public static IEnumerable <string> ConvertFrom_SID(Args_ConvertFrom_SID args = null)
{
if (args == null)
{
args = new Args_ConvertFrom_SID();
}
var ADNameArguments = new Args_Convert_ADName
{
Domain = args.Domain,
Server = args.Server,
Credential = args.Credential
};
var Results = new List <string>();
foreach (var TargetSid in args.ObjectSID)
{
var trimedTargetSid = TargetSid.Trim('*');
try
{
// try to resolve any built-in SIDs first - https://support.microsoft.com/en-us/kb/243330
if (trimedTargetSid == @"S-1-0")
{
Results.Add(@"Null Authority");
}
else if (trimedTargetSid == @"S -1-0-0")
{
Results.Add(@"Nobody");
}
else if (trimedTargetSid == @"S-1-1")
{
Results.Add(@"World Authority");
}
else if (trimedTargetSid == @"S-1-1-0")
{
Results.Add(@"Everyone");
}
else if (trimedTargetSid == @"S-1-2")
{
Results.Add(@"Local Authority");
}
else if (trimedTargetSid == @"S-1-2-0")
{
Results.Add(@"Local");
}
else if (trimedTargetSid == @"S-1-2-1")
{
Results.Add(@"Console Logon ");
}
else if (trimedTargetSid == @"S-1-3")
{
Results.Add(@"Creator Authority");
}
else if (trimedTargetSid == @"S-1-3-0")
{
Results.Add(@"Creator Owner");
}
else if (trimedTargetSid == @"S-1-3-1")
{
Results.Add(@"Creator Group");
}
else if (trimedTargetSid == @"S-1-3-2")
{
Results.Add(@"Creator Owner Server");
}
else if (trimedTargetSid == @"S-1-3-3")
{
Results.Add(@"Creator Group Server");
}
else if (trimedTargetSid == @"S-1-3-4")
{
Results.Add(@"Owner Rights");
}
else if (trimedTargetSid == @"S-1-4")
{
Results.Add(@"Non-unique Authority");
}
else if (trimedTargetSid == @"S-1-5")
{
Results.Add(@"NT Authority");
}
else if (trimedTargetSid == @"S-1-5-1")
{
Results.Add(@"Dialup");
}
else if (trimedTargetSid == @"S-1-5-2")
{
Results.Add(@"Network");
}
else if (trimedTargetSid == @"S-1-5-3")
{
Results.Add(@"Batch");
}
else if (trimedTargetSid == @"S-1-5-4")
{
Results.Add(@"Interactive");
}
else if (trimedTargetSid == @"S-1-5-6")
{
Results.Add(@"Service");
}
else if (trimedTargetSid == @"S-1-5-7")
{
Results.Add(@"Anonymous");
}
else if (trimedTargetSid == @"S-1-5-8")
{
Results.Add(@"Proxy");
}
else if (trimedTargetSid == @"S-1-5-9")
{
Results.Add(@"Enterprise Domain Controllers");
}
else if (trimedTargetSid == @"S-1-5-10")
{
Results.Add(@"Principal Self");
}
else if (trimedTargetSid == @"S-1-5-11")
{
Results.Add(@"Authenticated Users");
}
else if (trimedTargetSid == @"S-1-5-12")
{
Results.Add(@"Restricted Code");
}
else if (trimedTargetSid == @"S-1-5-13")
{
Results.Add(@"Terminal Server Users");
}
else if (trimedTargetSid == @"S-1-5-14")
{
Results.Add(@"Remote Interactive Logon");
}
else if (trimedTargetSid == @"S-1-5-15")
{
Results.Add(@"This Organization ");
}
else if (trimedTargetSid == @"S-1-5-17")
{
Results.Add(@"This Organization ");
}
else if (trimedTargetSid == @"S-1-5-18")
{
Results.Add(@"Local System");
}
else if (trimedTargetSid == @"S-1-5-19")
{
Results.Add(@"NT Authority");
}
else if (trimedTargetSid == @"S-1-5-20")
{
Results.Add(@"NT Authority");
}
else if (trimedTargetSid == @"S-1-5-80-0")
{
Results.Add(@"All Services ");
}
