diff --git a/cmd/ui/src/utils.ts b/cmd/ui/src/utils.ts index fdb6579f39..6c93c0caeb 100644 --- a/cmd/ui/src/utils.ts +++ b/cmd/ui/src/utils.ts @@ -25,7 +25,7 @@ import { isLink, isNode } from 'src/ducks/graph/utils'; import { Glyph } from 'src/rendering/programs/node.glyphs'; import { store } from 'src/store'; -const IGNORE_401_LOGOUT = ['/api/v2/login', '/api/v2/logout', '/api/v2/features'] +const IGNORE_401_LOGOUT = ['/api/v2/login', '/api/v2/logout', '/api/v2/features']; export const getDatesInRange = (startDate: Date, endDate: Date) => { const date = new Date(startDate.getTime()); diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue index fa54f3c92b..3af47cb6e4 100644 --- a/packages/cue/bh/ad/ad.cue +++ b/packages/cue/bh/ad/ad.cue @@ -574,6 +574,160 @@ ObjectGUID: types.#StringEnum & { representation: "objectguid" } +ExpirePasswordsOnSmartCardOnlyAccounts: types.#StringEnum & { + symbol: "ExpirePasswordsOnSmartCardOnlyAccounts" + schema: "ad" + name: "Expire Passwords on Smart Card only Accounts" + representation: "expirepasswordsonsmartcardonlyaccounts" +} + +MachineAccountQuota: types.#StringEnum & { + symbol: "MachineAccountQuota" + schema: "ad" + name: "Machine Account Quota" + representation: "machineaccountquota" +} + +SupportedKerberosEncryptionTypes: types.#StringEnum & { + symbol: "SupportedKerberosEncryptionTypes" + schema: "ad" + name: "Supported Kerberos Encryption Types" + representation: "supportedencryptiontypes" +} + +TGTDelegationEnabled: types.#StringEnum & { + symbol: "TGTDelegationEnabled" + schema: "ad" + name: "TGT Delegation Enabled" + representation: "tgtdelegationenabled" +} + +PasswordStoredUsingReversibleEncryption: types.#StringEnum & { + symbol: "PasswordStoredUsingReversibleEncryption" + schema: "ad" + name: "Password Stored Using Reversible Encryption" + representation: "encryptedtextpwdallowed" +} + +SmartcardRequired: types.#StringEnum & { + symbol: "SmartcardRequired" + schema: "ad" + name: "Smartcard Required" + representation: "smartcardrequired" +} + +UseDESKeyOnly: types.#StringEnum & { + symbol: "UseDESKeyOnly" + schema: "ad" + name: "Use DES Key Only" + representation: "usedeskeyonly" +} + +LogonScriptEnabled: types.#StringEnum & { + symbol: "LogonScriptEnabled" + schema: "ad" + name: "Logon Script Enabled" + representation: "logonscriptenabled" +} + +LockedOut: types.#StringEnum & { + symbol: "LockedOut" + schema: "ad" + name: "Locked Out" + representation: "lockedout" +} + +UserCannotChangePassword: types.#StringEnum & { + symbol: "UserCannotChangePassword" + schema: "ad" + name: "User Cannot Change Password" + representation: "passwordcantchange" +} + +PasswordExpired: types.#StringEnum & { + symbol: "PasswordExpired" + schema: "ad" + name: "Password Expired" + representation: "passwordexpired" +} + +DSHeuristics: types.#StringEnum & { + symbol: "DSHeuristics" + schema: "ad" + name: "DSHeuristics" + representation: "dsheuristics" +} + +UserAccountControl: types.#StringEnum & { + symbol: "UserAccountControl" + schema: "ad" + name: "User Account Control" + representation: "useraccountcontrol" +} + +TrustAttributes: types.#StringEnum & { + symbol: "TrustAttributes" + schema: "ad" + name: "Trust Attributes" + representation: "trustattributes" +} + +LockoutDuration: types.#StringEnum & { + symbol: "LockoutDuration" + schema: "ad" + name: "Lockout Duration" + representation: "lockoutduration" +} + +LockoutObservationWindow: types.#StringEnum & { + symbol: "LockoutObservationWindow" + schema: "ad" + name: "Lockout Observation Window" + representation: "lockoutobservationwindow" +} + +MaxPwdAge: types.#StringEnum & { + symbol: "MaxPwdAge" + schema: "ad" + name: "Maximum Password Age" + representation: "maxpwdage" +} + +MinPwdAge: types.