npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/services/audit/detectors/ad/network.detector.ts ADDED Viewed

@@ -0,0 +1,538 @@
+/**
+ * Network Infrastructure Detector
+ *
+ * Detects network-related security issues in Active Directory:
+ * - DNS misconfigurations
+ * - Site topology issues
+ * - SYSVOL/DFSR problems
+ * - Domain Controller health issues
+ *
+ * Story 1.7: AD Vulnerability Detection Engine
+ * Phase 3: Network Infrastructure (12 vulnerabilities)
+ */
+import { ADComputer, ADDomain } from '../../../../types/ad.types';
+import { Finding } from '../../../../types/finding.types';
+import { toAffectedComputerEntities } from '../../../../utils/entity-converter';
+/**
+ * DNS Zone information (simplified)
+ */
+interface DnsZone {
+  name: string;
+  dn: string;
+  zoneType?: number; // 0=cache, 1=primary, 2=secondary, 3=stub, 4=forwarder
+  dynamicUpdate?: number; // 0=none, 1=nonsecure, 2=secure, 3=nonsecureAndSecure
+  secureSecondaries?: number; // 0=noTransfer, 1=transferToZoneServers, 2=transferToAnyServer
+  [key: string]: unknown;
+}
+/**
+ * AD Site information
+ */
+interface ADSite {
+  name: string;
+  dn: string;
+  subnets?: string[];
+  servers?: string[];
+  [key: string]: unknown;
+}
+/**
+ * AD Subnet information
+ */
+interface ADSubnet {
+  name: string;
+  dn: string;
+  site?: string;
+  location?: string;
+  [key: string]: unknown;
+}
+/**
+ * Detect unrestricted DNS zone transfers
+ *
+ * DNS zone transfers allowing any server can expose internal DNS data to attackers.
+ *
+ * @param dnsZones - Array of DNS zones (if available)
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for DNS_ZONE_TRANSFER_UNRESTRICTED
+ */
+export function detectDnsZoneTransferUnrestricted(
+  dnsZones: DnsZone[],
+  _includeDetails: boolean
+): Finding {
+  const affected = dnsZones.filter(
+    (zone) =>
+      zone.secureSecondaries === 2 || // transferToAnyServer
+      zone.secureSecondaries === undefined // Not configured (default may be insecure)
+  );
+  return {
+    type: 'DNS_ZONE_TRANSFER_UNRESTRICTED',
+    severity: 'high',
+    category: 'network',
+    title: 'DNS Zone Transfer Unrestricted',
+    description:
+      'DNS zones allowing zone transfers to any server. Attackers can enumerate DNS records to map internal network topology.',
+    count: affected.length,
+    affectedEntities: affected.map((z) => z.name),
+    details: {
+      zones: affected.map((z) => ({
+        name: z.name,
+        dn: z.dn,
+        secureSecondaries: z.secureSecondaries,
+      })),
+    },
+  };
+}
+/**
+ * Detect insecure DNS dynamic updates
+ *
+ * DNS zones allowing non-secure dynamic updates enable DNS poisoning attacks.
+ *
+ * @param dnsZones - Array of DNS zones (if available)
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for DNS_DYNAMIC_UPDATE_INSECURE
+ */
+export function detectDnsDynamicUpdateInsecure(
+  dnsZones: DnsZone[],
+  _includeDetails: boolean
+): Finding {
+  const affected = dnsZones.filter(
+    (zone) =>
+      zone.dynamicUpdate === 1 || // nonsecure
+      zone.dynamicUpdate === 3 // nonsecureAndSecure
+  );
+  return {
+    type: 'DNS_DYNAMIC_UPDATE_INSECURE',
+    severity: 'high',
+    category: 'network',
+    title: 'DNS Dynamic Update Insecure',
+    description:
+      'DNS zones allowing non-secure dynamic updates. Attackers can inject malicious DNS records without authentication.',
+    count: affected.length,
+    affectedEntities: affected.map((z) => z.name),
+    details: {
+      zones: affected.map((z) => ({
+        name: z.name,
+        dn: z.dn,
+        dynamicUpdate: z.dynamicUpdate,
+      })),
+    },
+  };
+}
+/**
+ * Detect DNS wildcard records
+ *
+ * Wildcard DNS records can be abused for MITM attacks and credential capture.
