npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/services/audit/detectors/ad/index.ts ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * Active Directory Vulnerability Detectors
+ *
+ * Exports all AD vulnerability detection functions
+ * Story 1.7: AD Vulnerability Detection Engine
+ *
+ * Total: 216 vulnerabilities across 14 categories
+ * - Password: 10 vulnerabilities (+3 Phase 3)
+ * - Kerberos: 12 vulnerabilities (+4 Phase 4)
+ * - Accounts: 31 vulnerabilities (+3 Phase 4)
+ * - Groups: 14 vulnerabilities (+3 Phase 4)
+ * - Computers: 28 vulnerabilities (+2 Phase 4)
+ * - Advanced: 35 vulnerabilities (+3 Phase 4)
+ * - Permissions: 15 vulnerabilities (+6 Phase 4)
+ * - ADCS: 11 vulnerabilities (ESC1-ESC11)
+ * - GPO: 9 vulnerabilities (+2 Phase 4)
+ * - Trusts: 7 vulnerabilities
+ * - Attack Paths: 10 vulnerabilities (Phase 2A)
+ * - Monitoring: 8 vulnerabilities (Phase 2B)
+ * - Compliance: 23 vulnerabilities (+8 Industry Frameworks: PCI-DSS, SOC2, GDPR, SOX, DORA, HIPAA, ISO27001)
+ * - Network: 12 vulnerabilities (Phase 3)
+ */
+// Password detectors
+export * from './password.detector';
+// Kerberos detectors
+export * from './kerberos.detector';
+// Accounts detectors
+export * from './accounts.detector';
+// Groups detectors
+export * from './groups.detector';
+// Computers detectors
+export * from './computers.detector';
+// Advanced detectors (excluding ESC functions which are in adcs.detector)
+export {
+  detectShadowCredentials,
+  detectRbcdAbuse,
+  detectLapsNotDeployed,
+  detectLapsPasswordReadable,
+  detectLapsLegacyAttribute,
+  detectLapsPasswordSet,
+  detectLapsPasswordLeaked,
+  detectDuplicateSpn,
+  detectWeakPasswordPolicy,
+  detectWeakKerberosPolicy,
+  detectMachineAccountQuotaAbuse,
+  detectDelegationPrivilege,
+  detectAdcsWeakPermissions,
+  detectDangerousLogonScripts,
+  detectForeignSecurityPrincipals,
+  detectReplicationRights,
+  detectDcsyncCapable,
+  detectNtlmRelayOpportunity,
+  detectAdvancedVulnerabilities,
+} from './advanced.detector';
+// Permissions detectors
+export * from './permissions.detector';
+// ADCS detectors (ESC1-ESC8) - replaces legacy ESC functions from advanced.detector
+export * from './adcs.detector';
+// GPO detectors
+export * from './gpo.detector';
+// Trusts detectors
+export * from './trusts.detector';
+// Attack Paths detectors (Phase 2A)
+export * from './attack-paths.detector';
+// Monitoring detectors (Phase 2B)
+export * from './monitoring.detector';
+// Compliance detectors (Phase 3)
+export * from './compliance.detector';
+// Network detectors (Phase 3)
+export * from './network.detector';

package/src/services/audit/detectors/ad/kerberos.detector.ts ADDED Viewed

@@ -0,0 +1,424 @@
+/**
+ * Kerberos Security Vulnerability Detector
+ *
+ * Detects Kerberos-related vulnerabilities in AD.