else if (trimedTargetSid == @"S-1-5-32-544")
{
Results.Add(@"BUILTIN\Administrators");
}
else if (trimedTargetSid == @"S-1-5-32-545")
{
Results.Add(@"BUILTIN\Users");
}
else if (trimedTargetSid == @"S-1-5-32-546")
{
Results.Add(@"BUILTIN\Guests");
}
else if (trimedTargetSid == @"S-1-5-32-547")
{
Results.Add(@"BUILTIN\Power Users");
}
else if (trimedTargetSid == @"S-1-5-32-548")
{
Results.Add(@"BUILTIN\Account Operators");
}
else if (trimedTargetSid == @"S-1-5-32-549")
{
Results.Add(@"BUILTIN\Server Operators");
}
else if (trimedTargetSid == @"S-1-5-32-550")
{
Results.Add(@"BUILTIN\Print Operators");
}
else if (trimedTargetSid == @"S-1-5-32-551")
{
Results.Add(@"BUILTIN\Backup Operators");
}
else if (trimedTargetSid == @"S-1-5-32-552")
{
Results.Add(@"BUILTIN\Replicators");
}
else if (trimedTargetSid == @"S-1-5-32-554")
{
Results.Add(@"BUILTIN\Pre-Windows 2000 Compatible Access");
}
else if (trimedTargetSid == @"S-1-5-32-555")
{
Results.Add(@"BUILTIN\Remote Desktop Users");
}
else if (trimedTargetSid == @"S-1-5-32-556")
{
Results.Add(@"BUILTIN\Network Configuration Operators");
}
else if (trimedTargetSid == @"S-1-5-32-557")
{
Results.Add(@"BUILTIN\Incoming Forest Trust Builders");
}
else if (trimedTargetSid == @"S-1-5-32-558")
{
Results.Add(@"BUILTIN\Performance Monitor Users");
}
else if (trimedTargetSid == @"S-1-5-32-559")
{
Results.Add(@"BUILTIN\Performance Log Users");
}
else if (trimedTargetSid == @"S-1-5-32-560")
{
Results.Add(@"BUILTIN\Windows Authorization Access Group");
}
else if (trimedTargetSid == @"S-1-5-32-561")
{
Results.Add(@"BUILTIN\Terminal Server License Servers");
}
else if (trimedTargetSid == @"S-1-5-32-562")
{
Results.Add(@"BUILTIN\Distributed COM Users");
}
else if (trimedTargetSid == @"S-1-5-32-569")
{
Results.Add(@"BUILTIN\Cryptographic Operators");
}
else if (trimedTargetSid == @"S-1-5-32-573")
{
Results.Add(@"BUILTIN\Event Log Readers");
}
else if (trimedTargetSid == @"S-1-5-32-574")
{
Results.Add(@"BUILTIN\Certificate Service DCOM Access");
}
else if (trimedTargetSid == @"S-1-5-32-575")
{
Results.Add(@"BUILTIN\RDS Remote Access Servers");
}
else if (trimedTargetSid == @"S-1-5-32-576")
{
Results.Add(@"BUILTIN\RDS Endpoint Servers");
}
else if (trimedTargetSid == @"S-1-5-32-577")
{
Results.Add(@"BUILTIN\RDS Management Servers");
}
else if (trimedTargetSid == @"S-1-5-32-578")
{
Results.Add(@"BUILTIN\Hyper-V Administrators");
}
else if (trimedTargetSid == @"S-1-5-32-579")
{
Results.Add(@"BUILTIN\Access Control Assistance Operators");
}
else if (trimedTargetSid == @"S-1-5-32-580")
{
Results.Add(@"BUILTIN\Access Control Assistance Operators");
}
else
{
ADNameArguments.Identity = new string[] { TargetSid };
Results.AddRange(ConvertADName.Convert_ADName(ADNameArguments));
}
}
catch (Exception e)
{
Logger.Write_Verbose($@"[ConvertFrom-SID] Error converting SID '{TargetSid}' : {e}");
}
}
return(Results);
}
public static IEnumerable <string> Convert_ADName(Args_Convert_ADName args)
{
ADSNameType ADSInitType;
string InitName;
// https://msdn.microsoft.com/en-us/library/aa772266%28v=vs.85%29.aspx
