fix: replace BUILTIN container with domain node

SpecterOps · Apr 17, 2024 · ff106e5 · ff106e5
1 parent e9ef5be
commit ff106e5
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/src/CommonLib/Processors/ContainerProcessor.cs b/src/CommonLib/Processors/ContainerProcessor.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.DirectoryServices.Protocols;
 using Microsoft.Extensions.Logging;
+using SharpHoundCommonLib.Enums;
 using SharpHoundCommonLib.LDAPQueries;
 using SharpHoundCommonLib.OutputTypes;
 
@@ -48,6 +49,13 @@ public TypedPrincipal GetContainingObject(string distinguishedName)
         {
             var containerDn = Helpers.RemoveDistinguishedNamePrefix(distinguishedName);
 
+            if (containerDn.StartsWith("CN=BUILTIN", StringComparison.OrdinalIgnoreCase))
+            {
+                var domain = Helpers.DistinguishedNameToDomain(distinguishedName);
+                var domainSid = _utils.GetSidFromDomainName(domain);
+                return new TypedPrincipal(domainSid, Label.Domain);
+            }
+
             if (string.IsNullOrEmpty(containerDn))
                 return null;
 

diff --git a/test/unit/ContainerProcessorTest.cs b/test/unit/ContainerProcessorTest.cs
@@ -143,6 +143,10 @@ public void ContainerProcessor_GetContainingObject_ExpectedResult()
             result = proc.GetContainingObject("CN=PRIMARY,OU=DOMAIN CONTROLLERS,DC=TESTLAB,DC=LOCAL");
             Assert.Equal(Label.OU, result.ObjectType);
             Assert.Equal("0DE400CD-2FF3-46E0-8A26-2C917B403C65", result.ObjectIdentifier);
+
+            result = proc.GetContainingObject("CN=ADMINISTRATORS,CN=BUILTIN,DC=TESTLAB,DC=LOCAL");
+            Assert.Equal(Label.Domain, result.ObjectType);
+            Assert.Equal("S-1-5-21-3130019616-2776909439-2417379446", result.ObjectIdentifier);
         }
 
         [Fact]

diff --git a/test/unit/Facades/MockLDAPUtils.cs b/test/unit/Facades/MockLDAPUtils.cs
@@ -690,7 +690,12 @@ public string GetDomainNameFromSid(string sid)
 
         public string GetSidFromDomainName(string domainName)
         {
-            throw new NotImplementedException();
+            if (domainName.Equals("TESTLAB.LOCAL", StringComparison.OrdinalIgnoreCase))
+            {
+                return "S-1-5-21-3130019616-2776909439-2417379446";
+            }
+
+            return null;
         }
 
         public string ConvertWellKnownPrincipal(string sid, string domain)