npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/services/audit/detectors/ad/groups.detector.ts ADDED Viewed

@@ -0,0 +1,685 @@
+/**
+ * Groups Security Vulnerability Detector
+ *
+ * Detects group-related vulnerabilities in AD.
+ * Story 1.7: AD Vulnerability Detection Engine
+ *
+ * Vulnerabilities detected (14):
+ * - GPO_MODIFY_RIGHTS (High)
+ * - DNS_ADMINS_MEMBER (High)
+ * - OVERSIZED_GROUP_CRITICAL (High)
+ * - OVERSIZED_GROUP_HIGH (Medium)
+ * - OVERSIZED_GROUP (Medium)
+ * - PRE_WINDOWS_2000_ACCESS (Medium)
+ * - DANGEROUS_GROUP_NESTING (Medium)
+ * - GROUP_EMPTY_PRIVILEGED (Low) - Phase 2C
+ * - GROUP_CIRCULAR_NESTING (Medium) - Phase 2C
+ * - GROUP_EXCESSIVE_MEMBERS (Medium) - Phase 2C
+ * - BUILTIN_MODIFIED (High) - Phase 2C
+ * - GROUP_EVERYONE_IN_PRIVILEGED (Critical) - Phase 4
+ * - GROUP_AUTHENTICATED_USERS_PRIVILEGED (High) - Phase 4
+ * - GROUP_PROTECTED_USERS_EMPTY (Medium) - Phase 4
+ */
+import { ADUser, ADGroup } from '../../../../types/ad.types';
+import { Finding } from '../../../../types/finding.types';
+import { toAffectedUserEntities, toAffectedADGroupEntities } from '../../../../utils/entity-converter';
+/**
+ * Check for Group Policy Creator Owners membership
+ */
+export function detectGpoModifyRights(users: ADUser[], includeDetails: boolean): Finding {
+  const affected = users.filter((u) => {
+    if (!u.memberOf) return false;
+    return u.memberOf.some((dn) => dn.includes('CN=Group Policy Creator Owners'));
+  });
+  return {
+    type: 'GPO_MODIFY_RIGHTS',
+    severity: 'high',
+    category: 'groups',
+    title: 'Group Policy Creator Owners Member',
+    description: 'Users in Group Policy Creator Owners group. Can create/modify GPOs and execute code on domain machines.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for DnsAdmins membership
+ */
+export function detectDnsAdminsMember(users: ADUser[], includeDetails: boolean): Finding {
+  const affected = users.filter((u) => {
+    if (!u.memberOf) return false;
+    return u.memberOf.some((dn) => dn.includes('CN=DnsAdmins'));
+  });
+  return {
+    type: 'DNS_ADMINS_MEMBER',
+    severity: 'high',
+    category: 'groups',
+    title: 'DnsAdmins Member',
+    description: 'Users in DnsAdmins group. Can load arbitrary DLLs on domain controllers (escalation to Domain Admin).',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for Pre-Windows 2000 Compatible Access membership
+ */
+export function detectPreWindows2000Access(users: ADUser[], includeDetails: boolean): Finding {
+  const affected = users.filter((u) => {
+    if (!u.memberOf) return false;
+    return u.memberOf.some((dn) => dn.includes('CN=Pre-Windows 2000 Compatible Access'));
+  });
+  return {
+    type: 'PRE_WINDOWS_2000_ACCESS',
+    severity: 'medium',
+    category: 'groups',
+    title: 'Pre-Windows 2000 Compatible Access',
+    description: 'Pre-Windows 2000 Compatible Access group has members. Overly permissive read access to AD objects.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for oversized groups (500+ members)
+ * PingCastle threshold: >500 members = critical
+ */
+export function detectOversizedGroupCritical(groups: ADGroup[], includeDetails: boolean): Finding {
+  const affected = groups.filter((g) => {
+    if (!g.member) return false;
+    return g.member.length > 500;
+  });
+  return {
+    type: 'OVERSIZED_GROUP_CRITICAL',
+    severity: 'high',
+    category: 'groups',
+    title: 'Oversized Group (Critical)',
+    description: 'Groups with 500+ members. Management/audit difficulty, excessive privileges, performance issues.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for oversized groups (200-500 members)
+ */
+export function detectOversizedGroupHigh(groups: ADGroup[], includeDetails: boolean): Finding {
