
+}
+function detectGroupProtectedUsersEmpty(groups, _includeDetails) {
+    const protectedUsersGroup = groups.find((g) => (g.sAMAccountName || g.cn || '').toLowerCase() === 'protected users');
+    const isEmpty = !protectedUsersGroup ||
+        !protectedUsersGroup.member ||
+        protectedUsersGroup.member.length === 0;
+    return {
+        type: 'GROUP_PROTECTED_USERS_EMPTY',
+        severity: 'medium',
+        category: 'groups',
+        title: 'Protected Users Group Empty',
+        description: 'The Protected Users group has no members. ' +
+            'Privileged accounts should be added to this group for enhanced security (NTLM disabled, Kerberos delegation blocked, credential caching prevented).',
+        count: isEmpty ? 1 : 0,
+        details: {
+            memberCount: protectedUsersGroup?.member?.length || 0,
+            recommendation: 'Add Domain Admins, Enterprise Admins, and other privileged accounts to Protected Users group.',
+            benefits: [
+                'NTLM authentication disabled',
+                'Kerberos delegation blocked',
+                'Credential caching prevented',
+                'DES/RC4 encryption disabled',
+            ],
+        },
+    };
+}
+function detectExcessivePrivilegedAccounts(users, groups, includeDetails) {
+    const privilegedGroupNames = [
+        'Domain Admins',
+        'Enterprise Admins',
+        'Schema Admins',
+        'Administrators',
+        'Account Operators',
+        'Backup Operators',
+        'Server Operators',
+        'Print Operators',
+    ];
+    const privilegedUsers = new Set();
+    const groupCounts = {};
+    for (const user of users) {
+        if (!user.memberOf)
+            continue;
+        for (const groupDn of user.memberOf) {
+            for (const groupName of privilegedGroupNames) {
+                if (groupDn.toUpperCase().includes(`CN=${groupName.toUpperCase()}`)) {
+                    privilegedUsers.add(user.dn);
+                    groupCounts[groupName] = (groupCounts[groupName] || 0) + 1;
+                }
+            }
+        }
+    }
+    for (const group of groups) {
+        const groupName = privilegedGroupNames.find((name) => group.sAMAccountName?.toUpperCase() === name.toUpperCase() ||
+            group.dn?.toUpperCase().includes(`CN=${name.toUpperCase()}`));
+        if (groupName && group.member) {
+            groupCounts[groupName] = Math.max(groupCounts[groupName] || 0, group.member.length);
+        }
+    }
+    const totalPrivileged = privilegedUsers.size;
+    const domainAdmins = groupCounts['Domain Admins'] || 0;
+    const enterpriseAdmins = groupCounts['Enterprise Admins'] || 0;
+    const isExcessive = domainAdmins > 10 || totalPrivileged > 50;
+    return {
+        type: 'EXCESSIVE_PRIVILEGED_ACCOUNTS',
+        severity: isExcessive ? 'medium' : 'low',
+        category: 'groups',
+        title: 'Excessive Privileged Accounts',
+        description: 'Large number of accounts with administrative privileges increases attack surface. ' +
+            'Each privileged account is a potential target for credential theft.',
+        count: isExcessive ? totalPrivileged : 0,
+        affectedEntities: includeDetails && isExcessive
+            ? Array.from(privilegedUsers).map((dn) => {
+                const user = users.find((u) => u.dn === dn);
+                if (user) {
+                    const entities = (0, entity_converter_1.toAffectedUserEntities)([user]);
+                    return entities[0] || dn;
+                }
