npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/services/audit/detectors/ad/attack-paths.detector.ts ADDED Viewed

@@ -0,0 +1,600 @@
+/**
+ * Attack Paths Vulnerability Detector
+ *
+ * Analyzes privilege escalation paths in Active Directory by combining:
+ * - Group membership chains
+ * - ACL-based attack vectors
+ * - Delegation relationships
+ * - Service account risks
+ *
+ * Phase 2: Attack Paths Detection
+ *
+ * Vulnerabilities detected (10):
+ * CRITICAL (4):
+ * - PATH_KERBEROASTING_TO_DA: Kerberoastable user in DA path
+ * - PATH_ACL_TO_DA: ACL chain to Domain Admin
+ * - PATH_SERVICE_TO_DA: Service account with path to DA
+ * - PATH_CERTIFICATE_ESC: ADCS template vulnerability to DA
+ *
+ * HIGH (5):
+ * - PATH_ASREP_TO_ADMIN: AS-REP roastable user in admin group
+ * - PATH_DELEGATION_CHAIN: Delegation chain to privileged target
+ * - PATH_NESTED_ADMIN: Excessive group nesting to admin
+ * - PATH_COMPUTER_TAKEOVER: RBCD attack path
+ * - PATH_GPO_TO_DA: GPO modification leads to DA
+ *
+ * MEDIUM (1):
+ * - PATH_TRUST_LATERAL: Trust enables lateral movement
+ */
+import { ADUser, ADGroup, ADComputer, AclEntry } from '../../../../types/ad.types';
+import { Finding } from '../../../../types/finding.types';
+import { toAffectedUserEntities } from '../../../../utils/entity-converter';
+import {
+  buildGroupMembershipGraph,
+  buildAclGraph,
+  addDelegationEdges,
+  detectNestingDepth,
+  isPrivilegedMember,
+  PRIVILEGED_GROUPS,
+} from '../../../../utils/graph.util';
+import { ADGPO } from '../../../../types/gpo.types';
+import { ADTrustExtended } from '../../../../types/trust.types';
+/**
+ * Detect kerberoastable users with path to Domain Admin
+ * Users with SPNs that are members (direct or nested) of privileged groups
+ */
+export function detectPathKerberoastingToDA(
+  users: ADUser[],
+  groups: ADGroup[],
+  computers: ADComputer[],
+  includeDetails: boolean
+): Finding {
+  const graph = buildGroupMembershipGraph(users, groups, computers);
+  // Find kerberoastable users (have SPN and are enabled)
+  const kerberoastableUsers = users.filter((u) => {
+    const spn = u['servicePrincipalName'];
+    const hasSPN = spn && Array.isArray(spn) && spn.length > 0;
+    return hasSPN && u.enabled;
+  });
+  // Check which ones have path to privileged groups
+  const affected = kerberoastableUsers.filter((u) => isPrivilegedMember(u.dn, graph));
+  return {
+    type: 'PATH_KERBEROASTING_TO_DA',
+    severity: 'critical',
+    category: 'attack-paths',
+    title: 'Kerberoasting Path to Domain Admin',
+    description:
+      'User with SPN is member of privileged group. Kerberoasting this account and cracking the password leads to Domain Admin compromise.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            attackVector: 'Request TGS ticket → Offline crack → Domain Admin access',
+            mitigation: 'Use gMSA for service accounts, remove from privileged groups, use long complex passwords',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect AS-REP roastable users with path to admin groups
+ * Users without Kerberos pre-auth that are in admin groups
+ */
+export function detectPathAsrepToAdmin(
+  users: ADUser[],
+  groups: ADGroup[],
+  computers: ADComputer[],
+  includeDetails: boolean
+): Finding {
+  const graph = buildGroupMembershipGraph(users, groups, computers);
+  // Find AS-REP roastable users (DONT_REQUIRE_PREAUTH flag)
+  const asrepUsers = users.filter((u) => {
+    const hasNoPreauth = u.userAccountControl ? (u.userAccountControl & 0x400000) !== 0 : false;
+    return hasNoPreauth && u.enabled;
+  });
+  // Check which ones have path to privileged groups
+  const affected = asrepUsers.filter((u) => isPrivilegedMember(u.dn, graph));
+  return {
+    type: 'PATH_ASREP_TO_ADMIN',
+    severity: 'high',
+    category: 'attack-paths',
+    title: 'AS-REP Roasting Path to Admin',
+    description:
+      'User without Kerberos pre-authentication is member of admin group. AS-REP roasting can lead to admin compromise.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            attackVector: 'Request AS-REP → Offline crack → Admin access',
+            mitigation: 'Enable Kerberos pre-authentication, remove from admin groups',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect ACL-based privilege escalation paths to Domain Admin
