Improve auto-generated Foreign-Security-Principal objects

modules/integrations/activedirectory/analyze/analyze-ad.go

@@ -1202,6 +1202,7 @@ func init() {
 						log.Warn().Msgf("Possible hardening? %v is a member of %v, which is not found - adding synthetic group. Your analysis will be degraded, try dumping with Domain Admin rights.", object.DN(), memberof)
 					}
 					group = engine.NewObject(
+						engine.IgnoreBlanks,
 						engine.DistinguishedName, memberof,
 						engine.ObjectCategorySimple, engine.AttributeValueString("Group"),
 						engine.ObjectClass, engine.AttributeValueString("top"), engine.AttributeValueString("group"),
@@ -1219,9 +1220,24 @@ func init() {
 			for _, member := range object.Attr(activedirectory.Member).Slice() {
 				memberobject, found := ao.Find(engine.DistinguishedName, member)
 				if !found {
-					log.Warn().Msgf("Possible hardening? %v is a member of %v, which is not found - adding synthetic member", object.DN(), member)
+					var sid engine.AttributeValueSID
+					var category string
+					if stringsid, _, found := strings.Cut(member.String(), ",CN=ForeignSecurityPrincipals,"); found {
+						// We can figure out what the SID is
+						if c, err := windowssecurity.SIDFromString(stringsid); err == nil {
+							sid = engine.AttributeValueSID(c)
+							category = "Foreign-Security-Principal"
+						}
+						log.Info().Msgf("Missing Foreign-Security-Principal: %v is a member of %v, which is not found - adding enhanced synthetic group", object.DN(), member)
+					} else {
+						log.Warn().Msgf("Possible hardening? %v is a member of %v, which is not found - adding synthetic group. Your analysis will be degraded, try dumping with Domain Admin rights.", object.DN(), member)
+					}
 					memberobject = engine.NewObject(
+						engine.IgnoreBlanks,
 						engine.DistinguishedName, member,
+						engine.ObjectCategorySimple, category,
+						engine.ObjectSid, sid,
+						engine.MetaDataSource, "Autogenerated",
 					)
 					ao.Add(memberobject)
 				}