@etcsec-com/etc-collector 1.4.0
- package/.env.example +60 -0
- package/.env.test.example +33 -0
- package/.github/workflows/ci.yml +83 -0
- package/.github/workflows/release.yml +246 -0
- package/.prettierrc.json +10 -0
- package/CHANGELOG.md +15 -0
- package/Dockerfile +57 -0
- package/LICENSE +190 -0
- package/README.md +194 -0
- package/dist/api/controllers/audit.controller.d.ts +21 -0
- package/dist/api/controllers/audit.controller.d.ts.map +1 -0
- package/dist/api/controllers/audit.controller.js +179 -0
- package/dist/api/controllers/audit.controller.js.map +1 -0
- package/dist/api/controllers/auth.controller.d.ts +16 -0
- package/dist/api/controllers/auth.controller.d.ts.map +1 -0
- package/dist/api/controllers/auth.controller.js +146 -0
- package/dist/api/controllers/auth.controller.js.map +1 -0
- package/dist/api/controllers/export.controller.d.ts +27 -0
- package/dist/api/controllers/export.controller.d.ts.map +1 -0
- package/dist/api/controllers/export.controller.js +80 -0
- package/dist/api/controllers/export.controller.js.map +1 -0
- package/dist/api/controllers/health.controller.d.ts +5 -0
- package/dist/api/controllers/health.controller.d.ts.map +1 -0
- package/dist/api/controllers/health.controller.js +16 -0
- package/dist/api/controllers/health.controller.js.map +1 -0
- package/dist/api/controllers/jobs.controller.d.ts +13 -0
- package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
- package/dist/api/controllers/jobs.controller.js +125 -0
- package/dist/api/controllers/jobs.controller.js.map +1 -0
- package/dist/api/controllers/providers.controller.d.ts +15 -0
- package/dist/api/controllers/providers.controller.d.ts.map +1 -0
- package/dist/api/controllers/providers.controller.js +112 -0
- package/dist/api/controllers/providers.controller.js.map +1 -0
- package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
- package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
- package/dist/api/dto/AuditRequest.dto.js +3 -0
- package/dist/api/dto/AuditRequest.dto.js.map +1 -0
- package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
- package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
- package/dist/api/dto/AuditResponse.dto.js +3 -0
- package/dist/api/dto/AuditResponse.dto.js.map +1 -0
- package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
- package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
- package/dist/api/dto/TokenRequest.dto.js +3 -0
- package/dist/api/dto/TokenRequest.dto.js.map +1 -0
- package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
- package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
- package/dist/api/dto/TokenResponse.dto.js +3 -0
- package/dist/api/dto/TokenResponse.dto.js.map +1 -0
- package/dist/api/middlewares/authenticate.d.ts +12 -0
- package/dist/api/middlewares/authenticate.d.ts.map +1 -0
- package/dist/api/middlewares/authenticate.js +141 -0
- package/dist/api/middlewares/authenticate.js.map +1 -0
- package/dist/api/middlewares/errorHandler.d.ts +3 -0
- package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
- package/dist/api/middlewares/errorHandler.js +30 -0
- package/dist/api/middlewares/errorHandler.js.map +1 -0
- package/dist/api/middlewares/rateLimit.d.ts +3 -0
- package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
- package/dist/api/middlewares/rateLimit.js +34 -0
- package/dist/api/middlewares/rateLimit.js.map +1 -0
- package/dist/api/middlewares/validate.d.ts +4 -0
- package/dist/api/middlewares/validate.d.ts.map +1 -0
- package/dist/api/middlewares/validate.js +31 -0
- package/dist/api/middlewares/validate.js.map +1 -0
- package/dist/api/routes/audit.routes.d.ts +5 -0
- package/dist/api/routes/audit.routes.d.ts.map +1 -0
- package/dist/api/routes/audit.routes.js +24 -0
- package/dist/api/routes/audit.routes.js.map +1 -0
- package/dist/api/routes/auth.routes.d.ts +6 -0
- package/dist/api/routes/auth.routes.d.ts.map +1 -0
- package/dist/api/routes/auth.routes.js +22 -0
- package/dist/api/routes/auth.routes.js.map +1 -0
- package/dist/api/routes/export.routes.d.ts +5 -0
- package/dist/api/routes/export.routes.d.ts.map +1 -0
- package/dist/api/routes/export.routes.js +16 -0
- package/dist/api/routes/export.routes.js.map +1 -0
- package/dist/api/routes/health.routes.d.ts +4 -0
- package/dist/api/routes/health.routes.d.ts.map +1 -0
- package/dist/api/routes/health.routes.js +11 -0
- package/dist/api/routes/health.routes.js.map +1 -0
- package/dist/api/routes/index.d.ts +10 -0
- package/dist/api/routes/index.d.ts.map +1 -0
- package/dist/api/routes/index.js +20 -0
- package/dist/api/routes/index.js.map +1 -0
- package/dist/api/routes/providers.routes.d.ts +5 -0
- package/dist/api/routes/providers.routes.d.ts.map +1 -0
- package/dist/api/routes/providers.routes.js +13 -0
- package/dist/api/routes/providers.routes.js.map +1 -0
- package/dist/api/validators/audit.schemas.d.ts +60 -0
- package/dist/api/validators/audit.schemas.d.ts.map +1 -0
- package/dist/api/validators/audit.schemas.js +55 -0
- package/dist/api/validators/audit.schemas.js.map +1 -0
- package/dist/api/validators/auth.schemas.d.ts +17 -0
- package/dist/api/validators/auth.schemas.d.ts.map +1 -0
- package/dist/api/validators/auth.schemas.js +21 -0
- package/dist/api/validators/auth.schemas.js.map +1 -0
- package/dist/app.d.ts +3 -0
- package/dist/app.d.ts.map +1 -0
- package/dist/app.js +62 -0
- package/dist/app.js.map +1 -0
- package/dist/config/config.schema.d.ts +65 -0
- package/dist/config/config.schema.d.ts.map +1 -0
- package/dist/config/config.schema.js +95 -0
- package/dist/config/config.schema.js.map +1 -0
- package/dist/config/index.d.ts +4 -0
- package/dist/config/index.d.ts.map +1 -0
- package/dist/config/index.js +75 -0
- package/dist/config/index.js.map +1 -0
- package/dist/container.d.ts +47 -0
- package/dist/container.d.ts.map +1 -0
- package/dist/container.js +137 -0
- package/dist/container.js.map +1 -0
- package/dist/data/database.d.ts +13 -0
- package/dist/data/database.d.ts.map +1 -0
- package/dist/data/database.js +68 -0
- package/dist/data/database.js.map +1 -0
- package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
- package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
- package/dist/data/jobs/token-cleanup.job.js +96 -0
- package/dist/data/jobs/token-cleanup.job.js.map +1 -0
- package/dist/data/migrations/migration.runner.d.ts +13 -0
- package/dist/data/migrations/migration.runner.d.ts.map +1 -0
- package/dist/data/migrations/migration.runner.js +136 -0
- package/dist/data/migrations/migration.runner.js.map +1 -0
- package/dist/data/models/Token.model.d.ts +30 -0
- package/dist/data/models/Token.model.d.ts.map +1 -0
- package/dist/data/models/Token.model.js +3 -0
- package/dist/data/models/Token.model.js.map +1 -0
- package/dist/data/repositories/token.repository.d.ts +16 -0
- package/dist/data/repositories/token.repository.d.ts.map +1 -0
- package/dist/data/repositories/token.repository.js +97 -0
- package/dist/data/repositories/token.repository.js.map +1 -0
- package/dist/providers/azure/auth.provider.d.ts +5 -0
- package/dist/providers/azure/auth.provider.d.ts.map +1 -0
- package/dist/providers/azure/auth.provider.js +13 -0
- package/dist/providers/azure/auth.provider.js.map +1 -0
- package/dist/providers/azure/azure-errors.d.ts +40 -0
- package/dist/providers/azure/azure-errors.d.ts.map +1 -0
- package/dist/providers/azure/azure-errors.js +121 -0
- package/dist/providers/azure/azure-errors.js.map +1 -0
- package/dist/providers/azure/azure-retry.d.ts +41 -0
- package/dist/providers/azure/azure-retry.d.ts.map +1 -0
- package/dist/providers/azure/azure-retry.js +85 -0
- package/dist/providers/azure/azure-retry.js.map +1 -0
- package/dist/providers/azure/graph-client.d.ts +26 -0
- package/dist/providers/azure/graph-client.d.ts.map +1 -0
- package/dist/providers/azure/graph-client.js +146 -0
- package/dist/providers/azure/graph-client.js.map +1 -0
- package/dist/providers/azure/graph.provider.d.ts +23 -0
- package/dist/providers/azure/graph.provider.d.ts.map +1 -0
- package/dist/providers/azure/graph.provider.js +161 -0
- package/dist/providers/azure/graph.provider.js.map +1 -0
- package/dist/providers/azure/queries/app.queries.d.ts +6 -0
- package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
- package/dist/providers/azure/queries/app.queries.js +9 -0
- package/dist/providers/azure/queries/app.queries.js.map +1 -0
- package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
- package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
- package/dist/providers/azure/queries/policy.queries.js +9 -0
- package/dist/providers/azure/queries/policy.queries.js.map +1 -0
- package/dist/providers/azure/queries/user.queries.d.ts +7 -0
- package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
- package/dist/providers/azure/queries/user.queries.js +10 -0
- package/dist/providers/azure/queries/user.queries.js.map +1 -0
- package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
- package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
- package/dist/providers/interfaces/IGraphProvider.js +3 -0
- package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
- package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
- package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
- package/dist/providers/interfaces/ILDAPProvider.js +3 -0
- package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
- package/dist/providers/ldap/acl-parser.d.ts +8 -0
- package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
- package/dist/providers/ldap/acl-parser.js +157 -0
- package/dist/providers/ldap/acl-parser.js.map +1 -0
- package/dist/providers/ldap/ad-mappers.d.ts +8 -0
- package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
- package/dist/providers/ldap/ad-mappers.js +162 -0
- package/dist/providers/ldap/ad-mappers.js.map +1 -0
- package/dist/providers/ldap/ldap-client.d.ts +33 -0
- package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-client.js +195 -0
- package/dist/providers/ldap/ldap-client.js.map +1 -0
- package/dist/providers/ldap/ldap-errors.d.ts +48 -0
- package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-errors.js +120 -0
- package/dist/providers/ldap/ldap-errors.js.map +1 -0
- package/dist/providers/ldap/ldap-retry.d.ts +14 -0
- package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-retry.js +102 -0
- package/dist/providers/ldap/ldap-retry.js.map +1 -0
- package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
- package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
- package/dist/providers/ldap/ldap-sanitizer.js +104 -0
- package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
- package/dist/providers/ldap/ldap.provider.d.ts +21 -0
- package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
- package/dist/providers/ldap/ldap.provider.js +165 -0
- package/dist/providers/ldap/ldap.provider.js.map +1 -0
- package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
- package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
- package/dist/providers/ldap/queries/computer.queries.js +9 -0
- package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
- package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
- package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
- package/dist/providers/ldap/queries/group.queries.js +9 -0
- package/dist/providers/ldap/queries/group.queries.js.map +1 -0
- package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
- package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
- package/dist/providers/ldap/queries/user.queries.js +10 -0
- package/dist/providers/ldap/queries/user.queries.js.map +1 -0
- package/dist/providers/smb/smb.provider.d.ts +68 -0
- package/dist/providers/smb/smb.provider.d.ts.map +1 -0
- package/dist/providers/smb/smb.provider.js +382 -0
- package/dist/providers/smb/smb.provider.js.map +1 -0
- package/dist/server.d.ts +2 -0
- package/dist/server.d.ts.map +1 -0
- package/dist/server.js +44 -0
- package/dist/server.js.map +1 -0
- package/dist/services/audit/ad-audit.service.d.ts +70 -0
- package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
- package/dist/services/audit/ad-audit.service.js +1019 -0
- package/dist/services/audit/ad-audit.service.js.map +1 -0
- package/dist/services/audit/attack-graph.service.d.ts +62 -0
- package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
- package/dist/services/audit/attack-graph.service.js +702 -0
- package/dist/services/audit/attack-graph.service.js.map +1 -0
- package/dist/services/audit/audit.service.d.ts +4 -0
- package/dist/services/audit/audit.service.d.ts.map +1 -0
- package/dist/services/audit/audit.service.js +10 -0
- package/dist/services/audit/audit.service.js.map +1 -0
- package/dist/services/audit/azure-audit.service.d.ts +37 -0
- package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
- package/dist/services/audit/azure-audit.service.js +153 -0
- package/dist/services/audit/azure-audit.service.js.map +1 -0
- package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
- package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
- package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
- package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
- package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
- package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
- package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
- package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
- package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
- package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
- package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
- package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
- package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
- package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
- package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
- package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/index.d.ts +15 -0
- package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/index.js +51 -0
- package/dist/services/audit/detectors/ad/index.js.map +1 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
- package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
- package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
- package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/network.detector.js +257 -0
- package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
- package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/password.detector.js +235 -0
- package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
- package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
- package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
- package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
- package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
- package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
- package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
- package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
- package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
- package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
- package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
- package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
- package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
- package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
- package/dist/services/audit/detectors/index.d.ts +2 -0
- package/dist/services/audit/detectors/index.d.ts.map +1 -0
- package/dist/services/audit/detectors/index.js +38 -0
- package/dist/services/audit/detectors/index.js.map +1 -0
- package/dist/services/audit/response-formatter.d.ts +176 -0
- package/dist/services/audit/response-formatter.d.ts.map +1 -0
- package/dist/services/audit/response-formatter.js +240 -0
- package/dist/services/audit/response-formatter.js.map +1 -0
- package/dist/services/audit/scoring.service.d.ts +15 -0
- package/dist/services/audit/scoring.service.d.ts.map +1 -0
- package/dist/services/audit/scoring.service.js +139 -0
- package/dist/services/audit/scoring.service.js.map +1 -0
- package/dist/services/auth/crypto.service.d.ts +19 -0
- package/dist/services/auth/crypto.service.d.ts.map +1 -0
- package/dist/services/auth/crypto.service.js +135 -0
- package/dist/services/auth/crypto.service.js.map +1 -0
- package/dist/services/auth/errors.d.ts +19 -0
- package/dist/services/auth/errors.d.ts.map +1 -0
- package/dist/services/auth/errors.js +46 -0
- package/dist/services/auth/errors.js.map +1 -0
- package/dist/services/auth/token.service.d.ts +41 -0
- package/dist/services/auth/token.service.d.ts.map +1 -0
- package/dist/services/auth/token.service.js +208 -0
- package/dist/services/auth/token.service.js.map +1 -0
- package/dist/services/config/config.service.d.ts +6 -0
- package/dist/services/config/config.service.d.ts.map +1 -0
- package/dist/services/config/config.service.js +64 -0
- package/dist/services/config/config.service.js.map +1 -0
- package/dist/services/export/export.service.d.ts +28 -0
- package/dist/services/export/export.service.d.ts.map +1 -0
- package/dist/services/export/export.service.js +28 -0
- package/dist/services/export/export.service.js.map +1 -0
- package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
- package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
- package/dist/services/export/formatters/csv.formatter.js +46 -0
- package/dist/services/export/formatters/csv.formatter.js.map +1 -0
- package/dist/services/export/formatters/json.formatter.d.ts +40 -0
- package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
- package/dist/services/export/formatters/json.formatter.js +58 -0
- package/dist/services/export/formatters/json.formatter.js.map +1 -0
- package/dist/services/jobs/azure-job-runner.d.ts +38 -0
- package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
- package/dist/services/jobs/azure-job-runner.js +199 -0
- package/dist/services/jobs/azure-job-runner.js.map +1 -0
- package/dist/services/jobs/index.d.ts +4 -0
- package/dist/services/jobs/index.d.ts.map +1 -0
- package/dist/services/jobs/index.js +20 -0
- package/dist/services/jobs/index.js.map +1 -0
- package/dist/services/jobs/job-runner.d.ts +64 -0
- package/dist/services/jobs/job-runner.d.ts.map +1 -0
- package/dist/services/jobs/job-runner.js +952 -0
- package/dist/services/jobs/job-runner.js.map +1 -0
- package/dist/services/jobs/job-store.d.ts +27 -0
- package/dist/services/jobs/job-store.d.ts.map +1 -0
- package/dist/services/jobs/job-store.js +261 -0
- package/dist/services/jobs/job-store.js.map +1 -0
- package/dist/services/jobs/job.types.d.ts +67 -0
- package/dist/services/jobs/job.types.d.ts.map +1 -0
- package/dist/services/jobs/job.types.js +36 -0
- package/dist/services/jobs/job.types.js.map +1 -0
- package/dist/types/ad.types.d.ts +74 -0
- package/dist/types/ad.types.d.ts.map +1 -0
- package/dist/types/ad.types.js +3 -0
- package/dist/types/ad.types.js.map +1 -0
- package/dist/types/adcs.types.d.ts +58 -0
- package/dist/types/adcs.types.d.ts.map +1 -0
- package/dist/types/adcs.types.js +38 -0
- package/dist/types/adcs.types.js.map +1 -0
- package/dist/types/attack-graph.types.d.ts +135 -0
- package/dist/types/attack-graph.types.d.ts.map +1 -0
- package/dist/types/attack-graph.types.js +58 -0
- package/dist/types/attack-graph.types.js.map +1 -0
- package/dist/types/audit.types.d.ts +34 -0
- package/dist/types/audit.types.d.ts.map +1 -0
- package/dist/types/audit.types.js +3 -0
- package/dist/types/audit.types.js.map +1 -0
- package/dist/types/azure.types.d.ts +61 -0
- package/dist/types/azure.types.d.ts.map +1 -0
- package/dist/types/azure.types.js +3 -0
- package/dist/types/azure.types.js.map +1 -0
- package/dist/types/config.types.d.ts +63 -0
- package/dist/types/config.types.d.ts.map +1 -0
- package/dist/types/config.types.js +3 -0
- package/dist/types/config.types.js.map +1 -0
- package/dist/types/error.types.d.ts +33 -0
- package/dist/types/error.types.d.ts.map +1 -0
- package/dist/types/error.types.js +70 -0
- package/dist/types/error.types.js.map +1 -0
- package/dist/types/finding.types.d.ts +133 -0
- package/dist/types/finding.types.d.ts.map +1 -0
- package/dist/types/finding.types.js +3 -0
- package/dist/types/finding.types.js.map +1 -0
- package/dist/types/gpo.types.d.ts +39 -0
- package/dist/types/gpo.types.d.ts.map +1 -0
- package/dist/types/gpo.types.js +15 -0
- package/dist/types/gpo.types.js.map +1 -0
- package/dist/types/token.types.d.ts +26 -0
- package/dist/types/token.types.d.ts.map +1 -0
- package/dist/types/token.types.js +3 -0
- package/dist/types/token.types.js.map +1 -0
- package/dist/types/trust.types.d.ts +45 -0
- package/dist/types/trust.types.d.ts.map +1 -0
- package/dist/types/trust.types.js +71 -0
- package/dist/types/trust.types.js.map +1 -0
- package/dist/utils/entity-converter.d.ts +17 -0
- package/dist/utils/entity-converter.d.ts.map +1 -0
- package/dist/utils/entity-converter.js +285 -0
- package/dist/utils/entity-converter.js.map +1 -0
- package/dist/utils/graph.util.d.ts +66 -0
- package/dist/utils/graph.util.d.ts.map +1 -0
- package/dist/utils/graph.util.js +382 -0
- package/dist/utils/graph.util.js.map +1 -0
- package/dist/utils/logger.d.ts +7 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +86 -0
- package/dist/utils/logger.js.map +1 -0
- package/dist/utils/type-name-normalizer.d.ts +5 -0
- package/dist/utils/type-name-normalizer.d.ts.map +1 -0
- package/dist/utils/type-name-normalizer.js +218 -0
- package/dist/utils/type-name-normalizer.js.map +1 -0
- package/docker-compose.yml +26 -0
- package/docs/api/README.md +178 -0
- package/docs/api/openapi.yaml +1524 -0
- package/eslint.config.js +54 -0
- package/jest.config.js +38 -0
- package/package.json +97 -0
- package/scripts/fetch-ad-cert.sh +142 -0
- package/src/.gitkeep +0 -0
- package/src/api/.gitkeep +0 -0
- package/src/api/controllers/.gitkeep +0 -0
- package/src/api/controllers/audit.controller.ts +313 -0
- package/src/api/controllers/auth.controller.ts +258 -0
- package/src/api/controllers/export.controller.ts +153 -0
- package/src/api/controllers/health.controller.ts +16 -0
- package/src/api/controllers/jobs.controller.ts +187 -0
- package/src/api/controllers/providers.controller.ts +165 -0
- package/src/api/dto/.gitkeep +0 -0
- package/src/api/dto/AuditRequest.dto.ts +8 -0
- package/src/api/dto/AuditResponse.dto.ts +19 -0
- package/src/api/dto/TokenRequest.dto.ts +8 -0
- package/src/api/dto/TokenResponse.dto.ts +14 -0
- package/src/api/middlewares/.gitkeep +0 -0
- package/src/api/middlewares/authenticate.ts +203 -0
- package/src/api/middlewares/errorHandler.ts +54 -0
- package/src/api/middlewares/rateLimit.ts +35 -0
- package/src/api/middlewares/validate.ts +32 -0
- package/src/api/routes/.gitkeep +0 -0
- package/src/api/routes/audit.routes.ts +77 -0
- package/src/api/routes/auth.routes.ts +71 -0
- package/src/api/routes/export.routes.ts +34 -0
- package/src/api/routes/health.routes.ts +14 -0
- package/src/api/routes/index.ts +40 -0
- package/src/api/routes/providers.routes.ts +24 -0
- package/src/api/validators/.gitkeep +0 -0
- package/src/api/validators/audit.schemas.ts +59 -0
- package/src/api/validators/auth.schemas.ts +59 -0
- package/src/app.ts +87 -0
- package/src/config/.gitkeep +0 -0
- package/src/config/config.schema.ts +108 -0
- package/src/config/index.ts +82 -0
- package/src/container.ts +221 -0
- package/src/data/.gitkeep +0 -0
- package/src/data/database.ts +78 -0
- package/src/data/jobs/token-cleanup.job.ts +166 -0
- package/src/data/migrations/.gitkeep +0 -0
- package/src/data/migrations/001_initial_schema.sql +47 -0
- package/src/data/migrations/migration.runner.ts +125 -0
- package/src/data/models/.gitkeep +0 -0
- package/src/data/models/Token.model.ts +35 -0
- package/src/data/repositories/.gitkeep +0 -0
- package/src/data/repositories/token.repository.ts +160 -0
- package/src/providers/.gitkeep +0 -0
- package/src/providers/azure/.gitkeep +0 -0
- package/src/providers/azure/auth.provider.ts +14 -0
- package/src/providers/azure/azure-errors.ts +189 -0
- package/src/providers/azure/azure-retry.ts +168 -0
- package/src/providers/azure/graph-client.ts +315 -0
- package/src/providers/azure/graph.provider.ts +294 -0
- package/src/providers/azure/queries/app.queries.ts +9 -0
- package/src/providers/azure/queries/policy.queries.ts +9 -0
- package/src/providers/azure/queries/user.queries.ts +10 -0
- package/src/providers/interfaces/.gitkeep +0 -0
- package/src/providers/interfaces/IGraphProvider.ts +117 -0
- package/src/providers/interfaces/ILDAPProvider.ts +142 -0
- package/src/providers/ldap/.gitkeep +0 -0
- package/src/providers/ldap/acl-parser.ts +231 -0
- package/src/providers/ldap/ad-mappers.ts +280 -0
- package/src/providers/ldap/ldap-client.ts +259 -0
- package/src/providers/ldap/ldap-errors.ts +188 -0
- package/src/providers/ldap/ldap-retry.ts +267 -0
- package/src/providers/ldap/ldap-sanitizer.ts +273 -0
- package/src/providers/ldap/ldap.provider.ts +293 -0
- package/src/providers/ldap/queries/computer.queries.ts +9 -0
- package/src/providers/ldap/queries/group.queries.ts +9 -0
- package/src/providers/ldap/queries/user.queries.ts +10 -0
- package/src/providers/smb/smb.provider.ts +653 -0
- package/src/server.ts +60 -0
- package/src/services/.gitkeep +0 -0
- package/src/services/audit/.gitkeep +0 -0
- package/src/services/audit/ad-audit.service.ts +1481 -0
- package/src/services/audit/attack-graph.service.ts +1104 -0
- package/src/services/audit/audit.service.ts +12 -0
- package/src/services/audit/azure-audit.service.ts +286 -0
- package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
- package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
- package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
- package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
- package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
- package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
- package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
- package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
- package/src/services/audit/detectors/ad/index.ts +84 -0
- package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
- package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
- package/src/services/audit/detectors/ad/network.detector.ts +538 -0
- package/src/services/audit/detectors/ad/password.detector.ts +324 -0
- package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
- package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
- package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
- package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
- package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
- package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
- package/src/services/audit/detectors/index.ts +18 -0
- package/src/services/audit/response-formatter.ts +604 -0
- package/src/services/audit/scoring.service.ts +234 -0
- package/src/services/auth/.gitkeep +0 -0
- package/src/services/auth/crypto.service.ts +230 -0
- package/src/services/auth/errors.ts +47 -0
- package/src/services/auth/token.service.ts +420 -0
- package/src/services/config/.gitkeep +0 -0
- package/src/services/config/config.service.ts +75 -0
- package/src/services/export/.gitkeep +0 -0
- package/src/services/export/export.service.ts +99 -0
- package/src/services/export/formatters/csv.formatter.ts +124 -0
- package/src/services/export/formatters/json.formatter.ts +160 -0
- package/src/services/jobs/azure-job-runner.ts +312 -0
- package/src/services/jobs/index.ts +9 -0
- package/src/services/jobs/job-runner.ts +1280 -0
- package/src/services/jobs/job-store.ts +384 -0
- package/src/services/jobs/job.types.ts +182 -0
- package/src/types/.gitkeep +0 -0
- package/src/types/ad.types.ts +91 -0
- package/src/types/adcs.types.ts +107 -0
- package/src/types/attack-graph.types.ts +260 -0
- package/src/types/audit.types.ts +42 -0
- package/src/types/azure.types.ts +68 -0
- package/src/types/config.types.ts +79 -0
- package/src/types/error.types.ts +69 -0
- package/src/types/finding.types.ts +284 -0
- package/src/types/gpo.types.ts +72 -0
- package/src/types/smb2.d.ts +73 -0
- package/src/types/token.types.ts +32 -0
- package/src/types/trust.types.ts +140 -0
- package/src/utils/.gitkeep +0 -0
- package/src/utils/entity-converter.ts +453 -0
- package/src/utils/graph.util.ts +609 -0
- package/src/utils/logger.ts +111 -0
- package/src/utils/type-name-normalizer.ts +302 -0
- package/tests/.gitkeep +0 -0
- package/tests/e2e/.gitkeep +0 -0
- package/tests/fixtures/.gitkeep +0 -0
- package/tests/integration/.gitkeep +0 -0
- package/tests/integration/README.md +156 -0
- package/tests/integration/ad-audit.integration.test.ts +216 -0
- package/tests/integration/api/.gitkeep +0 -0
- package/tests/integration/api/endpoints.integration.test.ts +431 -0
- package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
- package/tests/integration/providers/.gitkeep +0 -0
- package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
- package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
- package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
- package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
- package/tests/mocks/.gitkeep +0 -0
- package/tests/setup.ts +16 -0
- package/tests/unit/.gitkeep +0 -0
- package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
- package/tests/unit/providers/.gitkeep +0 -0
- package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
- package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
- package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
- package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
- package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
- package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
- package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
- package/tests/unit/sample.test.ts +19 -0
- package/tests/unit/services/.gitkeep +0 -0
- package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
- package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
- package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
- package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
- package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
- package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
- package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
- package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
- package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
- package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
- package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
- package/tests/unit/services/auth/crypto.service.test.ts +296 -0
- package/tests/unit/services/auth/token.service.test.ts +579 -0
- package/tests/unit/services/export/export.service.test.ts +241 -0
- package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
- package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
- package/tests/unit/utils/.gitkeep +0 -0
- package/tsconfig.json +50 -0
|
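--- a/package/dist/services/audit/detectors/ad/kerberos.detector.js
+++ b/package/dist/services/audit/detectors/ad/kerberos.detector.js
@@ -0,0 +1,293 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectAsrepRoastingRisk = detectAsrepRoastingRisk;
+exports.detectUnconstrainedDelegation = detectUnconstrainedDelegation;
+exports.detectGoldenTicketRisk = detectGoldenTicketRisk;
+exports.detectKerberoastingRisk = detectKerberoastingRisk;
+exports.detectConstrainedDelegation = detectConstrainedDelegation;
+exports.detectWeakEncryptionDES = detectWeakEncryptionDES;
+exports.detectAdminAsrepRoastable = detectAdminAsrepRoastable;
+exports.detectWeakEncryptionRC4 = detectWeakEncryptionRC4;
+exports.detectWeakEncryptionFlag = detectWeakEncryptionFlag;
+exports.detectKerberosAesDisabled = detectKerberosAesDisabled;
+exports.detectKerberosRc4Fallback = detectKerberosRc4Fallback;
+exports.detectKerberosTicketLifetimeLong = detectKerberosTicketLifetimeLong;
+exports.detectKerberosRenewableTicketLong = detectKerberosRenewableTicketLong;
+exports.detectKerberosVulnerabilities = detectKerberosVulnerabilities;
+const entity_converter_1 = require("../../../../utils/entity-converter");
+function detectAsrepRoastingRisk(users, includeDetails) {
+const affected = users.filter((u) => {
+if (!u.userAccountControl)
+return false;
+return (u.userAccountControl & 0x400000) !== 0;
+});
+return {
+type: 'ASREP_ROASTING_RISK',
+severity: 'critical',
+category: 'kerberos',
+title: 'AS-REP Roasting Risk',
+description: 'User accounts without Kerberos pre-authentication required (UAC 0x400000). Vulnerable to AS-REP roasting attacks.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+};
+}
+function detectUnconstrainedDelegation(users, includeDetails) {
+const affected = users.filter((u) => {
+if (!u.userAccountControl)
+return false;
+return (u.userAccountControl & 0x80000) !== 0;
+});
+return {
+type: 'UNCONSTRAINED_DELEGATION',
+severity: 'critical',
+category: 'kerberos',
+title: 'Unconstrained Delegation',
+description: 'User accounts with unconstrained Kerberos delegation enabled (UAC 0x80000). Can impersonate any user.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+};
+}
+function detectGoldenTicketRisk(users, includeDetails) {
+const krbtgtAccount = users.find((u) => u.sAMAccountName === 'krbtgt');
+if (!krbtgtAccount || !krbtgtAccount.passwordLastSet) {
+return {
+type: 'GOLDEN_TICKET_RISK',
+severity: 'critical',
+category: 'kerberos',
+title: 'Golden Ticket Risk',
+description: 'krbtgt account password unchanged for 180+ days or password date unavailable. Enables persistent Golden Ticket attacks.',
+count: 0,
+};
+}
+const now = Date.now();
+const sixMonthsAgo = now - 180 * 24 * 60 * 60 * 1000;
+const passwordAge = krbtgtAccount.passwordLastSet.getTime();
+const isOld = passwordAge < sixMonthsAgo;
+return {
+type: 'GOLDEN_TICKET_RISK',
+severity: 'critical',
+category: 'kerberos',
+title: 'Golden Ticket Risk',
+description: `krbtgt account password unchanged for 180+ days. Enables persistent Golden Ticket attacks.`,
+count: isOld ? 1 : 0,
+affectedEntities: includeDetails && isOld ? [krbtgtAccount.dn] : undefined,
+};
+}
+function detectKerberoastingRisk(users, includeDetails) {
+const affected = users.filter((u) => {
+const spns = u['servicePrincipalName'];
+return spns && Array.isArray(spns) && spns.length > 0;
+});
+return {
+type: 'KERBEROASTING_RISK',
+severity: 'high',
+category: 'kerberos',
+title: 'Kerberoasting Risk',
+description: 'User accounts with Service Principal Names (SPNs). Vulnerable to Kerberoasting attacks to crack service account passwords.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+};
+}
+function detectConstrainedDelegation(users, includeDetails) {
+const affected = users.filter((u) => {
+if (!u.userAccountControl)
+return false;
+return (u.userAccountControl & 0x1000000) !== 0;
+});
+return {
+type: 'CONSTRAINED_DELEGATION',
+severity: 'high',
+category: 'kerberos',
+title: 'Constrained Delegation',
+description: 'User accounts with constrained Kerberos delegation configured (UAC 0x1000000). Can impersonate users to specific services.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+};
+}
+function detectWeakEncryptionDES(users, includeDetails) {
+const DES_TYPES = 0x3;
+const affected = users.filter((u) => {
+if (u.userAccountControl && (u.userAccountControl & 0x200000) !== 0) {
+return true;
+}
+const encTypes = u['msDS-SupportedEncryptionTypes'];
+if (typeof encTypes === 'number' && (encTypes & DES_TYPES) !== 0) {
+return true;
+}
+return false;
+});
+return {
+type: 'WEAK_ENCRYPTION_DES',
+severity: 'high',
+category: 'kerberos',
+title: 'Weak DES Encryption',
+description: 'User accounts with DES encryption algorithms enabled (UAC 0x200000 or msDS-SupportedEncryptionTypes). DES is cryptographically broken.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+};
+}
+function detectAdminAsrepRoastable(users, includeDetails) {
+const privilegedGroups = [
+'Domain Admins',
+'Enterprise Admins',
+'Schema Admins',
+'Administrators',
+'Account Operators',
+'Backup Operators',
+'Server Operators',
+];
+const affected = users.filter((u) => {
+if (!u.userAccountControl || (u.userAccountControl & 0x400000) === 0) {
+return false;
+}
+if (!u.memberOf)
+return false;
+return u.memberOf.some((dn) => privilegedGroups.some((group) => dn.toUpperCase().includes(`CN=${group.toUpperCase()}`)));
+});
+return {
+type: 'ADMIN_ASREP_ROASTABLE',
+severity: 'critical',
+category: 'kerberos',
+title: 'Privileged Account AS-REP Roastable',
+description: 'Privileged accounts (Domain Admins, Enterprise Admins, etc.) without Kerberos pre-authentication. ' +
+'High-value targets for AS-REP roasting attacks - immediate domain compromise risk.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+details: affected.length > 0 ? {
+risk: 'CRITICAL - Privileged account password hash can be obtained offline',
+recommendation: 'Enable Kerberos pre-authentication immediately for all privileged accounts',
+} : undefined,
+};
+}
+function detectWeakEncryptionRC4(users, includeDetails) {
+const affected = users.filter((u) => {
+const encTypes = u['msDS-SupportedEncryptionTypes'];
+if (typeof encTypes !== 'number')
+return false;
+return (encTypes & 4) !== 0 && (encTypes & 24) === 0;
+});
+return {
+type: 'WEAK_ENCRYPTION_RC4',
+severity: 'medium',
+category: 'kerberos',
+title: 'Weak RC4 Encryption',
+description: 'User accounts supporting RC4 encryption without AES. RC4 is deprecated and vulnerable to attacks.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+};
+}
+function detectWeakEncryptionFlag(users, includeDetails) {
+const affected = users.filter((u) => {
+if (!u.userAccountControl)
+return false;
+return (u.userAccountControl & 0x200000) !== 0;
+});
+return {
+type: 'WEAK_ENCRYPTION_FLAG',
+severity: 'medium',
+category: 'kerberos',
+title: 'Weak Encryption Flag',
+description: 'User accounts with USE_DES_KEY_ONLY flag enabled (UAC 0x200000). Forces weak DES encryption.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+};
+}
+function detectKerberosAesDisabled(users, includeDetails) {
+const AES_SUPPORT = 0x18;
+const affected = users.filter((u) => {
+if (!u.enabled)
+return false;
+const encTypes = u['msDS-SupportedEncryptionTypes'];
+if (encTypes !== undefined && (encTypes & AES_SUPPORT) === 0) {
+return true;
+}
+if (u.userAccountControl && (u.userAccountControl & 0x200000) !== 0) {
+return true;
+}
+return false;
+});
+return {
+type: 'KERBEROS_AES_DISABLED',
+severity: 'high',
+category: 'kerberos',
+title: 'AES Encryption Disabled',
+description: 'User accounts with AES Kerberos encryption disabled. ' +
+'Forces use of weaker DES/RC4 encryption vulnerable to offline attacks.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+};
+}
+function detectKerberosRc4Fallback(users, includeDetails) {
+const RC4_SUPPORT = 0x4;
+const AES_SUPPORT = 0x18;
+const affected = users.filter((u) => {
+if (!u.enabled)
+return false;
+const encTypes = u['msDS-SupportedEncryptionTypes'];
+if (encTypes === undefined)
+return false;
+const hasAes = (encTypes & AES_SUPPORT) !== 0;
+const hasRc4 = (encTypes & RC4_SUPPORT) !== 0;
+return hasAes && hasRc4;
+});
+return {
+type: 'KERBEROS_RC4_FALLBACK',
+severity: 'medium',
+category: 'kerberos',
+title: 'RC4 Fallback Enabled',
+description: 'User accounts support both AES and RC4 encryption. ' +
+'RC4 fallback enables downgrade attacks even when AES is available.',
+count: affected.length,
+affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(affected) : undefined,
+details: {
+recommendation: 'Disable RC4 support when AES is available.',
+},
+};
+}
+function detectKerberosTicketLifetimeLong(_users, _includeDetails) {
+return {
+type: 'KERBEROS_TICKET_LIFETIME_LONG',
+severity: 'medium',
+category: 'kerberos',
+title: 'Kerberos Ticket Lifetime Review',
+description: 'Kerberos ticket lifetime should be reviewed. ' +
+'Default of 10 hours is reasonable; longer lifetimes increase attack window.',
+count: 0,
+details: {
+recommendation: 'TGT lifetime should not exceed 10 hours. Service tickets should not exceed 600 minutes.',
+checkCommand: 'gpresult /r or check Default Domain Policy',
+},
+};
+}
+function detectKerberosRenewableTicketLong(_users, _includeDetails) {
+return {
+type: 'KERBEROS_RENEWABLE_TICKET_LONG',
+severity: 'low',
+category: 'kerberos',
+title: 'Kerberos Renewable Ticket Lifetime Review',
+description: 'Renewable ticket lifetime should be reviewed. ' +
+'Default of 7 days is reasonable; longer allows persistent access with stolen tickets.',
+count: 0,
+details: {
+recommendation: 'Renewable TGT lifetime should not exceed 7 days.',
+},
+};
+}
+function detectKerberosVulnerabilities(users, includeDetails) {
+return [
+detectAsrepRoastingRisk(users, includeDetails),
+detectAdminAsrepRoastable(users, includeDetails),
+detectUnconstrainedDelegation(users, includeDetails),
+detectGoldenTicketRisk(users, includeDetails),
+detectKerberoastingRisk(users, includeDetails),
+detectConstrainedDelegation(users, includeDetails),
+detectWeakEncryptionDES(users, includeDetails),
+detectWeakEncryptionRC4(users, includeDetails),
+detectWeakEncryptionFlag(users, includeDetails),
+detectKerberosAesDisabled(users, includeDetails),
+detectKerberosRc4Fallback(users, includeDetails),
+detectKerberosTicketLifetimeLong(users, includeDetails),
+detectKerberosRenewableTicketLong(users, includeDetails),
+].filter((finding) => finding.count > 0);
+}
+//# sourceMappingURL=kerberos.detector.js.map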
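Review bot: detectGoldenTicketRisk returns `count: 0` when the krbtgt account or its passwordLastSet is missing, so the "password date unavailable" case that its own description announces is removed by the `finding.count > 0` filter in detectKerberosVulnerabilities and never reaches the caller; the early-return branch should either report `count: 1,` with `affectedEntities: includeDetails && krbtgtAccount ? [krbtgtAccount.dn] : undefined,` or drop that wording from the description. detectKerberosTicketLifetimeLong and detectKerberosRenewableTicketLong are hard-coded to `count: 0` and are dropped by the same filter, so their review guidance is unreachable through the aggregate entry point. detectKerberosAesDisabled guards with `encTypes !== undefined` while the sibling detectors use `typeof encTypes === 'number'`; if the attribute ever arrives as a string it is coerced by `&` instead of being skipped, and a value of 0 is counted as "AES disabled", which deserves a comment on whether an unset attribute is meant to match. detectWeakEncryptionRC4 repeats the bare `4` and `24` masks that detectKerberosRc4Fallback names as RC4_SUPPORT and AES_SUPPORT, and UAC 0x200000 is counted by detectWeakEncryptionDES, detectWeakEncryptionFlag and detectKerberosAesDisabled alike, so one account produces three findings for the same flag.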
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"kerberos.detector.js","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/ad/kerberos.detector.ts"],"names":[],"mappings":";;AA6BA,0DAeC;AAMD,sEAeC;AAKD,wDA4BC;AAKD,0DAeC;AAMD,kEAeC;AAOD,0DAyBC;AAMD,8DAsCC;AAKD,0DAgBC;AAKD,4DAeC;AAYD,8DA+BC;AAWD,8DA+BC;AAWD,4EAoBC;AAWD,8EAkBC;AAKD,sEAiBC;AAhZD,yEAA4E;AAM5E,SAAgB,uBAAuB,CAAC,KAAe,EAAE,cAAuB;IAC9E,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,CAAC,CAAC,CAAC,kBAAkB;YAAE,OAAO,KAAK,CAAC;QACxC,OAAO,CAAC,CAAC,CAAC,kBAAkB,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,mHAAmH;QAChI,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAMD,SAAgB,6BAA6B,CAAC,KAAe,EAAE,cAAuB;IACpF,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,CAAC,CAAC,CAAC,kBAAkB;YAAE,OAAO,KAAK,CAAC;QACxC,OAAO,CAAC,CAAC,CAAC,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EAAE,uGAAuG;QACpH,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAKD,SAAgB,sBAAsB,CAAC,KAAe,EAAE,cAAuB;IAC7E,MAAM,aAAa,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,QAAQ,CAAC,CAAC;IAEvE,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,CAAC,eAAe,EAAE,CAAC;QACrD,OAAO;YACL,IAAI,EAAE,oBAAoB;YAC1B,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,oBAAoB;YAC3B,WAAW,EAAE,yHAAyH;YACtI,KAAK,EAAE,CAAC;SACT,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IACrD,MAAM,WAAW,GAAG,aAAa,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;IAC5D,MAAM,KAAK,GAAG,WAAW,GAAG,YAAY,CAAC;IAEzC,OAAO;QACL,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,KAAK,E
AAE,oBAAoB;QAC3B,WAAW,EAAE,4FAA4F;QACzG,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpB,gBAAgB,EAAE,cAAc,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;KAC3E,CAAC;AACJ,CAAC;AAKD,SAAgB,uBAAuB,CAAC,KAAe,EAAE,cAAuB;IAC9E,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,MAAM,IAAI,GAAI,CAAS,CAAC,sBAAsB,CAAC,CAAC;QAChD,OAAO,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,4HAA4H;QACzI,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAMD,SAAgB,2BAA2B,CAAC,KAAe,EAAE,cAAuB;IAClF,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,CAAC,CAAC,CAAC,kBAAkB;YAAE,OAAO,KAAK,CAAC;QACxC,OAAO,CAAC,CAAC,CAAC,kBAAkB,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,4HAA4H;QACzI,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAOD,SAAgB,uBAAuB,CAAC,KAAe,EAAE,cAAuB;IAC9E,MAAM,SAAS,GAAG,GAAG,CAAC;IAEtB,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAElC,IAAI,CAAC,CAAC,kBAAkB,IAAI,CAAC,CAAC,CAAC,kBAAkB,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAI,CAAS,CAAC,+BAA+B,CAAC,CAAC;QAC7D,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;YACjE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EAAE,wIAAwI;QACrJ,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAMD,SAAgB,yBAAyB,CAAC,KAAe,EAAE,cAAuB;IAChF,MAAM,gBAAgB,GAAG;QACvB,eAAe;QACf
,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,mBAAmB;QACnB,kBAAkB;QAClB,kBAAkB;KACnB,CAAC;IAEF,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAElC,IAAI,CAAC,CAAC,CAAC,kBAAkB,IAAI,CAAC,CAAC,CAAC,kBAAkB,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACrE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,CAAC,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC9B,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAC5B,gBAAgB,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CACzF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EACT,oGAAoG;YACpG,oFAAoF;QACtF,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QAC/E,OAAO,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,EAAE,qEAAqE;YAC3E,cAAc,EAAE,4EAA4E;SAC7F,CAAC,CAAC,CAAC,SAAS;KACd,CAAC;AACJ,CAAC;AAKD,SAAgB,uBAAuB,CAAC,KAAe,EAAE,cAAuB;IAC9E,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,MAAM,QAAQ,GAAI,CAAS,CAAC,+BAA+B,CAAC,CAAC;QAC7D,IAAI,OAAO,QAAQ,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC/C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EAAE,mGAAmG;QAChH,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAKD,SAAgB,wBAAwB,CAAC,KAAe,EAAE,cAAuB;IAC/E,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,CAAC,CAAC,CAAC,kBAAkB;YAAE,OAAO,KAAK,CAAC;QACxC,OAAO,CAAC,CAAC,CAAC,kBAAkB,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,8FAA8F;QAC3G,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAYD
,SAAgB,yBAAyB,CAAC,KAAe,EAAE,cAAuB;IAEhF,MAAM,WAAW,GAAG,IAAI,CAAC;IAEzB,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,CAAC,CAAC,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAC7B,MAAM,QAAQ,GAAI,CAA6B,CAAC,+BAA+B,CAElE,CAAC;QAEd,IAAI,QAAQ,KAAK,SAAS,IAAI,CAAC,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,CAAC,kBAAkB,IAAI,CAAC,CAAC,CAAC,kBAAkB,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,yBAAyB;QAChC,WAAW,EACT,uDAAuD;YACvD,wEAAwE;QAC1E,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAChF,CAAC;AACJ,CAAC;AAWD,SAAgB,yBAAyB,CAAC,KAAe,EAAE,cAAuB;IAEhF,MAAM,WAAW,GAAG,GAAG,CAAC;IACxB,MAAM,WAAW,GAAG,IAAI,CAAC;IAEzB,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,CAAC,CAAC,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAC7B,MAAM,QAAQ,GAAI,CAA6B,CAAC,+BAA+B,CAElE,CAAC;QACd,IAAI,QAAQ,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;QAEzC,MAAM,MAAM,GAAG,CAAC,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAG,CAAC,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QAC9C,OAAO,MAAM,IAAI,MAAM,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EACT,qDAAqD;YACrD,oEAAoE;QACtE,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,gBAAgB,EAAE,cAAc,CAAC,CAAC,CAAC,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QAC/E,OAAO,EAAE;YACP,cAAc,EAAE,4CAA4C;SAC7D;KACF,CAAC;AACJ,CAAC;AAWD,SAAgB,gCAAgC,CAC9C,MAAgB,EAChB,eAAwB;IAIxB,OAAO;QACL,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EACT,+CAA+C;YAC/C,6EAA6E;QAC/E,KAAK,EAAE,CAAC;QACR,OAAO,EAAE;YACP,cAAc,EAAE,yFAAyF;YACzG,YAAY,EAAE,4CAA4C;SAC3D;KACF,CAAC;AACJ,CAAC;AAWD,SAAgB,iCAAiC,CAC/C,MAAgB,EAChB,eAAwB;IAGxB,OAAO;QACL,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,2CAA2C;QAClD,WAAW,EACT,gDA
AgD;YAChD,uFAAuF;QACzF,KAAK,EAAE,CAAC;QACR,OAAO,EAAE;YACP,cAAc,EAAE,kDAAkD;SACnE;KACF,CAAC;AACJ,CAAC;AAKD,SAAgB,6BAA6B,CAAC,KAAe,EAAE,cAAuB;IACpF,OAAO;QACL,uBAAuB,CAAC,KAAK,EAAE,cAAc,CAAC;QAC9C,yBAAyB,CAAC,KAAK,EAAE,cAAc,CAAC;QAChD,6BAA6B,CAAC,KAAK,EAAE,cAAc,CAAC;QACpD,sBAAsB,CAAC,KAAK,EAAE,cAAc,CAAC;QAC7C,uBAAuB,CAAC,KAAK,EAAE,cAAc,CAAC;QAC9C,2BAA2B,CAAC,KAAK,EAAE,cAAc,CAAC;QAClD,uBAAuB,CAAC,KAAK,EAAE,cAAc,CAAC;QAC9C,uBAAuB,CAAC,KAAK,EAAE,cAAc,CAAC;QAC9C,wBAAwB,CAAC,KAAK,EAAE,cAAc,CAAC;QAE/C,yBAAyB,CAAC,KAAK,EAAE,cAAc,CAAC;QAChD,yBAAyB,CAAC,KAAK,EAAE,cAAc,CAAC;QAChD,gCAAgC,CAAC,KAAK,EAAE,cAAc,CAAC;QACvD,iCAAiC,CAAC,KAAK,EAAE,cAAc,CAAC;KACzD,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;AAC3C,CAAC"}
|
|
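--- a/package/dist/services/audit/detectors/ad/monitoring.detector.d.ts
+++ b/package/dist/services/audit/detectors/ad/monitoring.detector.d.ts
@@ -0,0 +1,23 @@
+import { ADUser, ADGroup, ADDomain } from '../../../../types/ad.types';
+import { Finding } from '../../../../types/finding.types';
+import { GpoSecuritySettings } from '../../../../providers/smb/smb.provider';
+export interface MonitoringGpoSettings extends GpoSecuritySettings {
+eventLogSettings?: {
+securityLogMaxSize?: number;
+systemLogMaxSize?: number;
+applicationLogMaxSize?: number;
+};
+}
+export declare function detectAuditLogonEventsDisabled(gpoSettings: GpoSecuritySettings | null, domain: ADDomain | null, includeDetails: boolean): Finding;
+export declare function detectAuditAccountMgmtDisabled(gpoSettings: GpoSecuritySettings | null, domain: ADDomain | null, includeDetails: boolean): Finding;
+export declare function detectAuditPolicyChangeDisabled(gpoSettings: GpoSecuritySettings | null, domain: ADDomain | null, includeDetails: boolean): Finding;
+export declare function detectAuditPrivilegeUseDisabled(gpoSettings: GpoSecuritySettings | null, domain: ADDomain | null, includeDetails: boolean): Finding;
+export declare function detectNoHoneypotAccounts(users: ADUser[], _includeDetails: boolean): Finding;
+export declare function detectAdminAuditBypass(users: ADUser[], _domain: ADDomain | null, includeDetails: boolean): Finding;
+export declare function detectSecurityLogSizeSmall(gpoSettings: MonitoringGpoSettings | null, domain: ADDomain | null, includeDetails: boolean): Finding;
+export declare function detectNoProtectedUsersMonitoring(users: ADUser[], groups: ADGroup[], includeDetails: boolean): Finding;
+export interface MonitoringDetectorOptions {
+gpoSettings?: MonitoringGpoSettings | null;
+}
+export declare function detectMonitoringVulnerabilities(users: ADUser[], groups: ADGroup[], domain: ADDomain | null, includeDetails: boolean, options?: MonitoringDetectorOptions): Finding[];
+//# sourceMappingURL=monitoring.detector.d.ts.map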
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"monitoring.detector.d.ts","sourceRoot":"","sources":["../../../../../src/services/audit/detectors/ad/monitoring.detector.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EAAE,OAAO,EAAE,MAAM,iCAAiC,CAAC;AAE1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAC;AAK7E,MAAM,WAAW,qBAAsB,SAAQ,mBAAmB;IAEhE,gBAAgB,CAAC,EAAE;QACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;KAChC,CAAC;CACH;AAMD,wBAAgB,8BAA8B,CAC5C,WAAW,EAAE,mBAAmB,GAAG,IAAI,EACvC,MAAM,EAAE,QAAQ,GAAG,IAAI,EACvB,cAAc,EAAE,OAAO,GACtB,OAAO,CA8CT;AAKD,wBAAgB,8BAA8B,CAC5C,WAAW,EAAE,mBAAmB,GAAG,IAAI,EACvC,MAAM,EAAE,QAAQ,GAAG,IAAI,EACvB,cAAc,EAAE,OAAO,GACtB,OAAO,CAuCT;AAKD,wBAAgB,+BAA+B,CAC7C,WAAW,EAAE,mBAAmB,GAAG,IAAI,EACvC,MAAM,EAAE,QAAQ,GAAG,IAAI,EACvB,cAAc,EAAE,OAAO,GACtB,OAAO,CAuCT;AAKD,wBAAgB,+BAA+B,CAC7C,WAAW,EAAE,mBAAmB,GAAG,IAAI,EACvC,MAAM,EAAE,QAAQ,GAAG,IAAI,EACvB,cAAc,EAAE,OAAO,GACtB,OAAO,CAuCT;AAMD,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,eAAe,EAAE,OAAO,GAAG,OAAO,CAkD3F;AAMD,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EAAE,EACf,OAAO,EAAE,QAAQ,GAAG,IAAI,EACxB,cAAc,EAAE,OAAO,GACtB,OAAO,CA+CT;AAMD,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,qBAAqB,GAAG,IAAI,EACzC,MAAM,EAAE,QAAQ,GAAG,IAAI,EACvB,cAAc,EAAE,OAAO,GACtB,OAAO,CA8CT;AAMD,wBAAgB,gCAAgC,CAC9C,KAAK,EAAE,MAAM,EAAE,EACf,MAAM,EAAE,OAAO,EAAE,EACjB,cAAc,EAAE,OAAO,GACtB,OAAO,CAoDT;AAKD,MAAM,WAAW,yBAAyB;IAExC,WAAW,CAAC,EAAE,qBAAqB,GAAG,IAAI,CAAC;CAC5C;AAKD,wBAAgB,+BAA+B,CAC7C,KAAK,EAAE,MAAM,EAAE,EACf,MAAM,EAAE,OAAO,EAAE,EACjB,MAAM,EAAE,QAAQ,GAAG,IAAI,EACvB,cAAc,EAAE,OAAO,EACvB,OAAO,GAAE,yBAA8B,GACtC,OAAO,EAAE,CAeX"}
|
|
@@ -0,0 +1,328 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.detectAuditLogonEventsDisabled = detectAuditLogonEventsDisabled;
|
|
4
|
+
exports.detectAuditAccountMgmtDisabled = detectAuditAccountMgmtDisabled;
|
|
5
|
+
exports.detectAuditPolicyChangeDisabled = detectAuditPolicyChangeDisabled;
|
|
6
|
+
exports.detectAuditPrivilegeUseDisabled = detectAuditPrivilegeUseDisabled;
|
|
7
|
+
exports.detectNoHoneypotAccounts = detectNoHoneypotAccounts;
|
|
8
|
+
exports.detectAdminAuditBypass = detectAdminAuditBypass;
|
|
9
|
+
exports.detectSecurityLogSizeSmall = detectSecurityLogSizeSmall;
|
|
10
|
+
exports.detectNoProtectedUsersMonitoring = detectNoProtectedUsersMonitoring;
|
|
11
|
+
exports.detectMonitoringVulnerabilities = detectMonitoringVulnerabilities;
|
|
12
|
+
const entity_converter_1 = require("../../../../utils/entity-converter");
|
|
13
|
+
function detectAuditLogonEventsDisabled(gpoSettings, domain, includeDetails) {
|
|
14
|
+
if (gpoSettings?.auditPolicies && gpoSettings.auditPolicies.length > 0) {
|
|
15
|
+
const auditPolicies = gpoSettings.auditPolicies;
|
|
16
|
+
const logonCategories = ['Account Logon', 'Logon/Logoff', 'Logon'];
|
|
17
|
+
const hasLogonAudit = auditPolicies.some((p) => logonCategories.some((cat) => p.category.includes(cat)) && (p.success || p.failure));
|
|
18
|
+
return {
|
|
19
|
+
type: 'AUDIT_LOGON_EVENTS_DISABLED',
|
|
20
|
+
severity: 'high',
|
|
21
|
+
category: 'monitoring',
|
|
22
|
+
title: 'Logon Events Not Audited',
|
|
23
|
+
description: 'Logon events are not being audited. Failed and successful authentication attempts will not be logged, hindering intrusion detection.',
|
|
24
|
+
count: hasLogonAudit ? 0 : 1,
|
|
25
|
+
affectedEntities: includeDetails && !hasLogonAudit && domain ? [domain.dn] : undefined,
|
|
26
|
+
details: !hasLogonAudit
|
|
27
|
+
? {
|
|
28
|
+
recommendation: 'Enable "Audit Logon Events" and "Audit Account Logon Events" for both Success and Failure.',
|
|
29
|
+
missingCategories: logonCategories,
|
|
30
|
+
attacksUndetected: [
|
|
31
|
+
'Brute force attacks',
|
|
32
|
+
'Password spraying',
|
|
33
|
+
'Pass-the-hash',
|
|
34
|
+
'Kerberos ticket attacks',
|
|
35
|
+
],
|
|
36
|
+
}
|
|
37
|
+
: undefined,
|
|
38
|
+
};
|
|
39
|
+
}
|
|
40
|
+
return {
|
|
41
|
+
type: 'AUDIT_LOGON_EVENTS_DISABLED',
|
|
42
|
+
severity: 'high',
|
|
43
|
+
category: 'monitoring',
|
|
44
|
+
title: 'Logon Audit Configuration Unknown',
|
|
45
|
+
description: 'Unable to determine logon audit configuration. Manual review recommended.',
|
|
46
|
+
count: 0,
|
|
47
|
+
details: {
|
|
48
|
+
note: 'GPO audit settings not available. Check Advanced Audit Policy Configuration manually.',
|
|
49
|
+
},
|
|
50
|
+
};
|
|
51
|
+
}
|
|
52
|
+
function detectAuditAccountMgmtDisabled(gpoSettings, domain, includeDetails) {
|
|
53
|
+
if (gpoSettings?.auditPolicies && gpoSettings.auditPolicies.length > 0) {
|
|
54
|
+
const auditPolicies = gpoSettings.auditPolicies;
|
|
55
|
+
const hasAccountMgmtAudit = auditPolicies.some((p) => p.category.includes('Account Management') && (p.success || p.failure));
|
|
56
|
+
return {
|
|
57
|
+
type: 'AUDIT_ACCOUNT_MGMT_DISABLED',
|
|
58
|
+
severity: 'high',
|
|
59
|
+
category: 'monitoring',
|
|
60
|
+
title: 'Account Management Not Audited',
|
|
61
|
+
description: 'Account management events are not being audited. User/group creation, modification, and deletion will not be logged.',
|
|
62
|
+
count: hasAccountMgmtAudit ? 0 : 1,
|
|
63
|
+
affectedEntities: includeDetails && !hasAccountMgmtAudit && domain ? [domain.dn] : undefined,
|
|
64
|
+
details: !hasAccountMgmtAudit
|
|
65
|
+
? {
|
|
66
|
+
recommendation: 'Enable "Audit Account Management" for both Success and Failure.',
|
|
67
|
+
attacksUndetected: [
|
|
68
|
+
'Unauthorized account creation',
|
|
69
|
+
'Privilege escalation via group membership',
|
|
70
|
+
'Backdoor accounts',
|
|
71
|
+
'Account takeover',
|
|
72
|
+
],
|
|
73
|
+
}
|
|
74
|
+
: undefined,
|
|
75
|
+
};
|
|
76
|
+
}
|
|
77
|
+
return {
|
|
78
|
+
type: 'AUDIT_ACCOUNT_MGMT_DISABLED',
|
|
79
|
+
severity: 'high',
|
|
80
|
+
category: 'monitoring',
|
|
81
|
+
title: 'Account Management Audit Configuration Unknown',
|
|
82
|
+
description: 'Unable to determine account management audit configuration.',
|
|
83
|
+
count: 0,
|
|
84
|
+
};
|
|
85
|
+
}
|
|
86
|
+
function detectAuditPolicyChangeDisabled(gpoSettings, domain, includeDetails) {
|
|
87
|
+
if (gpoSettings?.auditPolicies && gpoSettings.auditPolicies.length > 0) {
|
|
88
|
+
const auditPolicies = gpoSettings.auditPolicies;
|
|
89
|
+
const hasPolicyChangeAudit = auditPolicies.some((p) => p.category.includes('Policy Change') && (p.success || p.failure));
|
|
90
|
+
return {
|
|
91
|
+
type: 'AUDIT_POLICY_CHANGE_DISABLED',
|
|
92
|
+
severity: 'high',
|
|
93
|
+
category: 'monitoring',
|
|
94
|
+
title: 'Policy Changes Not Audited',
|
|
95
|
+
description: 'Policy change events are not being audited. GPO modifications and security policy changes will not be logged.',
|
|
96
|
+
count: hasPolicyChangeAudit ? 0 : 1,
|
|
97
|
+
affectedEntities: includeDetails && !hasPolicyChangeAudit && domain ? [domain.dn] : undefined,
|
|
98
|
+
details: !hasPolicyChangeAudit
|
|
99
|
+
? {
|
|
100
|
+
recommendation: 'Enable "Audit Policy Change" for both Success and Failure.',
|
|
101
|
+
attacksUndetected: [
|
|
102
|
+
'GPO poisoning',
|
|
103
|
+
'Security policy weakening',
|
|
104
|
+
'Audit policy tampering',
|
|
105
|
+
'Firewall rule modifications',
|
|
106
|
+
],
|
|
107
|
+
}
|
|
108
|
+
: undefined,
|
|
109
|
+
};
|
|
110
|
+
}
|
|
111
|
+
return {
|
|
112
|
+
type: 'AUDIT_POLICY_CHANGE_DISABLED',
|
|
113
|
+
severity: 'high',
|
|
114
|
+
category: 'monitoring',
|
|
115
|
+
title: 'Policy Change Audit Configuration Unknown',
|
|
116
|
+
description: 'Unable to determine policy change audit configuration.',
|
|
117
|
+
count: 0,
|
|
118
|
+
};
|
|
119
|
+
}
|
|
120
|
+
function detectAuditPrivilegeUseDisabled(gpoSettings, domain, includeDetails) {
|
|
121
|
+
if (gpoSettings?.auditPolicies && gpoSettings.auditPolicies.length > 0) {
|
|
122
|
+
const auditPolicies = gpoSettings.auditPolicies;
|
|
123
|
+
const hasPrivilegeUseAudit = auditPolicies.some((p) => p.category.includes('Privilege Use') && (p.success || p.failure));
|
|
124
|
+
return {
|
|
125
|
+
type: 'AUDIT_PRIVILEGE_USE_DISABLED',
|
|
126
|
+
severity: 'medium',
|
|
127
|
+
category: 'monitoring',
|
|
128
|
+
title: 'Privilege Use Not Audited',
|
|
129
|
+
description: 'Privilege use events are not being audited. Sensitive privilege usage will not be logged.',
|
|
130
|
+
count: hasPrivilegeUseAudit ? 0 : 1,
|
|
131
|
+
affectedEntities: includeDetails && !hasPrivilegeUseAudit && domain ? [domain.dn] : undefined,
|
|
132
|
+
details: !hasPrivilegeUseAudit
|
|
133
|
+
? {
|
|
134
|
+
recommendation: 'Enable "Audit Privilege Use" for Failure events at minimum.',
|
|
135
|
+
attacksUndetected: [
|
|
136
|
+
'Privilege abuse',
|
|
137
|
+
'SeDebugPrivilege exploitation',
|
|
138
|
+
'Token manipulation',
|
|
139
|
+
'Impersonation attacks',
|
|
140
|
+
],
|
|
141
|
+
}
|
|
142
|
+
: undefined,
|
|
143
|
+
};
|
|
144
|
+
}
|
|
145
|
+
return {
|
|
146
|
+
type: 'AUDIT_PRIVILEGE_USE_DISABLED',
|
|
147
|
+
severity: 'medium',
|
|
148
|
+
category: 'monitoring',
|
|
149
|
+
title: 'Privilege Use Audit Configuration Unknown',
|
|
150
|
+
description: 'Unable to determine privilege use audit configuration.',
|
|
151
|
+
count: 0,
|
|
152
|
+
};
|
|
153
|
+
}
|
|
154
|
+
function detectNoHoneypotAccounts(users, _includeDetails) {
|
|
155
|
+
const honeypotPatterns = ['honeypot', 'decoy', 'trap', 'canary', 'bait', 'fake'];
|
|
156
|
+
const attractivePatterns = ['svc_', 'admin_backup', 'admin_old', 'sa_', 'sqlsvc', 'backup_admin'];
|
|
157
|
+
const honeypots = users.filter((u) => {
|
|
158
|
+
const rawDesc = u.description;
|
|
159
|
+
const desc = (typeof rawDesc === 'string' ? rawDesc : '').toLowerCase();
|
|
160
|
+
const name = (u.sAMAccountName || '').toLowerCase();
|
|
161
|
+
return honeypotPatterns.some((p) => desc.includes(p) || name.includes(p));
|
|
162
|
+
});
|
|
163
|
+
const potentialBaits = users.filter((u) => {
|
|
164
|
+
const name = (u.sAMAccountName || '').toLowerCase();
|
|
165
|
+
const hasAttractiveNaming = attractivePatterns.some((p) => name.includes(p));
|
|
166
|
+
const neverLoggedIn = !u.lastLogon;
|
|
167
|
+
const isEnabled = u.enabled;
|
|
168
|
+
return hasAttractiveNaming && neverLoggedIn && isEnabled;
|
|
169
|
+
});
|
|
170
|
+
const hasHoneypots = honeypots.length > 0 || potentialBaits.length >= 2;
|
|
171
|
+
return {
|
|
172
|
+
type: 'NO_HONEYPOT_ACCOUNTS',
|
|
173
|
+
severity: 'medium',
|
|
174
|
+
category: 'monitoring',
|
|
175
|
+
title: 'No Honeypot/Decoy Accounts Detected',
|
|
176
|
+
description: 'No honeypot or decoy accounts detected in the directory. These accounts help detect attackers during enumeration phase.',
|
|
177
|
+
count: hasHoneypots ? 0 : 1,
|
|
178
|
+
affectedEntities: undefined,
|
|
179
|
+
details: hasHoneypots
|
|
180
|
+
? {
|
|
181
|
+
honeypotCount: honeypots.length,
|
|
182
|
+
potentialBaitCount: potentialBaits.length,
|
|
183
|
+
status: 'Honeypot accounts detected',
|
|
184
|
+
}
|
|
185
|
+
: {
|
|
186
|
+
recommendation: 'Create honeypot accounts with attractive names (e.g., svc_backup, admin_old) and monitor for any usage.',
|
|
187
|
+
benefits: [
|
|
188
|
+
'Early detection of attacker enumeration',
|
|
189
|
+
'Detect credential stuffing attempts',
|
|
190
|
+
'Alert on lateral movement',
|
|
191
|
+
],
|
|
192
|
+
implementationGuide: 'Create accounts with attractive names but no real permissions. Alert on any authentication attempt.',
|
|
193
|
+
},
|
|
194
|
+
};
|
|
195
|
+
}
|
|
196
|
+
function detectAdminAuditBypass(users, _domain, includeDetails) {
|
|
197
|
+
const adminUsers = users.filter((u) => u.adminCount === 1 && u.enabled);
|
|
198
|
+
const protectedUsersPattern = /protected users/i;
|
|
199
|
+
const adminsNotProtected = adminUsers.filter((u) => {
|
|
200
|
+
const memberOf = u['memberOf'];
|
|
201
|
+
if (!memberOf)
|
|
202
|
+
return true;
|
|
203
|
+
return !memberOf.some((g) => protectedUsersPattern.test(g));
|
|
204
|
+
});
|
|
205
|
+
const auditBypassRisk = adminsNotProtected.filter((u) => {
|
|
206
|
+
const pwdAge = u.pwdLastSet ? Date.now() - new Date(u.pwdLastSet).getTime() : Infinity;
|
|
207
|
+
const pwdAgeMonths = pwdAge / (1000 * 60 * 60 * 24 * 30);
|
|
208
|
+
return pwdAgeMonths > 6;
|
|
209
|
+
});
|
|
210
|
+
const hasRisk = auditBypassRisk.length > 0;
|
|
211
|
+
return {
|
|
212
|
+
type: 'ADMIN_AUDIT_BYPASS',
|
|
213
|
+
severity: 'high',
|
|
214
|
+
category: 'monitoring',
|
|
215
|
+
title: 'Administrators Can Bypass Audit',
|
|
216
|
+
description: 'Privileged accounts not in Protected Users group with old passwords may bypass audit controls.',
|
|
217
|
+
count: auditBypassRisk.length,
|
|
218
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(auditBypassRisk) : undefined,
|
|
219
|
+
details: hasRisk
|
|
220
|
+
? {
|
|
221
|
+
totalAdmins: adminUsers.length,
|
|
222
|
+
adminsNotProtected: adminsNotProtected.length,
|
|
223
|
+
adminsWithOldPasswords: auditBypassRisk.length,
|
|
224
|
+
recommendation: 'Add admin accounts to Protected Users group and enforce regular password rotation.',
|
|
225
|
+
risks: [
|
|
226
|
+
'Admins can clear security logs',
|
|
227
|
+
'Compromised admin credentials may evade detection',
|
|
228
|
+
'Audit policies may be disabled by compromised admin',
|
|
229
|
+
],
|
|
230
|
+
}
|
|
231
|
+
: undefined,
|
|
232
|
+
};
|
|
233
|
+
}
|
|
234
|
+
function detectSecurityLogSizeSmall(gpoSettings, domain, includeDetails) {
|
|
235
|
+
const MINIMUM_LOG_SIZE_KB = 128 * 1024;
|
|
236
|
+
if (gpoSettings?.eventLogSettings?.securityLogMaxSize !== undefined) {
|
|
237
|
+
const logSize = gpoSettings.eventLogSettings.securityLogMaxSize;
|
|
238
|
+
const isTooSmall = logSize < MINIMUM_LOG_SIZE_KB;
|
|
239
|
+
return {
|
|
240
|
+
type: 'SECURITY_LOG_SIZE_SMALL',
|
|
241
|
+
severity: 'medium',
|
|
242
|
+
category: 'monitoring',
|
|
243
|
+
title: 'Security Log Size Insufficient',
|
|
244
|
+
description: `Security event log maximum size is ${Math.round(logSize / 1024)} MB. Small logs cause events to be overwritten quickly, losing forensic data.`,
|
|
245
|
+
count: isTooSmall ? 1 : 0,
|
|
246
|
+
affectedEntities: includeDetails && isTooSmall && domain ? [domain.dn] : undefined,
|
|
247
|
+
details: isTooSmall
|
|
248
|
+
? {
|
|
249
|
+
currentSizeKB: logSize,
|
|
250
|
+
currentSizeMB: Math.round(logSize / 1024),
|
|
251
|
+
recommendedSizeKB: MINIMUM_LOG_SIZE_KB,
|
|
252
|
+
recommendedSizeMB: Math.round(MINIMUM_LOG_SIZE_KB / 1024),
|
|
253
|
+
recommendation: 'Increase Security log maximum size to at least 128 MB via GPO.',
|
|
254
|
+
risks: [
|
|
255
|
+
'Critical events may be lost due to log rotation',
|
|
256
|
+
'Incident response hampered by missing events',
|
|
257
|
+
'Compliance violations for log retention requirements',
|
|
258
|
+
],
|
|
259
|
+
}
|
|
260
|
+
: undefined,
|
|
261
|
+
};
|
|
262
|
+
}
|
|
263
|
+
return {
|
|
264
|
+
type: 'SECURITY_LOG_SIZE_SMALL',
|
|
265
|
+
severity: 'medium',
|
|
266
|
+
category: 'monitoring',
|
|
267
|
+
title: 'Security Log Size Configuration Unknown',
|
|
268
|
+
description: 'Unable to determine security event log size configuration.',
|
|
269
|
+
count: 0,
|
|
270
|
+
details: {
|
|
271
|
+
note: 'GPO event log settings not available. Verify Security log maximum size manually.',
|
|
272
|
+
recommendedSizeMB: Math.round(MINIMUM_LOG_SIZE_KB / 1024),
|
|
273
|
+
},
|
|
274
|
+
};
|
|
275
|
+
}
|
|
276
|
+
function detectNoProtectedUsersMonitoring(users, groups, includeDetails) {
|
|
277
|
+
const protectedUsersGroup = groups.find((g) => {
|
|
278
|
+
const name = (g.sAMAccountName || g.displayName || '').toLowerCase();
|
|
279
|
+
return name === 'protected users' || g.dn.toLowerCase().includes('cn=protected users');
|
|
280
|
+
});
|
|
281
|
+
const privilegedUsers = users.filter((u) => u.adminCount === 1 && u.enabled);
|
|
282
|
+
const notInProtectedUsers = privilegedUsers.filter((u) => {
|
|
283
|
+
const memberOf = u['memberOf'];
|
|
284
|
+
if (!memberOf)
|
|
285
|
+
return true;
|
|
286
|
+
return !memberOf.some((g) => g.toLowerCase().includes('cn=protected users') ||
|
|
287
|
+
(protectedUsersGroup && g.toLowerCase() === protectedUsersGroup.dn.toLowerCase()));
|
|
288
|
+
});
|
|
289
|
+
const groupExists = protectedUsersGroup !== undefined;
|
|
290
|
+
const groupMemberCount = protectedUsersGroup?.member?.length ?? 0;
|
|
291
|
+
return {
|
|
292
|
+
type: 'NO_PROTECTED_USERS_MONITORING',
|
|
293
|
+
severity: 'medium',
|
|
294
|
+
category: 'monitoring',
|
|
295
|
+
title: 'Protected Users Group Not Utilized',
|
|
296
|
+
description: 'Privileged accounts are not members of the Protected Users group. This group provides additional protections against credential theft.',
|
|
297
|
+
count: notInProtectedUsers.length,
|
|
298
|
+
affectedEntities: includeDetails ? (0, entity_converter_1.toAffectedUserEntities)(notInProtectedUsers) : undefined,
|
|
299
|
+
details: {
|
|
300
|
+
groupExists,
|
|
301
|
+
currentMembers: groupMemberCount,
|
|
302
|
+
totalPrivilegedAccounts: privilegedUsers.length,
|
|
303
|
+
notInGroup: notInProtectedUsers.length,
|
|
304
|
+
protections: [
|
|
305
|
+
'NTLM authentication disabled',
|
|
306
|
+
'Kerberos DES/RC4 encryption disabled',
|
|
307
|
+
'Kerberos TGT lifetime reduced to 4 hours',
|
|
308
|
+
'Credential delegation disabled',
|
|
309
|
+
'Cached credentials not stored',
|
|
310
|
+
],
|
|
311
|
+
recommendation: 'Add all privileged/admin accounts to Protected Users group for enhanced credential protection.',
|
|
312
|
+
},
|
|
313
|
+
};
|
|
314
|
+
}
|
|
315
|
+
function detectMonitoringVulnerabilities(users, groups, domain, includeDetails, options = {}) {
|
|
316
|
+
const { gpoSettings = null } = options;
|
|
317
|
+
return [
|
|
318
|
+
detectAuditLogonEventsDisabled(gpoSettings, domain, includeDetails),
|
|
319
|
+
detectAuditAccountMgmtDisabled(gpoSettings, domain, includeDetails),
|
|
320
|
+
detectAuditPolicyChangeDisabled(gpoSettings, domain, includeDetails),
|
|
321
|
+
detectAdminAuditBypass(users, domain, includeDetails),
|
|
322
|
+
detectAuditPrivilegeUseDisabled(gpoSettings, domain, includeDetails),
|
|
323
|
+
detectNoHoneypotAccounts(users, includeDetails),
|
|
324
|
+
detectSecurityLogSizeSmall(gpoSettings, domain, includeDetails),
|
|
325
|
+
detectNoProtectedUsersMonitoring(users, groups, includeDetails),
|
|
326
|
+
].filter((finding) => finding.count > 0);
|
|
327
|
+
}
|
|
328
|
+
//# sourceMappingURL=monitoring.detector.js.map
|