+ * Story 1.7: AD Vulnerability Detection Engine
+ *
+ * Vulnerabilities detected (12):
+ * - ASREP_ROASTING_RISK (Critical)
+ * - UNCONSTRAINED_DELEGATION (Critical)
+ * - GOLDEN_TICKET_RISK (Critical)
+ * - KERBEROASTING_RISK (High)
+ * - CONSTRAINED_DELEGATION (High)
+ * - WEAK_ENCRYPTION_DES (High)
+ * - WEAK_ENCRYPTION_RC4 (Medium)
+ * - WEAK_ENCRYPTION_FLAG (Medium)
+ * - KERBEROS_AES_DISABLED (High) - Phase 4
+ * - KERBEROS_RC4_FALLBACK (Medium) - Phase 4
+ * - KERBEROS_TICKET_LIFETIME_LONG (Medium) - Phase 4
+ * - KERBEROS_RENEWABLE_TICKET_LONG (Low) - Phase 4
+ */
+import { ADUser } from '../../../../types/ad.types';
+import { Finding } from '../../../../types/finding.types';
+import { toAffectedUserEntities } from '../../../../utils/entity-converter';
+/**
+ * Check for ASREP roasting risk (no Kerberos pre-authentication)
+ * UAC flag 0x400000 = DONT_REQ_PREAUTH
+ */
+export function detectAsrepRoastingRisk(users: ADUser[], includeDetails: boolean): Finding {
+  const affected = users.filter((u) => {
+    if (!u.userAccountControl) return false;
+    return (u.userAccountControl & 0x400000) !== 0;
+  });
+  return {
+    type: 'ASREP_ROASTING_RISK',
+    severity: 'critical',
+    category: 'kerberos',
+    title: 'AS-REP Roasting Risk',
+    description: 'User accounts without Kerberos pre-authentication required (UAC 0x400000). Vulnerable to AS-REP roasting attacks.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for unconstrained delegation
+ * UAC flag 0x80000 = TRUSTED_FOR_DELEGATION
+ */
+export function detectUnconstrainedDelegation(users: ADUser[], includeDetails: boolean): Finding {
+  const affected = users.filter((u) => {
+    if (!u.userAccountControl) return false;
+    return (u.userAccountControl & 0x80000) !== 0;
+  });
+  return {
+    type: 'UNCONSTRAINED_DELEGATION',
+    severity: 'critical',
+    category: 'kerberos',
+    title: 'Unconstrained Delegation',
+    description: 'User accounts with unconstrained Kerberos delegation enabled (UAC 0x80000). Can impersonate any user.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for Golden Ticket risk (krbtgt password old)
+ */
+export function detectGoldenTicketRisk(users: ADUser[], includeDetails: boolean): Finding {
+  const krbtgtAccount = users.find((u) => u.sAMAccountName === 'krbtgt');
+  if (!krbtgtAccount || !krbtgtAccount.passwordLastSet) {
+    return {
+      type: 'GOLDEN_TICKET_RISK',
+      severity: 'critical',
+      category: 'kerberos',
+      title: 'Golden Ticket Risk',
+      description: 'krbtgt account password unchanged for 180+ days or password date unavailable. Enables persistent Golden Ticket attacks.',
+      count: 0,
+    };
+  }
+  const now = Date.now();
+  const sixMonthsAgo = now - 180 * 24 * 60 * 60 * 1000;
+  const passwordAge = krbtgtAccount.passwordLastSet.getTime();
+  const isOld = passwordAge < sixMonthsAgo;
+  return {
+    type: 'GOLDEN_TICKET_RISK',
+    severity: 'critical',
+    category: 'kerberos',
+    title: 'Golden Ticket Risk',
+    description: `krbtgt account password unchanged for 180+ days. Enables persistent Golden Ticket attacks.`,
+    count: isOld ? 1 : 0,
+    affectedEntities: includeDetails && isOld ? [krbtgtAccount.dn] : undefined,
+  };
+}
+/**
+ * Check for Kerberoasting risk (user with SPN)
+ */
+export function detectKerberoastingRisk(users: ADUser[], includeDetails: boolean): Finding {
+  const affected = users.filter((u) => {
+    const spns = (u as any)['servicePrincipalName'];
+    return spns && Array.isArray(spns) && spns.length > 0;
+  });
+  return {
+    type: 'KERBEROASTING_RISK',
+    severity: 'high',
+    category: 'kerberos',
+    title: 'Kerberoasting Risk',
