@etcsec-com/etc-collector 1.4.0

package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts

@@ -0,0 +1,380 @@
+/**
+ * Unit Tests for Advanced Security Vulnerability Detector
+ * Story 1.7: AD Vulnerability Detection Engine
+ *
+ * Tests all advanced vulnerability detectors (24 types):
+ * SHADOW_CREDENTIALS, RBCD_ABUSE, ESC1-8, LAPS (multiple), DCSYNC,
+ * DUPLICATE_SPN, WEAK policies, FOREIGN_SECURITY_PRINCIPALS, etc.
+ */
+
+import {
+  detectShadowCredentials,
+  detectRbcdAbuse,
+  detectEsc1VulnerableTemplate,
+  detectEsc2AnyPurpose,
+  detectEsc3EnrollmentAgent,
+  detectEsc4VulnerableTemplateAcl,
+  detectEsc6EditfAttributeSubjectAltName2,
+  detectLapsPasswordReadable,
+  detectReplicationRights,
+  detectDcsyncCapable,
+  detectEsc8HttpEnrollment,
+  detectLapsNotDeployed,
+  detectLapsLegacyAttribute,
+  detectDuplicateSpn,
+  detectWeakPasswordPolicy,
+  detectWeakKerberosPolicy,
+  detectMachineAccountQuotaAbuse,
+  detectDelegationPrivilege,
+  detectForeignSecurityPrincipals,
+  detectNtlmRelayOpportunity,
+  detectLapsPasswordSet,
+  detectLapsPasswordLeaked,
+  detectAdcsWeakPermissions,
+  detectDangerousLogonScripts,
+} from '../../../../../../src/services/audit/detectors/ad/advanced.detector';
+import { ADUser, ADComputer, ADDomain } from '../../../../../../src/types/ad.types';
+
+describe('Advanced Security Detectors', () => {
+  const createUser = (overrides: Partial<ADUser> = {}): ADUser => ({
+    dn: 'CN=TestUser,DC=example,DC=com',
+    sAMAccountName: 'testuser',
+    enabled: true,
+    userAccountControl: 0,
+    ...overrides,
+  });
+
+  const createComputer = (overrides: Partial<ADComputer> = {}): ADComputer => ({
+    dn: 'CN=TESTPC,DC=example,DC=com',
+    sAMAccountName: 'TESTPC$',
+    enabled: true,
+    ...overrides,
+  });
+
+  const createDomain = (overrides: Partial<ADDomain> = {}): ADDomain => ({
+    dn: 'DC=example,DC=com',
+    name: 'example.com',
+    ...overrides,
+  });
+
+  describe('detectShadowCredentials', () => {
+    it('should detect users with shadow credentials', () => {
+      const users: ADUser[] = [
+        createUser({ 'msDS-KeyCredentialLink': 'some-credential-data' } as any),
+        createUser(),
+      ];
+
+      const result = detectShadowCredentials(users, false);
+
+      expect(result.type).toBe('SHADOW_CREDENTIALS');
+      expect(result.severity).toBe('critical');
+      expect(result.count).toBe(1);
+    });
+  });
+
+  describe('detectRbcdAbuse', () => {
+    it('should detect RBCD abuse', () => {
+      const users: ADUser[] = [
+        createUser({ 'msDS-AllowedToActOnBehalfOfOtherIdentity': 'rbcd-data' } as any),
+        createUser(),
+      ];
+
+      const result = detectRbcdAbuse(users, false);
+
+      expect(result.type).toBe('RBCD_ABUSE');
+      expect(result.severity).toBe('critical');
+      expect(result.count).toBe(1);
+    });
+  });
+
+  describe('ADCS ESC Detectors', () => {
+    it('detectEsc1VulnerableTemplate should detect ESC1', () => {
+      const templates = [
+        {
+          pKIExtendedKeyUsage: ['1.3.6.1.5.5.7.3.2'], // Client Auth
+          'msPKI-Certificate-Name-Flag': 0x1, // Enrollee supplies subject
+        },
+        { pKIExtendedKeyUsage: [] },
+      ];
+
+      const result = detectEsc1VulnerableTemplate(templates, false);
+
+      expect(result.type).toBe('ESC1_VULNERABLE_TEMPLATE');
+      expect(result.severity).toBe('high');
+      expect(result.count).toBe(1);
+    });
+
+    it('detectEsc2AnyPurpose should detect ESC2', () => {
+      const templates = [
+        { pKIExtendedKeyUsage: ['2.5.29.37.0'] }, // Any Purpose
+      ];
+
+      const result = detectEsc2AnyPurpose(templates, false);
+
+      expect(result.type).toBe('ESC2_ANY_PURPOSE');
+      expect(result.count).toBe(1);
+    });
+
+    it('detectEsc3EnrollmentAgent should detect ESC3', () => {
+      const templates = [
+        { pKIExtendedKeyUsage: ['1.3.6.1.4.1.311.20.2.1'] }, // Enrollment Agent
+      ];
+
+      const result = detectEsc3EnrollmentAgent(templates, false);
+
+      expect(result.type).toBe('ESC3_ENROLLMENT_AGENT');
+      expect(result.count).toBe(1);
+    });
+
+    it('detectEsc4VulnerableTemplateAcl should detect ESC4', () => {
+      const templates = [{ hasWeakAcl: true }];
+
