npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/services/audit/detectors/ad/adcs.detector.ts ADDED Viewed

@@ -0,0 +1,449 @@
+/**
+ * ADCS Security Vulnerability Detector
+ *
+ * Detects ESC1-ESC11 vulnerabilities in AD Certificate Services.
+ *
+ * Vulnerabilities detected (11):
+ * CRITICAL (2):
+ * - ESC1_VULNERABLE_TEMPLATE: Template allows enrollee to supply SAN + has client auth
+ * - ESC4_VULNERABLE_TEMPLATE_ACL: Non-admin can modify vulnerable template
+ *
+ * HIGH (6):
+ * - ESC2_ANY_PURPOSE: Template has "Any Purpose" EKU
+ * - ESC3_ENROLLMENT_AGENT: Template allows enrollment agent certificate
+ * - ESC6_EDITF_FLAG: CA allows requestor-specified SAN (registry flag)
+ * - ESC7_CA_VULNERABLE_ACL: Non-admin can manage CA
+ * - ESC9_NO_SECURITY_EXTENSION: No security extension in certificates (Phase 3)
+ * - ESC10_WEAK_CERTIFICATE_MAPPING: Weak certificate mapping configured (Phase 3)
+ *
+ * MEDIUM (3):
+ * - ESC5_PKI_OBJECT_ACL: Vulnerable PKI object ACLs
+ * - ESC8_HTTP_ENROLLMENT: HTTP web enrollment (NTLM relay risk)
+ * - ESC11_ICERT_REQUEST_ENFORCEMENT: IF_ENFORCEENCRYPTICERTREQUEST disabled (Phase 3)
+ */
+import { Finding } from '../../../../types/finding.types';
+import {
+  ADCSCertificateTemplate,
+  ADCSCertificateAuthority,
+  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
+  CT_FLAG_PEND_ALL_REQUESTS,
+  EKU_CLIENT_AUTH,
+  EKU_PKIINIT_CLIENT_AUTH,
+  EKU_SMART_CARD_LOGON,
+  EKU_ANY_PURPOSE,
+  EKU_CERTIFICATE_REQUEST_AGENT,
+} from '../../../../types/adcs.types';
+/**
+ * Check if template allows authentication (client auth, smartcard, PKINIT)
+ */
+function hasAuthenticationEku(ekus: string[]): boolean {
+  return (
+    ekus.includes(EKU_CLIENT_AUTH) ||
+    ekus.includes(EKU_PKIINIT_CLIENT_AUTH) ||
+    ekus.includes(EKU_SMART_CARD_LOGON) ||
+    ekus.length === 0 // No EKU = any purpose
+  );
+}
+/**
+ * ESC1: Misconfigured Certificate Template
+ * Template allows enrollee to supply subject AND has client authentication EKU
+ */
+export function detectEsc1VulnerableTemplate(
+  templates: ADCSCertificateTemplate[],
+  includeDetails: boolean
+): Finding {
+  const affected = templates.filter((t) => {
+    const nameFlag = t['msPKI-Certificate-Name-Flag'] || 0;
+    const enrollmentFlag = t['msPKI-Enrollment-Flag'] || 0;
+    const ekus = t.pKIExtendedKeyUsage || [];
+    // Enrollee can supply subject
+    const enrolleeSuppliesSubject = (nameFlag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) !== 0;
+    // Has authentication capability
+    const canAuthenticate = hasAuthenticationEku(ekus);
+    // Doesn't require manager approval
+    const noApprovalRequired = (enrollmentFlag & CT_FLAG_PEND_ALL_REQUESTS) === 0;
+    return enrolleeSuppliesSubject && canAuthenticate && noApprovalRequired;
+  });
+  return {
+    type: 'ESC1_VULNERABLE_TEMPLATE',
+    severity: 'critical',
+    category: 'adcs',
+    title: 'ESC1 - Misconfigured Certificate Template',
+    description:
+      'Certificate template allows enrollee to specify Subject Alternative Name (SAN) and has client authentication EKU, enabling privilege escalation to any user/computer.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name || t.displayName || t.dn) : undefined,
+  };
+}
+/**
+ * ESC2: Any Purpose Certificate Template
+ * Template has "Any Purpose" EKU or SubCA capability
+ */
+export function detectEsc2AnyPurpose(
+  templates: ADCSCertificateTemplate[],
+  includeDetails: boolean
+): Finding {
+  const affected = templates.filter((t) => {
+    const ekus = t.pKIExtendedKeyUsage || [];
+    const enrollmentFlag = t['msPKI-Enrollment-Flag'] || 0;
+    // Has "Any Purpose" EKU
+    const hasAnyPurpose = ekus.includes(EKU_ANY_PURPOSE);
+    // No EKU constraint (implies any purpose)
+    const noEkuConstraint = ekus.length === 0;