+ * Non-privileged users with write access chain to admin objects
+ */
+export function detectPathAclToDA(
+  users: ADUser[],
+  groups: ADGroup[],
+  computers: ADComputer[],
+  aclEntries: AclEntry[],
+  includeDetails: boolean
+): Finding {
+  // Build combined graph
+  const graph = buildGroupMembershipGraph(users, groups, computers);
+  buildAclGraph(aclEntries, graph);
+  // Find non-privileged users with paths to privileged targets
+  const nonPrivilegedUsers = users.filter((u) => u.enabled && u.adminCount !== 1);
+  const pathsFound: { user: ADUser; pathLength: number }[] = [];
+  for (const user of nonPrivilegedUsers) {
+    const path = graph.findShortestPathToPrivileged(user.dn, 4);
+    if (path && path.edges.some((e) => e.type === 'canModify')) {
+      pathsFound.push({ user, pathLength: path.length });
+    }
+  }
+  // Sort by path length (shorter = more dangerous)
+  pathsFound.sort((a, b) => a.pathLength - b.pathLength);
+  const affected = pathsFound.map((p) => p.user);
+  return {
+    type: 'PATH_ACL_TO_DA',
+    severity: 'critical',
+    category: 'attack-paths',
+    title: 'ACL-Based Privilege Escalation to Domain Admin',
+    description:
+      'Non-privileged users can escalate to Domain Admin through ACL chain (WriteDACL, GenericAll, WriteOwner).',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected.slice(0, 50)) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            attackVector: 'Modify ACL → Take ownership → Add to DA group',
+            shortestPath: pathsFound[0]?.pathLength,
+            totalPaths: pathsFound.length,
+            mitigation: 'Review and restrict dangerous ACL permissions',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect delegation chains to privileged targets
+ * Users/computers with constrained delegation to privileged services
+ */
+export function detectPathDelegationChain(
+  users: ADUser[],
+  computers: ADComputer[],
+  groups: ADGroup[],
+  includeDetails: boolean
+): Finding {
+  const graph = buildGroupMembershipGraph(users, groups, computers);
+  addDelegationEdges(users, computers, graph);
+  // Find users with delegation rights
+  const usersWithDelegation = users.filter((u) => {
+    const allowedTo = (u as any)['msDS-AllowedToDelegateTo'];
+    return allowedTo && Array.isArray(allowedTo) && allowedTo.length > 0;
+  });
+  // Find computers with delegation rights
+  const computersWithDelegation = computers.filter((c) => {
+    const allowedTo = (c as any)['msDS-AllowedToDelegateTo'];
+    return allowedTo && Array.isArray(allowedTo) && allowedTo.length > 0;
+  });
+  // Check if delegation targets include privileged services (DC services, admin workstations)
+  const dcServicePatterns = ['ldap/', 'cifs/', 'host/', 'krbtgt/'];
+  const affectedUsers: ADUser[] = [];
+  for (const user of usersWithDelegation) {
+    const targets = (user as any)['msDS-AllowedToDelegateTo'] as string[];
+    const hasDCTarget = targets.some((t) =>
+      dcServicePatterns.some((p) => t.toLowerCase().startsWith(p.toLowerCase()))
+    );
+    if (hasDCTarget) {
+      affectedUsers.push(user);
+    }
+  }
+  return {
+    type: 'PATH_DELEGATION_CHAIN',
+    severity: 'high',
+    category: 'attack-paths',
+    title: 'Delegation Chain to Privileged Target',
+    description:
+      'Accounts with constrained delegation to domain controller services. Can be exploited to impersonate privileged users.',
+    count: affectedUsers.length + computersWithDelegation.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affectedUsers) : undefined,
+    details: {
+      usersWithDelegation: usersWithDelegation.length,
+      computersWithDelegation: computersWithDelegation.length,
+      attackVector: 'Request S4U2Self → S4U2Proxy to DC service → Impersonate DA',
+      mitigation: 'Remove unnecessary delegation, use Protected Users group',
+    },
+  };
+}
+/**
+ * Detect excessive group nesting leading to admin access
+ * Groups nested more than 3 levels deep reaching admin groups
+ */
+export function detectPathNestedAdmin(
+  users: ADUser[],
+  groups: ADGroup[],
+  includeDetails: boolean
+): Finding {
+  const EXCESSIVE_DEPTH = 3;
+  // Find privileged groups
+  const privilegedGroupDns = groups
+    .filter((g) =>
+      PRIVILEGED_GROUPS.some(