if (args.Server.IsNotNullOrEmpty())
{
ADSInitType = ADSNameType.Canonical;
InitName = args.Server;
}
else if (args.Domain.IsNotNullOrEmpty())
{
ADSInitType = ADSNameType.DN;
InitName = args.Domain;
}
else if (args.Credential != null)
{
ADSInitType = ADSNameType.DN;
InitName = args.Credential.Domain;
}
else
{
// if no domain or server is specified, default to GC initialization
ADSInitType = ADSNameType.NT4;
InitName = null;
}
var Names = new List <string>();
ADSNameType ADSOutputType;
if (args.Identity != null)
{
foreach (var TargetIdentity in args.Identity)
{
if (args.OutputType == null)
{
if (new Regex(@"^[A-Za-z]+\\[A-Za-z ]+").Match(TargetIdentity).Success)
{
ADSOutputType = ADSNameType.DomainSimple;
}
else
{
ADSOutputType = ADSNameType.NT4;
}
}
else
{
ADSOutputType = args.OutputType.Value;
}
var Translate = new ActiveDs.NameTranslate();
if (args.Credential != null)
{
try
{
Translate.InitEx((int)ADSInitType, InitName, args.Credential.UserName, args.Credential.Domain, args.Credential.Password);
}
catch (Exception e)
{
Logger.Write_Verbose($@"[Convert-ADName] Error initializing translation for '{args.Identity}' using alternate credentials : {e}");
}
}
else
{
try
{
Translate.Init((int)ADSInitType, InitName);
}
catch (Exception e)
{
Logger.Write_Verbose($@"[Convert-ADName] Error initializing translation for '{args.Identity}' : {e}");
}
}
// always chase all referrals
Translate.ChaseReferral = 0x60;
try
{
// 8 = Unknown name type -> let the server do the work for us
Translate.Set((int)ADSNameType.Unknown, TargetIdentity);
Names.Add(Translate.Get((int)ADSOutputType));
}
catch (Exception e)
{
Logger.Write_Verbose($@"[Convert-ADName] Error translating '{TargetIdentity}' : {e})");
}
}
}
return(Names);
}
public static IEnumerable <GroupMember> Get_DomainGroupMember(Args_Get_DomainGroupMember args = null)
{
if (args == null)
{
args = new Args_Get_DomainGroupMember();
}
var SearcherArguments = new Args_Get_DomainSearcher()
{
Properties = new string[] { @"member", @"samaccountname", @"distinguishedname" },
Domain = args.Domain,
LDAPFilter = args.LDAPFilter,
SearchBase = args.SearchBase,
Server = args.Server,
SearchScope = args.SearchScope,
ResultPageSize = args.ResultPageSize,
ServerTimeLimit = args.ServerTimeLimit,
Tombstone = args.Tombstone,
Credential = args.Credential
};
var ADNameArguments = new Args_Convert_ADName
{
Domain = args.Domain,
Server = args.Server,
Credential = args.Credential
};
var GroupMembers = new List <GroupMember>();
var GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments);
if (GroupSearcher != null)
{
string GroupFoundDomain = null;
string GroupFoundName = null;
string GroupFoundDN = null;
List <string> Members = null;
if (args.RecurseUsingMatchingRule)
{
var GroupArguments = new Args_Get_DomainGroup()
{
Properties = SearcherArguments.Properties,
Domain = SearcherArguments.Domain,
LDAPFilter = SearcherArguments.LDAPFilter,
SearchBase = SearcherArguments.SearchBase,
Server = SearcherArguments.Server,
SearchScope = SearcherArguments.SearchScope,
ResultPageSize = SearcherArguments.ResultPageSize,