+    // Doesn't require manager approval
+    const noApprovalRequired = (enrollmentFlag & CT_FLAG_PEND_ALL_REQUESTS) === 0;
+    return (hasAnyPurpose || noEkuConstraint) && noApprovalRequired;
+  });
+  return {
+    type: 'ESC2_ANY_PURPOSE',
+    severity: 'high',
+    category: 'adcs',
+    title: 'ESC2 - Any Purpose Certificate Template',
+    description:
+      'Certificate template has "Any Purpose" EKU or no EKU constraints, allowing issued certificates to be used for any purpose including client authentication.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name || t.displayName || t.dn) : undefined,
+  };
+}
+/**
+ * ESC3: Enrollment Agent Certificate Template
+ * Template allows Certificate Request Agent (enrollment agent) certificates
+ */
+export function detectEsc3EnrollmentAgent(
+  templates: ADCSCertificateTemplate[],
+  includeDetails: boolean
+): Finding {
+  const affected = templates.filter((t) => {
+    const ekus = t.pKIExtendedKeyUsage || [];
+    const enrollmentFlag = t['msPKI-Enrollment-Flag'] || 0;
+    // Has Certificate Request Agent EKU
+    const hasEnrollmentAgent = ekus.includes(EKU_CERTIFICATE_REQUEST_AGENT);
+    // Doesn't require manager approval
+    const noApprovalRequired = (enrollmentFlag & CT_FLAG_PEND_ALL_REQUESTS) === 0;
+    return hasEnrollmentAgent && noApprovalRequired;
+  });
+  return {
+    type: 'ESC3_ENROLLMENT_AGENT',
+    severity: 'high',
+    category: 'adcs',
+    title: 'ESC3 - Enrollment Agent Certificate Template',
+    description:
+      'Certificate template allows issuance of enrollment agent certificates, which can be used to enroll certificates on behalf of other users.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name || t.displayName || t.dn) : undefined,
+  };
+}
+/**
+ * ESC4: Vulnerable Certificate Template ACL
+ * Low-privileged users can modify template properties
+ * Note: Requires ACL parsing - simplified version checks if template has security descriptor
+ */
+export function detectEsc4VulnerableTemplateAcl(
+  templates: ADCSCertificateTemplate[],
+  _includeDetails: boolean
+): Finding {
+  // In a full implementation, this would parse nTSecurityDescriptor and check for
+  // GenericAll, GenericWrite, WriteDacl, WriteOwner, or WriteProperty rights
+  // for non-admin principals
+  // For now, we flag templates that have authentication capability
+  // and mark them as needing manual ACL review
+  const affected = templates.filter((t) => {
+    const ekus = t.pKIExtendedKeyUsage || [];
+    return hasAuthenticationEku(ekus) && t.nTSecurityDescriptor !== undefined;
+  });
+  // This is a placeholder - actual implementation would analyze ACLs
+  return {
+    type: 'ESC4_VULNERABLE_TEMPLATE_ACL',
+    severity: 'critical',
+    category: 'adcs',
+    title: 'ESC4 - Certificate Template ACL Review Required',
+    description:
+      'Certificate templates with authentication capability should be reviewed for overly permissive ACLs that allow non-admins to modify template properties.',
+    count: 0, // Set to 0 until actual ACL analysis is implemented
+    affectedEntities: undefined,
+    details: {
+      note: 'Full ACL analysis requires parsing nTSecurityDescriptor. Manual review recommended.',
+      templatesWithAuthEku: affected.length,
+    },
+  };
+}
+/**
+ * ESC5: PKI Object ACL Vulnerabilities
+ * Vulnerable ACLs on PKI-related AD objects (CA computer, certificates container)
+ * Note: This is a placeholder for ACL analysis
+ */
+export function detectEsc5PkiObjectAcl(
+  _cas: ADCSCertificateAuthority[],
+  _includeDetails: boolean
+): Finding {
+  // This would analyze ACLs on:
+  // - CA computer object
+  // - CN=Public Key Services,CN=Services,CN=Configuration
+  // - CN=Enrollment Services,CN=Public Key Services,...