+        (pg) =>
+          g.sAMAccountName?.toLowerCase().includes(pg.toLowerCase()) ||
+          g.dn.toLowerCase().includes(`cn=${pg.toLowerCase()}`)
+      )
+    )
+    .map((g) => g.dn);
+  // Find users in deeply nested paths to admin
+  const affected: ADUser[] = [];
+  const deepNestingDetails: { user: string; depth: number; group: string }[] = [];
+  for (const user of users) {
+    if (!user.memberOf || user.memberOf.length === 0) continue;
+    for (const groupDn of user.memberOf) {
+      const depth = detectNestingDepth(groupDn, groups);
+      // Check if this chain reaches a privileged group
+      if (depth > EXCESSIVE_DEPTH) {
+        // Check if any parent in chain is privileged
+        const group = groups.find((g) => g.dn.toLowerCase() === groupDn.toLowerCase());
+        if (group?.memberOf?.some((parent) => privilegedGroupDns.includes(parent))) {
+          affected.push(user);
+          deepNestingDetails.push({
+            user: user.sAMAccountName,
+            depth,
+            group: groupDn,
+          });
+          break;
+        }
+      }
+    }
+  }
+  return {
+    type: 'PATH_NESTED_ADMIN',
+    severity: 'high',
+    category: 'attack-paths',
+    title: 'Excessive Group Nesting to Admin',
+    description: `Users reach admin groups through excessive nesting (>${EXCESSIVE_DEPTH} levels). Makes privilege review difficult and may hide admin access.`,
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            threshold: EXCESSIVE_DEPTH,
+            deepestNesting: Math.max(...deepNestingDetails.map((d) => d.depth), 0),
+            mitigation: 'Flatten group structure, limit nesting to 2-3 levels',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect service accounts with path to Domain Admin
+ * Service accounts (SPN) that can reach DA through various vectors
+ */
+export function detectPathServiceToDA(
+  users: ADUser[],
+  groups: ADGroup[],
+  computers: ADComputer[],
+  aclEntries: AclEntry[],
+  includeDetails: boolean
+): Finding {
+  const graph = buildGroupMembershipGraph(users, groups, computers);
+  buildAclGraph(aclEntries, graph);
+  addDelegationEdges(users, computers, graph);
+  // Service accounts = users with SPNs
+  const serviceAccounts = users.filter((u) => {
+    const spn = u['servicePrincipalName'];
+    const hasSPN = spn && Array.isArray(spn) && spn.length > 0;
+    return hasSPN && u.enabled;
+  });
+  // Check which have any path to DA (membership, ACL, delegation)
+  const affected = serviceAccounts.filter((sa) => {
+    const path = graph.findShortestPathToPrivileged(sa.dn, 5);
+    return path !== null;
+  });
+  return {
+    type: 'PATH_SERVICE_TO_DA',
+    severity: 'critical',
+    category: 'attack-paths',
+    title: 'Service Account Path to Domain Admin',
+    description:
+      'Service accounts with paths to Domain Admin through membership, ACLs, or delegation. Compromising these accounts leads to DA.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            totalServiceAccounts: serviceAccounts.length,
+            withPathToDA: affected.length,
+            attackVector: 'Kerberoast/Credential theft → Exploit path → Domain Admin',
+            mitigation: 'Use gMSA, minimize service account privileges, regular password rotation',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect RBCD attack paths
+ * Computers with Resource-Based Constrained Delegation configured
+ */
+export function detectPathComputerTakeover(
+  computers: ADComputer[],
+  users: ADUser[],
+  groups: ADGroup[],
+  includeDetails: boolean
+): Finding {
+  const graph = buildGroupMembershipGraph(users, groups, computers);
+  // Find computers with RBCD configured
+  const rbcdComputers = computers.filter((c) => {
+    const rbcd = (c as any)['msDS-AllowedToActOnBehalfOfOtherIdentity'];
+    return rbcd && rbcd !== '';
+  });
+  // Check which are privileged (DCs, admin workstations)
+  const dcPattern = /^(dc|domain controller)/i;
+  const affected = rbcdComputers.filter((c) => {
+    const computerMemberOf = c['memberOf'] as string[] | undefined;
+    const isDC = dcPattern.test(c.sAMAccountName || '') || computerMemberOf?.some((g: string) => g.includes('Domain Controllers'));
+    const isPrivileged = graph.isPrivileged(c.dn);
+    return isDC || isPrivileged;