+                return dn;
+            })
+            : undefined,
+        details: {
+            totalPrivilegedUsers: totalPrivileged,
+            domainAdmins,
+            enterpriseAdmins,
+            schemaAdmins: groupCounts['Schema Admins'] || 0,
+            administrators: groupCounts['Administrators'] || 0,
+            accountOperators: groupCounts['Account Operators'] || 0,
+            backupOperators: groupCounts['Backup Operators'] || 0,
+            serverOperators: groupCounts['Server Operators'] || 0,
+            printOperators: groupCounts['Print Operators'] || 0,
+            threshold: 'Domain Admins > 10 or total privileged > 50',
+            recommendation: 'Review privileged group memberships and apply least privilege principle.',
+        },
+    };
+}
+function detectGroupsVulnerabilities(users, groups, includeDetails) {
+    return [
+        detectGpoModifyRights(users, includeDetails),
+        detectDnsAdminsMember(users, includeDetails),
+        detectPreWindows2000Access(users, includeDetails),
+        detectOversizedGroupCritical(groups, includeDetails),
+        detectOversizedGroupHigh(groups, includeDetails),
+        detectOversizedGroup(groups, includeDetails),
+        detectDangerousGroupNesting(groups, includeDetails),
+        detectGroupEmptyPrivileged(groups, includeDetails),
+        detectGroupCircularNesting(groups, includeDetails),
+        detectGroupExcessiveMembers(groups, includeDetails),
+        detectBuiltinModified(groups, includeDetails),
+        detectGroupEveryoneInPrivileged(groups, includeDetails),
+        detectGroupAuthenticatedUsersPrivileged(groups, includeDetails),
+        detectGroupProtectedUsersEmpty(groups, includeDetails),
+        detectExcessivePrivilegedAccounts(users, groups, includeDetails),
+    ].filter((finding) => finding.count > 0);
+}
+//# sourceMappingURL=groups.detector.js.map

package/dist/services/audit/detectors/ad/groups.detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"groups.detector.js","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/ad/groups.detector.ts"],"names":[],"mappings":";;AA8BA,sDAeC;AAKD,sDAeC;AAKD,gEAeC;AAMD,oEAeC;AAKD,4DAeC;AAKD,oDAeC;AAKD,kEAoCC;AAQD,gEA4CC;AAMD,gEAwDC;AAMD,kEAgCC;AAMD,sDAuDC;AAYD,0EA8CC;AAYD,0FA6CC;AAYD,wEAmCC;AAOD,8EAmFC;AAKD,kEA2BC;AAnpBD,yEAAuG;AAKvG,SAAgB,qBAAqB,CAAC,KAAe,EAAE,cAAuB;IAC5E,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,CAAC,CAAC,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC9B,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,yGAAyG;QACtH,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAKD,SAAgB,qBAAqB,CAAC,KAAe,EAAE,cAAuB;IAC5E,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,CAAC,CAAC,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC9B,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kBAAkB;QACzB,WAAW,EAAE,uGAAuG;QACpH,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAKD,SAAgB,0BAA0B,CAAC,KAAe,EAAE,cAAuB;IACjF,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,CAAC,CAAC,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC9B,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,uCAAuC,CAAC,CAAC,CAAC;IACvF,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,oGAAoG;QACjH,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAMD,SAAgB,4BAA4B,CAAC,MAAiB,EAAE,cAAuB;IACrF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC5B,OAAO,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,GAAG,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,kGAAkG;QAC/G,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