+  // - CN=Certificate Templates,CN=Public Key Services,...
+  return {
+    type: 'ESC5_PKI_OBJECT_ACL',
+    severity: 'medium',
+    category: 'adcs',
+    title: 'ESC5 - PKI Object ACL Review Required',
+    description:
+      'PKI-related AD objects should be reviewed for overly permissive ACLs that could allow non-admins to modify CA configuration or templates.',
+    count: 0, // Placeholder until ACL analysis implemented
+    affectedEntities: undefined,
+    details: {
+      note: 'Manual review of PKI object ACLs recommended.',
+    },
+  };
+}
+/**
+ * ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 Flag
+ * CA configured to allow requestor-specified SAN for any template
+ * Note: This flag is in registry, not LDAP - cannot detect via pure LDAP
+ */
+export function detectEsc6EditfFlag(
+  cas: ADCSCertificateAuthority[],
+  includeDetails: boolean
+): Finding {
+  // EDITF_ATTRIBUTESUBJECTALTNAME2 (0x00040000) is stored in registry at:
+  // HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags
+  // Cannot be detected via LDAP alone
+  return {
+    type: 'ESC6_EDITF_FLAG',
+    severity: 'high',
+    category: 'adcs',
+    title: 'ESC6 - CA Configuration Review Required',
+    description:
+      'Certificate Authorities should be checked for EDITF_ATTRIBUTESUBJECTALTNAME2 flag which allows any certificate requestor to specify a SAN.',
+    count: 0, // Cannot detect via LDAP
+    affectedEntities: includeDetails ? cas.map((ca) => ca.name || ca.dn) : undefined,
+    details: {
+      note: 'Check registry key EditFlags on CA servers. Flag 0x00040000 indicates vulnerability.',
+      casToCheck: cas.length,
+    },
+  };
+}
+/**
+ * ESC7: Vulnerable CA ACL
+ * Non-admin can manage CA (ManageCA or ManageCertificates rights)
+ * Note: Requires ACL parsing
+ */
+export function detectEsc7CaVulnerableAcl(
+  cas: ADCSCertificateAuthority[],
+  includeDetails: boolean
+): Finding {
+  // Would analyze nTSecurityDescriptor on CA enrollment objects for:
+  // - ManageCA right
+  // - ManageCertificates right
+  // granted to non-admin principals
+  return {
+    type: 'ESC7_CA_VULNERABLE_ACL',
+    severity: 'high',
+    category: 'adcs',
+    title: 'ESC7 - CA ACL Review Required',
+    description:
+      'Certificate Authority ACLs should be reviewed for ManageCA or ManageCertificates rights granted to non-administrators.',
+    count: 0, // Placeholder until ACL analysis implemented
+    affectedEntities: includeDetails ? cas.map((ca) => ca.name || ca.dn) : undefined,
+    details: {
+      note: 'Manual review of CA ACLs recommended.',
+      casToReview: cas.length,
+    },
+  };
+}
+/**
+ * ESC8: NTLM Relay to AD CS HTTP Endpoint
+ * Web enrollment enabled over HTTP (allows NTLM relay attacks)