ServerTimeLimit = SearcherArguments.ServerTimeLimit,
Tombstone = SearcherArguments.Tombstone,
Credential = SearcherArguments.Credential,
Identity = args.Identity,
Raw = true
};
var Groups = GetDomainGroup.Get_DomainGroup(GroupArguments);
if (Groups == null)
{
Logger.Write_Warning($@"[Get-DomainGroupMember] Error searching for group with identity: {args.Identity}");
}
else
{
var Group = Groups.First() as SearchResult;
GroupFoundName = Group.Properties[@"samaccountname"][0] as string;
GroupFoundDN = Group.Properties[@"distinguishedname"][0] as string;
if (args.Domain.IsNotNullOrEmpty())
{
GroupFoundDomain = args.Domain;
}
else
{
// if a domain isn't passed, try to extract it from the found group distinguished name
if (GroupFoundDN.IsNotNullOrEmpty())
{
GroupFoundDomain = GroupFoundDN.Substring(GroupFoundDN.IndexOf(@"DC=")).Replace(@"DC=", @"").Replace(@",", @".");
}
}
Logger.Write_Verbose($@"[Get-DomainGroupMember] Using LDAP matching rule to recurse on '{GroupFoundDN}', only user accounts will be returned.");
GroupSearcher.Filter = $@"(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:={GroupFoundDN}))";
GroupSearcher.PropertiesToLoad.AddRange(new string[] { @"distinguishedName" });
var Results = GroupSearcher.FindAll();
if (Results != null)
{
Members = new List <string>();
foreach (SearchResult result in Results)
{
Members.Add(result.Properties[@"distinguishedname"][0] as string);
}
}
}
}
else
{
var IdentityFilter = @"";
var Filter = @"";
if (args.Identity != null)
{
foreach (var item in args.Identity)
{
var IdentityInstance = item.Replace(@"(", @"\28").Replace(@")", @"\29");
if (new Regex(@"^S-1-").Match(IdentityInstance).Success)
{
IdentityFilter += $@"(objectsid={IdentityInstance})";
}
else if (new Regex(@"^CN=").Match(IdentityInstance).Success)
{
IdentityFilter += $@"(distinguishedname={IdentityInstance})";
if (args.Domain.IsNullOrEmpty() && args.SearchBase.IsNullOrEmpty())
{
// if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
// and rebuild the domain searcher
var IdentityDomain = IdentityInstance.Substring(IdentityInstance.IndexOf(@"DC=")).Replace(@"DC=", @"".Replace(@",", @"."));
Logger.Write_Verbose($@"[Get-DomainGroupMember] Extracted domain '{IdentityDomain}' from '{IdentityInstance}'");
SearcherArguments.Domain = IdentityDomain;
GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments);
if (GroupSearcher == null)
{
Logger.Write_Warning($@"[Get-DomainGroupMember] Unable to retrieve domain searcher for '{IdentityDomain}'");
}
}
}
else if (new Regex(@"^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$").Match(IdentityInstance).Success)
{
var GuidByteString = string.Join(string.Empty, Guid.Parse(IdentityInstance).ToByteArray().Select(x => x.ToString(@"\X2")));
IdentityFilter += $@"(objectguid={GuidByteString})";
}
else if (IdentityInstance.Contains(@"\"))
{
var ConvertedIdentityInstance = ConvertADName.Convert_ADName(new Args_Convert_ADName
{
OutputType = ADSNameType.Canonical,
Identity = new string[] { IdentityInstance.Replace(@"\28", @"(").Replace(@"\29", @")") }
});
