Improved GPO collection and merging into domains

lkarlslund · May 17, 2022 · 2db1c5e · 2db1c5e
1 parent b29519a
commit 2db1c5e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 16 deletions.
diff --git a/modules/integrations/activedirectory/analyze/gpoimport.go b/modules/integrations/activedirectory/analyze/gpoimport.go
@@ -49,7 +49,7 @@ var usernamecpassword = regexp.MustCompile(`(?i)(runAs|userName)="(?P<username>[
 
 func ImportGPOInfo(ginfo activedirectory.GPOdump, ao *engine.Objects) error {
 	if ginfo.DomainDN != "" {
-		ao.AddDefaultFlex(engine.UniqueSource, ginfo.DomainDN)
+		ao.AddDefaultFlex(engine.DomainPart, ginfo.DomainDN)
 	}
 
 	gpoobject, _ := ao.FindOrAdd(gPCFileSysPath, engine.AttributeValueString(ginfo.Path))

diff --git a/modules/integrations/activedirectory/collect/cli.go b/modules/integrations/activedirectory/collect/cli.go
@@ -215,7 +215,6 @@ func Execute(cmd *cobra.Command, args []string) error {
 		datapath = idp.Value.String()
 	}
 
-	var domainContext, domainNetbios string
 	var gpostocollect []*activedirectory.RawObject
 
 	if *adexplorerfile != "" {
@@ -226,16 +225,6 @@ func Execute(cmd *cobra.Command, args []string) error {
 			return err
 		}
 
-		cp, _ := util.ParseBool(*collectgpos)
-		if *collectgpos == "auto" || cp {
-			for _, ro := range rao {
-				if _, found := ro.Attributes["gPCFileSysPath"]; found {
-					myro := ro
-					gpostocollect = append(gpostocollect, &myro)
-				}
-			}
-		}
-
 		var e *msgp.Writer
 
 		outfile, err := os.Create(filepath.Join(datapath, filepath.Base(*adexplorerfile)+".objects.msgp.lz4"))
@@ -262,6 +251,16 @@ func Execute(cmd *cobra.Command, args []string) error {
 				return fmt.Errorf("problem encoding LDAP object %v: %v", ro.DistinguishedName, err)
 			}
 		}
+
+		cp, _ := util.ParseBool(*collectgpos)
+		if *collectgpos == "auto" || cp {
+			for _, ro := range rao {
+				if _, found := ro.Attributes["gPCFileSysPath"]; found {
+					myro := ro
+					gpostocollect = append(gpostocollect, &myro)
+				}
+			}
+		}
 	} else {
 		// Active Directory dump directly from AD controller
 		ad := AD{
@@ -302,6 +301,8 @@ func Execute(cmd *cobra.Command, args []string) error {
 			return fmt.Errorf("expected 1 Active Directory RootDSE object, but got %v", len(rootdse))
 		}
 
+		var domainContext string
+
 		rd := rootdse[0]
 
 		namingcontexts := map[string]bool{}
@@ -332,8 +333,6 @@ func Execute(cmd *cobra.Command, args []string) error {
 			namingcontexts[schemaContext] = true
 		}
 
-		domainNetbios = util.ExtractNetbiosFromBase(domainContext)
-
 		var otherContexts []string
 		for context, used := range namingcontexts {
 			if !used {
@@ -441,6 +440,8 @@ func Execute(cmd *cobra.Command, args []string) error {
 			// Let's check if it this is a GPO and then add som fake attributes to represent it
 			if gpfsp, found := object.Attributes["gPCFileSysPath"]; found {
 
+				domainPart := util.ExtractDomainPart(object.DistinguishedName)
+
 				gpodisplayname := object.Attributes["displayName"]
 				gpoguid := object.Attributes["name"]
 				originalpath := gpfsp[0]
@@ -468,8 +469,7 @@ func Execute(cmd *cobra.Command, args []string) error {
 
 					gpoinfo.GPOinfo.GUID = gpuuid
 					gpoinfo.GPOinfo.Path = originalpath // The original path is kept, we don't care
-					gpoinfo.GPOinfo.DomainDN = domainContext
-					gpoinfo.GPOinfo.DomainNetbios = domainNetbios
+					gpoinfo.GPOinfo.DomainDN = domainPart
 
 					offset := len(gppath)
 					var filescollected int