#StringEnum & { + symbol: "MinPwdAge" + schema: "ad" + name: "Minimum Password Age" + representation: "minpwdage" +} + +LockoutThreshold: types.#StringEnum & { + symbol: "LockoutThreshold" + schema: "ad" + name: "Lockout Threshold" + representation: "lockoutthreshold" +} + +PwdHistoryLength: types.#StringEnum & { + symbol: "PwdHistoryLength" + schema: "ad" + name: "Password History Length" + representation: "pwdhistorylength" +} + +PwdProperties: types.#StringEnum & { + symbol: "PwdProperties" + schema: "ad" + name: "Password Properties" + representation: "pwdproperties" +} + +MinPwdLength: types.#StringEnum & { + symbol: "MinPwdLength" + schema: "ad" + name: "Minimum password length" + representation: "minpwdlength" +} + Properties: [ AdminCount, CASecurityCollected, @@ -652,7 +806,29 @@ Properties: [ CertificatePolicy, CertTemplateOID, GroupLinkID, - ObjectGUID + ObjectGUID, + ExpirePasswordsOnSmartCardOnlyAccounts, + MachineAccountQuota, + SupportedKerberosEncryptionTypes, + TGTDelegationEnabled, + PasswordStoredUsingReversibleEncryption, + SmartcardRequired, + UseDESKeyOnly, + LogonScriptEnabled, + LockedOut, + UserCannotChangePassword, + PasswordExpired, + DSHeuristics, + UserAccountControl, + TrustAttributes, + MinPwdLength, + PwdProperties, + PwdHistoryLength, + LockoutThreshold, + MinPwdAge, + MaxPwdAge, + LockoutDuration, + LockoutObservationWindow ] // Kinds diff --git a/packages/go/ein/ad.go b/packages/go/ein/ad.go index 45e2f71ac3..48a0205d30 100644 --- a/packages/go/ein/ad.go +++ b/packages/go/ein/ad.go @@ -303,10 +303,12 @@ func ParseDomainTrusts(domain Domain) ParsedDomainTrustData { }, IngestibleRel{ RelProps: map[string]any{ - "isacl": false, - "sidfiltering": trust.SidFilteringEnabled, - "trusttype": trust.TrustType, - "transitive": trust.IsTransitive}, + "isacl": false, + "sidfiltering": trust.SidFilteringEnabled, + "tgtdelegationenabled": trust.TGTDelegationEnabled, + "trustattributes": trust.TrustAttributes, + "trusttype": trust.TrustType, + "transitive": trust.IsTransitive}, RelType: ad.TrustedBy, }, )) @@ -324,10 +326,12 @@ func ParseDomainTrusts(domain Domain) ParsedDomainTrustData { }, IngestibleRel{ RelProps: map[string]any{ - "isacl": false, - "sidfiltering": trust.SidFilteringEnabled, - "trusttype": trust.TrustType, - "transitive": trust.IsTransitive}, + "isacl": false, + "sidfiltering": trust.SidFilteringEnabled, + "tgtdelegationenabled": trust.TGTDelegationEnabled, + "trustattributes": trust.TrustAttributes, + "trusttype": trust.TrustType, + "transitive": trust.IsTransitive}, RelType: ad.TrustedBy, }, )) diff --git a/packages/go/ein/incoming_models.go b/packages/go/ein/incoming_models.go index 15e768c6d2..b4564a6d3f 100644 --- a/packages/go/ein/incoming_models.go +++ b/packages/go/ein/incoming_models.go @@ -201,12 +201,14 @@ type Container struct { } type Trust struct { - TargetDomainSid string - IsTransitive bool - TrustDirection string - TrustType string - SidFilteringEnabled bool - TargetDomainName string + TargetDomainSid string + IsTransitive bool + TrustDirection string + TrustType string + SidFilteringEnabled bool + TargetDomainName string + TGTDelegationEnabled bool + TrustAttributes string } type GPLink struct { diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go index e9c41d6712..14a1134a91 100644 --- a/packages/go/graphschema/ad/ad.go +++ b/packages/go/graphschema/ad/ad.go @@ -117,88 +117,110 @@ var ( type Property string const ( - AdminCount Property = "admincount" - CASecurityCollected Property = "casecuritycollected" - CAName Property = "caname" - CertChain Property = "certchain" - CertName Property = "certname" - CertThumbprint Property = "certthumbprint" - CertThumbprints Property = "certthumbprints" - HasEnrollmentAgentRestrictions Property = "hasenrollmentagentrestrictions" - EnrollmentAgentRestrictionsCollected Property = "enrollmentagentrestrictionscollected" - IsUserSpecifiesSanEnabled Property = "isuserspecifiessanenabled" - IsUserSpecifiesSanEnabledCollected Property = "isuserspecifiessanenabledcollected" - RoleSeparationEnabled Property = "roleseparationenabled" - RoleSeparationEnabledCollected Property = "roleseparationenabledcollected" - HasBasicConstraints Property = "hasbasicconstraints" - BasicConstraintPathLength Property = "basicconstraintpathlength" - UnresolvedPublishedTemplates Property = "unresolvedpublishedtemplates" - DNSHostname Property = "dnshostname" - CrossCertificatePair Property = "crosscertificatepair" - DistinguishedName Property = "distinguishedname" - DomainFQDN Property = "domain" - DomainSID Property = "domainsid" - Sensitive Property = "sensitive" - HighValue Property = "highvalue" - BlocksInheritance Property = "blocksinheritance" - IsACL Property = "isacl" - IsACLProtected Property = "isaclprotected" - IsDeleted Property = "isdeleted" - Enforced Property = "enforced" - Department Property = "department" - HasCrossCertificatePair Property = "hascrosscertificatepair" - HasSPN Property = "hasspn" - UnconstrainedDelegation Property = "unconstraineddelegation" - LastLogon Property = "lastlogon" - LastLogonTimestamp Property = "lastlogontimestamp" - IsPrimaryGroup Property = "isprimarygroup" - HasLAPS Property = "haslaps" - DontRequirePreAuth Property = "dontreqpreauth" - LogonType Property = "logontype" - HasURA Property = "hasura" - PasswordNeverExpires Property = "pwdneverexpires" - PasswordNotRequired Property = "passwordnotreqd" - FunctionalLevel Property = "functionallevel" - TrustType Property = "trusttype" - SidFiltering Property = "sidfiltering" - TrustedToAuth Property = "trustedtoauth" - SamAccountName Property = "samaccountname" - CertificateMappingMethodsRaw Property = "certificatemappingmethodsraw" - CertificateMappingMethods Property = "certificatemappingmethods" - StrongCertificateBindingEnforcementRaw Property = "strongcertificatebindingenforcementraw" - StrongCertificateBindingEnforcement Property = "strongcertificatebindingenforcement" - EKUs Property = "ekus" - SubjectAltRequireUPN Property = "subjectaltrequireupn" - SubjectAltRequireDNS Property = "subjectaltrequiredns" - SubjectAltRequireDomainDNS Property = "subjectaltrequiredomaindns" - SubjectAltRequireEmail Property = "subjectaltrequireemail" - SubjectAltRequireSPN Property = "subjectaltrequirespn" - SubjectRequireEmail Property = "subjectrequireemail" - AuthorizedSignatures Property = "authorizedsignatures" - ApplicationPolicies Property = "applicationpolicies" - IssuancePolicies Property = "issuancepolicies" - SchemaVersion Property = "schemaversion" - RequiresManagerApproval Property = "requiresmanagerapproval" - AuthenticationEnabled Property = "authenticationenabled" - EnrolleeSuppliesSubject Property = "enrolleesuppliessubject" - CertificateApplicationPolicy Property = "certificateapplicationpolicy" - CertificateNameFlag Property = "certificatenameflag" - EffectiveEKUs Property = "effectiveekus" - EnrollmentFlag Property = "enrollmentflag" - Flags Property = "flags" - NoSecurityExtension Property = "nosecurityextension" - RenewalPeriod Property = "renewalperiod" - ValidityPeriod Property = "validityperiod" - OID Property = "oid" - HomeDirectory Property = "homedirectory" - CertificatePolicy Property = "certificatepolicy" - CertTemplateOID Property = "certtemplateoid" - GroupLinkID Property = "grouplinkid" - ObjectGUID Property = "objectguid" + AdminCount Property = "admincount" + CASecurityCollected Property = "casecuritycollected" + CAName Property = "caname" + CertChain Property = "certchain" + CertName Property = "certname" + CertThumbprint Property = "certthumbprint" + CertThumbprints Property = "certthumbprints" + HasEnrollmentAgentRestrictions