+  const affected = groups.filter((g) => {
+    if (!g.member) return false;
+    return g.member.length > 200 && g.member.length <= 500;
+  });
+  return {
+    type: 'OVERSIZED_GROUP_HIGH',
+    severity: 'medium',
+    category: 'groups',
+    title: 'Oversized Group (High)',
+    description: 'Groups with 200-500 members. Management difficulty and potential privilege creep.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for oversized groups (100-500 members)
+ */
+export function detectOversizedGroup(groups: ADGroup[], includeDetails: boolean): Finding {
+  const affected = groups.filter((g) => {
+    if (!g.member) return false;
+    return g.member.length > 100 && g.member.length <= 500;
+  });
+  return {
+    type: 'OVERSIZED_GROUP',
+    severity: 'medium',
+    category: 'groups',
+    title: 'Oversized Group',
+    description: 'Groups with 100-500 members. May indicate overly broad permissions.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for dangerous group nesting (sensitive groups nested in less sensitive groups)
+ */
+export function detectDangerousGroupNesting(groups: ADGroup[], includeDetails: boolean): Finding {
+  const protectedGroups = [
+    'Domain Admins',
+    'Enterprise Admins',
+    'Schema Admins',
+    'Administrators',
+    'Account Operators',
+    'Backup Operators',
+    'Server Operators',
+    'Print Operators',
+  ];
+  const affected = groups.filter((g) => {
+    if (!g.memberOf) return false;
+    // Check if this is a protected group
+    const isProtected = protectedGroups.some((pg) => g.dn.includes(`CN=${pg}`));
+    if (!isProtected) return false;
+    // Check if it's nested in a non-protected group
+    const hasUnexpectedNesting = g.memberOf.some((dn) => {
+      return !protectedGroups.some((pg) => dn.includes(`CN=${pg}`));
+    });
+    return hasUnexpectedNesting;
+  });
+  return {
+    type: 'DANGEROUS_GROUP_NESTING',
+    severity: 'medium',
+    category: 'groups',
+    title: 'Dangerous Group Nesting',
+    description: 'Sensitive group nested in less sensitive group. Unintended privilege escalation path.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(affected) : undefined,
+  };
+}
+// ==================== PHASE 2C DETECTORS ====================
+/**
+ * Detect empty privileged groups
+ * Privileged groups should either be used or documented as intentionally empty
+ */
+export function detectGroupEmptyPrivileged(groups: ADGroup[], includeDetails: boolean): Finding {
+  const privilegedGroups = [
+    'Domain Admins',
+    'Enterprise Admins',
+    'Schema Admins',
+    'Administrators',
+    'Account Operators',
+    'Server Operators',
+    'Backup Operators',
+    'Print Operators',
+    'DnsAdmins',
+    'Group Policy Creator Owners',
+  ];
+  const affected = groups.filter((g) => {
+    const name = g.sAMAccountName || g.displayName || '';
+    const isPrivileged = privilegedGroups.some(
+      (pg) => name.toLowerCase() === pg.toLowerCase() || g.dn.toLowerCase().includes(`cn=${pg.toLowerCase()}`)
+    );
+    if (!isPrivileged) return false;
+    // Check if group is empty
+    const memberCount = g.member?.length ?? 0;
+    return memberCount === 0;
+  });
+  return {
+    type: 'GROUP_EMPTY_PRIVILEGED',
+    severity: 'low',
+    category: 'groups',
+    title: 'Empty Privileged Group',
+    description:
+      'Privileged groups with no members. While not a vulnerability, empty admin groups may indicate misconfiguration or unused infrastructure.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(affected) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            groups: affected.map((g) => g.sAMAccountName || g.dn),
