improve special identities coverage (#208)

Author: JonasBK

src/CommonLib/Helpers.cs

@@ -23,7 +23,7 @@ public static class Helpers {
         private static readonly DateTime EpochDiff = new(1970, 1, 1);
 
         private static readonly string[] FilteredSids = {
-            "S-1-5-2", "S-1-5-3", "S-1-5-4", "S-1-5-6", "S-1-5-7", "S-1-2", "S-1-2-0", "S-1-5-18",
+            "S-1-5-3", "S-1-5-4", "S-1-5-6", "S-1-2", "S-1-2-0", "S-1-5-17", "S-1-5-18",
             "S-1-5-19", "S-1-5-20", "S-1-0-0", "S-1-0", "S-1-2-1"
         };
 

src/CommonLib/WellKnownPrincipal.cs

@@ -48,9 +48,8 @@ public static bool GetWellKnownPrincipal(string sid, out TypedPrincipal commonPr
                 "S-1-5-18" => new TypedPrincipal("Local System", Label.User),
                 "S-1-5-19" => new TypedPrincipal("Local Service", Label.User),
                 "S-1-5-20" => new TypedPrincipal("Network Service", Label.User),
-                "S-1-5-113" => new TypedPrincipal("Local Account", Label.User),
-                "S-1-5-114" => new TypedPrincipal("Local Account and Member of Administrators Group", Label.User),
-                "S-1-5-80-0" => new TypedPrincipal("All Services ", Label.Group),
+                "S-1-5-21-0-0-0-496" => new TypedPrincipal("Compounded Authentication", Label.Group),
+                "S-1-5-21-0-0-0-497" => new TypedPrincipal("Claims Valid", Label.Group),
                 "S-1-5-32-544" => new TypedPrincipal("Administrators", Label.Group),
                 "S-1-5-32-545" => new TypedPrincipal("Users", Label.Group),
                 "S-1-5-32-546" => new TypedPrincipal("Guests", Label.Group),
@@ -82,6 +81,24 @@ public static bool GetWellKnownPrincipal(string sid, out TypedPrincipal commonPr
                 "S-1-5-32-581" => new TypedPrincipal("System Managed Accounts Group", Label.Group),
                 "S-1-5-32-582" => new TypedPrincipal("Storage Replica Administrators", Label.Group),
                 "S-1-5-32-583" => new TypedPrincipal("Device Owners", Label.Group),
+                "S-1-5-64-10" => new TypedPrincipal("NTLM Authentication", Label.Group),
+                "S-1-5-64-14" => new TypedPrincipal("Schannel Authentication", Label.Group),
+                "S-1-5-64-21" => new TypedPrincipal("Digest Authentication", Label.Group),
+                "S-1-5-65-1" => new TypedPrincipal("This Organization Certificate", Label.Group),
+                "S-1-5-80" => new TypedPrincipal("Service", Label.Group),
+                "S-1-5-80-0" => new TypedPrincipal("All Services ", Label.Group),
+                "S-1-5-82" => new TypedPrincipal("IIS AppPool", Label.Group),
+                "S-1-5-90" => new TypedPrincipal("Window Manager\\Window Manager Group", Label.Group),
+                "S-1-5-96" => new TypedPrincipal("Font Driver Host\\UMFD-0", Label.Computer),
+                "S-1-5-113" => new TypedPrincipal("Local Account", Label.User),
+                "S-1-5-114" => new TypedPrincipal("Local Account and Member of Administrators Group", Label.User),
+                "S-1-5-1000" => new TypedPrincipal("Other Organization", Label.Group),
+                "S-1-18-1" => new TypedPrincipal("Authentication Authority Asserted Identity", Label.Group),
+                "S-1-18-2" => new TypedPrincipal("Service Asserted Identity", Label.Group),
+                "S-1-18-3" => new TypedPrincipal("Fresh Public Key Identity", Label.Group),
+                "S-1-18-4" => new TypedPrincipal("Key Trust", Label.Group),
+                "S-1-18-5" => new TypedPrincipal("MFA Key Property", Label.Group),
+                "S-1-18-6" => new TypedPrincipal("Attested Key Property", Label.Group),
                 _ => null
             };