+      const result = detectEsc4VulnerableTemplateAcl(templates, false);
+
+      expect(result.type).toBe('ESC4_VULNERABLE_TEMPLATE_ACL');
+      expect(result.count).toBeGreaterThanOrEqual(0); // Depends on ACL analysis
+    });
+
+    it('detectEsc6EditfAttributeSubjectAltName2 should detect ESC6', () => {
+      const cas = [{ flags: 0x00040000 }]; // EDITF_ATTRIBUTESUBJECTALTNAME2
+
+      const result = detectEsc6EditfAttributeSubjectAltName2(cas, false);
+
+      expect(result.type).toBe('ESC6_EDITF_ATTRIBUTESUBJECTALTNAME2');
+      expect(result.count).toBeGreaterThanOrEqual(0);
+    });
+
+    it('detectEsc8HttpEnrollment should detect ESC8', () => {
+      const cas = [{ httpEnrollmentEnabled: true }];
+
+      const result = detectEsc8HttpEnrollment(cas, false);
+
+      expect(result.type).toBe('ESC8_HTTP_ENROLLMENT');
+      expect(result.count).toBeGreaterThanOrEqual(0);
+    });
+  });
+
+  describe('LAPS Detectors', () => {
+    it('detectLapsPasswordReadable should detect readable LAPS passwords', () => {
+      const computers: ADComputer[] = [
+        createComputer({ lapsPasswordReadable: true } as any),
+        createComputer(),
+      ];
+
+      const result = detectLapsPasswordReadable(computers, false);
+
+      expect(result.type).toBe('LAPS_PASSWORD_READABLE');
+      expect(result.severity).toBe('high');
+      expect(result.count).toBeGreaterThanOrEqual(0); // Depends on ACL analysis
+    });
+
+    it('detectLapsNotDeployed should detect missing LAPS', () => {
+      const computers: ADComputer[] = [
+        createComputer(),
+        createComputer(),
+      ];
+
+      const result = detectLapsNotDeployed(computers, false);
+
+      expect(result.type).toBe('LAPS_NOT_DEPLOYED');
+      expect(result.count).toBe(2);
+    });
+
+    it('detectLapsLegacyAttribute should detect legacy LAPS', () => {
+      const computers: ADComputer[] = [
+        createComputer({ 'ms-Mcs-AdmPwd': 'legacy-pwd' } as any),
+        createComputer(),
+      ];
+
+      const result = detectLapsLegacyAttribute(computers, false);
+
+      expect(result.type).toBe('LAPS_LEGACY_ATTRIBUTE');
+      expect(result.count).toBe(1);
+    });
+
+    it('detectLapsPasswordSet should detect LAPS password set', () => {
+      const computers: ADComputer[] = [
+        createComputer({ 'msLAPS-Password': 'new-laps-pwd' } as any),
+        createComputer(),
+      ];
+
+      const result = detectLapsPasswordSet(computers, false);
+
+      expect(result.type).toBe('LAPS_PASSWORD_SET');
+      expect(result.count).toBe(1);
+    });
+
+    it('detectLapsPasswordLeaked should detect leaked LAPS passwords', () => {
+      const computers: ADComputer[] = [
+        createComputer({ lapsPasswordLeaked: true } as any),
+        createComputer(),
+      ];
+
+      const result = detectLapsPasswordLeaked(computers, false);
+
+      expect(result.type).toBe('LAPS_PASSWORD_LEAKED');
+      expect(result.count).toBeGreaterThanOrEqual(0); // Requires external leak database
+    });
+  });
+
+  describe('DCSync Detectors', () => {
+    it('detectReplicationRights should detect replication rights', () => {
+      const users: ADUser[] = [
+        createUser({ hasReplicationRights: true } as any),
+        createUser(),
+      ];
+
+      const result = detectReplicationRights(users, false);
+
+      expect(result.type).toBe('REPLICATION_RIGHTS');
+      expect(result.severity).toBe('high');
+      expect(result.count).toBeGreaterThanOrEqual(0); // Depends on ACL analysis
+    });
+
+    it('detectDcsyncCapable should detect DCSync capability', () => {
+      const users: ADUser[] = [
+        createUser({ canDcsync: true } as any),
+        createUser(),
+      ];
+
+      const result = detectDcsyncCapable(users, false);
+
+      expect(result.type).toBe('DCSYNC_CAPABLE');
+      expect(result.severity).toBe('high');
+      expect(result.count).toBeGreaterThanOrEqual(0); // Depends on ACL analysis
+    });
+  });
+
+  describe('SPN and Delegation Detectors', () => {
+    it('detectDuplicateSpn should detect duplicate SPNs', () => {
+      const users: ADUser[] = [
+        createUser({
+          servicePrincipalName: ['HTTP/server.example.com'],
+        } as any),
+        createUser({
+          servicePrincipalName: ['HTTP/server.example.com'], // Duplicate!