+ * Note: Cannot be fully detected via LDAP - requires network probing
+ */
+export function detectEsc8HttpEnrollment(
+  cas: ADCSCertificateAuthority[],
+  includeDetails: boolean
+): Finding {
+  // HTTP enrollment endpoints are typically at:
+  // http://<CA>/certsrv/
+  // Cannot detect via LDAP alone - would need network connectivity check
+  return {
+    type: 'ESC8_HTTP_ENROLLMENT',
+    severity: 'medium',
+    category: 'adcs',
+    title: 'ESC8 - Web Enrollment Check Required',
+    description:
+      'Certificate Authorities should be checked for HTTP-based web enrollment endpoints which are vulnerable to NTLM relay attacks.',
+    count: 0, // Cannot detect via LDAP
+    affectedEntities: includeDetails ? cas.map((ca) => `${ca.dNSHostName || ca.name}`) : undefined,
+    details: {
+      note: 'Check for http://<CA>/certsrv/ endpoints. HTTPS with Extended Protection mitigates this.',
+      casToCheck: cas.length,
+    },
+  };
+}
+// ==================== PHASE 3 ESC DETECTORS ====================
+/**
+ * ESC9: No Security Extension (szOID_NTDS_CA_SECURITY_EXT)
+ * Certificates without the new security extension are vulnerable to impersonation
+ * when strong certificate mapping is not enforced.
+ * Note: Requires template schema version check
+ */
+export function detectEsc9NoSecurityExtension(
+  templates: ADCSCertificateTemplate[],
+  includeDetails: boolean
+): Finding {
+  // Templates with schema version < 2 don't include security extension
+  // msPKI-Template-Schema-Version attribute determines this
+  const affected = templates.filter((t) => {
+    const schemaVersion = t['msPKI-Template-Schema-Version'] || 1;
+    const ekus = t.pKIExtendedKeyUsage || [];
+    // Vulnerable if: old schema AND can authenticate
+    return schemaVersion < 2 && hasAuthenticationEku(ekus);
+  });
+  return {
+    type: 'ESC9_NO_SECURITY_EXTENSION',
+    severity: 'high',
+    category: 'adcs',
+    title: 'ESC9 - No Security Extension in Certificate Template',
+    description:
+      'Certificate templates using schema version 1 do not include the szOID_NTDS_CA_SECURITY_EXT security extension. Combined with weak certificate mapping, this allows certificate impersonation attacks.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name || t.displayName || t.dn) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            recommendation:
+              'Upgrade certificate templates to schema version 2 or higher, and enable strong certificate mapping.',
+            vulnerabilityChain: 'ESC9 + weak certificate mapping = impersonation',
+          }
+        : undefined,
+  };
+}
+/**
+ * ESC10: Weak Certificate Mapping
+ * When strong certificate mapping is not enforced, attackers with ESC9 vulnerable
+ * certificates can impersonate other users.