+    description: 'User accounts with Service Principal Names (SPNs). Vulnerable to Kerberoasting attacks to crack service account passwords.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for constrained delegation
+ * UAC flag 0x1000000 = TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
+ */
+export function detectConstrainedDelegation(users: ADUser[], includeDetails: boolean): Finding {
+  const affected = users.filter((u) => {
+    if (!u.userAccountControl) return false;
+    return (u.userAccountControl & 0x1000000) !== 0;
+  });
+  return {
+    type: 'CONSTRAINED_DELEGATION',
+    severity: 'high',
+    category: 'kerberos',
+    title: 'Constrained Delegation',
+    description: 'User accounts with constrained Kerberos delegation configured (UAC 0x1000000). Can impersonate users to specific services.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for weak DES encryption
+ * Checks both UAC flag 0x200000 (USE_DES_KEY_ONLY) and msDS-SupportedEncryptionTypes
+ * DES_CBC_CRC = 0x1, DES_CBC_MD5 = 0x2
+ */
+export function detectWeakEncryptionDES(users: ADUser[], includeDetails: boolean): Finding {
+  const DES_TYPES = 0x3; // DES_CBC_CRC (0x1) | DES_CBC_MD5 (0x2)
+  const affected = users.filter((u) => {
+    // Check UAC flag USE_DES_KEY_ONLY
+    if (u.userAccountControl && (u.userAccountControl & 0x200000) !== 0) {
+      return true;
+    }
+    // Check msDS-SupportedEncryptionTypes for DES support
+    const encTypes = (u as any)['msDS-SupportedEncryptionTypes'];
+    if (typeof encTypes === 'number' && (encTypes & DES_TYPES) !== 0) {
+      return true;
+    }
+    return false;
+  });
+  return {
+    type: 'WEAK_ENCRYPTION_DES',
+    severity: 'high',
+    category: 'kerberos',
+    title: 'Weak DES Encryption',
+    description: 'User accounts with DES encryption algorithms enabled (UAC 0x200000 or msDS-SupportedEncryptionTypes). DES is cryptographically broken.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for privileged accounts vulnerable to AS-REP Roasting
+ * High-value targets (Domain Admins, Enterprise Admins, etc.) without pre-auth
+ */
+export function detectAdminAsrepRoastable(users: ADUser[], includeDetails: boolean): Finding {
+  const privilegedGroups = [
+    'Domain Admins',
+    'Enterprise Admins',
+    'Schema Admins',
+    'Administrators',
+    'Account Operators',
+    'Backup Operators',
+    'Server Operators',
+  ];
+  const affected = users.filter((u) => {
+    // Check for DONT_REQ_PREAUTH flag
+    if (!u.userAccountControl || (u.userAccountControl & 0x400000) === 0) {
+      return false;
+    }
+    // Check if user is in a privileged group
+    if (!u.memberOf) return false;
+    return u.memberOf.some((dn) =>
+      privilegedGroups.some((group) => dn.toUpperCase().includes(`CN=${group.toUpperCase()}`))
+    );
+  });
+  return {
+    type: 'ADMIN_ASREP_ROASTABLE',
+    severity: 'critical',
+    category: 'kerberos',
+    title: 'Privileged Account AS-REP Roastable',
+    description:
+      'Privileged accounts (Domain Admins, Enterprise Admins, etc.) without Kerberos pre-authentication. ' +
+      'High-value targets for AS-REP roasting attacks - immediate domain compromise risk.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+    details: affected.length > 0 ? {
+      risk: 'CRITICAL - Privileged account password hash can be obtained offline',
+      recommendation: 'Enable Kerberos pre-authentication immediately for all privileged accounts',
+    } : undefined,
+  };
+}
+/**
+ * Check for RC4-only encryption (no AES)
+ */
+export function detectWeakEncryptionRC4(users: ADUser[], includeDetails: boolean): Finding {
+  const affected = users.filter((u) => {
+    const encTypes = (u as any)['msDS-SupportedEncryptionTypes'];
+    if (typeof encTypes !== 'number') return false;
+    return (encTypes & 4) !== 0 && (encTypes & 24) === 0;