+        } as any),
+        createUser(),
+      ];
+
+      const result = detectDuplicateSpn(users, false);
+
+      expect(result.type).toBe('DUPLICATE_SPN');
+      expect(result.count).toBeGreaterThan(0);
+    });
+
+    it('detectDelegationPrivilege should detect delegation privilege', () => {
+      const users: ADUser[] = [
+        createUser({ hasDelegationPrivilege: true } as any),
+        createUser(),
+      ];
+
+      const result = detectDelegationPrivilege(users, false);
+
+      expect(result.type).toBe('DELEGATION_PRIVILEGE');
+      expect(result.count).toBeGreaterThanOrEqual(0);
+    });
+  });
+
+  describe('Domain Policy Detectors', () => {
+    it('detectWeakPasswordPolicy should detect weak password policies', () => {
+      const domain = createDomain({
+        minPwdLength: 6, // Weak!
+        pwdProperties: 0, // No complexity
+      } as any);
+
+      const result = detectWeakPasswordPolicy(domain, false);
+
+      expect(result.type).toBe('WEAK_PASSWORD_POLICY');
+      expect(result.severity).toBe('medium');
+      expect(result.count).toBeGreaterThanOrEqual(0);
+    });
+
+    it('detectWeakKerberosPolicy should detect weak Kerberos policies', () => {
+      const domain = createDomain({
+        maxTicketAge: 100, // Weak!
+      } as any);
+
+      const result = detectWeakKerberosPolicy(domain, false);
+
+      expect(result.type).toBe('WEAK_KERBEROS_POLICY');
+      expect(result.count).toBeGreaterThanOrEqual(0);
+    });
+
+    it('detectMachineAccountQuotaAbuse should detect high quota', () => {
+      const domain = createDomain({
+        'ms-DS-MachineAccountQuota': 100, // High!
+      } as any);
+
+      const result = detectMachineAccountQuotaAbuse(domain, false);
+
+      expect(result.type).toBe('MACHINE_ACCOUNT_QUOTA_ABUSE');
+      expect(result.count).toBeGreaterThanOrEqual(0);
+    });
+
+    it('detectNtlmRelayOpportunity should detect NTLM relay risks', () => {
+      const domain = createDomain({
+        ntlmEnabled: true,
+      } as any);
+
+      const result = detectNtlmRelayOpportunity(domain, false);
+
+      expect(result.type).toBe('NTLM_RELAY_OPPORTUNITY');
+      expect(result.count).toBeGreaterThanOrEqual(0);
+    });
+  });
+
+  describe('Other Advanced Detectors', () => {
+    it('detectForeignSecurityPrincipals should detect FSPs', () => {
+      const fsps = [
+        { dn: 'CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=example,DC=com' },
+      ];
+
+      const result = detectForeignSecurityPrincipals(fsps, false);
+
+      expect(result.type).toBe('FOREIGN_SECURITY_PRINCIPALS');
+      expect(result.count).toBe(1);
+    });
+
+    it('detectAdcsWeakPermissions should detect weak ADCS permissions', () => {
+      const templates = [{ hasWeakEnrollmentAcl: true }];
+
+      const result = detectAdcsWeakPermissions(templates, false);
+
+      expect(result.type).toBe('ADCS_WEAK_PERMISSIONS');
+      expect(result.count).toBe(1);
+    });
+
+    it('detectDangerousLogonScripts should detect dangerous scripts', () => {
+      const users: ADUser[] = [
+        createUser({ scriptPath: '\\\\server\\share\\script.bat' } as any),
+        createUser(),
+      ];
+
+      const result = detectDangerousLogonScripts(users, false);
+
+      expect(result.type).toBe('DANGEROUS_LOGON_SCRIPTS');
+      expect(result.count).toBe(1);
+    });
+  });
+
+  describe('Integration Tests', () => {
+    it('should handle empty inputs', () => {
+      const shadowCreds = detectShadowCredentials([], false);
+      const lapsNotDeployed = detectLapsNotDeployed([], false);
+      const duplicateSpn = detectDuplicateSpn([], false);
+
+      expect(shadowCreds.count).toBe(0);
+      expect(lapsNotDeployed.count).toBe(0);
+      expect(duplicateSpn.count).toBe(0);
+    });
+
+    it('should handle null domain', () => {
+      const weakPwd = detectWeakPasswordPolicy(null, false);
+      const weakKrb = detectWeakKerberosPolicy(null, false);
+
+      expect(weakPwd.count).toBe(0);
+      expect(weakKrb.count).toBe(0);
+    });
+  });
+});