Property = "hasenrollmentagentrestrictions" + EnrollmentAgentRestrictionsCollected Property = "enrollmentagentrestrictionscollected" + IsUserSpecifiesSanEnabled Property = "isuserspecifiessanenabled" + IsUserSpecifiesSanEnabledCollected Property = "isuserspecifiessanenabledcollected" + RoleSeparationEnabled Property = "roleseparationenabled" + RoleSeparationEnabledCollected Property = "roleseparationenabledcollected" + HasBasicConstraints Property = "hasbasicconstraints" + BasicConstraintPathLength Property = "basicconstraintpathlength" + UnresolvedPublishedTemplates Property = "unresolvedpublishedtemplates" + DNSHostname Property = "dnshostname" + CrossCertificatePair Property = "crosscertificatepair" + DistinguishedName Property = "distinguishedname" + DomainFQDN Property = "domain" + DomainSID Property = "domainsid" + Sensitive Property = "sensitive" + HighValue Property = "highvalue" + BlocksInheritance Property = "blocksinheritance" + IsACL Property = "isacl" + IsACLProtected Property = "isaclprotected" + IsDeleted Property = "isdeleted" + Enforced Property = "enforced" + Department Property = "department" + HasCrossCertificatePair Property = "hascrosscertificatepair" + HasSPN Property = "hasspn" + UnconstrainedDelegation Property = "unconstraineddelegation" + LastLogon Property = "lastlogon" + LastLogonTimestamp Property = "lastlogontimestamp" + IsPrimaryGroup Property = "isprimarygroup" + HasLAPS Property = "haslaps" + DontRequirePreAuth Property = "dontreqpreauth" + LogonType Property = "logontype" + HasURA Property = "hasura" + PasswordNeverExpires Property = "pwdneverexpires" + PasswordNotRequired Property = "passwordnotreqd" + FunctionalLevel Property = "functionallevel" + TrustType Property = "trusttype" + SidFiltering Property = "sidfiltering" + TrustedToAuth Property = "trustedtoauth" + SamAccountName Property = "samaccountname" + CertificateMappingMethodsRaw Property = "certificatemappingmethodsraw" + CertificateMappingMethods Property = "certificatemappingmethods" + StrongCertificateBindingEnforcementRaw Property = "strongcertificatebindingenforcementraw" + StrongCertificateBindingEnforcement Property = "strongcertificatebindingenforcement" + EKUs Property = "ekus" + SubjectAltRequireUPN Property = "subjectaltrequireupn" + SubjectAltRequireDNS Property = "subjectaltrequiredns" + SubjectAltRequireDomainDNS Property = "subjectaltrequiredomaindns" + SubjectAltRequireEmail Property = "subjectaltrequireemail" + SubjectAltRequireSPN Property = "subjectaltrequirespn" + SubjectRequireEmail Property = "subjectrequireemail" + AuthorizedSignatures Property = "authorizedsignatures" + ApplicationPolicies Property = "applicationpolicies" + IssuancePolicies Property = "issuancepolicies" + SchemaVersion Property = "schemaversion" + RequiresManagerApproval Property = "requiresmanagerapproval" + AuthenticationEnabled Property = "authenticationenabled" + EnrolleeSuppliesSubject Property = "enrolleesuppliessubject" + CertificateApplicationPolicy Property = "certificateapplicationpolicy" + CertificateNameFlag Property = "certificatenameflag" + EffectiveEKUs Property = "effectiveekus" + EnrollmentFlag Property = "enrollmentflag" + Flags Property = "flags" + NoSecurityExtension Property = "nosecurityextension" + RenewalPeriod Property = "renewalperiod" + ValidityPeriod Property = "validityperiod" + OID Property = "oid" + HomeDirectory Property = "homedirectory" + CertificatePolicy Property = "certificatepolicy" + CertTemplateOID Property = "certtemplateoid" + GroupLinkID Property = "grouplinkid" + ObjectGUID Property = "objectguid" + ExpirePasswordsOnSmartCardOnlyAccounts Property = "expirepasswordsonsmartcardonlyaccounts" + MachineAccountQuota Property = "machineaccountquota" + SupportedKerberosEncryptionTypes