public static IEnumerable <string> ConvertFrom_SID(Args_ConvertFrom_SID args = null) { if (args == null) { args = new Args_ConvertFrom_SID(); } var ADNameArguments = new Args_Convert_ADName { Domain = args.Domain, Server = args.Server, Credential = args.Credential }; var Results = new List <string>(); foreach (var TargetSid in args.ObjectSID) { var trimedTargetSid = TargetSid.Trim('*'); try { // try to resolve any built-in SIDs first - https://support.microsoft.com/en-us/kb/243330 if (trimedTargetSid == @"S-1-0") { Results.Add(@"Null Authority"); } else if (trimedTargetSid == @"S -1-0-0") { Results.Add(@"Nobody"); } else if (trimedTargetSid == @"S-1-1") { Results.Add(@"World Authority"); } else if (trimedTargetSid == @"S-1-1-0") { Results.Add(@"Everyone"); } else if (trimedTargetSid == @"S-1-2") { Results.Add(@"Local Authority"); } else if (trimedTargetSid == @"S-1-2-0") { Results.Add(@"Local"); } else if (trimedTargetSid == @"S-1-2-1") { Results.Add(@"Console Logon "); } else if (trimedTargetSid == @"S-1-3") { Results.Add(@"Creator Authority"); } else if (trimedTargetSid == @"S-1-3-0") { Results.Add(@"Creator Owner"); } else if (trimedTargetSid == @"S-1-3-1") { Results.Add(@"Creator Group"); } else if (trimedTargetSid == @"S-1-3-2") { Results.Add(@"Creator Owner Server"); } else if (trimedTargetSid == @"S-1-3-3") { Results.Add(@"Creator Group Server"); } else if (trimedTargetSid == @"S-1-3-4") { Results.Add(@"Owner Rights"); } else if (trimedTargetSid == @"S-1-4") { Results.Add(@"Non-unique Authority"); } else if (trimedTargetSid == @"S-1-5") { Results.Add(@"NT Authority"); } else if (trimedTargetSid == @"S-1-5-1") { Results.Add(@"Dialup"); } else if (trimedTargetSid == @"S-1-5-2") { Results.Add(@"Network"); } else if (trimedTargetSid == @"S-1-5-3") { Results.Add(@"Batch"); } else if (trimedTargetSid == @"S-1-5-4") { Results.Add(@"Interactive"); } else if (trimedTargetSid == @"S-1-5-6") { Results.Add(@"Service"); } else if (trimedTargetSid == @"S-1-5-7") { Results.Add(@"Anonymous"); } else if (trimedTargetSid == @"S-1-5-8") { Results.Add(@"Proxy"); } else if (trimedTargetSid == @"S-1-5-9") { Results.Add(@"Enterprise Domain Controllers"); } else if (trimedTargetSid == @"S-1-5-10") { Results.Add(@"Principal Self"); } else if (trimedTargetSid == @"S-1-5-11") { Results.Add(@"Authenticated Users"); } else if (trimedTargetSid == @"S-1-5-12") { Results.Add(@"Restricted Code"); } else if (trimedTargetSid == @"S-1-5-13") { Results.Add(@"Terminal Server Users"); } else if (trimedTargetSid == @"S-1-5-14") { Results.Add(@"Remote Interactive Logon"); } else if (trimedTargetSid == @"S-1-5-15") { Results.Add(@"This Organization "); } else if (trimedTargetSid == @"S-1-5-17") { Results.Add(@"This Organization "); } else if (trimedTargetSid == @"S-1-5-18") { Results.Add(@"Local System"); } else if (trimedTargetSid == @"S-1-5-19") { Results.Add(@"NT Authority"); } else if (trimedTargetSid == @"S-1-5-20") { Results.Add(@"NT Authority"); } else if (trimedTargetSid == @"S-1-5-80-0") { Results.Add(@"All Services "); } else if (trimedTargetSid == @"S-1-5-32-544") { Results.Add(@"BUILTIN\Administrators"); } else if (trimedTargetSid == @"S-1-5-32-545") { Results.Add(@"BUILTIN\Users"); } else if (trimedTargetSid == @"S-1-5-32-546") { Results.Add(@"BUILTIN\Guests"); } else if (trimedTargetSid == @"S-1-5-32-547") { Results.Add(@"BUILTIN\Power Users"); } else if (trimedTargetSid == @"S-1-5-32-548") { Results.Add(@"BUILTIN\Account Operators"); } else