if (ConvertedIdentityInstance != null && ConvertedIdentityInstance.Any())
{
var GroupDomain = ConvertedIdentityInstance.First().Substring(0, ConvertedIdentityInstance.First().IndexOf('/'));
var GroupName = IdentityInstance.Split(new char[] { '\\' })[1];
IdentityFilter += $@"(samAccountName={GroupName})";
SearcherArguments.Domain = GroupDomain;
Logger.Write_Verbose($@"[Get-DomainGroupMember] Extracted domain '{GroupDomain}' from '{IdentityInstance}'");
GroupSearcher = GetDomainSearcher.Get_DomainSearcher(SearcherArguments);
}
}
else
{
IdentityFilter += $@"(samAccountName={IdentityInstance})";
}
}
}
if (IdentityFilter != null && IdentityFilter.Trim() != @"")
{
Filter += $@"(|{IdentityFilter})";
}
if (args.LDAPFilter.IsNotNullOrEmpty())
{
Logger.Write_Verbose($@"[Get-DomainGroupMember] Using additional LDAP filter: {args.LDAPFilter}");
Filter += $@"{args.LDAPFilter}";
}
GroupSearcher.Filter = $@"(&(objectCategory=group){Filter})";
Logger.Write_Verbose($@"[Get-DomainGroupMember] Get-DomainGroupMember filter string: {GroupSearcher.Filter}");
SearchResult Result = null;
try
{
Result = GroupSearcher.FindOne();
}
catch (Exception e)
{
Logger.Write_Warning($@"[Get-DomainGroupMember] Error searching for group with identity '{args.Identity}': {e}");
Members = new List <string>();
}
GroupFoundName = @"";
GroupFoundDN = @"";
if (Result != null)
{
var tmpProperty = Result.Properties[@"member"];
var tmpValues = new string[tmpProperty.Count];
tmpProperty.CopyTo(tmpValues, 0);
Members = tmpValues.ToList();
string RangedProperty = "";
if (Members.Count == 0)
{
// ranged searching, thanks @meatballs__ !
var Finished = false;
var Bottom = 0;
var Top = 0;
while (!Finished)
{
Top = Bottom + 1499;
var MemberRange = $@"member;range={Bottom}-{Top}";
Bottom += 1500;
GroupSearcher.PropertiesToLoad.Clear();
GroupSearcher.PropertiesToLoad.Add($@"{MemberRange}");
GroupSearcher.PropertiesToLoad.Add(@"samaccountname");
GroupSearcher.PropertiesToLoad.Add(@"distinguishedname");
try
{
Result = GroupSearcher.FindOne();
RangedProperty = Result.Properties.PropertyNames.GetFirstMatch(@"member;range=*");
tmpProperty = Result.Properties[RangedProperty];
tmpValues = new string[tmpProperty.Count];
tmpProperty.CopyTo(tmpValues, 0);
Members.AddRange(tmpValues.ToList());
GroupFoundName = Result.Properties[@"samaccountname"][0] as string;
GroupFoundDN = Result.Properties[@"distinguishedname"][0] as string;
if (Members.Count == 0)
{
Finished = true;
}
}
catch
{
Finished = true;
}
}
}
else
{
GroupFoundName = Result.Properties[@"samaccountname"][0] as string;
GroupFoundDN = Result.Properties[@"distinguishedname"][0] as string;
tmpProperty = Result.Properties[RangedProperty];
tmpValues = new string[tmpProperty.Count];
tmpProperty.CopyTo(tmpValues, 0);
Members.AddRange(tmpValues.ToList());
}
if (args.Domain.IsNotNullOrEmpty())
{
GroupFoundDomain = args.Domain;
}
else
{
// if a domain isn't passed, try to extract it from the found group distinguished name
if (GroupFoundDN.IsNotNullOrEmpty())
{
GroupFoundDomain = GroupFoundDN.Substring(GroupFoundDN.IndexOf(@"DC=")).Replace(@"DC=", @"".Replace(@",", @"."));