+  });
+  return {
+    type: 'PATH_COMPUTER_TAKEOVER',
+    severity: 'high',
+    category: 'attack-paths',
+    title: 'RBCD Computer Takeover Path',
+    description:
+      'Privileged computers have Resource-Based Constrained Delegation configured. Attackers controlling the delegating principal can compromise these computers.',
+    count: affected.length,
+    affectedEntities: includeDetails
+      ? affected.map((c) => ({
+          type: 'computer' as const,
+          id: c.dn,
+          displayName: c.sAMAccountName || c.dn,
+          sAMAccountName: c.sAMAccountName,
+          dNSHostName: c.dNSHostName || null,
+          operatingSystem: c.operatingSystem || null,
+          operatingSystemVersion: c.operatingSystemVersion || null,
+          whenCreated: null,
+          whenChanged: null,
+          lastLogon: null,
+          pwdLastSet: null,
+          enabled: c.enabled ?? true,
+          userAccountControl: 0,
+        }))
+      : undefined,
+    details: {
+      totalRbcdComputers: rbcdComputers.length,
+      privilegedRbcdComputers: affected.length,
+      attackVector: 'Control delegating account → RBCD → Impersonate on target',
+      mitigation: 'Remove RBCD from privileged computers, monitor msDS-AllowedToActOnBehalfOfOtherIdentity',
+    },
+  };
+}
+/**
+ * Detect GPO modification paths to Domain Admin
+ * Non-admins who can modify GPOs applied to privileged users/computers
+ */
+export function detectPathGpoToDA(
+  gpos: ADGPO[],
+  aclEntries: AclEntry[],
+  includeDetails: boolean
+): Finding {
+  // Find GPOs with weak ACLs (non-admin can modify)
+  const adminSids = [
+    'S-1-5-32-544', // Administrators
+    'S-1-5-21-*-512', // Domain Admins pattern
+    'S-1-5-21-*-519', // Enterprise Admins pattern
+  ];
+  const vulnerableGpos: ADGPO[] = [];
+  for (const gpo of gpos) {
+    // Find ACLs for this GPO
+    const gpoAcls = aclEntries.filter((acl) => acl.objectDn.toLowerCase() === gpo.dn.toLowerCase());
+    // Check for dangerous write permissions from non-admin principals
+    const hasWeakAcl = gpoAcls.some((acl) => {
+      const isAdmin = adminSids.some((pattern) => {
+        if (pattern.includes('*')) {
+          const regex = new RegExp(pattern.replace('*', '.*'));
+          return regex.test(acl.trustee);
+        }
+        return acl.trustee === pattern;
+      });
+      // Has write permission but not an admin
+      const hasWrite = (acl.accessMask & 0x40000000) !== 0 || (acl.accessMask & 0x10000000) !== 0;
+      // aceType is string '0' for ACCESS_ALLOWED_ACE_TYPE
+      return hasWrite && !isAdmin && String(acl.aceType) === '0';
+    });
+    if (hasWeakAcl) {
+      vulnerableGpos.push(gpo);
+    }
+  }
+  return {
+    type: 'PATH_GPO_TO_DA',
+    severity: 'critical',
+    category: 'attack-paths',
+    title: 'GPO Modification Path to Domain Admin',
+    description:
+      'GPOs can be modified by non-admin users. If these GPOs apply to privileged users or DCs, attackers can achieve Domain Admin.',
+    count: vulnerableGpos.length,
+    affectedEntities: includeDetails ? vulnerableGpos.map((g) => g.dn) : undefined,
+    details:
+      vulnerableGpos.length > 0
+        ? {
+            vulnerableGpos: vulnerableGpos.map((g) => g.displayName || g.cn),
+            attackVector: 'Modify GPO → Add malicious script/scheduled task → Execute on DA logon',
+            mitigation: 'Restrict GPO modification rights, implement GPO change monitoring',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect ADCS certificate template paths to Domain Admin
+ * Vulnerable ESC templates that enable DA compromise
+ */
+export function detectPathCertificateEsc(
+  templates: any[],
+  users: ADUser[],
+  _groups: ADGroup[],
+  _computers: ADComputer[],
+  includeDetails: boolean
+): Finding {
+  // Note: groups and computers could be used for more complex enrollment permission checks
+  // Find ESC1-like templates (client auth + enrollee supplies subject)
+  const vulnerableTemplates = templates.filter((t) => {
+    const hasClientAuth = t.pKIExtendedKeyUsage?.includes('1.3.6.1.5.5.7.3.2');
+    const enrolleeSupplies = t['msPKI-Certificate-Name-Flag'] && (t['msPKI-Certificate-Name-Flag'] & 0x1) !== 0;
+    return hasClientAuth && enrolleeSupplies;
+  });
+  if (vulnerableTemplates.length === 0) {
