Added InheritsSecurity edge to all objects and PublishedBy attributes…

… to Cert Templates
lkarlslund · Jan 9, 2024 · 207c0b2 · 207c0b2
1 parent 06416d5
commit 207c0b2
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 8 deletions.
diff --git a/modules/integrations/activedirectory/analyze/analyze-ad.go b/modules/integrations/activedirectory/analyze/analyze-ad.go
@@ -67,16 +67,23 @@ var (
 
 	EdgePublishesCertificateTemplate = engine.NewEdge("PublishCertTmpl").Tag("Informative").RegisterProbabilityCalculator(activedirectory.NotAChance)
 
-	NetBIOSName       = engine.NewAttribute("nETBIOSName")
-	NCName            = engine.NewAttribute("nCName")
-	DNSRoot           = engine.NewAttribute("dnsRoot")
+	NetBIOSName = engine.NewAttribute("nETBIOSName")
+	NCName      = engine.NewAttribute("nCName")
+	DNSRoot     = engine.NewAttribute("dnsRoot")
+
 	MemberOfRecursive = engine.NewAttribute("memberOfRecursive")
 
-	ObjectTypeMachine   = engine.NewObjectType("Machine", "Machine")
-	DomainJoinedSID     = engine.NewAttribute("domainJoinedSid").Merge()
-	DnsHostName         = engine.NewAttribute("dnsHostName")
-	EdgeAuthenticatesAs = engine.NewEdge("AuthenticatesAs")
-	EdgeMachineAccount  = engine.NewEdge("MachineAccount").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
+	ObjectTypeMachine    = engine.NewObjectType("Machine", "Machine")
+	DomainJoinedSID      = engine.NewAttribute("domainJoinedSid").Merge()
+	DnsHostName          = engine.NewAttribute("dnsHostName")
+	EdgeAuthenticatesAs  = engine.NewEdge("AuthenticatesAs")
+	EdgeInheritsSecurity = engine.NewEdge("InheritsSecurity").SetDefault(true, true, false)
+
+	CertificateTemplates   = engine.NewAttribute("certificateTemplates")
+	PublishedBy            = engine.NewAttribute("publishedBy")
+	PublishedByDnsHostName = engine.NewAttribute("publishedByDnsHostName")
+
+	EdgeMachineAccount = engine.NewEdge("MachineAccount").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
 		return -1 // Just informative
 	}).Describe("Indicates this is the domain joined computer account belonging to the machine")
 )
@@ -153,6 +160,17 @@ func init() {
 		})
 	}, "Reading local admin passwords via LAPS", engine.BeforeMergeFinal)
 
+	Loader.AddProcessor(func(ao *engine.Objects) {
+		ao.Iterate(func(o *engine.Object) bool {
+			if sd, err := o.SecurityDescriptor(); err == nil && sd.Control&engine.CONTROLFLAG_DACL_PROTECTED == 0 {
+				if parentobject, found := ao.DistinguishedParent(o); found {
+					parentobject.EdgeTo(o, EdgeInheritsSecurity)
+				}
+			}
+			return true
+		})
+	}, "Indicator that object inherits security from the container it is within", engine.BeforeMergeFinal)
+
 	Loader.AddProcessor(func(ao *engine.Objects) {
 		ao.Iterate(func(o *engine.Object) bool {
 			if o.Type() != engine.ObjectTypeContainer || o.OneAttrString(engine.Name) != "Machine" {
@@ -1734,6 +1752,52 @@ func init() {
 		engine.AfterMerge,
 	)
 
+	Loader.AddProcessor(
+		func(ao *engine.Objects) {
+			ao.Iterate(func(o *engine.Object) bool {
+				if o.Type() == engine.ObjectTypePKIEnrollmentService {
+
+					// Templates that is offered for enrollment
+					o.Attr(CertificateTemplates).Iterate(func(templatename engine.AttributeValue) bool {
+
+						templates, found := ao.FindTwoMulti(engine.Name, templatename,
+							engine.ObjectClass, engine.AttributeValueString("pKICertificateTemplate"))
+
+						if found {
+							alreadyset := false
+							templates.Iterate(func(template *engine.Object) bool {
+								if !engine.CompareAttributeValues(template.OneAttr(engine.DomainContext), o.OneAttr(engine.DomainContext)) {
+									return true // continue
+								}
+
+								if alreadyset {
+									ui.Warn().Msgf("Found multiple templates for %s", templatename)
+								}
+
+								template.SetFlex(
+									PublishedBy, engine.AttributeValueString(o.DN()),
+									PublishedByDnsHostName, o.Attr(activedirectory.DNSHostName),
+								)
+
+								alreadyset = true
+								return true
+							})
+							if !alreadyset {
+								ui.Warn().Msgf("Found no matching template for %s", templatename)
+							}
+						} else {
+							ui.Warn().Msgf("Template %s not found", templatename)
+						}
+						return true
+					})
+				}
+				return true
+			})
+		},
+		"Certificate template publishing status",
+		engine.AfterMerge,
+	)
+
 	/*
 		Loader.AddProcessor(func(ao *engine.Objects) {
 			ao.Filter(func(o *engine.Object) bool {

diff --git a/modules/integrations/activedirectory/attributes.go b/modules/integrations/activedirectory/attributes.go
@@ -99,4 +99,5 @@ var (
 	PKIExpirationPeriod                     = engine.NewAttribute("pKIExpirationPeriod").Tag("AD")
 	PKIOverlapPeriod                        = engine.NewAttribute("pKIOverlapPeriod").Tag("AD")
 	MsDSBehaviourVersion                    = engine.NewAttribute("msDS-Behavior-Version").Type(engine.AttributeTypeInt)
+	DNSHostName                             = engine.NewAttribute("dnsHostName").Tag("AD")
 )