TrustedBy replacement related changes (#196)

* trust enum alternative

* add group scope

* switch to use ldaputil's GetDomain for trusts

* fix type

Author: JonasBK

src/CommonLib/Enums/LDAPProperties.cs

@@ -94,5 +94,6 @@ public static class LDAPProperties
         public const string LockoutDuration = "lockoutduration";
         public const string LockoutThreshold = "lockoutthreshold";
         public const string LockOutObservationWindow = "lockoutobservationwindow";
+        public const string GroupType = "grouptype";
     }
 }

src/CommonLib/Enums/TrustType.cs

@@ -2,10 +2,12 @@
 {
     public enum TrustType
     {
+        TreeRoot,
         ParentChild,
         CrossLink,
-        Forest,
         External,
+        Forest,
+        Kerberos,
         Unknown
     }
 }

src/CommonLib/LdapQueries/CommonProperties.cs

@@ -60,7 +60,7 @@ public static class CommonProperties
             LDAPProperties.SupportedEncryptionTypes, LDAPProperties.DSHeuristics,
             LDAPProperties.MinPwdLength, LDAPProperties.PwdProperties, LDAPProperties.MinPwdAge, 
             LDAPProperties.MaxPwdAge, LDAPProperties.PwdHistoryLength, LDAPProperties.LockoutDuration, 
-            LDAPProperties.LockoutThreshold, LDAPProperties.LockOutObservationWindow
+            LDAPProperties.LockoutThreshold, LDAPProperties.LockOutObservationWindow, LDAPProperties.GroupType
         };
 
         public static readonly string[] ContainerProps =

src/CommonLib/Processors/DomainTrustProcessor.cs

@@ -1,5 +1,6 @@
 using System.Collections.Generic;
 using System.DirectoryServices.Protocols;
+using System.Linq;
 using System.Security.Principal;
 using Microsoft.Extensions.Logging;
 using SharpHoundCommonLib.Enums;
@@ -27,6 +28,20 @@ public DomainTrustProcessor(ILdapUtils utils, ILogger log = null)
         public async IAsyncEnumerable<DomainTrust> EnumerateDomainTrusts(string domain)
         {
             _log.LogDebug("Running trust enumeration for {Domain}", domain);
+
+            // Attempt to get trust type
+            var trustInfoList = new List<(string TargetName, System.DirectoryServices.ActiveDirectory.TrustType TrustType)>();
+            try
+            {
+                _utils.GetDomain(domain, out var domainObject);
+                trustInfoList.AddRange(from System.DirectoryServices.ActiveDirectory.TrustRelationshipInformation trust in domainObject.GetAllTrustRelationships()
+                select (trust.TargetName, trust.TrustType));
+            }
+            catch 
+            {
+                _log.LogWarning("Trust type enumeration using non-LDAP for {Domain} failed", domain);
+            }
+
             await foreach (var result in _utils.Query(new LdapQueryParameters {
                                    LDAPFilter = CommonFilters.TrustedDomains,
                                    Attributes = CommonProperties.DomainTrustProps,
@@ -90,7 +105,9 @@ public async IAsyncEnumerable<DomainTrust> EnumerateDomainTrusts(string domain)
                     (attributes.HasFlag(TrustAttributes.WithinForest) ||
                     attributes.HasFlag(TrustAttributes.CrossOrganizationEnableTGTDelegation));
 
-                trust.TrustType = TrustAttributesToType(attributes);
+                var match = trustInfoList.FirstOrDefault(t => 
+                    t.TargetName.ToUpper().Equals(trust.TargetDomainName));
+                trust.TrustType = !string.IsNullOrEmpty(match.TargetName) ? (TrustType) match.TrustType : TrustAttributesToType(attributes);
 
                 yield return trust;
             }

src/CommonLib/Processors/LdapPropertyProcessor.cs

@@ -179,6 +179,9 @@ public static Dictionary<string, object> ReadGroupProperties(IDirectoryObject en
             var props = GetCommonProps(entry);
             entry.TryGetLongProperty(LDAPProperties.AdminCount, out var ac);
             props.Add("admincount", ac != 0);
+            entry.TryGetLongProperty(LDAPProperties.GroupType, out var groupType);
+            props.Add("groupscope", GetGroupScope(groupType));
+
             return props;
         }
 
@@ -854,6 +857,31 @@ private static string ConvertPKIPeriod(byte[] bytes) {
             }
         }
 
+        private static string GetGroupScope(long groupType)
+        {
+            // Constants from ADS_GROUP_TYPE_ENUM in Active Directory
+            const int ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002;
+            const int ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004;
+            const int ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008;
+
+            if ((groupType & ADS_GROUP_TYPE_UNIVERSAL_GROUP) == ADS_GROUP_TYPE_UNIVERSAL_GROUP)
+            {
+                return "Universal";
+            }
+            else if ((groupType & ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) == ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP)
+            {
+                return "DomainLocal";
+            }
+            else if ((groupType & ADS_GROUP_TYPE_GLOBAL_GROUP) == ADS_GROUP_TYPE_GLOBAL_GROUP)
+            {
+                return "Global";
+            }
+            else
+            {
+                return "Unknown";
+            }
+        }
+
         [DllImport("Advapi32", SetLastError = false)]
         private static extern bool IsTextUnicode(byte[] buf, int len, ref IsTextUnicodeFlags opt);