+            recommendation: 'Document intentionally empty groups or remove if unused.',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect circular group nesting
+ * Groups that are members of each other create infinite loops
+ */
+export function detectGroupCircularNesting(groups: ADGroup[], includeDetails: boolean): Finding {
+  const groupDnMap = new Map<string, ADGroup>();
+  for (const g of groups) {
+    groupDnMap.set(g.dn.toLowerCase(), g);
+  }
+  const circularGroups: ADGroup[] = [];
+  const visited = new Set<string>();
+  const detectCycle = (groupDn: string, path: Set<string>): boolean => {
+    const normalizedDn = groupDn.toLowerCase();
+    if (path.has(normalizedDn)) return true; // Cycle detected
+    if (visited.has(normalizedDn)) return false; // Already checked, no cycle
+    visited.add(normalizedDn);
+    path.add(normalizedDn);
+    const group = groupDnMap.get(normalizedDn);
+    if (group?.memberOf) {
+      for (const parentDn of group.memberOf) {
+        if (groupDnMap.has(parentDn.toLowerCase())) {
+          if (detectCycle(parentDn, path)) {
+            return true;
+          }
+        }
+      }
+    }
+    path.delete(normalizedDn);
+    return false;
+  };
+  for (const group of groups) {
+    visited.clear();
+    if (detectCycle(group.dn, new Set())) {
+      circularGroups.push(group);
+    }
+  }
+  return {
+    type: 'GROUP_CIRCULAR_NESTING',
+    severity: 'medium',
+    category: 'groups',
+    title: 'Circular Group Nesting',
+    description:
+      'Groups contain circular membership references. This can cause authentication issues and makes privilege analysis unreliable.',
+    count: circularGroups.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(circularGroups) : undefined,
+    details:
+      circularGroups.length > 0
+        ? {
+            recommendation: 'Remove circular nesting by reviewing and restructuring group membership.',
+            impact: 'May cause token bloat, authentication failures, and unreliable access control.',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect groups with excessive direct members
+ * Large groups are difficult to manage and review
+ */
+export function detectGroupExcessiveMembers(groups: ADGroup[], includeDetails: boolean): Finding {
+  const EXCESSIVE_THRESHOLD = 100;
+  const affected = groups.filter((g) => {
+    const memberCount = g.member?.length ?? 0;
+    return memberCount > EXCESSIVE_THRESHOLD;
+  });
+  // Sort by member count (most members first)
+  affected.sort((a, b) => (b.member?.length ?? 0) - (a.member?.length ?? 0));
+  return {
+    type: 'GROUP_EXCESSIVE_MEMBERS',
+    severity: 'medium',
+    category: 'groups',
+    title: 'Group with Excessive Members',
+    description: `Groups with more than ${EXCESSIVE_THRESHOLD} direct members. Large groups are difficult to audit and may grant unintended access.`,
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(affected) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            threshold: EXCESSIVE_THRESHOLD,
+            largestGroups: affected.slice(0, 5).map((g) => ({
+              name: g.sAMAccountName || g.dn,
+              memberCount: g.member?.length ?? 0,
+            })),
+            recommendation:
+              'Review large groups and consider breaking into smaller, role-based groups for better access control.',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect builtin groups with non-standard members
+ * Builtin groups should only contain expected system accounts
+ */
+export function detectBuiltinModified(groups: ADGroup[], includeDetails: boolean): Finding {
+  // Builtin groups and their expected default members
+  const builtinDefaults: { [key: string]: string[] } = {
+    Administrators: ['Administrator', 'Domain Admins', 'Enterprise Admins'],