+  });
+  return {
+    type: 'WEAK_ENCRYPTION_RC4',
+    severity: 'medium',
+    category: 'kerberos',
+    title: 'Weak RC4 Encryption',
+    description: 'User accounts supporting RC4 encryption without AES. RC4 is deprecated and vulnerable to attacks.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for USE_DES_KEY_ONLY flag
+ */
+export function detectWeakEncryptionFlag(users: ADUser[], includeDetails: boolean): Finding {
+  const affected = users.filter((u) => {
+    if (!u.userAccountControl) return false;
+    return (u.userAccountControl & 0x200000) !== 0;
+  });
+  return {
+    type: 'WEAK_ENCRYPTION_FLAG',
+    severity: 'medium',
+    category: 'kerberos',
+    title: 'Weak Encryption Flag',
+    description: 'User accounts with USE_DES_KEY_ONLY flag enabled (UAC 0x200000). Forces weak DES encryption.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Detect accounts with AES encryption disabled
+ *
+ * Accounts without AES support are limited to weaker DES/RC4 encryption,
+ * making them vulnerable to offline cracking attacks.
+ *
+ * @param users - Array of AD users
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Finding for KERBEROS_AES_DISABLED
+ */
+export function detectKerberosAesDisabled(users: ADUser[], includeDetails: boolean): Finding {
+  // msDS-SupportedEncryptionTypes: AES128=0x8, AES256=0x10
+  const AES_SUPPORT = 0x18;
+  const affected = users.filter((u) => {
+    if (!u.enabled) return false;
+    const encTypes = (u as Record<string, unknown>)['msDS-SupportedEncryptionTypes'] as
+      | number
+      | undefined;
+    // If explicitly set and doesn't include AES
+    if (encTypes !== undefined && (encTypes & AES_SUPPORT) === 0) {
+      return true;
+    }
+    // If UAC indicates DES-only (0x200000 = USE_DES_KEY_ONLY)
+    if (u.userAccountControl && (u.userAccountControl & 0x200000) !== 0) {
+      return true;
+    }
+    return false;
+  });
+  return {
+    type: 'KERBEROS_AES_DISABLED',
+    severity: 'high',
+    category: 'kerberos',
+    title: 'AES Encryption Disabled',
+    description:
+      'User accounts with AES Kerberos encryption disabled. ' +
+      'Forces use of weaker DES/RC4 encryption vulnerable to offline attacks.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+  };
+}
+/**
+ * Detect accounts with RC4 fallback enabled
+ *
+ * While AES may be supported, RC4 fallback allows downgrade attacks.
+ *
+ * @param users - Array of AD users
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Finding for KERBEROS_RC4_FALLBACK
+ */
+export function detectKerberosRc4Fallback(users: ADUser[], includeDetails: boolean): Finding {
+  // RC4_HMAC_MD5 = 0x4
+  const RC4_SUPPORT = 0x4;
+  const AES_SUPPORT = 0x18;
+  const affected = users.filter((u) => {
+    if (!u.enabled) return false;
+    const encTypes = (u as Record<string, unknown>)['msDS-SupportedEncryptionTypes'] as
+      | number
+      | undefined;
+    if (encTypes === undefined) return false;
+    // Has both AES and RC4 - RC4 should be disabled
+    const hasAes = (encTypes & AES_SUPPORT) !== 0;
+    const hasRc4 = (encTypes & RC4_SUPPORT) !== 0;
+    return hasAes && hasRc4;
+  });
+  return {
+    type: 'KERBEROS_RC4_FALLBACK',
+    severity: 'medium',
+    category: 'kerberos',
+    title: 'RC4 Fallback Enabled',
+    description:
+      'User accounts support both AES and RC4 encryption. ' +
+      'RC4 fallback enables downgrade attacks even when AES is available.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedUserEntities(affected) : undefined,
+    details: {
+      recommendation: 'Disable RC4 support when AES is available.',
+    },
+  };
+}
+/**
+ * Detect long Kerberos ticket lifetime (domain level)
+ *
+ * Very long ticket lifetimes increase the window for ticket theft attacks.
