@etcsec-com/etc-collector 1.4.0

package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts

@@ -0,0 +1,276 @@
+/**
+ * Unit Tests for Groups Security Vulnerability Detector
+ * Story 1.7: AD Vulnerability Detection Engine
+ *
+ * Tests all group-related vulnerability detectors:
+ * - GPO_MODIFY_RIGHTS
+ * - DNS_ADMINS_MEMBER
+ * - OVERSIZED_GROUP_CRITICAL
+ * - OVERSIZED_GROUP_HIGH
+ * - OVERSIZED_GROUP
+ * - PRE_WINDOWS_2000_ACCESS
+ * - DANGEROUS_GROUP_NESTING
+ */
+
+import {
+  detectGpoModifyRights,
+  detectDnsAdminsMember,
+  detectPreWindows2000Access,
+  detectOversizedGroupCritical,
+  detectOversizedGroupHigh,
+  detectOversizedGroup,
+  detectDangerousGroupNesting,
+} from '../../../../../../src/services/audit/detectors/ad/groups.detector';
+import { ADUser, ADGroup } from '../../../../../../src/types/ad.types';
+
+describe('Groups Security Detectors', () => {
+  const createUser = (overrides: Partial<ADUser> = {}): ADUser => ({
+    dn: 'CN=TestUser,DC=example,DC=com',
+    sAMAccountName: 'testuser',
+    enabled: true,
+    userAccountControl: 0,
+    ...overrides,
+  });
+
+  const createGroup = (overrides: Partial<ADGroup> = {}): ADGroup => ({
+    dn: 'CN=TestGroup,DC=example,DC=com',
+    sAMAccountName: 'TestGroup',
+    member: [],
+    ...overrides,
+  });
+
+  describe('detectGpoModifyRights', () => {
+    it('should detect Group Policy Creator Owners membership', () => {
+      const users: ADUser[] = [
+        createUser({
+          sAMAccountName: 'gpouser',
+          memberOf: ['CN=Group Policy Creator Owners,DC=example,DC=com'],
+        }),
+        createUser({
+          sAMAccountName: 'normaluser',
+          memberOf: ['CN=Users,DC=example,DC=com'],
+        }),
+      ];
+
+      const result = detectGpoModifyRights(users, false);
+
+      expect(result.type).toBe('GPO_MODIFY_RIGHTS');
+      expect(result.severity).toBe('high');
+      expect(result.category).toBe('groups');
+      expect(result.count).toBe(1);
+    });
+  });
+
+  describe('detectDnsAdminsMember', () => {
+    it('should detect DnsAdmins membership', () => {
+      const users: ADUser[] = [
+        createUser({
+          sAMAccountName: 'dnsadmin',
+          memberOf: ['CN=DnsAdmins,DC=example,DC=com'],
+        }),
+        createUser({
+          sAMAccountName: 'normaluser',
+          memberOf: ['CN=Users,DC=example,DC=com'],
+        }),
+      ];
+
+      const result = detectDnsAdminsMember(users, false);
+
+      expect(result.type).toBe('DNS_ADMINS_MEMBER');
+      expect(result.severity).toBe('high');
+      expect(result.count).toBe(1);
+    });
+  });
+
+  describe('detectPreWindows2000Access', () => {
+    it('should detect Pre-Windows 2000 Compatible Access membership', () => {
+      const users: ADUser[] = [
+        createUser({
+          sAMAccountName: 'olduser',
+          memberOf: ['CN=Pre-Windows 2000 Compatible Access,DC=example,DC=com'],
+        }),
+        createUser({
+          sAMAccountName: 'normaluser',
+          memberOf: [],
+        }),
+      ];
+
+      const result = detectPreWindows2000Access(users, false);
+
+      expect(result.type).toBe('PRE_WINDOWS_2000_ACCESS');
+      expect(result.severity).toBe('medium');
+      expect(result.count).toBe(1);
+    });
+  });
+
+  describe('detectOversizedGroupCritical', () => {
+    it('should detect groups with 1000+ members', () => {
+      const groups: ADGroup[] = [
+        createGroup({
+          name: 'HugeGroup',
+          member: Array(1500).fill('CN=User,DC=example,DC=com'),
+        }),
+        createGroup({
+          name: 'LargeGroup',
+          member: Array(800).fill('CN=User,DC=example,DC=com'),
+        }),
+        createGroup({
+          name: 'SmallGroup',
+          member: Array(50).fill('CN=User,DC=example,DC=com'),
+        }),
+      ];
+
+      const result = detectOversizedGroupCritical(groups, false);
+
+      expect(result.type).toBe('OVERSIZED_GROUP_CRITICAL');
+      expect(result.severity).toBe('high');
+      expect(result.count).toBe(1); // Only HugeGroup
+    });
+