+    Users: ['Domain Users', 'Authenticated Users', 'INTERACTIVE'],
+    Guests: ['Guest', 'Domain Guests'],
+    'Remote Desktop Users': [],
+    'Network Configuration Operators': [],
+    'Performance Monitor Users': [],
+    'Performance Log Users': [],
+    'Distributed COM Users': [],
+    'IIS_IUSRS': [],
+    'Cryptographic Operators': [],
+    'Event Log Readers': [],
+    'Certificate Service DCOM Access': [],
+  };
+  const affected = groups.filter((g) => {
+    const name = g.sAMAccountName || '';
+    // Check if it's a builtin group we monitor
+    if (!builtinDefaults[name]) return false;
+    const expectedMembers = builtinDefaults[name];
+    const actualMembers = g.member ?? [];
+    // Check for unexpected members
+    const hasUnexpectedMembers = actualMembers.some((memberDn) => {
+      const memberCn = memberDn.match(/CN=([^,]+)/i)?.[1] || '';
+      // Check if this member is in the expected list
+      return !expectedMembers.some((exp) => memberCn.toLowerCase().includes(exp.toLowerCase()));
+    });
+    return hasUnexpectedMembers;
+  });
+  return {
+    type: 'BUILTIN_MODIFIED',
+    severity: 'high',
+    category: 'groups',
+    title: 'Builtin Group Modified',
+    description:
+      'Builtin groups contain non-standard members. This may indicate privilege escalation or backdoor access.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(affected) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            groups: affected.map((g) => g.sAMAccountName || g.dn),
+            recommendation:
+              'Review membership of builtin groups and remove unexpected members. Document any intentional additions.',
+            risk: 'Attackers often add accounts to builtin groups for persistent access.',
+          }
+        : undefined,
+  };
+}
+/**
+ * Detect Everyone group in privileged groups
+ *
+ * The Everyone principal should never be a member of privileged groups.
+ * This grants all users (including anonymous) privileged access.
+ *
+ * @param groups - Array of AD groups
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Finding for GROUP_EVERYONE_IN_PRIVILEGED
+ */
+export function detectGroupEveryoneInPrivileged(
+  groups: ADGroup[],
+  includeDetails: boolean
+): Finding {
+  const privilegedGroups = [
+    'Domain Admins',
+    'Enterprise Admins',
+    'Schema Admins',
+    'Administrators',
+    'Account Operators',
+    'Server Operators',
+    'Backup Operators',
+    'Print Operators',
+  ];
+  const affected = groups.filter((g) => {
+    const groupName = g.sAMAccountName || g.cn || '';
+    const isPrivileged = privilegedGroups.some(
+      (pg) => groupName.toLowerCase() === pg.toLowerCase()
+    );
+    if (!isPrivileged || !g.member) return false;
+    // Check if Everyone (S-1-1-0) or World is a member
+    return g.member.some(
+      (m) =>
+        m.toLowerCase().includes('everyone') ||
+        m.includes('S-1-1-0') ||
+        m.toLowerCase().includes('world')
+    );
+  });
+  return {
+    type: 'GROUP_EVERYONE_IN_PRIVILEGED',
+    severity: 'critical',
+    category: 'groups',
+    title: 'Everyone in Privileged Group',
+    description:
+      'The Everyone principal is a member of a privileged group. ' +
+      'This grants ALL users (including anonymous) administrative privileges.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(affected) : undefined,
+    details: {
+      recommendation: 'Immediately remove Everyone from privileged groups.',
+      risk: 'Complete domain compromise - anyone can authenticate as admin.',
+    },
+  };
+}
+/**
+ * Detect Authenticated Users in privileged groups
+ *
+ * Authenticated Users should not be members of privileged groups.
+ * This grants all domain users admin access.