}
}
}
var UseMatchingRule = false;
string MemberDomain = null;
foreach (var Member in Members)
{
ResultPropertyCollection Properties = null;
if (args.Recurse && UseMatchingRule)
{
//$Properties = $_.Properties
}
else
{
var ObjectSearcherArguments = new Args_Get_DomainObject
{
ADSPath = SearcherArguments.ADSPath,
Credential = SearcherArguments.Credential,
Domain = SearcherArguments.Domain,
DomainController = SearcherArguments.DomainController,
Filter = SearcherArguments.Filter,
LDAPFilter = SearcherArguments.LDAPFilter,
Properties = SearcherArguments.Properties,
ResultPageSize = SearcherArguments.ResultPageSize,
SearchBase = SearcherArguments.SearchBase,
SearchScope = SearcherArguments.SearchScope,
SecurityMasks = SearcherArguments.SecurityMasks,
Server = SearcherArguments.Server,
ServerTimeLimit = SearcherArguments.ServerTimeLimit,
Tombstone = SearcherArguments.Tombstone
};
ObjectSearcherArguments.Identity = new string[] { Member };
ObjectSearcherArguments.Raw = true;
ObjectSearcherArguments.Properties = new string[] { @"distinguishedname", @"cn", @"samaccountname", @"objectsid", @"objectclass" };
var Object = GetDomainObject.Get_DomainObject(ObjectSearcherArguments)?.FirstOrDefault() as SearchResult;
Properties = Object.Properties;
}
if (Properties != null)
{
var GroupMember = new GroupMember
{
GroupDomain = GroupFoundDomain,
GroupName = GroupFoundName,
GroupDistinguishedName = GroupFoundDN
};
string MemberSID = null;
if (Properties["objectsid"] != null)
{
MemberSID = new System.Security.Principal.SecurityIdentifier(Properties["objectsid"][0] as byte[], 0).Value;
}
else
{
MemberSID = null;
}
string MemberDN = null;
try
{
MemberDN = Properties["distinguishedname"][0].ToString();
if (MemberDN.IsRegexMatch(@"ForeignSecurityPrincipals|S-1-5-21"))
{
try
{
if (MemberSID.IsNullOrEmpty())
{
MemberSID = Properties["cn"][0].ToString();
}
ADNameArguments.Identity = new string[] { MemberSID };
ADNameArguments.OutputType = ADSNameType.DomainSimple;
var MemberSimpleName = ConvertADName.Convert_ADName(ADNameArguments);
if (MemberSimpleName != null && MemberSimpleName.Any())
{
MemberDomain = MemberSimpleName.First().Split('@')[1];
}
else
{
Logger.Write_Warning($@"[Get-DomainGroupMember] Error converting {MemberDN}");
MemberDomain = null;
}
}
catch
{
Logger.Write_Warning($@"[Get-DomainGroupMember] Error converting {MemberDN}");
MemberDomain = null;
}
}
else
{
// extract the FQDN from the Distinguished Name
MemberDomain = MemberDN.Substring(MemberDN.IndexOf(@"DC=")).Replace(@"DC=", @"").Replace(@",", @".");
}
}
catch
{
MemberDN = null;
MemberDomain = null;
}
string MemberName = null;
if (Properties["samaccountname"] != null)
{
// forest users have the samAccountName set
MemberName = Properties["samaccountname"][0].ToString();
}
else
{
// external trust users have a SID, so convert it
try
{
MemberName = ConvertFromSID.ConvertFrom_SID(new Args_ConvertFrom_SID
{
ObjectSID = new string[] { Properties["cn"][0].ToString() },
Domain = ADNameArguments.Domain,
Server = ADNameArguments.Server,
Credential = ADNameArguments.Credential