+    it('should handle groups without members', () => {
+      const groups: ADGroup[] = [
+        createGroup({ name: 'EmptyGroup', member: undefined }),
+      ];
+
+      const result = detectOversizedGroupCritical(groups, false);
+      expect(result.count).toBe(0);
+    });
+  });
+
+  describe('detectOversizedGroupHigh', () => {
+    it('should detect groups with 500-1000 members', () => {
+      const groups: ADGroup[] = [
+        createGroup({
+          name: 'Group1',
+          member: Array(600).fill('CN=User,DC=example,DC=com'),
+        }),
+        createGroup({
+          name: 'Group2',
+          member: Array(999).fill('CN=User,DC=example,DC=com'),
+        }),
+        createGroup({
+          name: 'Group3',
+          member: Array(1001).fill('CN=User,DC=example,DC=com'), // Too big
+        }),
+        createGroup({
+          name: 'Group4',
+          member: Array(400).fill('CN=User,DC=example,DC=com'), // Too small
+        }),
+      ];
+
+      const result = detectOversizedGroupHigh(groups, false);
+
+      expect(result.type).toBe('OVERSIZED_GROUP_HIGH');
+      expect(result.severity).toBe('medium');
+      expect(result.count).toBe(2); // Group1 and Group2
+    });
+  });
+
+  describe('detectOversizedGroup', () => {
+    it('should detect groups with 100-500 members', () => {
+      const groups: ADGroup[] = [
+        createGroup({
+          name: 'Group1',
+          member: Array(150).fill('CN=User,DC=example,DC=com'),
+        }),
+        createGroup({
+          name: 'Group2',
+          member: Array(499).fill('CN=User,DC=example,DC=com'),
+        }),
+        createGroup({
+          name: 'Group3',
+          member: Array(501).fill('CN=User,DC=example,DC=com'), // Too big
+        }),
+        createGroup({
+          name: 'Group4',
+          member: Array(99).fill('CN=User,DC=example,DC=com'), // Too small
+        }),
+      ];
+
+      const result = detectOversizedGroup(groups, false);
+
+      expect(result.type).toBe('OVERSIZED_GROUP');
+      expect(result.severity).toBe('medium');
+      expect(result.count).toBe(2); // Group1 and Group2
+    });
+  });
+
+  describe('detectDangerousGroupNesting', () => {
+    it('should detect protected groups nested in non-protected groups', () => {
+      const groups: ADGroup[] = [
+        createGroup({
+          dn: 'CN=Domain Admins,DC=example,DC=com',
+          name: 'Domain Admins',
+          memberOf: [
+            'CN=IT Department,DC=example,DC=com', // Non-protected group
+          ],
+        }),
+        createGroup({
+          dn: 'CN=Enterprise Admins,DC=example,DC=com',
+          name: 'Enterprise Admins',
+          memberOf: [
+            'CN=Administrators,DC=example,DC=com', // Protected group - OK
+          ],
+        }),
+        createGroup({
+          dn: 'CN=Regular Users,DC=example,DC=com',
+          name: 'Regular Users',
+          memberOf: ['CN=All Users,DC=example,DC=com'], // Not a protected group
+        }),
+      ];
+
+      const result = detectDangerousGroupNesting(groups, false);
+
+      expect(result.type).toBe('DANGEROUS_GROUP_NESTING');
+      expect(result.severity).toBe('medium');
+      expect(result.count).toBe(1); // Only Domain Admins nested in IT Department
+    });
+
+    it('should not flag protected groups nested in other protected groups', () => {
+      const groups: ADGroup[] = [
+        createGroup({
+          dn: 'CN=Domain Admins,DC=example,DC=com',
+          name: 'Domain Admins',
+          memberOf: [
+            'CN=Administrators,DC=example,DC=com',
+            'CN=Enterprise Admins,DC=example,DC=com',
+          ],
+        }),
+      ];
+
+      const result = detectDangerousGroupNesting(groups, false);
+      expect(result.count).toBe(0);
+    });
+  });
+
+  describe('Integration Tests', () => {
+    it('should detect multiple group vulnerabilities', () => {
+      const users: ADUser[] = [
+        createUser({
+          sAMAccountName: 'poweruser',
+          memberOf: [
+            'CN=Group Policy Creator Owners,DC=example,DC=com',
