From 2db1c5e5b02c19c21e8a215547309fd522d17e9e Mon Sep 17 00:00:00 2001
From: Lars Karlslund
Date: Tue, 17 May 2022 20:07:26 +0200
Subject: [PATCH] Improved GPO collection and merging into domains
---
 .../activedirectory/analyze/gpoimport.go | 2 +-
 .../activedirectory/collect/cli.go | 30 +++++++++----------
 2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/modules/integrations/activedirectory/analyze/gpoimport.go b/modules/integrations/activedirectory/analyze/gpoimport.go
index 9d19251..eb620e7 100644
--- a/modules/integrations/activedirectory/analyze/gpoimport.go
+++ b/modules/integrations/activedirectory/analyze/gpoimport.go
@@ -49,7 +49,7 @@ var usernamecpassword = regexp.MustCompile(`(?i)(runAs|userName)="(?P[
 func ImportGPOInfo(ginfo activedirectory.GPOdump, ao *engine.Objects) error {
 if ginfo.DomainDN != "" {
- ao.AddDefaultFlex(engine.UniqueSource, ginfo.DomainDN)
+ ao.AddDefaultFlex(engine.DomainPart, ginfo.DomainDN)
 }
 gpoobject, _ := ao.FindOrAdd(gPCFileSysPath, engine.AttributeValueString(ginfo.Path))
diff --git a/modules/integrations/activedirectory/collect/cli.go b/modules/integrations/activedirectory/collect/cli.go
index 037be38..9c92630 100644
--- a/modules/integrations/activedirectory/collect/cli.go
+++ b/modules/integrations/activedirectory/collect/cli.go
@@ -215,7 +215,6 @@ func Execute(cmd *cobra.Command, args []string) error {
 datapath = idp.Value.String()
 }
- var domainContext, domainNetbios string
 var gpostocollect []*activedirectory.RawObject
 if *adexplorerfile != "" {
@@ -226,16 +225,6 @@ func Execute(cmd *cobra.Command, args []string) error {
 return err
 }
- cp, _ := util.ParseBool(*collectgpos)
- if *collectgpos == "auto" || cp {
- for _, ro := range rao {
- if _, found := ro.Attributes["gPCFileSysPath"]; found {
- myro := ro
- gpostocollect = append(gpostocollect, &myro)
- }
- }
- }
-
 var e *msgp.Writer
 outfile, err := os.Create(filepath.Join(datapath, filepath.Base(*adexplorerfile)+".objects.msgp.lz4"))
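Review bot: The `engine.DomainPart` default is only attached when `ginfo.DomainDN` is non-empty, and on the collector side of this same patch (the `gpfsp` hunk in cli.go) that value is now derived per object from `util.ExtractDomainPart(object.DistinguishedName)` instead of the RootDSE naming context, so a GPO dump whose DN yielded no domain part is imported with no domain tag and presumably never merges into a domain. A comment on the `if` would make that contract explicit: `// DomainDN selects the domain this GPO's objects merge into; when empty they are imported unattached.` Whether anything downstream still expects the dropped `engine.UniqueSource` tag on GPO-derived objects is not visible here and worth confirming. ImportGPOInfo continues past the end of the hunk.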
@@ -262,6 +251,16 @@ func Execute(cmd *cobra.Command, args []string) error {
 return fmt.Errorf("problem encoding LDAP object %v: %v", ro.DistinguishedName, err)
 }
 }
+
+ cp, _ := util.ParseBool(*collectgpos)
+ if *collectgpos == "auto" || cp {
+ for _, ro := range rao {
+ if _, found := ro.Attributes["gPCFileSysPath"]; found {
+ myro := ro
+ gpostocollect = append(gpostocollect, &myro)
+ }
+ }
+ }
 } else {
 // Active Directory dump directly from AD controller
 ad := AD{
@@ -302,6 +301,8 @@ func Execute(cmd *cobra.Command, args []string) error {
 return fmt.Errorf("expected 1 Active Directory RootDSE object, but got %v", len(rootdse))
 }
+
+ var domainContext string
+
 rd := rootdse[0]
 namingcontexts := map[string]bool{}
@@ -332,8 +333,6 @@ func Execute(cmd *cobra.Command, args []string) error {
 namingcontexts[schemaContext] = true
 }
-
- domainNetbios = util.ExtractNetbiosFromBase(domainContext)
-
 var otherContexts []string
 for context, used := range namingcontexts {
 if !used {
@@ -441,6 +440,8 @@ func Execute(cmd *cobra.Command, args []string) error {
 // Let's check if it this is a GPO and then add som fake attributes to represent it
 if gpfsp, found := object.Attributes["gPCFileSysPath"]; found {
+ domainPart := util.ExtractDomainPart(object.DistinguishedName)
+
 gpodisplayname := object.Attributes["displayName"]
 gpoguid := object.Attributes["name"]
 originalpath := gpfsp[0]
@@ -468,8 +469,7 @@ func Execute(cmd *cobra.Command, args []string) error {
 gpoinfo.GPOinfo.GUID = gpuuid
 gpoinfo.GPOinfo.Path = originalpath // The original path is kept, we don't care
- gpoinfo.GPOinfo.DomainDN = domainContext
- gpoinfo.GPOinfo.DomainNetbios = domainNetbios
+ gpoinfo.GPOinfo.DomainDN = domainPart
 offset := len(gppath)
 var filescollected int
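Review bot: `cp, _ := util.ParseBool(*collectgpos)` in the re-added block discards the second return value, so an unrecognised `collectgpos` spelling silently behaves like `false` and no GPOs are collected; the block that hunk `@@ -226` removes had the same gap, so moving it is a good moment to close it. If that second value is an error (the name suggests so; the helper is not visible here), reject it unless the value is `auto`: `cp, err := util.ParseBool(*collectgpos)` / `if err != nil && *collectgpos != "auto" { return fmt.Errorf("invalid collectgpos value %q: %v", *collectgpos, err) }`. Execute begins and ends outside this hunk.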
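Review bot: `domainPart := util.ExtractDomainPart(object.DistinguishedName)` is used without checking for an empty result, and since `ImportGPOInfo` in this patch only tags the GPO with `engine.DomainPart` when `DomainDN` is non-empty, a GPO whose DN the helper cannot reduce to a domain (its behaviour on unusual DNs is not visible here) would be collected but never merged into its domain, with nothing in the output to say so — its links and permissions would then be missing from the analysis. Suggest emitting a warning naming the DN when `domainPart == ""`, using the logger cli.go already uses, plus a comment on the assignment: `// Derived per object so GPOs from child domains attach to their own domain, not the RootDSE default context.` Execute continues outside this hunk.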
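Review bot: `gpoinfo.GPOinfo.DomainNetbios` is no longer assigned, yet the diffstat touches only gpoimport.go and cli.go, so the `DomainNetbios` field of `activedirectory.GPOdump` appears to survive and is now always empty for any reader of the dump. Either remove the field (or mark it `// Deprecated: no longer populated; derive from DomainDN.`) in the same change, or keep filling it from the new value, e.g. `gpoinfo.GPOinfo.DomainNetbios = util.ExtractNetbiosFromBase(domainPart)`, which hunk `@@ -332` shows was the previous derivation from a domain DN. Execute continues outside this hunk.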