v2022.5.9

@github-actions github-actions released this 09 May 14:36
· 375 commits to master since this release

Commits

  • 9c0bfa4: Fix for pwn detector outputting wrong type (Lars Karlslund)
  • 14a188b: Spelling fix, sigh (Lars Karlslund)
  • 26bb476: Added predefined search for "Backup Operators" group (Lars Karlslund)
  • 193a2fd: Improved predefined search to combine "Backup Operators" and "Server Operators" in one search, as they pose the same risk (Lars Karlslund)
  • 40752a7: Improved robustness for UUID attributes (Lars Karlslund)
  • 8266894: Source->Target search added to UI again, reworked AdminSDHolder analysis (WIP, needs some fixes) (Lars Karlslund)
  • 32c0baa: QueryParser corner case panic fix (Lars Karlslund)
  • 87496cc: Color the edges for ForeignIdentity light green (Lars Karlslund)
  • 28ba5e1: Fixed D3 Force layout (Lars Karlslund)
  • 056563b: Fixed D3 Graph layout, implemented cytoscape D3 for sampled layout (Lars Karlslund)
  • 1e79f62: Added privilege assignment to collector (will need admin mode to grab this data), renamed some Pwn names (Lars Karlslund)
  • 687e318: Added cPassword analysis to GPO (Lars Karlslund)
  • 7a3f634: Made cpassword and username attribute matching case insensitive (Lars Karlslund)
  • 5abf030: Fix for returning not returning placeholder objecttype (Lars Karlslund)
  • 7448445: Fixes for privileges analyzer (Lars Karlslund)
  • 002fda7: Better duplicate SID handling in multi forest/domain analysis, option to not import CNF (conflict) objects from AD (default = don't import) (Lars Karlslund)
  • bab7b46: Fix for weird blank page problem when selecting a new predefined query (Lars Karlslund)
  • 6a2b197: Collect ProductType and ProductSuite from registry (Lars Karlslund)
  • 9729985: Icons for executables (Lars Karlslund)
  • 81e463b: Timeout for CPU profiling (Lars Karlslund)
  • 41421ab: Reworked how merging works, integrated UniqueSource into the main engine (Lars Karlslund)
  • 298c654: Missing experimental stuff for attributes (Lars Karlslund)
  • 4be4563: Changed some logging output, more correlation from GPOs, multi-level search function for objects, collector grabs scheduled task information and other goodness (Lars Karlslund)
  • f2cd313: Upgrade auto-builder to Go 1.18 (Lars Karlslund)
  • 195fb65: Isolate taskmaster package to localmachine collector, to enable other OS builds again (Lars Karlslund)
  • 68048f4: Added a bunch of omitempty to localmachine structs (Lars Karlslund)
  • 85fc7e3: Added command and arguments for ScheduledTask collection (Lars Karlslund)
  • 2ff1546: Fix for testing missing SID filtering message, re-read the docs, this seems more correct. Only gives log output for now. (Lars Karlslund)
  • 6f7022a: Added more privileges to enumerate members of (Lars Karlslund)
  • 2ee1f2c: DACL and Owner for Scheduled Task executables (Lars Karlslund)
  • 5dbf235: GUI fixes (Lars Karlslund)
  • 31493d3: Reorganized attributes and pwns, added missing AS-REP roasting (wtf!) (Lars Karlslund)
  • e04db07: Remove unused attributes (Lars Karlslund)
  • ec6691c: Improve auto-generated Foreign-Security-Principal objects (Lars Karlslund)
  • 0d08b96: Updated readme.MD to reflect Go 1.18 requirement (Lars Karlslund)
  • 245e305: Report returned errors from execution (Lars Karlslund)
  • 47314eb: Add profiling endpoints to webservice (on demand CPU / heap / allocation profiling) (Lars Karlslund)
  • c197b25: Optimizations galore, and added file share analysis (Lars Karlslund)