+            'CN=DnsAdmins,DC=example,DC=com',
+          ],
+        }),
+      ];
+
+      const gpo = detectGpoModifyRights(users, false);
+      const dns = detectDnsAdminsMember(users, false);
+
+      expect(gpo.count).toBe(1);
+      expect(dns.count).toBe(1);
+    });
+
+    it('should handle empty lists', () => {
+      const emptyUsers: ADUser[] = [];
+      const emptyGroups: ADGroup[] = [];
+
+      const gpo = detectGpoModifyRights(emptyUsers, false);
+      const oversized = detectOversizedGroupCritical(emptyGroups, false);
+
+      expect(gpo.count).toBe(0);
+      expect(oversized.count).toBe(0);
+    });
+  });
+});

package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts

@@ -0,0 +1,215 @@
+/**
+ * Unit Tests for Kerberos Security Vulnerability Detector
+ * Story 1.7: AD Vulnerability Detection Engine
+ *
+ * Tests all Kerberos-related vulnerability detectors:
+ * - ASREP_ROASTING_RISK
+ * - UNCONSTRAINED_DELEGATION
+ * - KERBEROASTING_RISK
+ * - CONSTRAINED_DELEGATION
+ * - WEAK_ENCRYPTION_DES
+ * - WEAK_ENCRYPTION_FLAG
+ * - GOLDEN_TICKET_RISK
+ */
+
+import {
+  detectAsrepRoastingRisk,
+  detectUnconstrainedDelegation,
+  detectKerberoastingRisk,
+  detectConstrainedDelegation,
+  detectWeakEncryptionDES,
+  detectWeakEncryptionFlag,
+  detectGoldenTicketRisk,
+} from '../../../../../../src/services/audit/detectors/ad/kerberos.detector';
+import { ADUser } from '../../../../../../src/types/ad.types';
+
+describe('Kerberos Security Detectors', () => {
+  const createUser = (overrides: Partial<ADUser> = {}): ADUser => ({
+    dn: 'CN=TestUser,DC=example,DC=com',
+    sAMAccountName: 'testuser',
+    enabled: true,
+    userAccountControl: 0,
+    ...overrides,
+  });
+
+  describe('detectAsrepRoastingRisk', () => {
+    it('should detect users without Kerberos pre-auth (0x400000)', () => {
+      const users: ADUser[] = [
+        createUser({ sAMAccountName: 'user1', userAccountControl: 0x400000 }),
+        createUser({ sAMAccountName: 'user2', userAccountControl: 0x00 }),
+        createUser({ sAMAccountName: 'user3', userAccountControl: 0x400200 }),
+      ];
+
+      const result = detectAsrepRoastingRisk(users, false);
+
+      expect(result.type).toBe('ASREP_ROASTING_RISK');
+      expect(result.severity).toBe('critical');
+      expect(result.category).toBe('kerberos');
+      expect(result.count).toBe(2);
+    });
+
+    it('should include affected entities when includeDetails=true', () => {
+      const users: ADUser[] = [
+        createUser({ sAMAccountName: 'vulnerable', userAccountControl: 0x400000 }),
+      ];
+
+      const result = detectAsrepRoastingRisk(users, true);
+
+      expect(result.affectedEntities).toBeDefined();
+      expect(result.affectedEntities).toHaveLength(1);
+    });
+  });
+
+  describe('detectUnconstrainedDelegation', () => {
+    it('should detect users with unconstrained delegation (0x80000)', () => {
+      const users: ADUser[] = [
+        createUser({ sAMAccountName: 'user1', userAccountControl: 0x80000 }),
+        createUser({ sAMAccountName: 'user2', userAccountControl: 0x00 }),
+      ];
+
+      const result = detectUnconstrainedDelegation(users, false);
+
+      expect(result.type).toBe('UNCONSTRAINED_DELEGATION');
+      expect(result.severity).toBe('critical');
+      expect(result.count).toBe(1);
+    });
+  });
+
+  describe('detectKerberoastingRisk', () => {
+    it('should detect users with SPNs', () => {
+      const users: ADUser[] = [
+        createUser({
+          sAMAccountName: 'serviceacct',
+          servicePrincipalName: ['HTTP/server.example.com', 'MSSQL/db.example.com'],
+        } as any),
+        createUser({ sAMAccountName: 'normaluser' }),
+      ];
+
+      const result = detectKerberoastingRisk(users, false);
+
+      expect(result.type).toBe('KERBEROASTING_RISK');
+      expect(result.severity).toBe('high');
+      expect(result.count).toBe(1);
+    });
+
+    it('should handle empty SPN arrays', () => {
+      const users: ADUser[] = [
+        createUser({ servicePrincipalName: [] } as any),