if (trimedTargetSid == @"S-1-5-32-549") { Results.Add(@"BUILTIN\Server Operators"); } else if (trimedTargetSid == @"S-1-5-32-550") { Results.Add(@"BUILTIN\Print Operators"); } else if (trimedTargetSid == @"S-1-5-32-551") { Results.Add(@"BUILTIN\Backup Operators"); } else if (trimedTargetSid == @"S-1-5-32-552") { Results.Add(@"BUILTIN\Replicators"); } else if (trimedTargetSid == @"S-1-5-32-554") { Results.Add(@"BUILTIN\Pre-Windows 2000 Compatible Access"); } else if (trimedTargetSid == @"S-1-5-32-555") { Results.Add(@"BUILTIN\Remote Desktop Users"); } else if (trimedTargetSid == @"S-1-5-32-556") { Results.Add(@"BUILTIN\Network Configuration Operators"); } else if (trimedTargetSid == @"S-1-5-32-557") { Results.Add(@"BUILTIN\Incoming Forest Trust Builders"); } else if (trimedTargetSid == @"S-1-5-32-558") { Results.Add(@"BUILTIN\Performance Monitor Users"); } else if (trimedTargetSid == @"S-1-5-32-559") { Results.Add(@"BUILTIN\Performance Log Users"); } else if (trimedTargetSid == @"S-1-5-32-560") { Results.Add(@"BUILTIN\Windows Authorization Access Group"); } else if (trimedTargetSid == @"S-1-5-32-561") { Results.Add(@"BUILTIN\Terminal Server License Servers"); } else if (trimedTargetSid == @"S-1-5-32-562") { Results.Add(@"BUILTIN\Distributed COM Users"); } else if (trimedTargetSid == @"S-1-5-32-569") { Results.Add(@"BUILTIN\Cryptographic Operators"); } else if (trimedTargetSid == @"S-1-5-32-573") { Results.Add(@"BUILTIN\Event Log Readers"); } else if (trimedTargetSid == @"S-1-5-32-574") { Results.Add(@"BUILTIN\Certificate Service DCOM Access"); } else if (trimedTargetSid == @"S-1-5-32-575") { Results.Add(@"BUILTIN\RDS Remote Access Servers"); } else if (trimedTargetSid == @"S-1-5-32-576") { Results.Add(@"BUILTIN\RDS Endpoint Servers"); } else if (trimedTargetSid == @"S-1-5-32-577") { Results.Add(@"BUILTIN\RDS Management Servers"); } else if (trimedTargetSid == @"S-1-5-32-578") { Results.Add(@"BUILTIN\Hyper-V Administrators"); } else if (trimedTargetSid == @"S-1-5-32-579") { Results.Add(@"BUILTIN\Access Control Assistance Operators"); } else if (trimedTargetSid == @"S-1-5-32-580") { Results.Add(@"BUILTIN\Access Control Assistance Operators"); } else { ADNameArguments.Identity = new string[] { TargetSid }; Results.AddRange(ConvertADName.Convert_ADName(ADNameArguments)); } } catch (Exception e) { Logger.Write_Verbose($@"[ConvertFrom-SID] Error converting SID '{TargetSid}' : {e}"); } } return(Results); }
public static IEnumerable <string> Convert_ADName(Args_Convert_ADName args) { ADSNameType ADSInitType; string InitName; // https://msdn.microsoft.com/en-us/library/aa772266%28v=vs.85%29.aspx if (args.Server.IsNotNullOrEmpty()) { ADSInitType = ADSNameType.Canonical; InitName = args.Server; } else if (args.Domain.IsNotNullOrEmpty()) { ADSInitType = ADSNameType.DN; InitName = args.Domain; } else if (args.Credential != null) { ADSInitType = ADSNameType.DN; InitName = args.Credential.Domain; } else { // if no domain or server is specified, default to GC initialization ADSInitType = ADSNameType.NT4; InitName = null; } var Names = new List <string>(); ADSNameType ADSOutputType; if (args.Identity != null) { foreach (var TargetIdentity in args.Identity) { if (args.OutputType == null) { if (new Regex(@"^[A-Za-z]+\\[A-Za-z ]+").Match(TargetIdentity).Success) { ADSOutputType = ADSNameType.DomainSimple; } else { ADSOutputType = ADSNameType.NT4; } } else { ADSOutputType = args.OutputType.Value; } var Translate = new