KACnF,CAAC;AACJ,CAAC;AAKD,SAAgB,wBAAwB,CAAC,MAAiB,EAAE,cAAuB;IACjF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC5B,OAAO,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,IAAI,GAAG,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,mFAAmF;QAChG,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KACnF,CAAC;AACJ,CAAC;AAKD,SAAgB,oBAAoB,CAAC,MAAiB,EAAE,cAAuB;IAC7E,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC5B,OAAO,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,IAAI,GAAG,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,iBAAiB;QACxB,WAAW,EAAE,qEAAqE;QAClF,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KACnF,CAAC;AACJ,CAAC;AAKD,SAAgB,2BAA2B,CAAC,MAAiB,EAAE,cAAuB;IACpF,MAAM,eAAe,GAAG;QACtB,eAAe;QACf,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,mBAAmB;QACnB,kBAAkB;QAClB,kBAAkB;QAClB,iBAAiB;KAClB,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,IAAI,CAAC,CAAC,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAG9B,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC;QAC5E,IAAI,CAAC,WAAW;YAAE,OAAO,KAAK,CAAC;QAG/B,MAAM,oBAAoB,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE;YAClD,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QAEH,OAAO,oBAAoB,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,yBAAyB;QAChC,WAAW,EAAE,uFAAuF;QACpG,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KACnF,CAAC;AACJ,CAAC;AAQD,SAAgB,0BAA0B,CAAC,MAAiB,EAAE,cAAuB;IACnF,MAAM,gBAAgB,GAAG;QACvB,eAAe;QACf,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,mBAAmB;QACnB,kBAAkB;QAClB,kBAAkB;QAClB,iBAAiB;QACjB,WAAW;QACX,6BAA6B;KAC9B,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,MAAM,IAAI,GAAG,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC;QACrD,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,CACxC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CACzG,CAAC;QAEF,IAAI,CAAC,YAAY;YAAE,OAAO,KAAK,CAAC;QAGhC,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,CAAC;QAC1C,OAAO,WAAW,KAAK,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,0IAA0I;QAC5I,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QAClF,OAAO,EACL,QAAQ,CAAC,MAAM,GAAG,CAAC;YACjB,CAAC,CAAC;gBACE,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,EAAE,CAAC;gBACrD,cAAc,EAAE,0DAA0D;aAC3E;YACH,CAAC,CAAC,SAAS;KAChB,CAAC;AACJ,CAAC;AAMD,SAAgB,0BAA0B,CAAC,MAAiB,EAAE,cAAuB;IACnF,MAAM,UAAU,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,cAAc,GAAc,EAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAElC,MAAM,WAAW,GAAG,CAAC,OAAe,EAAE,IAAiB,EAAW,EAAE;QAClE,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3C,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC;YAAE,OAAO,IAAI,CAAC;QACxC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;YAAE,OAAO,KAAK,CAAC;QAE5C,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC1B,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC3C,IAAI,KAAK,EAAE,QAAQ,EAAE,CAAC;YACpB,KAAK,MAAM,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACtC,IAAI,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBAC3C,IAAI,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC;wBAChC,OAAO,IAAI,CAAC;oBACd,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,OAAO,CAAC,KAAK,EAAE,CAAC;QAChB,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,GAAG,EAAE,CAAC,EAAE,CAAC;YACrC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,8HAA8H;QAChI,KAAK,EAAE,cAAc,CAAC,MAAM;QAC5B,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS;QACxF,OAAO,EACL,cAAc,CAAC,MAAM,GAAG,CAAC;YACvB,CAAC,CAAC;gBACE,cAAc,EAAE,0EAA0E;gBAC1F,MAAM,EAAE,gFAAgF;aACzF;YACH,CAAC,CAAC,SAAS;KAChB,CAAC;AACJ,CAAC;AAMD,SAAgB,2BAA2B,CAAC,MAAiB,EAAE,cAAuB;IACpF,MAAM,mBAAmB,GAAG,GAAG,CAAC;IAEhC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,CAAC;QAC1C,OAAO,WAAW,GAAG,mBAAmB,CAAC;IAC3C,CAAC,CAAC,CAAC;IAGH,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC;IAE3E,OAAO;QACL,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,yBAAyB,mBAAmB,uFAAuF;QAChJ,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QAClF,OAAO,EACL,QAAQ,CAAC,MAAM,GAAG,CAAC;YACjB,CAAC,CAAC;gBACE,SAAS,EAAE,mBAAmB;gBAC9B,aAAa,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC9C,IAAI,EAAE,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,EAAE;oBAC9B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC;iBACnC,CAAC,CAAC;gBACH,cAAc,EACZ,sGAAsG;aACzG;YACH,CAAC,CAAC,SAAS;KAChB,CAAC;AACJ,CAAC;AAMD,SAAgB,qBAAqB,CAAC,MAAiB,EAAE,cAAuB;IAE9E,MAAM,eAAe,GAAgC;QACnD,cAAc,EAAE,CAAC,eAAe,EAAE,eAAe,EAAE,mBAAmB,CAAC;QACvE,KAAK,EAAE,CAAC,cAAc,EAAE,qBAAqB,EAAE,aAAa,CAAC;QAC7D,MAAM,EAAE,CAAC,OAAO,EAAE,eAAe,CAAC;QAClC,sBAAsB,EAAE,EAAE;QAC1B,iCAAiC,EAAE,EAAE;QACrC,2BAA2B,EAAE,EAAE;QAC/B,uBAAuB,EAAE,EAAE;QAC3B,uBAAuB,EAAE,EAAE;QAC3B,WAAW,EAAE,EAAE;QACf,yBAAyB,EAAE,EAAE;QAC7B,mBAAmB,EAAE,EAAE;QACvB,iCAAiC,EAAE,EAAE;KACtC,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,MAAM,IAAI,GAAG,CAAC,CAAC,cAAc,IAAI,EAAE,CAAC;QAGpC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QAEzC,MAAM,eAAe,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;QAC9C,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC;QAGrC,MAAM,oBAAoB,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE;YAC3D,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAE1D,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QAC5F,CAAC,CAAC,CAAC;QAEH,OAAO,oBAAoB,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,yGAAyG;QAC3G,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QAClF,OAAO,EACL,QAAQ,CAAC,MAAM,GAAG,CAAC;YACjB,CAAC,CAAC;gBACE,MAAM,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,EAAE,CAAC;gBACrD,cAAc,EACZ,wGAAwG;gBAC1G,IAAI,EAAE,uEAAuE;aAC9E;YACH,CAAC,CAAC,SAAS;KAChB,CAAC;AACJ,CAAC;AAYD,SAAgB,+BAA+B,CAC7C,MAAiB,EACjB,cAAuB;IAEvB,MAAM,gBAAgB,GAAG;QACvB,eAAe;QACf,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,mBAAmB;QACnB,kBAAkB;QAClB,kBAAkB;QAClB,iBAAiB;KAClB,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,MAAM,SAAS,GAAG,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QACjD,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,CACxC,CAAC,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,WAAW,EAAE,CACrD,CAAC;QACF,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAG7C,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,CAClB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;YACpC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CACpC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EACT,4DAA4D;YAC5D,wEAAwE;QAC1E,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QAClF,OAAO,EAAE;YACP,cAAc,EAAE,qDAAqD;YACrE,IAAI,EAAE,gEAAgE;SACvE;KACF,CAAC;AACJ,CAAC;AAYD,SAAgB,uCAAuC,CACrD,MAAiB,EACjB,cAAuB;IAEvB,MAAM,gBAAgB,GAAG;QACvB,eAAe;QACf,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,mBAAmB;QACnB,kBAAkB;QAClB,kBAAkB;KACnB,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACnC,MAAM,SAAS,GAAG,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;QACjD,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,CACxC,CAAC,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,EAAE,CAAC,WAAW,EAAE,CACrD,CAAC;QACF,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAG7C,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,CAClB