+        createUser({ servicePrincipalName: undefined } as any),
+      ];
+
+      const result = detectKerberoastingRisk(users, false);
+      expect(result.count).toBe(0);
+    });
+  });
+
+  describe('detectConstrainedDelegation', () => {
+    it('should detect users with constrained delegation (0x1000000)', () => {
+      const users: ADUser[] = [
+        createUser({ sAMAccountName: 'delegateuser', userAccountControl: 0x1000000 }),
+        createUser({ sAMAccountName: 'normaluser', userAccountControl: 0x00 }),
+      ];
+
+      const result = detectConstrainedDelegation(users, false);
+
+      expect(result.type).toBe('CONSTRAINED_DELEGATION');
+      expect(result.severity).toBe('high');
+      expect(result.count).toBe(1);
+    });
+  });
+
+  describe('detectWeakEncryptionDES', () => {
+    it('should detect DES encryption enabled (0x200000)', () => {
+      const users: ADUser[] = [
+        createUser({ sAMAccountName: 'user1', userAccountControl: 0x200000 }),
+        createUser({ sAMAccountName: 'user2', userAccountControl: 0x00 }),
+        createUser({ sAMAccountName: 'user3', userAccountControl: 0x200200 }),
+      ];
+
+      const result = detectWeakEncryptionDES(users, false);
+
+      expect(result.type).toBe('WEAK_ENCRYPTION_DES');
+      expect(result.severity).toBe('high');
+      expect(result.count).toBe(2);
+    });
+  });
+
+  describe('detectWeakEncryptionFlag', () => {
+    it('should detect USE_DES_KEY_ONLY flag (0x200000)', () => {
+      const users: ADUser[] = [
+        createUser({ sAMAccountName: 'user1', userAccountControl: 0x200000 }),
+        createUser({ sAMAccountName: 'user2', userAccountControl: 0x00 }),
+      ];
+
+      const result = detectWeakEncryptionFlag(users, false);
+
+      expect(result.type).toBe('WEAK_ENCRYPTION_FLAG');
+      expect(result.severity).toBe('medium');
+      expect(result.count).toBe(1);
+    });
+  });
+
+  describe('detectGoldenTicketRisk', () => {
+    it('should detect krbtgt with old password (>180 days)', () => {
+      const now = new Date();
+      const old = new Date(now.getTime() - 200 * 24 * 60 * 60 * 1000); // 200 days
+      const recent = new Date(now.getTime() - 100 * 24 * 60 * 60 * 1000);
+
+      const users: ADUser[] = [
+        createUser({
+          sAMAccountName: 'krbtgt',
+          passwordLastSet: old,
+        }),
+        createUser({
+          sAMAccountName: 'krbtgt',
+          passwordLastSet: recent,
+        }),
+        createUser({
+          sAMAccountName: 'normaluser',
+          passwordLastSet: old,
+        }),
+      ];
+
+      const result = detectGoldenTicketRisk(users, false);
+
+      expect(result.type).toBe('GOLDEN_TICKET_RISK');
+      expect(result.severity).toBe('critical');
+      expect(result.count).toBe(1);
+    });
+
+    it('should handle missing passwordLastSet', () => {
+      const users: ADUser[] = [
+        createUser({
+          sAMAccountName: 'krbtgt',
+          passwordLastSet: undefined,
+        }),
+      ];
+
+      const result = detectGoldenTicketRisk(users, false);
+      expect(result.count).toBe(0);
+    });
+  });
+
+  describe('Integration Tests', () => {
+    it('should detect multiple Kerberos vulnerabilities on same user', () => {
+      const users: ADUser[] = [
+        createUser({
+          sAMAccountName: 'baduser',
+          userAccountControl: 0x680000, // Unconstrained + AS-REP Roasting + DES
+          servicePrincipalName: ['HTTP/server'],
+          'msDS-AllowedToDelegateTo': ['CIFS/file'],
+        } as any),
+      ];
+
+      const asrep = detectAsrepRoastingRisk(users, false);
+      const unconstrained = detectUnconstrainedDelegation(users, false);
+      const kerberoast = detectKerberoastingRisk(users, false);
+      const constrained = detectConstrainedDelegation(users, false);
+      const weakDes = detectWeakEncryptionFlag(users, false);
+
+      const totalVulns = asrep.count + unconstrained.count + kerberoast.count +
+                         constrained.count + weakDes.count;
+      expect(totalVulns).toBeGreaterThan(0);
+    });
+  });
+});