}).First();
}
catch
{
// if there's a problem contacting the domain to resolve the SID
MemberName = Properties["cn"][0].ToString();
}
}
string MemberObjectClass = null;
if (Properties["objectclass"].RegexContains(@"computer"))
{
MemberObjectClass = @"computer";
}
else if (Properties["objectclass"].RegexContains(@"group"))
{
MemberObjectClass = @"group";
}
else if (Properties["objectclass"].RegexContains(@"user"))
{
MemberObjectClass = @"user";
}
else
{
MemberObjectClass = null;
}
GroupMember.MemberDomain = MemberDomain;
GroupMember.MemberName = MemberName;
GroupMember.MemberDistinguishedName = MemberDN;
GroupMember.MemberObjectClass = MemberObjectClass;
GroupMember.MemberSID = MemberSID;
GroupMembers.Add(GroupMember);
// if we're doing manual recursion
if (args.Recurse && MemberDN.IsNotNullOrEmpty() && MemberObjectClass.IsRegexMatch(@"group"))
{
Logger.Write_Verbose($@"[Get-DomainGroupMember] Manually recursing on group: {MemberDN}");
var GroupArguments = new Args_Get_DomainGroupMember()
{
Domain = SearcherArguments.Domain,
LDAPFilter = SearcherArguments.LDAPFilter,
SearchBase = SearcherArguments.SearchBase,
Server = SearcherArguments.Server,
SearchScope = SearcherArguments.SearchScope,
ResultPageSize = SearcherArguments.ResultPageSize,
ServerTimeLimit = SearcherArguments.ServerTimeLimit,
Tombstone = SearcherArguments.Tombstone,
Credential = SearcherArguments.Credential,
Identity = new string[] { MemberDN }
};
GroupMembers.AddRange(Get_DomainGroupMember(GroupArguments));
}
}
}
}
GroupSearcher.Dispose();
}
return(GroupMembers);
}
public static IEnumerable <ACL> Find_InterestingDomainAcl(Args_Find_InterestingDomainAcl args = null)
{
if (args == null)
{
args = new Args_Find_InterestingDomainAcl();
}
var ACLArguments = new Args_Get_DomainObjectAcl
{
ResolveGUIDs = args.ResolveGUIDs,
RightsFilter = args.RightsFilter,
LDAPFilter = args.LDAPFilter,
SearchBase = args.SearchBase,
Server = args.Server,
SearchScope = args.SearchScope,
ResultPageSize = args.ResultPageSize,
ServerTimeLimit = args.ServerTimeLimit,
Tombstone = args.Tombstone,
Credential = args.Credential
};
var ObjectSearcherArguments = new Args_Get_DomainObject
{
Properties = new[] { "samaccountname", "objectclass" },
Raw = true,
Server = args.Server,
SearchScope = args.SearchScope,
ResultPageSize = args.ResultPageSize,
ServerTimeLimit = args.ServerTimeLimit,
Tombstone = args.Tombstone,
Credential = args.Credential
};
var ADNameArguments = new Args_Convert_ADName
{
Server = args.Server,
Credential = args.Credential
};
// ongoing list of built-up SIDs
var ResolvedSIDs = new Dictionary <string, ResolvedSID>();
if (args.Domain != null)
{
ACLArguments.Domain = args.Domain;
ADNameArguments.Domain = args.Domain;
}
var InterestingACLs = new List <ACL>();
var acls = GetDomainObjectAcl.Get_DomainObjectAcl(ACLArguments);
foreach (var acl in acls)
{
if ((acl.ActiveDirectoryRights.ToString().IsRegexMatch(@"GenericAll|Write|Create|Delete")) || ((acl.ActiveDirectoryRights == ActiveDirectoryRights.ExtendedRight) && (acl.Ace is QualifiedAce) && (acl.Ace as QualifiedAce).AceQualifier == AceQualifier.AccessAllowed))