+ *
+ * @param _users - Array of AD users (not used, domain-level check)
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for KERBEROS_TICKET_LIFETIME_LONG
+ */
+export function detectKerberosTicketLifetimeLong(
+  _users: ADUser[],
+  _includeDetails: boolean
+): Finding {
+  // This detection would need domain Kerberos policy data
+  // For now, return a placeholder that reminds to check
+  return {
+    type: 'KERBEROS_TICKET_LIFETIME_LONG',
+    severity: 'medium',
+    category: 'kerberos',
+    title: 'Kerberos Ticket Lifetime Review',
+    description:
+      'Kerberos ticket lifetime should be reviewed. ' +
+      'Default of 10 hours is reasonable; longer lifetimes increase attack window.',
+    count: 0, // Would be 1 if ticket lifetime > 10 hours detected
+    details: {
+      recommendation: 'TGT lifetime should not exceed 10 hours. Service tickets should not exceed 600 minutes.',
+      checkCommand: 'gpresult /r or check Default Domain Policy',
+    },
+  };
+}
+/**
+ * Detect long renewable ticket lifetime
+ *
+ * Very long renewable ticket lifetimes allow persistent access.
+ *
+ * @param _users - Array of AD users (not used, domain-level check)
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for KERBEROS_RENEWABLE_TICKET_LONG
+ */
+export function detectKerberosRenewableTicketLong(
+  _users: ADUser[],
+  _includeDetails: boolean
+): Finding {
+  // This detection would need domain Kerberos policy data
+  return {
+    type: 'KERBEROS_RENEWABLE_TICKET_LONG',
+    severity: 'low',
+    category: 'kerberos',
+    title: 'Kerberos Renewable Ticket Lifetime Review',
+    description:
+      'Renewable ticket lifetime should be reviewed. ' +
+      'Default of 7 days is reasonable; longer allows persistent access with stolen tickets.',
+    count: 0, // Would be 1 if renewable lifetime > 7 days detected
+    details: {
+      recommendation: 'Renewable TGT lifetime should not exceed 7 days.',
+    },
+  };
+}
+/**
+ * Detect all Kerberos-related vulnerabilities
+ */
+export function detectKerberosVulnerabilities(users: ADUser[], includeDetails: boolean): Finding[] {
+  return [
+    detectAsrepRoastingRisk(users, includeDetails),
+    detectAdminAsrepRoastable(users, includeDetails), // NEW: Privileged accounts with ASREP risk
+    detectUnconstrainedDelegation(users, includeDetails),
+    detectGoldenTicketRisk(users, includeDetails),
+    detectKerberoastingRisk(users, includeDetails),
+    detectConstrainedDelegation(users, includeDetails),
+    detectWeakEncryptionDES(users, includeDetails),
+    detectWeakEncryptionRC4(users, includeDetails),
+    detectWeakEncryptionFlag(users, includeDetails),
+    // Phase 4: Advanced Kerberos detections
+    detectKerberosAesDisabled(users, includeDetails),
+    detectKerberosRc4Fallback(users, includeDetails),
+    detectKerberosTicketLifetimeLong(users, includeDetails),
+    detectKerberosRenewableTicketLong(users, includeDetails),
+  ].filter((finding) => finding.count > 0);
+}