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,qBAAqB,CAAC;YAC/C,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;YACtB,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CACxD,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,yCAAyC;QAChD,WAAW,EACT,mEAAmE;YACnE,uEAAuE;QACzE,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,4CAAyB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QAClF,OAAO,EAAE;YACP,cAAc,EAAE,gEAAgE;YAChF,IAAI,EAAE,qDAAqD;SAC5D;KACF,CAAC;AACJ,CAAC;AAYD,SAAgB,8BAA8B,CAC5C,MAAiB,EACjB,eAAwB;IAExB,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CACrC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,KAAK,iBAAiB,CACvE,CAAC;IAEF,MAAM,OAAO,GACX,CAAC,mBAAmB;QACpB,CAAC,mBAAmB,CAAC,MAAM;QAC3B,mBAAmB,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC;IAE1C,OAAO;QACL,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6BAA6B;QACpC,WAAW,EACT,4CAA4C;YAC5C,qJAAqJ;QACvJ,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACtB,OAAO,EAAE;YACP,WAAW,EAAE,mBAAmB,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;YACrD,cAAc,EACZ,+FAA+F;YACjG,QAAQ,EAAE;gBACR,8BAA8B;gBAC9B,6BAA6B;gBAC7B,8BAA8B;gBAC9B,6BAA6B;aAC9B;SACF;KACF,CAAC;AACJ,CAAC;AAOD,SAAgB,iCAAiC,CAC/C,KAAe,EACf,MAAiB,EACjB,cAAuB;IAEvB,MAAM,oBAAoB,GAAG;QAC3B,eAAe;QACf,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,mBAAmB;QACnB,kBAAkB;QAClB,kBAAkB;QAClB,iBAAiB;KAClB,CAAC;IAGF,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,MAAM,WAAW,GAA2B,EAAE,CAAC;IAE/C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,SAAS;QAC7B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,KAAK,MAAM,SAAS,IAAI,oBAAoB,EAAE,CAAC;gBAC7C,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,SAAS,CAAC,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC;oBACpE,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBAC7B,WAAW,CAAC,SAAS,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAGD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CACnD,KAAK,CAAC,cAAc,EAAE,WAAW,EAAE,KAAK,IAAI,CAAC,WAAW,EAAE;YAC1D,KAAK,CAAC,EAAE,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC,CAC7D,CAAC;QACF,IAAI,SAAS,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YAC9B,WAAW,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,eAAe,CAAC,IAAI,CAAC;IAC7C,MAAM,YAAY,GAAG,WAAW,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,gBAAgB,GAAG,WAAW,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAG/D,MAAM,WAAW,GAAG,YAAY,GAAG,EAAE,IAAI,eAAe,GAAG,EAAE,CAAC;IAE9D,OAAO;QACL,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK;QACxC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,+BAA+B;QACtC,WAAW,EACT,oFAAoF;YACpF,qEAAqE;QACvE,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QACxC,gBAAgB,EAAE,cAAc,IAAI,WAAW;YAC7C,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;gBACrC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC5C,IAAI,IAAI,EAAE,CAAC;oBACT,MAAM,QAAQ,GAAG,IAAA,yCAAsB,EAAC,CAAC,IAAI,CAAC,CAAC,CAAC;oBAChD,OAAO,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3B,CAAC;gBACD,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC;YACJ,CAAC,CAAC,SAAS;QACb,OAAO,EAAE;YACP,oBAAoB,EAAE,eAAe;YACrC,YAAY;YACZ,gBAAgB;YAChB,YAAY,EAAE,WAAW,CAAC,eAAe,CAAC,IAAI,CAAC;YAC/C,cAAc,EAAE,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC;YAClD,gBAAgB,EAAE,WAAW,CAAC,mBAAmB,CAAC,IAAI,CAAC;YACvD,eAAe,EAAE,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC;YACrD,eAAe,EAAE,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC;YACrD,cAAc,EAAE,WAAW,CAAC,iBAAiB,CAAC,IAAI,CAAC;YACnD,SAAS,EAAE,6CAA6C;YACxD,cAAc,EAAE,0EAA0E;SAC3F;KACF,CAAC;AACJ,CAAC;AAKD,SAAgB,2BAA2B,CACzC,KAAe,EACf,MAAiB,EACjB,cAAuB;IAEvB,OAAO;QAEL,qBAAqB,CAAC,KAAK,EAAE,cAAc,CAAC;QAC5C,qBAAqB,CAAC,KAAK,EAAE,cAAc,CAAC;QAC5C,0BAA0B,CAAC,KAAK,EAAE,cAAc,CAAC;QAEjD,4BAA4B,CAAC,MAAM,EAAE,cAAc,CAAC;QACpD,wBAAwB,CAAC,MAAM,EAAE,cAAc,CAAC;QAChD,oBAAoB,CAAC,MAAM,EAAE,cAAc,CAAC;QAC5C,2BAA2B,CAAC,MAAM,EAAE,cAAc,CAAC;QAEnD,0BAA0B,CAAC,MAAM,EAAE,cAAc,CAAC;QAClD,0BAA0B,CAAC,MAAM,EAAE,cAAc,CAAC;QAClD,2BAA2B,CAAC,MAAM,EAAE,cAAc,CAAC;QACnD,qBAAqB,CAAC,MAAM,EAAE,cAAc,CAAC;QAE7C,+BAA+B,CAAC,MAAM,EAAE,cAAc,CAAC;QACvD,uCAAuC,CAAC,MAAM,EAAE,cAAc,CAAC;QAC/D,8BAA8B,CAAC,MAAM,EAAE,cAAc,CAAC;QAEtD,iCAAiC,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,CAAC;KACjE,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;AAC3C,CAAC"}

package/dist/services/audit/detectors/ad/index.d.ts

@@ -0,0 +1,15 @@
+export * from './password.detector';
+export * from './kerberos.detector';
+export * from './accounts.detector';
+export * from './groups.detector';
+export * from './computers.detector';
+export { detectShadowCredentials, detectRbcdAbuse, detectLapsNotDeployed, detectLapsPasswordReadable, detectLapsLegacyAttribute, detectLapsPasswordSet, detectLapsPasswordLeaked, detectDuplicateSpn, detectWeakPasswordPolicy, detectWeakKerberosPolicy, detectMachineAccountQuotaAbuse, detectDelegationPrivilege, detectAdcsWeakPermissions, detectDangerousLogonScripts, detectForeignSecurityPrincipals, detectReplicationRights, detectDcsyncCapable, detectNtlmRelayOpportunity, detectAdvancedVulnerabilities, } from './advanced.detector';
+export * from './permissions.detector';
+export * from './adcs.detector';
+export * from './gpo.detector';
+export * from './trusts.detector';
+export * from './attack-paths.detector';
+export * from './monitoring.detector';
+export * from './compliance.detector';
+export * from './network.detector';
+//# sourceMappingURL=index.d.ts.map

package/dist/services/audit/detectors/ad/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/ad/index.ts"],"names":[],"mappings":"AAwBA,cAAc,qBAAqB,CAAC;AAGpC,cAAc,qBAAqB,CAAC;AAGpC,cAAc,qBAAqB,CAAC;AAGpC,cAAc,mBAAmB,CAAC;AAGlC,cAAc,sBAAsB,CAAC;AAGrC,OAAO,EACL,uBAAuB,EACvB,eAAe,EACf,qBAAqB,EACrB,0BAA0B,EAC1B,yBAAyB,EACzB,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,wBAAwB,EACxB,wBAAwB,EACxB,8BAA8B,EAC9B,yBAAyB,EACzB,yBAAyB,EACzB,2BAA2B,EAC3B,+BAA+B,EAC/B,uBAAuB,EACvB,mBAAmB,EACnB,0BAA0B,EAC1B,6BAA6B,GAC9B,MAAM,qBAAqB,CAAC;AAG7B,cAAc,wBAAwB,CAAC;AAGvC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,gBAAgB,CAAC;AAG/B,cAAc,mBAAmB,CAAC;AAGlC,cAAc,yBAAyB,CAAC;AAGxC,cAAc,uBAAuB,CAAC;AAGtC,cAAc,uBAAuB,CAAC;AAGtC,cAAc,oBAAoB,CAAC"}

package/dist/services/audit/detectors/ad/index.js

@@ -0,0 +1,51 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAdvancedVulnerabilities = exports.detectNtlmRelayOpportunity = exports.detectDcsyncCapable = exports.detectReplicationRights = exports.detectForeignSecurityPrincipals = exports.detectDangerousLogonScripts = exports.detectAdcsWeakPermissions = exports.detectDelegationPrivilege = exports.detectMachineAccountQuotaAbuse = exports.detectWeakKerberosPolicy = exports.detectWeakPasswordPolicy = exports.detectDuplicateSpn = exports.detectLapsPasswordLeaked = exports.detectLapsPasswordSet = exports.detectLapsLegacyAttribute = exports.detectLapsPasswordReadable = exports.detectLapsNotDeployed = exports.detectRbcdAbuse = exports.detectShadowCredentials = void 0;
+__exportStar(require("./password.detector"), exports);
+__exportStar(require("./kerberos.detector"), exports);
+__exportStar(require("./accounts.detector"), exports);
