Additional AD properties (#782)

* feat: new AD attributes * feat: hygiene saved queries * more AD props * Update commonSearches.tsx
SpecterOps · Aug 26, 2024 · e6f6851 · e6f6851
1 parent f076a01
commit e6f6851
Show file tree

Hide file tree

Showing 6 changed files with 525 additions and 95 deletions.
diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue
@@ -574,6 +574,160 @@ ObjectGUID: types.#StringEnum & {
 	representation: "objectguid"
 }
 
+ExpirePasswordsOnSmartCardOnlyAccounts: types.#StringEnum & {
+	symbol: "ExpirePasswordsOnSmartCardOnlyAccounts"
+	schema: "ad"
+	name: "Expire Passwords on Smart Card only Accounts"
+	representation: "expirepasswordsonsmartcardonlyaccounts"
+}
+
+MachineAccountQuota: types.#StringEnum & {
+	symbol: "MachineAccountQuota"
+	schema: "ad"
+	name: "Machine Account Quota"
+	representation: "machineaccountquota"
+}
+
+SupportedKerberosEncryptionTypes: types.#StringEnum & {
+	symbol: "SupportedKerberosEncryptionTypes"
+	schema: "ad"
+	name: "Supported Kerberos Encryption Types"
+	representation: "supportedencryptiontypes"
+}
+
+TGTDelegationEnabled: types.#StringEnum & {
+	symbol: "TGTDelegationEnabled"
+	schema: "ad"
+	name: "TGT Delegation Enabled"
+	representation: "tgtdelegationenabled"
+}
+
+PasswordStoredUsingReversibleEncryption: types.#StringEnum & {
+	symbol: "PasswordStoredUsingReversibleEncryption"
+	schema: "ad"
+	name: "Password Stored Using Reversible Encryption"
+	representation: "encryptedtextpwdallowed"
+}
+
+SmartcardRequired: types.#StringEnum & {
+	symbol: "SmartcardRequired"
+	schema: "ad"
+	name: "Smartcard Required"
+	representation: "smartcardrequired"
+}
+
+UseDESKeyOnly: types.#StringEnum & {
+	symbol: "UseDESKeyOnly"
+	schema: "ad"
+	name: "Use DES Key Only"
+	representation: "usedeskeyonly"
+}
+
+LogonScriptEnabled: types.#StringEnum & {
+	symbol: "LogonScriptEnabled"
+	schema: "ad"
+	name: "Logon Script Enabled"
+	representation: "logonscriptenabled"
+}
+
+LockedOut: types.#StringEnum & {
+	symbol: "LockedOut"
+	schema: "ad"
+	name: "Locked Out"
+	representation: "lockedout"
+}
+
+UserCannotChangePassword: types.#StringEnum & {
+	symbol: "UserCannotChangePassword"
+	schema: "ad"
+	name: "User Cannot Change Password"
+	representation: "passwordcantchange"
+}
+
+PasswordExpired: types.#StringEnum & {
+	symbol: "PasswordExpired"
+	schema: "ad"
+	name: "Password Expired"
+	representation: "passwordexpired"
+}
+
+DSHeuristics: types.#StringEnum & {
+	symbol: "DSHeuristics"
+	schema: "ad"
+	name: "DSHeuristics"
+	representation: "dsheuristics"
+}
+
+UserAccountControl: types.#StringEnum & {
+	symbol: "UserAccountControl"
+	schema: "ad"
+	name: "User Account Control"
+	representation: "useraccountcontrol"
+}
+
+TrustAttributes: types.#StringEnum & {
+	symbol: "TrustAttributes"
+	schema: "ad"
+	name: "Trust Attributes"
+	representation: "trustattributes"
+}
+
+LockoutDuration: types.#StringEnum & {
+	symbol: "LockoutDuration"
+	schema: "ad"
+	name: "Lockout Duration"
+	representation: "lockoutduration"
+}
+
+LockoutObservationWindow: types.#StringEnum & {
+	symbol: "LockoutObservationWindow"
+	schema: "ad"
+	name: "Lockout Observation Window"
+	representation: "lockoutobservationwindow"
+}
+
+MaxPwdAge: types.#StringEnum & {
+	symbol: "MaxPwdAge"
+	schema: "ad"
+	name: "Maximum Password Age"
+	representation: "maxpwdage"
+}
+
+MinPwdAge: types.#StringEnum & {
+	symbol: "MinPwdAge"
+	schema: "ad"
+	name: "Minimum Password Age"
+	representation: "minpwdage"
+}
+
+LockoutThreshold: types.#StringEnum & {
+	symbol: "LockoutThreshold"
+	schema: "ad"
+	name: "Lockout Threshold"
+	representation: "lockoutthreshold"
+}
+
+PwdHistoryLength: types.#StringEnum & {
+	symbol: "PwdHistoryLength"
+	schema: "ad"
+	name: "Password History Length"
+	representation: "pwdhistorylength"
+}
+
+PwdProperties: types.#StringEnum & {
+	symbol: "PwdProperties"
+	schema: "ad"
+	name: "Password Properties"
+	representation: "pwdproperties"
+}
+
+MinPwdLength: types.#StringEnum & {
+	symbol: "MinPwdLength"
+	schema: "ad"
+	name: "Minimum password length"
+	representation: "minpwdlength"
+}
+
 Properties: [
 	AdminCount,
 	CASecurityCollected,
@@ -652,7 +806,29 @@ Properties: [
 	CertificatePolicy,
 	CertTemplateOID,
 	GroupLinkID,
-	ObjectGUID
+	ObjectGUID,
+	ExpirePasswordsOnSmartCardOnlyAccounts,
+	MachineAccountQuota,
+	SupportedKerberosEncryptionTypes,
+	TGTDelegationEnabled,
+	PasswordStoredUsingReversibleEncryption,
+	SmartcardRequired,
+	UseDESKeyOnly,
+	LogonScriptEnabled,
+	LockedOut,
+	UserCannotChangePassword,
+	PasswordExpired,
+	DSHeuristics,
+	UserAccountControl,
+	TrustAttributes,
+	MinPwdLength,
+	PwdProperties,
+	PwdHistoryLength,
+	LockoutThreshold,
+	MinPwdAge,
+	MaxPwdAge,
+	LockoutDuration,
+	LockoutObservationWindow
 ]
 
 // Kinds

diff --git a/packages/go/ein/ad.go b/packages/go/ein/ad.go
@@ -303,10 +303,12 @@ func ParseDomainTrusts(domain Domain) ParsedDomainTrustData {
 				},
 				IngestibleRel{
 					RelProps: map[string]any{
-						"isacl":        false,
-						"sidfiltering": trust.SidFilteringEnabled,
-						"trusttype":    trust.TrustType,
-						"transitive":   trust.IsTransitive},
+						"isacl":                false,
+						"sidfiltering":         trust.SidFilteringEnabled,
+						"tgtdelegationenabled": trust.TGTDelegationEnabled,
+						"trustattributes":      trust.TrustAttributes,
+						"trusttype":            trust.TrustType,
+						"transitive":           trust.IsTransitive},
 					RelType: ad.TrustedBy,
 				},
 			))
@@ -324,10 +326,12 @@ func ParseDomainTrusts(domain Domain) ParsedDomainTrustData {
 				},
 				IngestibleRel{
 					RelProps: map[string]any{
-						"isacl":        false,
-						"sidfiltering": trust.SidFilteringEnabled,
-						"trusttype":    trust.TrustType,
-						"transitive":   trust.IsTransitive},
+						"isacl":                false,
+						"sidfiltering":         trust.SidFilteringEnabled,
+						"tgtdelegationenabled": trust.TGTDelegationEnabled,
+						"trustattributes":      trust.TrustAttributes,
+						"trusttype":            trust.TrustType,
+						"transitive":           trust.IsTransitive},
 					RelType: ad.TrustedBy,
 				},
 			))

diff --git a/packages/go/ein/incoming_models.go b/packages/go/ein/incoming_models.go
@@ -201,12 +201,14 @@ type Container struct {
 }
 
 type Trust struct {
-	TargetDomainSid     string
-	IsTransitive        bool
-	TrustDirection      string
-	TrustType           string
-	SidFilteringEnabled bool
-	TargetDomainName    string
+	TargetDomainSid      string
+	IsTransitive         bool
+	TrustDirection       string
+	TrustType            string
+	SidFilteringEnabled  bool
+	TargetDomainName     string
+	TGTDelegationEnabled bool
+	TrustAttributes      string
 }
 
 type GPLink struct {