+ *
+ * @param dnsZones - Array of DNS zones with records (if available)
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for DNS_WILDCARD_RECORDS
+ */
+export function detectDnsWildcardRecords(
+  _dnsZones: DnsZone[],
+  _includeDetails: boolean
+): Finding {
+  // This detection would require querying DNS records within zones
+  // For now, return empty finding as placeholder
+  const affected: DnsZone[] = [];
+  return {
+    type: 'DNS_WILDCARD_RECORDS',
+    severity: 'medium',
+    category: 'network',
+    title: 'DNS Wildcard Records Detected',
+    description:
+      'Wildcard DNS records (*.domain) can be exploited for MITM attacks. Review and remove unnecessary wildcards.',
+    count: affected.length,
+    affectedEntities: affected.map((z) => z.name),
+  };
+}
+/**
+ * Detect DNSSEC not enabled
+ *
+ * Without DNSSEC, DNS responses can be spoofed.
+ *
+ * @param domain - Domain information
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for DNSSEC_NOT_ENABLED
+ */
+export function detectDnssecNotEnabled(
+  domain: ADDomain | null,
+  _includeDetails: boolean
+): Finding {
+  // Check if domain has DNSSEC trust anchors configured
+  // This would typically check for dnsroot LDAP object or DNS server config
+  const dnssecEnabled = domain && domain['msDS-TrustForestTrustInfo'] !== undefined;
+  return {
+    type: 'DNSSEC_NOT_ENABLED',
+    severity: 'medium',
+    category: 'network',
+    title: 'DNSSEC Not Enabled',
+    description:
+      'DNSSEC is not enabled for the domain. DNS responses can be spoofed, enabling cache poisoning and MITM attacks.',
+    count: dnssecEnabled ? 0 : 1,
+    details: {
+      recommendation: 'Enable DNSSEC signing on Active Directory-integrated DNS zones.',
+    },
+  };
+}
+/**
+ * Detect NTP not properly configured
+ *
+ * Improper time synchronization can cause Kerberos authentication failures and security issues.
+ *
+ * @param domainControllers - Array of domain controllers
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Finding for NTP_NOT_CONFIGURED
+ */
+export function detectNtpNotConfigured(
+  domainControllers: ADComputer[],
+  includeDetails: boolean
+): Finding {
+  // PDC Emulator should be the authoritative time source
+  // Check if DCs have proper time config (would need registry data)
+  // For now, check if there are multiple DCs (time sync is critical with multiple DCs)
+  const hasSingleDc = domainControllers.length <= 1;
+  return {
+    type: 'NTP_NOT_CONFIGURED',
+    severity: 'medium',
+    category: 'network',
+    title: 'NTP Configuration Review Needed',
+    description:
+      'Time synchronization configuration should be reviewed. The PDC Emulator must be configured as the authoritative time source to prevent Kerberos authentication issues.',
+    count: hasSingleDc ? 0 : 1,
+    affectedEntities: includeDetails
+      ? toAffectedComputerEntities(domainControllers)
+      : undefined,
+    details: {
+      dcCount: domainControllers.length,
+      recommendation:
+        'Configure PDC Emulator as authoritative time source. Other DCs should sync from PDC.',
+    },
+  };
+}
+/**
+ * Detect site topology issues
+ *
+ * Sites without subnets or DCs can cause authentication performance issues.
+ *
+ * @param sites - Array of AD sites
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for SITE_TOPOLOGY_ISSUES
+ */
+export function detectSiteTopologyIssues(
+  sites: ADSite[],
+  _includeDetails: boolean
+): Finding {
+  // Sites without servers (DCs) are problematic
+  const sitesWithoutDc = sites.filter(
+    (site) => !site.servers || site.servers.length === 0
+  );
+  return {
+    type: 'SITE_TOPOLOGY_ISSUES',
+    severity: 'medium',
+    category: 'network',
+    title: 'AD Site Topology Issues',
+    description:
+      'Sites without domain controllers cause clients to authenticate against remote DCs, increasing latency and WAN traffic.',
+    count: sitesWithoutDc.length,
+    affectedEntities: sitesWithoutDc.map((s) => s.name),
+    details: {
+      sitesWithoutDc: sitesWithoutDc.map((s) => s.name),
+    },
+  };
+}
+/**
+ * Detect missing subnets
+ *
+ * Subnets without site assignments cause suboptimal DC selection.
+ *
+ * @param sites - Array of AD sites
+ * @param subnets - Array of AD subnets
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for SUBNET_MISSING
+ */
+export function detectSubnetMissing(
+  sites: ADSite[],
+  subnets: ADSubnet[],
+  _includeDetails: boolean
+): Finding {
+  // Check for sites without subnets
+  const sitesWithoutSubnets = sites.filter((site) => {
+    const siteSubnets = subnets.filter((sub) => sub.site === site.dn);
+    return siteSubnets.length === 0;
+  });
+  return {
+    type: 'SUBNET_MISSING',
+    severity: 'low',
+    category: 'network',
+    title: 'AD Sites Missing Subnets',
+    description:
+      'Sites without subnet definitions. Clients in undefined subnets will select DCs randomly, potentially crossing WAN links.',
+    count: sitesWithoutSubnets.length,
+    affectedEntities: sitesWithoutSubnets.map((s) => s.name),
+    details: {
+      totalSites: sites.length,
+      totalSubnets: subnets.length,
+      sitesWithoutSubnets: sitesWithoutSubnets.map((s) => s.name),
+    },
+  };
+}
+/**
+ * Detect SYSVOL/NETLOGON permission issues
+ *
+ * Weak permissions on SYSVOL/NETLOGON shares enable GPO manipulation.