  • e68af07: Deduplicate SIDs that are parsed from strings too (Lars Karlslund)
  • e2306bd: Optimize away SID string comparisons, and fix registry permission checks (Lars Karlslund)
  • 86a3666: Update copyright end year ¯_(ツ)_/¯ (Lars Karlslund)
  • 7112c1e: Allow unauthenticated binds (Lars Karlslund)
  • e041a7d: Fix pre/post processing log output (Lars Karlslund)
  • 2ce094e: Remove double lock from Objects.Merge (Lars Karlslund)
  • 1fa7b3d: Add SERVICES group and other minor adjustments to localmachine import (Lars Karlslund)
  • d4724c1: Parallelize preprocessing runs across all returned Object collections (Lars Karlslund)
  • c4df977: Make anti multi source merging case insensitive (Lars Karlslund)
  • 82a90f4: Localmachine analyzer tweaks (Lars Karlslund)
  • dea4442: SysInternals AD Explorer snapshot support (Lars Karlslund)
  • 1fa5d4f: Implemented default FML for pwns (Lars Karlslund)
  • e2eab58: Fixed GPO collection for objects that come from AD Explorer (Lars Karlslund)
  • 367f080: Moved group membership resolution based on DNs and object Members() calls to after merge, in order to fix parent-child setups (Lars Karlslund)
  • 093e807: sidHistory attribute decoded as SID (Lars Karlslund)
  • 6cfb28f: Attribute type fixes, AD Explorer conversion fix for "bool" (Lars Karlslund)
  • 6f0c723: AD Explorer conversion fix for "bool" datatype (wasn't included in last commit) (Lars Karlslund)
  • 8ba8104: Outgoing limit expansion experiment (Lars Karlslund)
  • 3cf5c1f: Removed wrong comments (Lars Karlslund)
  • 60ded9f: Changed Attribute type from uint16 to int16, NonExistingAttribute = -1 (Lars Karlslund)
  • 20cc4d0: Crash fix for localmachine collector (Lars Karlslund)
  • 6c223fc: LDAP query modifier: timediff (Lars Karlslund)
  • c95cbd6: Fix for NonExistingAttribute in queryparser (Lars Karlslund)
  • f93e48f: Removed some false positives where there was a DENY ACE pointing to a group that a later ALLOW ACE was member of (Lars Karlslund)
  • 12d9ac7: More robustness if RootDSE doesn't return all the attributes we expect (Lars Karlslund)
  • 3dd0f7b: Naming conventions fix for well known SIDs (Lars Karlslund)
  • f1fa2f6: Reworked indexes, merging and deduplication of dual-loaded distinguishedName objects - also CNF and DEL objects are not loaded by default now (Lars Karlslund)
  • e65aed6: Fix for merge-but-then-add-anyway problem (Lars Karlslund)
  • 936dd44: Support for matching on multiple attributes in query by glob matching on attribute names (*=thedudeabides) (Lars Karlslund)
  • 1aaff27: Fix for AdminSDHolder analyzer in multi-domain analysis (Lars Karlslund)
  • 7fd7577: Fixes for Absorb, changed from slice to map for member/memberof, also Go 1.18 requirement due to generics (Lars Karlslund)
  • d877dcb: Data corruption fix for bug that affected last attribute being set in setFlex (Lars Karlslund)
  • 699e656: WSUS host server collection from localmachine and added edge "patches" for attack path analysis (Lars Karlslund)
  • 8923752: Typo fix (Lars Karlslund)
  • 610c12f: Added combined WSUS/SCCM edge as "ControlsUpdates" (Lars Karlslund)
  • 6e50c67: Resolve GPO group assignments that contain %Computername% etc. in them to the real groups (Lars Karlslund)
  • 777c584: Reduced output on many missing groups when resolving from %Computername% (Lars Karlslund)
  • 94eb7bb: Fixed the since and timediff query modifiers (Lars Karlslund)
  • 16bb4a8: Updated readme file with new screenshots and more relevant information (Lars Karlslund)