+ *
+ * @param groups - Array of AD groups
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Finding for GROUP_AUTHENTICATED_USERS_PRIVILEGED
+ */
+export function detectGroupAuthenticatedUsersPrivileged(
+  groups: ADGroup[],
+  includeDetails: boolean
+): Finding {
+  const privilegedGroups = [
+    'Domain Admins',
+    'Enterprise Admins',
+    'Schema Admins',
+    'Administrators',
+    'Account Operators',
+    'Server Operators',
+    'Backup Operators',
+  ];
+  const affected = groups.filter((g) => {
+    const groupName = g.sAMAccountName || g.cn || '';
+    const isPrivileged = privilegedGroups.some(
+      (pg) => groupName.toLowerCase() === pg.toLowerCase()
+    );
+    if (!isPrivileged || !g.member) return false;
+    // Check if Authenticated Users (S-1-5-11) is a member
+    return g.member.some(
+      (m) =>
+        m.toLowerCase().includes('authenticated users') ||
+        m.includes('S-1-5-11') ||
+        m.toLowerCase().includes('utilisateurs authentifiés')
+    );
+  });
+  return {
+    type: 'GROUP_AUTHENTICATED_USERS_PRIVILEGED',
+    severity: 'high',
+    category: 'groups',
+    title: 'Authenticated Users in Privileged Group',
+    description:
+      'Authenticated Users principal is a member of a privileged group. ' +
+      'This grants ALL authenticated domain users administrative privileges.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedADGroupEntities(affected) : undefined,
+    details: {
+      recommendation: 'Remove Authenticated Users from privileged groups immediately.',
+      risk: 'Any domain user can perform administrative actions.',
+    },
+  };
+}
+/**
+ * Detect empty Protected Users group
+ *
+ * The Protected Users group provides enhanced security for privileged accounts.
+ * If empty, privileged accounts lack these protections.
+ *
+ * @param groups - Array of AD groups
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for GROUP_PROTECTED_USERS_EMPTY
+ */
+export function detectGroupProtectedUsersEmpty(
+  groups: ADGroup[],
+  _includeDetails: boolean
+): Finding {
+  const protectedUsersGroup = groups.find(
+    (g) =>
+      (g.sAMAccountName || g.cn || '').toLowerCase() === 'protected users'
+  );
+  const isEmpty =
+    !protectedUsersGroup ||
+    !protectedUsersGroup.member ||
+    protectedUsersGroup.member.length === 0;
+  return {
+    type: 'GROUP_PROTECTED_USERS_EMPTY',
+    severity: 'medium',
+    category: 'groups',
+    title: 'Protected Users Group Empty',
+    description:
+      'The Protected Users group has no members. ' +
+      'Privileged accounts should be added to this group for enhanced security (NTLM disabled, Kerberos delegation blocked, credential caching prevented).',
+    count: isEmpty ? 1 : 0,
+    details: {
+      memberCount: protectedUsersGroup?.member?.length || 0,
+      recommendation:
+        'Add Domain Admins, Enterprise Admins, and other privileged accounts to Protected Users group.',
+      benefits: [
+        'NTLM authentication disabled',
+        'Kerberos delegation blocked',
+        'Credential caching prevented',
+        'DES/RC4 encryption disabled',
+      ],
+    },
+  };
+}
+/**
+ * Detect excessive privileged accounts
+ * Flags when there are too many accounts in high-privilege groups
+ * PingCastle threshold: > 10 Domain Admins, > 50 total privileged
+ */
+export function detectExcessivePrivilegedAccounts(
+  users: ADUser[],
+  groups: ADGroup[],
+  includeDetails: boolean
+): Finding {
+  const privilegedGroupNames = [
+    'Domain Admins',
+    'Enterprise Admins',
+    'Schema Admins',
+    'Administrators',
+    'Account Operators',
+    'Backup Operators',
+    'Server Operators',
+    'Print Operators',
+  ];
+  // Count unique privileged users
+  const privilegedUsers = new Set<string>();
+  const groupCounts: Record<string, number> = {};