Property = "supportedencryptiontypes" + TGTDelegationEnabled Property = "tgtdelegationenabled" + PasswordStoredUsingReversibleEncryption Property = "encryptedtextpwdallowed" + SmartcardRequired Property = "smartcardrequired" + UseDESKeyOnly Property = "usedeskeyonly" + LogonScriptEnabled Property = "logonscriptenabled" + LockedOut Property = "lockedout" + UserCannotChangePassword Property = "passwordcantchange" + PasswordExpired Property = "passwordexpired" + DSHeuristics Property = "dsheuristics" + UserAccountControl Property = "useraccountcontrol" + TrustAttributes Property = "trustattributes" + MinPwdLength Property = "minpwdlength" + PwdProperties Property = "pwdproperties" + PwdHistoryLength Property = "pwdhistorylength" + LockoutThreshold Property = "lockoutthreshold" + MinPwdAge Property = "minpwdage" + MaxPwdAge Property = "maxpwdage" + LockoutDuration Property = "lockoutduration" + LockoutObservationWindow Property = "lockoutobservationwindow" ) func AllProperties() []Property { - return []Property{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, RoleSeparationEnabled, RoleSeparationEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, UnresolvedPublishedTemplates, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, SubjectAltRequireDNS, SubjectAltRequireDomainDNS, SubjectAltRequireEmail, SubjectAltRequireSPN, SubjectRequireEmail, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory, CertificatePolicy, CertTemplateOID, GroupLinkID, ObjectGUID} + return []Property{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, RoleSeparationEnabled, RoleSeparationEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, UnresolvedPublishedTemplates, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, SubjectAltRequireDNS, SubjectAltRequireDomainDNS, SubjectAltRequireEmail, SubjectAltRequireSPN, SubjectRequireEmail, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory, CertificatePolicy, CertTemplateOID, GroupLinkID, ObjectGUID, ExpirePasswordsOnSmartCardOnlyAccounts, MachineAccountQuota, SupportedKerberosEncryptionTypes, TGTDelegationEnabled, PasswordStoredUsingReversibleEncryption, SmartcardRequired, UseDESKeyOnly, LogonScriptEnabled, LockedOut, UserCannotChangePassword, PasswordExpired, DSHeuristics, UserAccountControl, TrustAttributes, MinPwdLength, PwdProperties, PwdHistoryLength, LockoutThreshold, MinPwdAge, MaxPwdAge, LockoutDuration, LockoutObservationWindow} } func ParseProperty(source string) (Property, error) { switch source { @@ -358,6 +380,50 @@ func ParseProperty(source string) (Property, error) { return GroupLinkID, nil case "objectguid": return ObjectGUID, nil + case "expirepasswordsonsmartcardonlyaccounts": + return ExpirePasswordsOnSmartCardOnlyAccounts, nil + case "machineaccountquota": + return MachineAccountQuota, nil + case "supportedencryptiontypes": + return SupportedKerberosEncryptionTypes, nil + case "tgtdelegationenabled": + return TGTDelegationEnabled, nil + case "encryptedtextpwdallowed": + return PasswordStoredUsingReversibleEncryption, nil + case "smartcardrequired": + return SmartcardRequired, nil + case "usedeskeyonly": + return UseDESKeyOnly, nil + case "logonscriptenabled": + return LogonScriptEnabled, nil + case "lockedout": + return LockedOut, nil + case "passwordcantchange": + return UserCannotChangePassword, nil + case "passwordexpired": + return PasswordExpired, nil + case "dsheuristics": + return DSHeuristics, nil + case "useraccountcontrol": + return UserAccountControl, nil + case "trustattributes": + return TrustAttributes, nil + case "minpwdlength": + return MinPwdLength, nil + case "pwdproperties": + return PwdProperties, nil + case "pwdhistorylength": + return PwdHistoryLength, nil + case "lockoutthreshold": + return LockoutThreshold, nil + case "minpwdage": + return