+ *
+ * @param _domain - Domain information
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for SYSVOL_NETLOGON_PERMISSIONS
+ */
+export function detectSysvolNetlogonPermissions(
+  _domain: ADDomain | null,
+  _includeDetails: boolean
+): Finding {
+  // This would require reading SYSVOL share permissions via SMB
+  // Placeholder for now
+  return {
+    type: 'SYSVOL_NETLOGON_PERMISSIONS',
+    severity: 'high',
+    category: 'network',
+    title: 'SYSVOL/NETLOGON Permissions Review',
+    description:
+      'SYSVOL and NETLOGON share permissions should be audited. Weak permissions allow attackers to modify logon scripts and GPOs.',
+    count: 0, // Will be populated when SMB permission reading is implemented
+    details: {
+      recommendation:
+        'Review SYSVOL and NETLOGON share permissions. Only Domain Admins should have write access.',
+    },
+  };
+}
+/**
+ * Detect DFSR not configured (legacy FRS in use)
+ *
+ * FRS is deprecated and should be migrated to DFSR.
+ *
+ * @param domain - Domain information
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for DFSR_NOT_CONFIGURED
+ */
+export function detectDfsrNotConfigured(
+  domain: ADDomain | null,
+  _includeDetails: boolean
+): Finding {
+  // Check domain functional level - DFSR requires 2008+ functional level
+  const domainLevel = domain?.domainFunctionalLevel ?? 0;
+  // Levels: 0=2000, 2=2003, 3=2008, 4=2008R2, 5=2012, 6=2012R2, 7=2016
+  // If level is 2003 or lower, might still be using FRS
+  const potentialFrsUse = domainLevel <= 2;
+  return {
+    type: 'DFSR_NOT_CONFIGURED',
+    severity: potentialFrsUse ? 'medium' : 'low',
+    category: 'network',
+    title: 'DFSR Migration Status',
+    description:
+      'FRS (File Replication Service) is deprecated. SYSVOL should be replicated using DFSR (DFS Replication) for better reliability.',
+    count: potentialFrsUse ? 1 : 0,
+    details: {
+      domainFunctionalLevel: domainLevel,
+      domainFunctionalLevelName: getDomainLevelName(domainLevel),
+      potentialFrsUse,
+      recommendation: potentialFrsUse
+        ? 'Migrate SYSVOL replication from FRS to DFSR using dfsrmig.exe'
+        : 'Verify DFSR health with dcdiag /e /test:dfsrevent',
+    },
+  };
+}
+/**
+ * Detect old domain controller backups
+ *
+ * DCs without recent backups risk data loss.
+ *
+ * @param domainControllers - Array of domain controllers
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Finding for DC_BACKUP_OLD
+ */
+export function detectDcBackupOld(
+  domainControllers: ADComputer[],
+  includeDetails: boolean
+): Finding {
+  // Check lastLogonTimestamp and pwdLastSet as proxy for DC health
+  const now = new Date();
+  const thirtyDaysAgo = new Date(now.getTime() - 30 * 24 * 60 * 60 * 1000);
+  const possiblyUnbackedUp = domainControllers.filter((dc) => {
+    // If DC hasn't replicated password recently, it might indicate backup issues
+    const pwdLastSet = dc.passwordLastSet;
+    return pwdLastSet && pwdLastSet < thirtyDaysAgo;
+  });
+  return {
+    type: 'DC_BACKUP_OLD',
+    severity: 'medium',
+    category: 'network',
+    title: 'Domain Controller Backup Review',
+    description:
+      'Domain controllers should be backed up regularly. Tombstone lifetime is 180 days - DCs offline longer than this cannot rejoin.',
+    count: possiblyUnbackedUp.length,
+    affectedEntities: includeDetails
+      ? toAffectedComputerEntities(possiblyUnbackedUp)
+      : undefined,
+    details: {
+      recommendation:
+        'Verify Windows Server Backup or third-party backup solution is configured on all DCs.',
+    },
+  };
+}
+/**
+ * Detect domain controllers with potential disk space issues
+ *
+ * Low disk space on DCs can cause replication failures and service outages.