+  for (const user of users) {
+    if (!user.memberOf) continue;
+    for (const groupDn of user.memberOf) {
+      for (const groupName of privilegedGroupNames) {
+        if (groupDn.toUpperCase().includes(`CN=${groupName.toUpperCase()}`)) {
+          privilegedUsers.add(user.dn);
+          groupCounts[groupName] = (groupCounts[groupName] || 0) + 1;
+        }
+      }
+    }
+  }
+  // Also count from group membership directly
+  for (const group of groups) {
+    const groupName = privilegedGroupNames.find((name) =>
+      group.sAMAccountName?.toUpperCase() === name.toUpperCase() ||
+      group.dn?.toUpperCase().includes(`CN=${name.toUpperCase()}`)
+    );
+    if (groupName && group.member) {
+      groupCounts[groupName] = Math.max(groupCounts[groupName] || 0, group.member.length);
+    }
+  }
+  const totalPrivileged = privilegedUsers.size;
+  const domainAdmins = groupCounts['Domain Admins'] || 0;
+  const enterpriseAdmins = groupCounts['Enterprise Admins'] || 0;
+  // Flag if > 10 Domain Admins OR > 50 total privileged (PingCastle thresholds)
+  const isExcessive = domainAdmins > 10 || totalPrivileged > 50;
+  return {
+    type: 'EXCESSIVE_PRIVILEGED_ACCOUNTS',
+    severity: isExcessive ? 'medium' : 'low',
+    category: 'groups',
+    title: 'Excessive Privileged Accounts',
+    description:
+      'Large number of accounts with administrative privileges increases attack surface. ' +
+      'Each privileged account is a potential target for credential theft.',
+    count: isExcessive ? totalPrivileged : 0,
+    affectedEntities: includeDetails && isExcessive
+      ? Array.from(privilegedUsers).map((dn) => {
+          const user = users.find((u) => u.dn === dn);
+          if (user) {
+            const entities = toAffectedUserEntities([user]);
+            return entities[0] || dn;
+          }
+          return dn;
+        })
+      : undefined,
+    details: {
+      totalPrivilegedUsers: totalPrivileged,
+      domainAdmins,
+      enterpriseAdmins,
+      schemaAdmins: groupCounts['Schema Admins'] || 0,
+      administrators: groupCounts['Administrators'] || 0,
+      accountOperators: groupCounts['Account Operators'] || 0,
+      backupOperators: groupCounts['Backup Operators'] || 0,
+      serverOperators: groupCounts['Server Operators'] || 0,
+      printOperators: groupCounts['Print Operators'] || 0,
+      threshold: 'Domain Admins > 10 or total privileged > 50',
+      recommendation: 'Review privileged group memberships and apply least privilege principle.',
+    },
+  };
+}
+/**
+ * Detect all group-related vulnerabilities
+ */
+export function detectGroupsVulnerabilities(
+  users: ADUser[],
+  groups: ADGroup[],
+  includeDetails: boolean
+): Finding[] {
+  return [
+    // User membership checks
+    detectGpoModifyRights(users, includeDetails),
+    detectDnsAdminsMember(users, includeDetails),
+    detectPreWindows2000Access(users, includeDetails),
+    // Group analysis checks
+    detectOversizedGroupCritical(groups, includeDetails),
+    detectOversizedGroupHigh(groups, includeDetails),
+    detectOversizedGroup(groups, includeDetails),
+    detectDangerousGroupNesting(groups, includeDetails),
+    // Phase 2C: Enhanced detections
+    detectGroupEmptyPrivileged(groups, includeDetails),
+    detectGroupCircularNesting(groups, includeDetails),
+    detectGroupExcessiveMembers(groups, includeDetails),
+    detectBuiltinModified(groups, includeDetails),
+    // Phase 4: Advanced detections
+    detectGroupEveryoneInPrivileged(groups, includeDetails),
+    detectGroupAuthenticatedUsersPrivileged(groups, includeDetails),
+    detectGroupProtectedUsersEmpty(groups, includeDetails),
+    // NEW: Excessive privileged accounts
+    detectExcessivePrivilegedAccounts(users, groups, includeDetails),
+  ].filter((finding) => finding.count > 0);
+}