MinPwdAge, nil + case "maxpwdage": + return MaxPwdAge, nil + case "lockoutduration": + return LockoutDuration, nil + case "lockoutobservationwindow": + return LockoutObservationWindow, nil default: return "", errors.New("Invalid enumeration value: " + source) } @@ -520,6 +586,50 @@ func (s Property) String() string { return string(GroupLinkID) case ObjectGUID: return string(ObjectGUID) + case ExpirePasswordsOnSmartCardOnlyAccounts: + return string(ExpirePasswordsOnSmartCardOnlyAccounts) + case MachineAccountQuota: + return string(MachineAccountQuota) + case SupportedKerberosEncryptionTypes: + return string(SupportedKerberosEncryptionTypes) + case TGTDelegationEnabled: + return string(TGTDelegationEnabled) + case PasswordStoredUsingReversibleEncryption: + return string(PasswordStoredUsingReversibleEncryption) + case SmartcardRequired: + return string(SmartcardRequired) + case UseDESKeyOnly: + return string(UseDESKeyOnly) + case LogonScriptEnabled: + return string(LogonScriptEnabled) + case LockedOut: + return string(LockedOut) + case UserCannotChangePassword: + return string(UserCannotChangePassword) + case PasswordExpired: + return string(PasswordExpired) + case DSHeuristics: + return string(DSHeuristics) + case UserAccountControl: + return string(UserAccountControl) + case TrustAttributes: + return string(TrustAttributes) + case MinPwdLength: + return string(MinPwdLength) + case PwdProperties: + return string(PwdProperties) + case PwdHistoryLength: + return string(PwdHistoryLength) + case LockoutThreshold: + return string(LockoutThreshold) + case MinPwdAge: + return string(MinPwdAge) + case MaxPwdAge: + return string(MaxPwdAge) + case LockoutDuration: + return string(LockoutDuration) + case LockoutObservationWindow: + return string(LockoutObservationWindow) default: return "Invalid enumeration case: " + string(s) } @@ -682,6 +792,50 @@ func (s Property) Name() string { return "Group Link ID" case ObjectGUID: return "Object GUID" + case ExpirePasswordsOnSmartCardOnlyAccounts: + return "Expire Passwords on Smart Card only Accounts" + case MachineAccountQuota: + return "Machine Account Quota" + case SupportedKerberosEncryptionTypes: + return "Supported Kerberos Encryption Types" + case TGTDelegationEnabled: + return "TGT Delegation Enabled" + case PasswordStoredUsingReversibleEncryption: + return "Password Stored Using Reversible Encryption" + case SmartcardRequired: + return "Smartcard Required" + case UseDESKeyOnly: + return "Use DES Key Only" + case LogonScriptEnabled: + return "Logon Script Enabled" + case LockedOut: + return "Locked Out" + case UserCannotChangePassword: + return "User Cannot Change Password" + case PasswordExpired: + return "Password Expired" + case DSHeuristics: + return "DSHeuristics" + case UserAccountControl: + return "User Account Control" + case TrustAttributes: + return "Trust Attributes" + case MinPwdLength: + return "Minimum password length" + case PwdProperties: + return "Password Properties" + case PwdHistoryLength: + return "Password History Length" + case LockoutThreshold: + return "Lockout Threshold" + case MinPwdAge: + return "Minimum Password Age" + case MaxPwdAge: + return "Maximum Password Age" + case LockoutDuration: + return "Lockout Duration" + case LockoutObservationWindow: + return "Lockout Observation Window" default: return "Invalid enumeration case: " + string(s) } diff --git a/packages/javascript/bh-shared-ui/src/commonSearches.tsx b/packages/javascript/bh-shared-ui/src/commonSearches.tsx index ca9b9e93ba..c51dc2a487 100644 --- a/packages/javascript/bh-shared-ui/src/commonSearches.tsx +++ b/packages/javascript/bh-shared-ui/src/commonSearches.tsx @@ -208,7 +208,23 @@ export const CommonSearches: CommonSearchType[] = [ queries: [ { description: 'Enabled Tier Zero / High Value