From ff106e5f98be1471d4d48032ef453a79dab53a8d Mon Sep 17 00:00:00 2001
From: Mistah J <26472282+mistahj67@users.noreply.github.com>
Date: Mon, 15 Apr 2024 08:36:02 -1000
Subject: [PATCH] fix: replace BUILTIN container with domain node

---
 src/CommonLib/Processors/ContainerProcessor.cs | 8 ++++++++
 test/unit/ContainerProcessorTest.cs            | 4 ++++
 test/unit/Facades/MockLDAPUtils.cs             | 7 ++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/CommonLib/Processors/ContainerProcessor.cs b/src/CommonLib/Processors/ContainerProcessor.cs
index 19ce60ce..8e73ddc6 100644
--- a/src/CommonLib/Processors/ContainerProcessor.cs
+++ b/src/CommonLib/Processors/ContainerProcessor.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.DirectoryServices.Protocols;
 using Microsoft.Extensions.Logging;
+using SharpHoundCommonLib.Enums;
 using SharpHoundCommonLib.LDAPQueries;
 using SharpHoundCommonLib.OutputTypes;
 
@@ -48,6 +49,13 @@ public TypedPrincipal GetContainingObject(string distinguishedName)
         {
             var containerDn = Helpers.RemoveDistinguishedNamePrefix(distinguishedName);
 
+            if (containerDn.StartsWith("CN=BUILTIN", StringComparison.OrdinalIgnoreCase))
+            {
+                var domain = Helpers.DistinguishedNameToDomain(distinguishedName);
+                var domainSid = _utils.GetSidFromDomainName(domain);
+                return new TypedPrincipal(domainSid, Label.Domain);
+            }
+
             if (string.IsNullOrEmpty(containerDn))
                 return null;
 
diff --git a/test/unit/ContainerProcessorTest.cs b/test/unit/ContainerProcessorTest.cs
index 8e6a7282..35592b14 100644
--- a/test/unit/ContainerProcessorTest.cs
+++ b/test/unit/ContainerProcessorTest.cs
@@ -143,6 +143,10 @@ public void ContainerProcessor_GetContainingObject_ExpectedResult()
             result = proc.GetContainingObject("CN=PRIMARY,OU=DOMAIN CONTROLLERS,DC=TESTLAB,DC=LOCAL");
             Assert.Equal(Label.OU, result.ObjectType);
             Assert.Equal("0DE400CD-2FF3-46E0-8A26-2C917B403C65", result.ObjectIdentifier);
+
+            result = proc.GetContainingObject("CN=ADMINISTRATORS,CN=BUILTIN,DC=TESTLAB,DC=LOCAL");
+            Assert.Equal(Label.Domain, result.ObjectType);
+            Assert.Equal("S-1-5-21-3130019616-2776909439-2417379446", result.ObjectIdentifier);
         }
 
         [Fact]
diff --git a/test/unit/Facades/MockLDAPUtils.cs b/test/unit/Facades/MockLDAPUtils.cs
index af088a5b..195453e6 100644
--- a/test/unit/Facades/MockLDAPUtils.cs
+++ b/test/unit/Facades/MockLDAPUtils.cs
@@ -690,7 +690,12 @@ public string GetDomainNameFromSid(string sid)
 
         public string GetSidFromDomainName(string domainName)
         {
-            throw new NotImplementedException();
+            if (domainName.Equals("TESTLAB.LOCAL", StringComparison.OrdinalIgnoreCase))
+            {
+                return "S-1-5-21-3130019616-2776909439-2417379446";
+            }
+
+            return null;
         }
 
         public string ConvertWellKnownPrincipal(string sid, string domain)