+ * Note: This is a domain-level setting
+ */
+export function detectEsc10WeakCertificateMapping(
+  domain: { dn: string; [key: string]: unknown } | null,
+  _includeDetails: boolean
+): Finding {
+  // Certificate mapping strength is controlled by:
+  // StrongCertificateBindingEnforcement registry key (HKLM\SYSTEM\CurrentControlSet\Services\Kdc)
+  // 0 = Disabled, 1 = Compatibility mode (default), 2 = Full enforcement
+  // Cannot be detected via LDAP - requires registry access
+  // Also affected by CertificateMappingMethods registry key on DCs
+  // UPN mapping without strong binding is vulnerable
+  return {
+    type: 'ESC10_WEAK_CERTIFICATE_MAPPING',
+    severity: 'high',
+    category: 'adcs',
+    title: 'ESC10 - Certificate Mapping Configuration Review Required',
+    description:
+      'Domain controllers should be configured for strong certificate mapping to prevent certificate impersonation attacks. This setting cannot be detected via LDAP.',
+    count: domain ? 1 : 0, // Flag as needing review if domain exists
+    details: {
+      note: 'Check StrongCertificateBindingEnforcement registry key on DCs. Value should be 2 (Full Enforcement).',
+      registryPath:
+        'HKLM\\SYSTEM\\CurrentControlSet\\Services\\Kdc\\StrongCertificateBindingEnforcement',
+      recommendation:
+        'Set StrongCertificateBindingEnforcement to 2 for full enforcement. Test in compatibility mode (1) first.',
+      microsoftDoc:
+        'https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers',
+    },
+  };
+}
+/**
+ * ESC11: IF_ENFORCEENCRYPTICERTREQUEST Not Enforced
+ * When RPC encryption is not enforced on the CA, attackers can relay NTLM
+ * authentication to the CA's RPC endpoint.
+ * Note: This is a CA configuration setting
+ */
+export function detectEsc11IcertRequestEnforcement(
+  cas: ADCSCertificateAuthority[],
+  includeDetails: boolean
+): Finding {
+  // IF_ENFORCEENCRYPTICERTREQUEST is stored in registry at:
+  // HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>\InterfaceFlags
+  // Flag 0x00000200 should be set to enforce RPC encryption
+  // Cannot be detected via LDAP alone
+  return {
+    type: 'ESC11_ICERT_REQUEST_ENFORCEMENT',
+    severity: 'medium',
+    category: 'adcs',
+    title: 'ESC11 - RPC Encryption Enforcement Check Required',
+    description:
+      'Certificate Authorities should enforce RPC encryption (IF_ENFORCEENCRYPTICERTREQUEST flag) to prevent NTLM relay attacks to the ICertPassage RPC interface.',
+    count: cas.length > 0 ? 1 : 0, // Flag as needing review if CAs exist
+    affectedEntities: includeDetails ? cas.map((ca) => ca.name || ca.dn) : undefined,
+    details: {
+      note: 'Check InterfaceFlags registry key on CA servers. Flag 0x00000200 (IF_ENFORCEENCRYPTICERTREQUEST) should be set.',
+      registryPath:
+        'HKLM\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\<CA>\\InterfaceFlags',
+      casToCheck: cas.length,
+      recommendation:
+        'Set IF_ENFORCEENCRYPTICERTREQUEST flag using: certutil -setreg CA\\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST',
+    },
+  };
+}
+/**
+ * Aggregate function: Detect all ADCS vulnerabilities
+ */
+export function detectAdcsVulnerabilities(
+  templates: ADCSCertificateTemplate[],
+  cas: ADCSCertificateAuthority[],
+  includeDetails: boolean,
+  domain?: { dn: string; [key: string]: unknown } | null
+): Finding[] {
+  return [
+    detectEsc1VulnerableTemplate(templates, includeDetails),
+    detectEsc2AnyPurpose(templates, includeDetails),
+    detectEsc3EnrollmentAgent(templates, includeDetails),
+    detectEsc4VulnerableTemplateAcl(templates, includeDetails),
+    detectEsc5PkiObjectAcl(cas, includeDetails),
+    detectEsc6EditfFlag(cas, includeDetails),
+    detectEsc7CaVulnerableAcl(cas, includeDetails),
+    detectEsc8HttpEnrollment(cas, includeDetails),
+    // Phase 3: ESC9-ESC11
+    detectEsc9NoSecurityExtension(templates, includeDetails),
+    detectEsc10WeakCertificateMapping(domain || null, includeDetails),
+    detectEsc11IcertRequestEnforcement(cas, includeDetails),
+  ].filter((finding) => finding.count > 0 || finding.details?.['note']);
+}