+__exportStar(require("./groups.detector"), exports);
+__exportStar(require("./computers.detector"), exports);
+var advanced_detector_1 = require("./advanced.detector");
+Object.defineProperty(exports, "detectShadowCredentials", { enumerable: true, get: function () { return advanced_detector_1.detectShadowCredentials; } });
+Object.defineProperty(exports, "detectRbcdAbuse", { enumerable: true, get: function () { return advanced_detector_1.detectRbcdAbuse; } });
+Object.defineProperty(exports, "detectLapsNotDeployed", { enumerable: true, get: function () { return advanced_detector_1.detectLapsNotDeployed; } });
+Object.defineProperty(exports, "detectLapsPasswordReadable", { enumerable: true, get: function () { return advanced_detector_1.detectLapsPasswordReadable; } });
+Object.defineProperty(exports, "detectLapsLegacyAttribute", { enumerable: true, get: function () { return advanced_detector_1.detectLapsLegacyAttribute; } });
+Object.defineProperty(exports, "detectLapsPasswordSet", { enumerable: true, get: function () { return advanced_detector_1.detectLapsPasswordSet; } });
+Object.defineProperty(exports, "detectLapsPasswordLeaked", { enumerable: true, get: function () { return advanced_detector_1.detectLapsPasswordLeaked; } });
+Object.defineProperty(exports, "detectDuplicateSpn", { enumerable: true, get: function () { return advanced_detector_1.detectDuplicateSpn; } });
+Object.defineProperty(exports, "detectWeakPasswordPolicy", { enumerable: true, get: function () { return advanced_detector_1.detectWeakPasswordPolicy; } });
+Object.defineProperty(exports, "detectWeakKerberosPolicy", { enumerable: true, get: function () { return advanced_detector_1.detectWeakKerberosPolicy; } });
+Object.defineProperty(exports, "detectMachineAccountQuotaAbuse", { enumerable: true, get: function () { return advanced_detector_1.detectMachineAccountQuotaAbuse; } });
+Object.defineProperty(exports, "detectDelegationPrivilege", { enumerable: true, get: function () { return advanced_detector_1.detectDelegationPrivilege; } });
+Object.defineProperty(exports, "detectAdcsWeakPermissions", { enumerable: true, get: function () { return advanced_detector_1.detectAdcsWeakPermissions; } });
+Object.defineProperty(exports, "detectDangerousLogonScripts", { enumerable: true, get: function () { return advanced_detector_1.detectDangerousLogonScripts; } });
+Object.defineProperty(exports, "detectForeignSecurityPrincipals", { enumerable: true, get: function () { return advanced_detector_1.detectForeignSecurityPrincipals; } });
+Object.defineProperty(exports, "detectReplicationRights", { enumerable: true, get: function () { return advanced_detector_1.detectReplicationRights; } });
+Object.defineProperty(exports, "detectDcsyncCapable", { enumerable: true, get: function () { return advanced_detector_1.detectDcsyncCapable; } });
+Object.defineProperty(exports, "detectNtlmRelayOpportunity", { enumerable: true, get: function () { return advanced_detector_1.detectNtlmRelayOpportunity; } });
+Object.defineProperty(exports, "detectAdvancedVulnerabilities", { enumerable: true, get: function () { return advanced_detector_1.detectAdvancedVulnerabilities; } });
+__exportStar(require("./permissions.detector"), exports);
+__exportStar(require("./adcs.detector"), exports);
+__exportStar(require("./gpo.detector"), exports);
+__exportStar(require("./trusts.detector"), exports);
+__exportStar(require("./attack-paths.detector"), exports);
+__exportStar(require("./monitoring.detector"), exports);
+__exportStar(require("./compliance.detector"), exports);