ActiveDs.NameTranslate(); if (args.Credential != null) { try { Translate.InitEx((int)ADSInitType, InitName, args.Credential.UserName, args.Credential.Domain, args.Credential.Password); } catch (Exception e) { Logger.Write_Verbose($@"[Convert-ADName] Error initializing translation for '{args.Identity}' using alternate credentials : {e}"); } } else { try { Translate.Init((int)ADSInitType, InitName); } catch (Exception e) { Logger.Write_Verbose($@"[Convert-ADName] Error initializing translation for '{args.Identity}' : {e}"); } } // always chase all referrals Translate.ChaseReferral = 0x60; try { // 8 = Unknown name type -> let the server do the work for us Translate.Set((int)ADSNameType.Unknown, TargetIdentity); Names.Add(Translate.Get((int)ADSOutputType)); } catch (Exception e) { Logger.Write_Verbose($@"[Convert-ADName] Error translating '{TargetIdentity}' : {e})"); } } } return(Names); }
public static IEnumerable <GroupMember> Get_DomainGroupMember(Args_Get_DomainGroupMember args = null) { if (args == null) { args = new Args_Get_DomainGroupMember(); } var SearcherArguments = new Args_Get_DomainSearcher() { Properties = new string[] { @"member", @"samaccountname", @"distinguishedname" }, Domain = args.Domain, LDAPFilter = args.LDAPFilter, SearchBase = args.SearchBase, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Tombstone = args.Tombstone, Credential = args.Credential }; var ADNameArguments = new Args_Convert_ADName { Domain = args.Domain, Server = args.Server, Credential = args.Credential }; var GroupMembers = new List <GroupMember>(); var GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); if (GroupSearcher != null) { string GroupFoundDomain = null; string GroupFoundName = null; string GroupFoundDN = null; List <string> Members = null; if (args.RecurseUsingMatchingRule) { var GroupArguments = new Args_Get_DomainGroup() { Properties = SearcherArguments.Properties, Domain = SearcherArguments.Domain, LDAPFilter = SearcherArguments.LDAPFilter, SearchBase = SearcherArguments.SearchBase, Server = SearcherArguments.Server, SearchScope = SearcherArguments.SearchScope, ResultPageSize = SearcherArguments.ResultPageSize, ServerTimeLimit = SearcherArguments.ServerTimeLimit, Tombstone = SearcherArguments.Tombstone, Credential = SearcherArguments.Credential, Identity = args.Identity, Raw = true }; var Groups = GetDomainGroup.Get_DomainGroup(GroupArguments); if (Groups == null) { Logger.Write_Warning($@"[Get-DomainGroupMember] Error searching for group with identity: {args.Identity}"); } else { var Group = Groups.First() as SearchResult; GroupFoundName = Group.Properties[@"samaccountname"][0] as string; GroupFoundDN = Group.Properties[@"distinguishedname"][0] as string; if (args.Domain.IsNotNullOrEmpty()) { GroupFoundDomain = args.Domain; } else { // if a domain isn't passed, try to extract it from the found group distinguished name if (GroupFoundDN.IsNotNullOrEmpty()) { GroupFoundDomain = GroupFoundDN.Substring(GroupFoundDN.IndexOf(@"DC=")).Replace(@"DC=", @"").Replace(@",", @"."); } } Logger.Write_Verbose($@"[Get-DomainGroupMember] Using LDAP matching rule to recurse on '{GroupFoundDN}', only user accounts will be returned."); GroupSearcher.Filter = $@"(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:={GroupFoundDN}))"; GroupSearcher.PropertiesToLoad.AddRange(new string[] { @"distinguishedName" }); var Results = GroupSearcher.FindAll(); if (Results != null) { Members = new List <string>(); foreach (SearchResult result in