{
// only process SIDs > 1000
var ace = acl.Ace as QualifiedAce;
if (ace != null && ace.SecurityIdentifier.Value.IsRegexMatch(@"^S-1-5-.*-[1-9]\d{3,}$"))
{
if (ResolvedSIDs.ContainsKey(ace.SecurityIdentifier.Value) && ResolvedSIDs[ace.SecurityIdentifier.Value] != null)
{
var ResolvedSID = ResolvedSIDs[(acl.Ace as KnownAce).SecurityIdentifier.Value];
var InterestingACL = new ACL
{
ObjectDN = acl.ObjectDN,
Ace = ace,
ActiveDirectoryRights = acl.ActiveDirectoryRights,
IdentityReferenceName = ResolvedSID.IdentityReferenceName,
IdentityReferenceDomain = ResolvedSID.IdentityReferenceDomain,
IdentityReferenceDN = ResolvedSID.IdentityReferenceDN,
IdentityReferenceClass = ResolvedSID.IdentityReferenceClass
};
InterestingACLs.Add(InterestingACL);
}
else
{
ADNameArguments.Identity = new string[] { ace.SecurityIdentifier.Value };
ADNameArguments.OutputType = ADSNameType.DN;
var IdentityReferenceDN = ConvertADName.Convert_ADName(ADNameArguments)?.FirstOrDefault();
// "IdentityReferenceDN: $IdentityReferenceDN"
if (IdentityReferenceDN != null)
{
var IdentityReferenceDomain = IdentityReferenceDN.Substring(IdentityReferenceDN.IndexOf("DC=")).Replace(@"DC=", "").Replace(",", ".");
// "IdentityReferenceDomain: $IdentityReferenceDomain"
ObjectSearcherArguments.Domain = IdentityReferenceDomain;
ObjectSearcherArguments.Identity = new[] { IdentityReferenceDN };
// "IdentityReferenceDN: $IdentityReferenceDN"
var Object = GetDomainObject.Get_DomainObject(ObjectSearcherArguments)?.FirstOrDefault() as SearchResult;
if (Object != null)
{
var IdentityReferenceName = Object.Properties["samaccountname"][0].ToString();
string IdentityReferenceClass;
if (Object.Properties["objectclass"][0].ToString().IsRegexMatch(@"computer"))
{
IdentityReferenceClass = "computer";
}
else if (Object.Properties["objectclass"][0].ToString().IsRegexMatch(@"group"))
{
IdentityReferenceClass = "group";
}
else if (Object.Properties["objectclass"][0].ToString().IsRegexMatch(@"user"))
{
IdentityReferenceClass = "user";
}
else
{
IdentityReferenceClass = null;
}
// save so we don't look up more than once
ResolvedSIDs[ace.SecurityIdentifier.Value] = new ResolvedSID
{
IdentityReferenceName = IdentityReferenceName,
IdentityReferenceDomain = IdentityReferenceDomain,
IdentityReferenceDN = IdentityReferenceDN,
IdentityReferenceClass = IdentityReferenceClass
};
var InterestingACL = new ACL
{
ObjectDN = acl.ObjectDN,
Ace = ace,
ActiveDirectoryRights = acl.ActiveDirectoryRights,
IdentityReferenceName = IdentityReferenceName,
IdentityReferenceDomain = IdentityReferenceDomain,
IdentityReferenceDN = IdentityReferenceDN,
IdentityReferenceClass = IdentityReferenceClass
};
InterestingACLs.Add(InterestingACL);
}
}
else
{
Logger.Write_Warning($@"[Find-InterestingDomainAcl] Unable to convert SID '{ace.SecurityIdentifier.Value}' to a distinguishedname with Convert-ADName");
}
}
}
}
}
return(InterestingACLs);
}
public static IEnumerable <string> Convert_ADName(Args_Convert_ADName args)
{
return(ConvertADName.Convert_ADName(args));
}