+    return {
+      type: 'PATH_CERTIFICATE_ESC',
+      severity: 'critical',
+      category: 'attack-paths',
+      title: 'Certificate Template Escalation to Domain Admin',
+      description: 'No vulnerable certificate templates that enable privilege escalation to Domain Admin.',
+      count: 0,
+    };
+  }
+  // Find non-admin users who can enroll
+  // This is simplified - full check would require CA enrollment permissions
+  const usersWhoCanEnroll = users.filter((u) => u.enabled && u.adminCount !== 1);
+  return {
+    type: 'PATH_CERTIFICATE_ESC',
+    severity: 'critical',
+    category: 'attack-paths',
+    title: 'Certificate Template Escalation to Domain Admin',
+    description:
+      'Vulnerable certificate templates (ESC1-like) allow users to request certificates for any user including Domain Admins.',
+    count: vulnerableTemplates.length,
+    affectedEntities: includeDetails ? vulnerableTemplates.map((t) => t.dn || t.cn) : undefined,
+    details: {
+      vulnerableTemplates: vulnerableTemplates.map((t) => t.cn || t.name),
+      attackVector: 'Enroll in vulnerable template → Request cert as DA → Authenticate as DA',
+      potentialAttackers: usersWhoCanEnroll.length,
+      mitigation:
+        'Disable ENROLLEE_SUPPLIES_SUBJECT flag, restrict enrollment permissions, use Certificate Manager Approval',
+    },
+  };
+}
+/**
+ * Detect trust relationships enabling lateral movement
+ * Trusts without SID filtering or with bidirectional access
+ */
+export function detectPathTrustLateral(trusts: ADTrustExtended[], includeDetails: boolean): Finding {
+  const riskyTrusts = trusts.filter((t) => {
+    // SID filtering disabled = can inject SIDs from trusted domain
+    const noSidFiltering = !t.sidFilteringEnabled;
+    // Bidirectional = both domains can authenticate to each other
+    const bidirectional = t.trustDirection === 3 || t.direction === 'bidirectional';
+    // Forest trust without selective auth
+    const forestNoSelectiveAuth = t.type === 'forest' && !t.selectiveAuthEnabled;
+    return noSidFiltering || (bidirectional && forestNoSelectiveAuth);
+  });
+  return {
+    type: 'PATH_TRUST_LATERAL',
+    severity: 'high',
+    category: 'attack-paths',
+    title: 'Trust Relationship Enables Lateral Movement',
+    description:
+      'Domain trusts configured without proper security controls (SID filtering, selective authentication). Compromising trusted domain can lead to this domain.',
+    count: riskyTrusts.length,
+    affectedEntities: includeDetails ? riskyTrusts.map((t) => t.name) : undefined,
+    details:
+      riskyTrusts.length > 0
+        ? {
+            totalTrusts: trusts.length,
+            riskyTrusts: riskyTrusts.map((t) => ({
+              name: t.name,
+              direction: t.direction,
+              type: t.type,
+              sidFiltering: t.sidFilteringEnabled,
+              selectiveAuth: t.selectiveAuthEnabled,
+            })),
+            attackVector: 'Compromise trusted domain → Exploit trust → Access this domain',
+            mitigation: 'Enable SID filtering, use selective authentication for forest trusts',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect all attack path vulnerabilities
+ */
+export function detectAttackPathVulnerabilities(
+  users: ADUser[],
+  groups: ADGroup[],
+  computers: ADComputer[],
+  aclEntries: AclEntry[],
+  gpos: ADGPO[],
+  trusts: ADTrustExtended[],
+  templates: any[],
+  includeDetails: boolean
+): Finding[] {
+  return [
+    // Critical
+    detectPathKerberoastingToDA(users, groups, computers, includeDetails),
+    detectPathAclToDA(users, groups, computers, aclEntries, includeDetails),
+    detectPathServiceToDA(users, groups, computers, aclEntries, includeDetails),
+    detectPathCertificateEsc(templates, users, groups, computers, includeDetails),
+    // High
+    detectPathAsrepToAdmin(users, groups, computers, includeDetails),
+    detectPathDelegationChain(users, computers, groups, includeDetails),
+    detectPathNestedAdmin(users, groups, includeDetails),
+    detectPathComputerTakeover(computers, users, groups, includeDetails),
+    detectPathGpoToDA(gpos, aclEntries, includeDetails),
+    // Medium
+    detectPathTrustLateral(trusts, includeDetails),
+  ].filter((finding) => finding.count > 0);
+}