principals inactive for 60 days', - cypher: `WITH 60 as inactive_days\nMATCH (n)\nWHERE n.system_tags CONTAINS "admin_tier_0"\nAND n.enabled = true\nAND n.lastlogontimestamp < (datetime().epochseconds - (inactive_days * 86400)) // Replicated value\nAND n.lastlogon < (datetime().epochseconds - (inactive_days * 86400)) // Non-replicated value\nAND n.whencreated < (datetime().epochseconds - (inactive_days * 86400)) // Exclude recently created principals\nAND NOT n.name STARTS WITH "AZUREADKERBEROS." // Removes false positive, Azure KRBTGT\nAND NOT n.objectid ENDS WITH "-500" // Removes false positive, built-in Administrator\nAND NOT n.name STARTS WITH "AZUREADSSOACC." // Removes false positive, Entra Seamless SSO\nRETURN n\nLIMIT 100`, + cypher: `WITH 60 as inactive_days\nMATCH (n:Base)\nWHERE n.system_tags CONTAINS "admin_tier_0"\nAND n.enabled = true\nAND n.lastlogontimestamp < (datetime().epochseconds - (inactive_days * 86400)) // Replicated value\nAND n.lastlogon < (datetime().epochseconds - (inactive_days * 86400)) // Non-replicated value\nAND n.whencreated < (datetime().epochseconds - (inactive_days * 86400)) // Exclude recently created principals\nAND NOT n.name STARTS WITH "AZUREADKERBEROS." // Removes false positive, Azure KRBTGT\nAND NOT n.objectid ENDS WITH "-500" // Removes false positive, built-in Administrator\nAND NOT n.name STARTS WITH "AZUREADSSOACC." // Removes false positive, Entra Seamless SSO\nRETURN n`, + }, + { + description: 'Tier Zero / High Value enabled users not requiring smart card authentication', + cypher: `MATCH (n:User)\nWHERE "admin_tier_0" IN split(n.system_tags, ' ')\nAND n.enabled = true\nAND n.smartcardrequired = false\nAND NOT n.name STARTS WITH "MSOL_" // Removes false positive, Entra sync\nAND NOT n.name STARTS WITH "PROVAGENTGMSA" // Removes false positive, Entra sync\nAND NOT n.name STARTS WITH "ADSYNCMSA_" // Removes false positive, Entra sync\nRETURN n`, + }, + { + description: 'Domains where any user can join a computer to the domain', + cypher: `MATCH (n:Domain)\nWHERE n.machineaccountquota > 0\nRETURN n`, + }, + { + description: 'Domains with smart card accounts where smart account passwords do not expire', + cypher: `MATCH (n:Domain)-[:Contains*1..]->(m:Base)\nWHERE n.expirepasswordsonsmartcardonlyaccounts = false\nAND m.enabled = true\nAND m.smartcardrequired = true\nRETURN n`, + }, + { + description: 'Two-way forest trusts enabled for delegation', + cypher: `MATCH p=(n:Domain)-[r:TrustedBy]->(m:Domain)\nWHERE (n)<-[:TrustedBy]-(m)\nAND r.trusttype = 'Forest'\nAND r.tgtdelegationenabled = true\nRETURN p`, }, { description: 'Computers with unsupported operating systems', @@ -230,6 +246,18 @@ export const CommonSearches: CommonSearchType[] = [ description: 'Disabled Tier Zero / High Value principals', cypher: `MATCH (n:Base)\nWHERE n.system_tags CONTAINS "admin_tier_0"\nAND n.enabled = false\nAND NOT n.objectid ENDS WITH "-502" // Removes false positive, KRBTGT\nAND NOT n.objectid ENDS WITH "-500" // Removes false positive, built-in Administrator\nRETURN n\nLIMIT 100`, }, + { + description: 'Principals with passwords stored using reversible encryption', + cypher: `MATCH (n:Base)\nWHERE n.encryptedtextpwdallowed = true\nRETURN n`, + }, + { + description: 'Principals with DES-only Kerberos authentication', + cypher: `MATCH (n:Base)\nWHERE n.enabled = true\nAND n.usedeskeyonly = true\nRETURN n`, + }, + { + description: 'Principals with weak supported Kerberos encryption types', + cypher: `MATCH (n:Base)\nWHERE ANY(keyword IN n.supportedencryptiontypes WHERE keyword IN ['DES-CBC-CRC', 'DES-CBC-MD5', 'RC4-HMAC-MD5'])\nRETURN n`, + }, { description: 'Tier Zero / High Value users with non-expiring passwords', cypher: `MATCH (u:User)\nWHERE u.enabled = true\nAND u.pwdneverexpires = true\nand