+ *
+ * @param domainControllers - Array of domain controllers
+ * @param _includeDetails - Whether to include affected entity details
+ * @returns Finding for DC_DISK_SPACE_LOW
+ */
+export function detectDcDiskSpaceLow(
+  domainControllers: ADComputer[],
+  _includeDetails: boolean
+): Finding {
+  // This would require WMI/CIM queries to check disk space
+  // Placeholder detection
+  return {
+    type: 'DC_DISK_SPACE_LOW',
+    severity: 'medium',
+    category: 'network',
+    title: 'DC Disk Space Monitoring',
+    description:
+      'Domain controller disk space should be monitored. Low disk space can cause AD database corruption and replication failures.',
+    count: 0, // Would be populated with actual disk space checks
+    details: {
+      dcCount: domainControllers.length,
+      recommendation:
+        'Monitor DC disk space. NTDS.dit location should have at least 20% free space.',
+    },
+  };
+}
+/**
+ * Detect domain controller time sync issues
+ *
+ * Time synchronization issues cause Kerberos failures.
+ *
+ * @param domainControllers - Array of domain controllers
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Finding for DC_TIME_SYNC_ISSUE
+ */
+export function detectDcTimeSyncIssue(
+  domainControllers: ADComputer[],
+  includeDetails: boolean
+): Finding {
+  // Check if any DC has very old lastLogon (might indicate it's offline/out of sync)
+  const now = new Date();
+  const sevenDaysAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
+  const possibleTimeSyncIssues = domainControllers.filter((dc) => {
+    const lastLogon = dc.lastLogon;
+    return lastLogon && lastLogon < sevenDaysAgo;
+  });
+  return {
+    type: 'DC_TIME_SYNC_ISSUE',
+    severity: 'high',
+    category: 'network',
+    title: 'DC Time Synchronization Review',
+    description:
+      'Domain controllers with potential time sync issues detected. Kerberos requires time difference < 5 minutes.',
+    count: possibleTimeSyncIssues.length,
+    affectedEntities: includeDetails
+      ? toAffectedComputerEntities(possibleTimeSyncIssues)
+      : undefined,
+    details: {
+      possibleIssues: possibleTimeSyncIssues.map((dc) => dc.sAMAccountName),
+      recommendation:
+        'Run "w32tm /query /status" on each DC to verify time configuration.',
+    },
+  };
+}
+/**
+ * Helper function to get domain functional level name
+ */
+function getDomainLevelName(level: number): string {
+  const levels: Record<number, string> = {
+    0: 'Windows 2000',
+    1: 'Windows Server 2003 Interim',
+    2: 'Windows Server 2003',
+    3: 'Windows Server 2008',
+    4: 'Windows Server 2008 R2',
+    5: 'Windows Server 2012',
+    6: 'Windows Server 2012 R2',
+    7: 'Windows Server 2016',
+  };
+  return levels[level] || `Unknown (${level})`;
+}
+/**
+ * Detect all network-related vulnerabilities
+ *
+ * @param computers - Array of AD computers
+ * @param domain - Domain information
+ * @param domainControllers - Array of domain controllers
+ * @param dnsZones - Array of DNS zones (if available)
+ * @param sites - Array of AD sites (if available)
+ * @param subnets - Array of AD subnets (if available)
+ * @param includeDetails - Whether to include affected entity details
+ * @returns Array of findings
+ */
+export function detectNetworkVulnerabilities(
+  _computers: ADComputer[],
+  domain: ADDomain | null,
+  domainControllers: ADComputer[],
+  dnsZones: DnsZone[] = [],
+  sites: ADSite[] = [],
+  subnets: ADSubnet[] = [],
+  includeDetails: boolean
+): Finding[] {
+  const findings: Finding[] = [];
+  // DNS detections
+  findings.push(detectDnsZoneTransferUnrestricted(dnsZones, includeDetails));
+  findings.push(detectDnsDynamicUpdateInsecure(dnsZones, includeDetails));
+  findings.push(detectDnsWildcardRecords(dnsZones, includeDetails));
+  findings.push(detectDnssecNotEnabled(domain, includeDetails));
+  // Infrastructure detections
+  findings.push(detectNtpNotConfigured(domainControllers, includeDetails));
+  findings.push(detectSiteTopologyIssues(sites, includeDetails));
+  findings.push(detectSubnetMissing(sites, subnets, includeDetails));
+  findings.push(detectSysvolNetlogonPermissions(domain, includeDetails));
+  // DFSR/DC health detections
+  findings.push(detectDfsrNotConfigured(domain, includeDetails));
+  findings.push(detectDcBackupOld(domainControllers, includeDetails));
+  findings.push(detectDcDiskSpaceLow(domainControllers, includeDetails));
+  findings.push(detectDcTimeSyncIssue(domainControllers, includeDetails));
+  // Filter out findings with count=0
+  return findings.filter((f) => f.count > 0);
+}