Trust account (#207)

* collect trust accounts

* add netbios for domains

Author: JonasBK

src/CommonLib/Enums/LDAPProperties.cs

@@ -94,6 +94,7 @@ public static class LDAPProperties
         public const string LockoutDuration = "lockoutduration";
         public const string LockoutThreshold = "lockoutthreshold";
         public const string LockOutObservationWindow = "lockoutobservationwindow";
+        public const string PrincipalName = "msds-principalname";
         public const string GroupType = "grouptype";
     }
 }

src/CommonLib/Helpers.cs

@@ -16,7 +16,7 @@ namespace SharpHoundCommonLib {
     public static class Helpers {
         private static readonly HashSet<string> Groups = new() { "268435456", "268435457", "536870912", "536870913" };
         private static readonly HashSet<string> Computers = new() { "805306369" };
-        private static readonly HashSet<string> Users = new() { "805306368" };
+        private static readonly HashSet<string> Users = new() { "805306368", "805306370" };
 
         private static readonly Regex DCReplaceRegex = new("DC=", RegexOptions.IgnoreCase | RegexOptions.Compiled);
         private static readonly Regex SPNRegex = new(@".*\/.*", RegexOptions.Compiled);

src/CommonLib/LdapQueries/CommonProperties.cs

@@ -60,7 +60,8 @@ public static class CommonProperties
             LDAPProperties.SupportedEncryptionTypes, LDAPProperties.DSHeuristics,
             LDAPProperties.MinPwdLength, LDAPProperties.PwdProperties, LDAPProperties.MinPwdAge, 
             LDAPProperties.MaxPwdAge, LDAPProperties.PwdHistoryLength, LDAPProperties.LockoutDuration, 
-            LDAPProperties.LockoutThreshold, LDAPProperties.LockOutObservationWindow, LDAPProperties.GroupType
+            LDAPProperties.LockoutThreshold, LDAPProperties.LockOutObservationWindow, LDAPProperties.GroupType, 
+            LDAPProperties.PrincipalName
         };
 
         public static readonly string[] ContainerProps =

src/CommonLib/LdapQueries/LdapFilter.cs

@@ -56,7 +56,7 @@ public LdapFilter AddAllObjects(params string[] conditions) {
         /// <param name="conditions"></param>
         /// <returns></returns>
         public LdapFilter AddUsers(params string[] conditions) {
-            _filterParts.Add(BuildString("(samaccounttype=805306368)", conditions));
+            _filterParts.Add(BuildString("(|(samaccounttype=805306368)(samaccounttype=805306370))", conditions));
 
             return this;
         }

src/CommonLib/Processors/LdapPropertyProcessor.cs

@@ -116,9 +116,15 @@ public async Task<Dictionary<string, object>> ReadDomainProperties(IDirectoryObj
             if (!entry.TryGetLongProperty(LDAPProperties.DomainFunctionalLevel, out var functionalLevel)) {
                 functionalLevel = -1;
             }
-
             props.Add("functionallevel", FunctionalLevelToString((int)functionalLevel));
 
+            if (entry.TryGetProperty(LDAPProperties.PrincipalName, out var principalname)) {          
+                if (!string.IsNullOrEmpty(principalname) && principalname.IndexOf('\\') > 0) {
+                    var netBios = principalname.Split('\\')[0];
+                    props.Add("netbios", netBios);
+                }
+            }
+
             var dn = entry.GetProperty(LDAPProperties.DistinguishedName);
             var dsh = await _utils.GetDSHueristics(domain, dn);
             props.Add("dsheuristics", dsh.DSHeuristics);

test/unit/CommonLibHelperTests.cs

@@ -82,7 +82,8 @@ public void SamAccountTypeToType_ValidString_CorrectLabel() {
                 (accountType: "536870912", label: Label.Group),
                 (accountType: "536870913", label: Label.Group),
                 (accountType: "805306369", Label.Computer),
-                (accountType: "805306368", Label.User)
+                (accountType: "805306368", Label.User),
+                (accountType: "805306370", Label.User)
             };
 
             foreach (var e in accountTypeLookup) {

test/unit/LDAPFilterTest.cs

@@ -64,7 +64,7 @@ public void LDAPFilter_GetFilterList()
             IEnumerable<string> filters = test.GetFilterList();
 
             int i = 0;
-            string userFilter = "(samaccounttype=805306368)";
+            string userFilter = "(|(samaccounttype=805306368)(samaccounttype=805306370))";
             string computerFilter = "(samaccounttype=805306369)";
             string[] expected = {userFilter, computerFilter};
 

test/unit/LDAPUtilsTest.cs

@@ -224,6 +224,31 @@ public async Task Test_ResolveSearchResult_MSAGMSA() {
             Assert.False(result.Deleted);
         }
 
+        [Fact]
+        public async Task Test_ResolveSearchResult_TrustAccount() {
+            var utils = new MockLdapUtils();
+            var attribs = new Dictionary<string, object> {
+                { LDAPProperties.ObjectClass, new[] { "top"} },
+                { LDAPProperties.SAMAccountType, "805306370" },
+                { LDAPProperties.SAMAccountName, "DOMAIN1$" }
+            };
+
+            const string sid = "S-1-5-21-3130019616-2776909439-2417379446-2105";
+            const string dn = "CN=DOMAIN1$,CN=USERS,DC=TESTLAB,DC=LOCAL";
+            var guid = new Guid().ToString();
+
+            var mock = new MockDirectoryObject(dn, attribs, sid, guid);
+
+            var (success, result) = await LdapUtils.ResolveSearchResult(mock, utils);
+            Assert.True(success);
+            Assert.Equal(sid, result.ObjectId);
+            Assert.Equal(Label.User, result.ObjectType);
+            Assert.Equal("DOMAIN1$@TESTLAB.LOCAL", result.DisplayName);
+            Assert.Equal("S-1-5-21-3130019616-2776909439-2417379446", result.DomainSid);
+            Assert.Equal("TESTLAB.LOCAL", result.Domain);
+            Assert.False(result.Deleted);
+        }
+
         [Fact]
         public async Task Test_ResolveHostToSid_BlankHost() {
             var spn = "MSSQLSvc/:1433";

test/unit/LdapPropertyTests.cs

@@ -1139,6 +1139,15 @@ public async void LDAPPropertyProcessor_ReadDomainProperties<T>(MockDirectoryObj
                     }, "S-1-5-21-3130019616-2776909439-2417379446",""), 
                     "maxpwdage", 
                     "12 days, 23 hours, 25 minutes, 10 seconds" 
+                },
+                new object[] 
+                { 
+                    new MockDirectoryObject("DC\u003dtestlab,DC\u003dlocal", new Dictionary<string, object>
+                    {
+                        {LDAPProperties.PrincipalName, "TESTLAB\\S-1-5-21-3130019616-2776909439-2417379446"}
+                    }, "S-1-5-21-3130019616-2776909439-2417379446",""), 
+                    "netbios", 
+                    "TESTLAB"
                 }
             };