Results) { Members.Add(result.Properties[@"distinguishedname"][0] as string); } } } } else { var IdentityFilter = @""; var Filter = @""; if (args.Identity != null) { foreach (var item in args.Identity) { var IdentityInstance = item.Replace(@"(", @"\28").Replace(@")", @"\29"); if (new Regex(@"^S-1-").Match(IdentityInstance).Success) { IdentityFilter += $@"(objectsid={IdentityInstance})"; } else if (new Regex(@"^CN=").Match(IdentityInstance).Success) { IdentityFilter += $@"(distinguishedname={IdentityInstance})"; if (args.Domain.IsNullOrEmpty() && args.SearchBase.IsNullOrEmpty()) { // if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname // and rebuild the domain searcher var IdentityDomain = IdentityInstance.Substring(IdentityInstance.IndexOf(@"DC=")).Replace(@"DC=", @"".Replace(@",", @".")); Logger.Write_Verbose($@"[Get-DomainGroupMember] Extracted domain '{IdentityDomain}' from '{IdentityInstance}'"); SearcherArguments.Domain = IdentityDomain; GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); if (GroupSearcher == null) { Logger.Write_Warning($@"[Get-DomainGroupMember] Unable to retrieve domain searcher for '{IdentityDomain}'"); } } } else if (new Regex(@"^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$").Match(IdentityInstance).Success) { var GuidByteString = string.Join(string.Empty, Guid.Parse(IdentityInstance).ToByteArray().Select(x => x.ToString(@"\X2"))); IdentityFilter += $@"(objectguid={GuidByteString})"; } else if (IdentityInstance.Contains(@"\")) { var ConvertedIdentityInstance = ConvertADName.Convert_ADName(new Args_Convert_ADName { OutputType = ADSNameType.Canonical, Identity = new string[] { IdentityInstance.Replace(@"\28", @"(").Replace(@"\29", @")") } }); if (ConvertedIdentityInstance != null && ConvertedIdentityInstance.Any()) { var GroupDomain = ConvertedIdentityInstance.First().Substring(0, ConvertedIdentityInstance.First().IndexOf('/')); var GroupName = IdentityInstance.Split(new char[] { '\\' })[1]; IdentityFilter += $@"(samAccountName={GroupName})"; SearcherArguments.Domain = GroupDomain; Logger.Write_Verbose($@"[Get-DomainGroupMember] Extracted domain '{GroupDomain}' from '{IdentityInstance}'"); GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments); } } else { IdentityFilter += $@"(samAccountName={IdentityInstance})"; } } } if (IdentityFilter != null && IdentityFilter.Trim() != @"") { Filter += $@"(|{IdentityFilter})"; } if (args.LDAPFilter.IsNotNullOrEmpty()) { Logger.Write_Verbose($@"[Get-DomainGroupMember] Using additional LDAP filter: {args.LDAPFilter}"); Filter += $@"{args.LDAPFilter}"; } GroupSearcher.Filter = $@"(&(objectCategory=group){Filter})"; Logger.Write_Verbose($@"[Get-DomainGroupMember] Get-DomainGroupMember filter string: {GroupSearcher.Filter}"); SearchResult Result = null; try { Result = GroupSearcher.FindOne(); } catch (Exception e) { Logger.Write_Warning($@"[Get-DomainGroupMember] Error searching for group with identity '{args.Identity}': {e}"); Members = new List <string>(); } GroupFoundName = @""; GroupFoundDN = @""; if (Result != null) { var tmpProperty = Result.Properties[@"member"]; var tmpValues = new string[tmpProperty.Count]; tmpProperty.CopyTo(tmpValues, 0); Members = tmpValues.ToList(); string RangedProperty = ""; if (Members.Count == 0) { // ranged searching, thanks @meatballs__ ! var Finished = false; var Bottom = 0; var Top = 0; while (!Finished) { Top = Bottom + 1499; var MemberRange = $@"member;range={Bottom}-{Top}"; Bottom += 