+__exportStar(require("./network.detector"), exports);
+//# sourceMappingURL=index.js.map

package/dist/services/audit/detectors/ad/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/ad/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAwBA,sDAAoC;AAGpC,sDAAoC;AAGpC,sDAAoC;AAGpC,oDAAkC;AAGlC,uDAAqC;AAGrC,yDAoB6B;AAnB3B,4HAAA,uBAAuB,OAAA;AACvB,oHAAA,eAAe,OAAA;AACf,0HAAA,qBAAqB,OAAA;AACrB,+HAAA,0BAA0B,OAAA;AAC1B,8HAAA,yBAAyB,OAAA;AACzB,0HAAA,qBAAqB,OAAA;AACrB,6HAAA,wBAAwB,OAAA;AACxB,uHAAA,kBAAkB,OAAA;AAClB,6HAAA,wBAAwB,OAAA;AACxB,6HAAA,wBAAwB,OAAA;AACxB,mIAAA,8BAA8B,OAAA;AAC9B,8HAAA,yBAAyB,OAAA;AACzB,8HAAA,yBAAyB,OAAA;AACzB,gIAAA,2BAA2B,OAAA;AAC3B,oIAAA,+BAA+B,OAAA;AAC/B,4HAAA,uBAAuB,OAAA;AACvB,wHAAA,mBAAmB,OAAA;AACnB,+HAAA,0BAA0B,OAAA;AAC1B,kIAAA,6BAA6B,OAAA;AAI/B,yDAAuC;AAGvC,kDAAgC;AAGhC,iDAA+B;AAG/B,oDAAkC;AAGlC,0DAAwC;AAGxC,wDAAsC;AAGtC,wDAAsC;AAGtC,qDAAmC"}

package/dist/services/audit/detectors/ad/kerberos.detector.d.ts

@@ -0,0 +1,17 @@
+import { ADUser } from '../../../../types/ad.types';
+import { Finding } from '../../../../types/finding.types';
+export declare function detectAsrepRoastingRisk(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectUnconstrainedDelegation(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectGoldenTicketRisk(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectKerberoastingRisk(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectConstrainedDelegation(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectWeakEncryptionDES(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectAdminAsrepRoastable(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectWeakEncryptionRC4(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectWeakEncryptionFlag(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectKerberosAesDisabled(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectKerberosRc4Fallback(users: ADUser[], includeDetails: boolean): Finding;
+export declare function detectKerberosTicketLifetimeLong(_users: ADUser[], _includeDetails: boolean): Finding;
+export declare function detectKerberosRenewableTicketLong(_users: ADUser[], _includeDetails: boolean): Finding;
+export declare function detectKerberosVulnerabilities(users: ADUser[], includeDetails: boolean): Finding[];
+//# sourceMappingURL=kerberos.detector.d.ts.map

package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kerberos.detector.d.ts","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/ad/kerberos.detector.ts"],"names":[],"mappings":"AAqBA,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,iCAAiC,CAAC;AAO1D,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAezF;AAMD,wBAAgB,6BAA6B,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAe/F;AAKD,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CA4BxF;AAKD,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAezF;AAMD,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAe7F;AAOD,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAyBzF;AAMD,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAsC3F;AAKD,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAgBzF;AAKD,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CAe1F;AAYD,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CA+B3F;AAWD,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,CA+B3F;AAWD,wBAAgB,gCAAgC,CAC9C,MAAM,EAAE,MAAM,EAAE,EAChB,eAAe,EAAE,OAAO,GACvB,OAAO,CAiBT;AAWD,wBAAgB,iCAAiC,CAC/C,MAAM,EAAE,MAAM,EAAE,EAChB,eAAe,EAAE,OAAO,GACvB,OAAO,CAeT;AAKD,wBAAgB,6BAA6B,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,OAAO,GAAG,OAAO,EAAE,CAiBjG"}