u.system_tags CONTAINS "admin_tier_0"\nRETURN u\nLIMIT 100`, diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts index 1a1f7a2724..f6770e95db 100644 --- a/packages/javascript/bh-shared-ui/src/graphSchema.ts +++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts @@ -381,6 +381,28 @@ export enum ActiveDirectoryKindProperties { CertTemplateOID = 'certtemplateoid', GroupLinkID = 'grouplinkid', ObjectGUID = 'objectguid', + ExpirePasswordsOnSmartCardOnlyAccounts = 'expirepasswordsonsmartcardonlyaccounts', + MachineAccountQuota = 'machineaccountquota', + SupportedKerberosEncryptionTypes = 'supportedencryptiontypes', + TGTDelegationEnabled = 'tgtdelegationenabled', + PasswordStoredUsingReversibleEncryption = 'encryptedtextpwdallowed', + SmartcardRequired = 'smartcardrequired', + UseDESKeyOnly = 'usedeskeyonly', + LogonScriptEnabled = 'logonscriptenabled', + LockedOut = 'lockedout', + UserCannotChangePassword = 'passwordcantchange', + PasswordExpired = 'passwordexpired', + DSHeuristics = 'dsheuristics', + UserAccountControl = 'useraccountcontrol', + TrustAttributes = 'trustattributes', + MinPwdLength = 'minpwdlength', + PwdProperties = 'pwdproperties', + PwdHistoryLength = 'pwdhistorylength', + LockoutThreshold = 'lockoutthreshold', + MinPwdAge = 'minpwdage', + MaxPwdAge = 'maxpwdage', + LockoutDuration = 'lockoutduration', + LockoutObservationWindow = 'lockoutobservationwindow', } export function ActiveDirectoryKindPropertiesToDisplay(value: ActiveDirectoryKindProperties): string | undefined { switch (value) { @@ -540,6 +562,50 @@ export function ActiveDirectoryKindPropertiesToDisplay(value: ActiveDirectoryKin return 'Group Link ID'; case ActiveDirectoryKindProperties.ObjectGUID: return 'Object GUID'; + case ActiveDirectoryKindProperties.ExpirePasswordsOnSmartCardOnlyAccounts: + return 'Expire Passwords on Smart Card only Accounts'; + case ActiveDirectoryKindProperties.MachineAccountQuota: + return 'Machine Account Quota'; + case ActiveDirectoryKindProperties.SupportedKerberosEncryptionTypes: + return 'Supported Kerberos Encryption Types'; + case ActiveDirectoryKindProperties.TGTDelegationEnabled: + return 'TGT Delegation Enabled'; + case ActiveDirectoryKindProperties.PasswordStoredUsingReversibleEncryption: + return 'Password Stored Using Reversible Encryption'; + case ActiveDirectoryKindProperties.SmartcardRequired: + return 'Smartcard Required'; + case ActiveDirectoryKindProperties.UseDESKeyOnly: + return 'Use DES Key Only'; + case ActiveDirectoryKindProperties.LogonScriptEnabled: + return 'Logon Script Enabled'; + case ActiveDirectoryKindProperties.LockedOut: + return 'Locked Out'; + case ActiveDirectoryKindProperties.UserCannotChangePassword: + return 'User Cannot Change Password'; + case ActiveDirectoryKindProperties.PasswordExpired: + return 'Password Expired'; + case ActiveDirectoryKindProperties.DSHeuristics: + return 'DSHeuristics'; + case ActiveDirectoryKindProperties.UserAccountControl: + return 'User Account Control'; + case ActiveDirectoryKindProperties.TrustAttributes: + return 'Trust Attributes'; + case ActiveDirectoryKindProperties.MinPwdLength: + return 'Minimum password length'; + case ActiveDirectoryKindProperties.PwdProperties: + return 'Password Properties'; + case ActiveDirectoryKindProperties.PwdHistoryLength: + return 'Password History Length'; + case ActiveDirectoryKindProperties.LockoutThreshold: + return 'Lockout Threshold'; + case ActiveDirectoryKindProperties.MinPwdAge: + return 'Minimum Password Age'; + case ActiveDirectoryKindProperties.MaxPwdAge: + return 'Maximum Password Age'; + case ActiveDirectoryKindProperties.LockoutDuration: + return 'Lockout Duration'; + case ActiveDirectoryKindProperties.LockoutObservationWindow: + return 'Lockout Observation Window'; default: return undefined; }