1500; GroupSearcher.PropertiesToLoad.Clear(); GroupSearcher.PropertiesToLoad.Add($@"{MemberRange}"); GroupSearcher.PropertiesToLoad.Add(@"samaccountname"); GroupSearcher.PropertiesToLoad.Add(@"distinguishedname"); try { Result = GroupSearcher.FindOne(); RangedProperty = Result.Properties.PropertyNames.GetFirstMatch(@"member;range=*"); tmpProperty = Result.Properties[RangedProperty]; tmpValues = new string[tmpProperty.Count]; tmpProperty.CopyTo(tmpValues, 0); Members.AddRange(tmpValues.ToList()); GroupFoundName = Result.Properties[@"samaccountname"][0] as string; GroupFoundDN = Result.Properties[@"distinguishedname"][0] as string; if (Members.Count == 0) { Finished = true; } } catch { Finished = true; } } } else { GroupFoundName = Result.Properties[@"samaccountname"][0] as string; GroupFoundDN = Result.Properties[@"distinguishedname"][0] as string; tmpProperty = Result.Properties[RangedProperty]; tmpValues = new string[tmpProperty.Count]; tmpProperty.CopyTo(tmpValues, 0); Members.AddRange(tmpValues.ToList()); } if (args.Domain.IsNotNullOrEmpty()) { GroupFoundDomain = args.Domain; } else { // if a domain isn't passed, try to extract it from the found group distinguished name if (GroupFoundDN.IsNotNullOrEmpty()) { GroupFoundDomain = GroupFoundDN.Substring(GroupFoundDN.IndexOf(@"DC=")).Replace(@"DC=", @"".Replace(@",", @".")); } } } var UseMatchingRule = false; string MemberDomain = null; foreach (var Member in Members) { ResultPropertyCollection Properties = null; if (args.Recurse && UseMatchingRule) { //$Properties = $_.Properties } else { var ObjectSearcherArguments = new Args_Get_DomainObject { ADSPath = SearcherArguments.ADSPath, Credential = SearcherArguments.Credential, Domain = SearcherArguments.Domain, DomainController = SearcherArguments.DomainController, Filter = SearcherArguments.Filter, LDAPFilter = SearcherArguments.LDAPFilter, Properties = SearcherArguments.Properties, ResultPageSize = SearcherArguments.ResultPageSize, SearchBase = SearcherArguments.SearchBase, SearchScope = SearcherArguments.SearchScope, SecurityMasks = SearcherArguments.SecurityMasks, Server = SearcherArguments.Server, ServerTimeLimit = SearcherArguments.ServerTimeLimit, Tombstone = SearcherArguments.Tombstone }; ObjectSearcherArguments.Identity = new string[] { Member }; ObjectSearcherArguments.Raw = true; ObjectSearcherArguments.Properties = new string[] { @"distinguishedname", @"cn", @"samaccountname", @"objectsid", @"objectclass" }; var Object = GetDomainObject.Get_DomainObject(ObjectSearcherArguments)?.FirstOrDefault() as SearchResult; Properties = Object.Properties; } if (Properties != null) { var GroupMember = new GroupMember { GroupDomain = GroupFoundDomain, GroupName = GroupFoundName, GroupDistinguishedName = GroupFoundDN }; string MemberSID = null; if (Properties["objectsid"] != null) { MemberSID = new System.Security.Principal.SecurityIdentifier(Properties["objectsid"][0] as byte[], 0).Value; } else { MemberSID = null; } string MemberDN = null; try { MemberDN = Properties["distinguishedname"][0].ToString(); if (MemberDN.IsRegexMatch(@"ForeignSecurityPrincipals|S-1-5-21")) { try { if (MemberSID.IsNullOrEmpty()) { MemberSID = Properties["cn"][0].ToString(); } ADNameArguments.Identity = new string[] { MemberSID }; ADNameArguments.OutputType = ADSNameType.DomainSimple; var MemberSimpleName = ConvertADName.Convert_ADName(ADNameArguments); if (MemberSimpleName != null && MemberSimpleName.Any()) { MemberDomain = MemberSimpleName.First().Split('@')[1]; } else { Logger.Write_Warning($@"[Get-DomainGroupMember] Error converting {MemberDN}"); MemberDomain = null; } } catch { Logger.Write_Warning($@"[Get-DomainGroupMember] Error converting {MemberDN}"); MemberDomain = null; } } else { // extract the FQDN from the Distinguished Name MemberDomain = MemberDN.Substring(MemberDN.IndexOf(@"DC=")).Replace(@"DC=", @"").Replace(@",", @"."); } } catch { MemberDN = null; MemberDomain = null; } string MemberName = null; if (Properties["samaccountname"] != null) { // forest users have the samAccountName set MemberName = Properties["samaccountname"][0].ToString(); } else { // external trust users have a SID, so convert it try { MemberName = ConvertFromSID.ConvertFrom_SID(new Args_ConvertFrom_SID { ObjectSID = new string[] { Properties["cn"][0].ToString() }, Domain = ADNameArguments.Domain, Server = ADNameArguments.Server, Credential = ADNameArguments.Credential }).First(); } catch { // if there's a problem contacting the domain to resolve the SID MemberName = Properties["cn"][0].ToString(); } } string MemberObjectClass = null; if (Properties["objectclass"].RegexContains(@"computer")) { MemberObjectClass = @"computer"; } else if (Properties["objectclass"].RegexContains(@"group")) { MemberObjectClass = @"group"; } else if (Properties["objectclass"].RegexContains(@"user")) { MemberObjectClass = @"user"; } else { MemberObjectClass = null; } GroupMember.MemberDomain = MemberDomain; GroupMember.MemberName = MemberName; GroupMember.MemberDistinguishedName = MemberDN; GroupMember.MemberObjectClass = MemberObjectClass; GroupMember.MemberSID = MemberSID; GroupMembers.Add(GroupMember); // if we're doing manual recursion if (args.Recurse && MemberDN.IsNotNullOrEmpty() && MemberObjectClass.IsRegexMatch(@"group")) { Logger.Write_Verbose($@"[Get-DomainGroupMember] Manually recursing on group: {MemberDN}"); var GroupArguments = new Args_Get_DomainGroupMember() { Domain = SearcherArguments.Domain, LDAPFilter = SearcherArguments.LDAPFilter, SearchBase = SearcherArguments.SearchBase, Server = SearcherArguments.Server, SearchScope = SearcherArguments.SearchScope, ResultPageSize = SearcherArguments.ResultPageSize, ServerTimeLimit = SearcherArguments.ServerTimeLimit, Tombstone = SearcherArguments.Tombstone, Credential = SearcherArguments.Credential, Identity = new string[] { MemberDN } }; GroupMembers.AddRange(Get_DomainGroupMember(GroupArguments)); } } } } GroupSearcher.Dispose(); } return(GroupMembers); }
public static IEnumerable <ACL> Find_InterestingDomainAcl(Args_Find_InterestingDomainAcl args = null) { if (args == null) { args = new Args_Find_InterestingDomainAcl(); } var ACLArguments = new Args_Get_DomainObjectAcl { ResolveGUIDs = args.ResolveGUIDs, RightsFilter = args.RightsFilter, LDAPFilter = args.LDAPFilter, SearchBase = args.SearchBase, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Tombstone = args.Tombstone, Credential = args.Credential }; var ObjectSearcherArguments = new Args_Get_DomainObject { Properties = new[] { "samaccountname", "objectclass" }, Raw = true, Server = args.Server, SearchScope = args.SearchScope, ResultPageSize = args.ResultPageSize, ServerTimeLimit = args.ServerTimeLimit, Tombstone = args.Tombstone, Credential = args.Credential }; var ADNameArguments = new Args_Convert_ADName { Server = args.Server, Credential = args.Credential }; // ongoing list of built-up SIDs var ResolvedSIDs = new Dictionary <string, ResolvedSID>(); if (args.Domain != null) { ACLArguments.Domain = args.Domain; ADNameArguments.Domain = args.Domain; } var InterestingACLs = new List <ACL>(); var acls = GetDomainObjectAcl.Get_DomainObjectAcl(ACLArguments); foreach (var acl in acls) { if ((acl.ActiveDirectoryRights.ToString().IsRegexMatch(@"GenericAll|Write|Create|Delete")) || ((acl.ActiveDirectoryRights == ActiveDirectoryRights.ExtendedRight) && (acl.Ace is QualifiedAce) && (acl.Ace as QualifiedAce).AceQualifier == AceQualifier.AccessAllowed)) { // only process SIDs > 1000 var ace = acl.Ace as QualifiedAce; if (ace != null && ace.SecurityIdentifier.Value.IsRegexMatch(@"^S-1-5-.*-[1-9]\d{3,}$")) { if (ResolvedSIDs.ContainsKey(ace.SecurityIdentifier.Value) && ResolvedSIDs[ace.SecurityIdentifier.Value] != null) { var ResolvedSID = ResolvedSIDs[(acl.Ace as KnownAce).SecurityIdentifier.Value]; var InterestingACL = new ACL { ObjectDN = acl.ObjectDN, Ace = ace, ActiveDirectoryRights = acl.ActiveDirectoryRights, IdentityReferenceName = ResolvedSID.IdentityReferenceName, IdentityReferenceDomain = ResolvedSID.IdentityReferenceDomain, IdentityReferenceDN = ResolvedSID.IdentityReferenceDN, IdentityReferenceClass = ResolvedSID.IdentityReferenceClass }; InterestingACLs.Add(InterestingACL); } else { ADNameArguments.Identity = new string[] { ace.SecurityIdentifier.Value }; ADNameArguments.OutputType = ADSNameType.DN; var IdentityReferenceDN = ConvertADName.Convert_ADName(ADNameArguments)?.FirstOrDefault(); // "IdentityReferenceDN: $IdentityReferenceDN" if (IdentityReferenceDN != null) { var IdentityReferenceDomain = IdentityReferenceDN.Substring(IdentityReferenceDN.IndexOf("DC=")).Replace(@"DC=", "").Replace(",", "."); // "IdentityReferenceDomain: $IdentityReferenceDomain" ObjectSearcherArguments.Domain = IdentityReferenceDomain; ObjectSearcherArguments.Identity = new[] { IdentityReferenceDN }; // "IdentityReferenceDN: $IdentityReferenceDN" var Object = GetDomainObject.Get_DomainObject(ObjectSearcherArguments)?.FirstOrDefault() as SearchResult; if (Object != null) { var IdentityReferenceName = Object.Properties["samaccountname"][0].ToString(); string IdentityReferenceClass; if (Object.Properties["objectclass"][0].ToString().IsRegexMatch(@"computer")) { IdentityReferenceClass = "computer"; } else if (Object.Properties["objectclass"][0].ToString().IsRegexMatch(@"group")) { IdentityReferenceClass = "group"; } else if (Object.Properties["objectclass"][0].ToString().IsRegexMatch(@"user")) { IdentityReferenceClass = "user"; } else { IdentityReferenceClass = null; } // save so we don't look up more than once ResolvedSIDs[ace.SecurityIdentifier.Value] = new ResolvedSID { IdentityReferenceName = IdentityReferenceName, IdentityReferenceDomain = IdentityReferenceDomain, IdentityReferenceDN = IdentityReferenceDN, IdentityReferenceClass = IdentityReferenceClass }; var InterestingACL = new ACL { ObjectDN = acl.ObjectDN, Ace = ace, ActiveDirectoryRights = acl.ActiveDirectoryRights, IdentityReferenceName = IdentityReferenceName, IdentityReferenceDomain = IdentityReferenceDomain, IdentityReferenceDN = IdentityReferenceDN, IdentityReferenceClass = IdentityReferenceClass }; InterestingACLs.Add(InterestingACL); } } else { Logger.Write_Warning($@"[Find-InterestingDomainAcl] Unable to convert SID '{ace.SecurityIdentifier.Value}' to a distinguishedname with Convert-ADName"); } } } } } return(InterestingACLs); }
public static IEnumerable <string> Convert_ADName(Args_Convert_ADName args) { return(ConvertADName.Convert_ADName(args)); }