diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue index 8397fe781..e84616ac8 100644 --- a/packages/cue/bh/ad/ad.cue +++ b/packages/cue/bh/ad/ad.cue @@ -892,14 +892,12 @@ Properties: [ LockoutDuration, LockoutObservationWindow, OwnerSid, - LockoutObservationWindow, SMBSigning, RestrictOutboundNTLM, GMSA, MSA, DoesAnyAceGrantOwnerRights, - DoesAnyInheritedAceGrantOwnerRights, - OwnerSid + DoesAnyInheritedAceGrantOwnerRights ] // Kinds diff --git a/packages/go/analysis/ad/owns.go b/packages/go/analysis/ad/owns.go index 728dc93e5..8b38882ca 100644 --- a/packages/go/analysis/ad/owns.go +++ b/packages/go/analysis/ad/owns.go @@ -19,6 +19,8 @@ package ad import ( "context" "errors" + "fmt" + "log/slog" "github.com/specterops/bloodhound/dawgs/util/channels" @@ -30,7 +32,6 @@ import ( "github.com/specterops/bloodhound/dawgs/query" "github.com/specterops/bloodhound/graphschema/ad" "github.com/specterops/bloodhound/graphschema/common" - "github.com/specterops/bloodhound/log" ) func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansions impact.PathAggregator) (*analysis.AtomicPostProcessingStats, error) { 
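Review bot: The files regenerated from this schema change further down the diff (packages/go/graphschema/ad/ad.go, azure/azure.go, common/common.go, graph.go and bh-shared-ui/src/graphSchema.ts) each lose their Apache-2.0 / SPDX-License-Identifier header, and the TypeScript output also loses its indentation and semicolons, which looks like the generator was run without its header template and without the post-generation formatter rather than anything caused by this hunk. The ad.cue hunk itself is fine: it removes the duplicated `LockoutObservationWindow` and `OwnerSid` entries from the Properties list. I'd restore the header in the generator (or regenerate with the template present) before merging so the license provenance of generated files is preserved. The new `WriteOwnerLimitedRights`/`OwnsRaw` kinds appear in the generated ad.go but not in this cue hunk, so presumably they are declared elsewhere in the schema; worth a quick check that the cue source and generated output are from the same revision.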
@@ -38,11 +39,11 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio // Get the dSHeuristics values for all domains if dsHeuristicsCache, anyEnforced, err := GetDsHeuristicsCache(ctx, db); err != nil { - log.Errorf("failed fetching dsheuristics values for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed fetching dsheuristics values for postownsandwriteowner: %v", err)) return nil, err } else if adminGroupIds, err := FetchAdminGroupIds(ctx, db, groupExpansions); err != nil { // Get the admin group IDs - log.Errorf("failed fetching admin group ids values for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed fetching admin group ids values for postownsandwriteowner: %v", err)) } else { // Get all source nodes of Owns ACEs (i.e., owning principals) where the target node has no ACEs granting abusable explicit permissions to OWNER RIGHTS @@ -53,7 +54,7 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio query.Kind(query.Start(), ad.Entity), ) })); err != nil { - log.Errorf("failed to fetch OwnsRaw relationships for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed to fetch OwnsRaw relationships for postownsandwriteowner: %v", err)) } else { for _, rel := range relationships { 
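Review bot: The new `slog.Error(fmt.Sprintf(...))` calls give up the structured-logging benefit of slog: the error is baked into the message string instead of being an attribute, so it cannot be filtered or queried; prefer `slog.Error("failed fetching dsheuristics values for postownsandwriteowner", "err", err)` (or `slog.Any("err", err)`) and drop the `fmt` import. Separately, the `FetchAdminGroupIds` failure branch on the new line only logs and then falls through, while the `GetDsHeuristicsCache` branch just above it returns `nil, err`; if I am reading the if/else chain right, a failure to resolve admin group IDs silently yields no post-processed Owns/WriteOwner edges and the caller is told nothing, which for an attack-path tool means missing findings rather than a visible error. I'd make that branch `return nil, err` as well unless the fall-through is deliberate, in which case a comment saying why is warranted. PostOwnsAndWriteOwner continues outside this hunk.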
@@ -62,12 +63,12 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio // Get the target node of the OwnsRaw relationship if targetNode, err := ops.FetchNode(tx, rel.EndID); err != nil { - log.Errorf("failed fetching OwnsRaw target node for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed fetching OwnsRaw target node for postownsandwriteowner: %v", err)) continue } else if domainSid, err := targetNode.Properties.GetOrDefault(ad.DomainSID.String(), "").String(); err != nil { // Get the domain SID of the target node - log.Errorf("failed fetching domain SID for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed fetching domain SID for postownsandwriteowner: %v", err)) continue } else { @@ -123,7 +124,7 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio } return nil }); err != nil { - log.Errorf("failed to process Owns relationships for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed to process Owns relationships for postownsandwriteowner: %v", err)) } // Get all source nodes of WriteOwner ACEs where the target node has no ACEs granting explicit abusable permissions to OWNER RIGHTS @@ -135,7 +136,7 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio query.Kind(query.Start(), ad.Entity), ) })); err != nil { - log.Errorf("failed to fetch WriteOwnerRaw relationships for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed to fetch WriteOwnerRaw relationships for postownsandwriteowner: %v", err)) } else { for _, rel := range relationships { 
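Review bot: The per-relationship error logs in the `@@ -62` hunk say that a target node or its domain SID could not be fetched but not which one, so after a run that emits dozens of these an operator cannot tell which OwnsRaw edges were skipped by the `continue`; since `rel.EndID` is already in hand, log it as an attribute, e.g. `slog.Error("failed fetching OwnsRaw target node for postownsandwriteowner", "endID", rel.EndID, "err", err)`. The same applies to the domain-SID failure a few lines below, where the target node's ID would be the useful key. The enclosing loop and PostOwnsAndWriteOwner both start and end outside this hunk.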
@@ -144,12 +145,12 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio // Get the target node of the WriteOwnerRaw relationship if targetNode, err := ops.FetchNode(tx, rel.EndID); err != nil { - log.Errorf("failed fetching WriteOwnerRaw target node for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed fetching WriteOwnerRaw target node for postownsandwriteowner: %v", err)) continue } else if domainSid, err := targetNode.Properties.GetOrDefault(ad.DomainSID.String(), "").String(); err != nil { // Get the domain SID of the target node - log.Errorf("failed fetching domain SID for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed fetching domain SID for postownsandwriteowner: %v", err)) continue } else { @@ -205,7 +206,7 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio } return nil }); err != nil { - log.Errorf("failed to process WriteOwner relationships for postownsandwriteowner: %w", err) + slog.Error(fmt.Sprintf("failed to process WriteOwner relationships for postownsandwriteowner: %v", err)) } } return &operation.Stats, operation.Done() diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go index 478c42ce2..4d9d27dff 100644 --- a/packages/go/graphschema/ad/ad.go +++ b/packages/go/graphschema/ad/ad.go 
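Review bot: In the `@@ -205` hunk the error from processing WriteOwner relationships is logged and then discarded, and the function goes on to `return &operation.Stats, operation.Done()`, so unless `operation.Done()` surfaces that failure (not visible here) the caller sees a successful post-processing run built from incomplete WriteOwner edges. Since `errors` is already imported in this file, capturing that error in a variable declared before the `if` and returning `errors.Join(procErr, operation.Done())` would make the partial result visible without changing the signature. The `@@ -144` hunk above repeats the OwnsRaw loop prologue almost line for line, so a shared helper for the fetch-node/domain-SID step would also halve the duplicated error handling. PostOwnsAndWriteOwner starts outside this hunk.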
@@ -1,19 +1,3 @@ -// Copyright 2025 Specter Ops, Inc. -// -// Licensed under the Apache License, Version 2.0 -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 - // Code generated by Cuelang code gen. DO NOT EDIT! // Cuelang source: github.com/specterops/bloodhound/-/tree/main/packages/cue/schemas/ @@ -21,7 +5,6 @@ package ad import ( "errors" - graph "github.com/specterops/bloodhound/dawgs/graph" ) @@ -111,6 +94,10 @@ var ( ADCSESC13 = graph.StringKind("ADCSESC13") SyncedToEntraUser = graph.StringKind("SyncedToEntraUser") CoerceAndRelayNTLMToSMB = graph.StringKind("CoerceAndRelayNTLMToSMB") + WriteOwnerLimitedRights = graph.StringKind("WriteOwnerLimitedRights") + WriteOwnerRaw = graph.StringKind("WriteOwnerRaw") + OwnsLimitedRights = graph.StringKind("OwnsLimitedRights") + OwnsRaw = graph.StringKind("OwnsRaw") ) type Property string 
@@ -217,12 +204,17 @@ const ( MaxPwdAge Property = "maxpwdage" LockoutDuration Property = "lockoutduration" LockoutObservationWindow Property = "lockoutobservationwindow" + OwnerSid Property = "ownersid" SMBSigning Property = "smbsigning" RestrictOutboundNTLM Property = "restrictoutboundntlm" + GMSA Property = "gmsa" + MSA Property = "msa" + DoesAnyAceGrantOwnerRights Property = "doesanyacegrantownerrights" + DoesAnyInheritedAceGrantOwnerRights Property = "doesanyinheritedacegrantownerrights" ) func AllProperties() []Property { - return []Property{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, RoleSeparationEnabled, RoleSeparationEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, UnresolvedPublishedTemplates, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, SubjectAltRequireDNS, SubjectAltRequireDomainDNS, SubjectAltRequireEmail, SubjectAltRequireSPN, SubjectRequireEmail, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, SchannelAuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory, CertificatePolicy, 
CertTemplateOID, GroupLinkID, ObjectGUID, ExpirePasswordsOnSmartCardOnlyAccounts, MachineAccountQuota, SupportedKerberosEncryptionTypes, TGTDelegationEnabled, PasswordStoredUsingReversibleEncryption, SmartcardRequired, UseDESKeyOnly, LogonScriptEnabled, LockedOut, UserCannotChangePassword, PasswordExpired, DSHeuristics, UserAccountControl, TrustAttributes, MinPwdLength, PwdProperties, PwdHistoryLength, LockoutThreshold, MinPwdAge, MaxPwdAge, LockoutDuration, LockoutObservationWindow, SMBSigning, RestrictOutboundNTLM} + return []Property{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, RoleSeparationEnabled, RoleSeparationEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, UnresolvedPublishedTemplates, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, SubjectAltRequireDNS, SubjectAltRequireDomainDNS, SubjectAltRequireEmail, SubjectAltRequireSPN, SubjectRequireEmail, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, SchannelAuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory, CertificatePolicy, 
CertTemplateOID, GroupLinkID, ObjectGUID, ExpirePasswordsOnSmartCardOnlyAccounts, MachineAccountQuota, SupportedKerberosEncryptionTypes, TGTDelegationEnabled, PasswordStoredUsingReversibleEncryption, SmartcardRequired, UseDESKeyOnly, LogonScriptEnabled, LockedOut, UserCannotChangePassword, PasswordExpired, DSHeuristics, UserAccountControl, TrustAttributes, MinPwdLength, PwdProperties, PwdHistoryLength, LockoutThreshold, MinPwdAge, MaxPwdAge, LockoutDuration, LockoutObservationWindow, OwnerSid, SMBSigning, RestrictOutboundNTLM, GMSA, MSA, DoesAnyAceGrantOwnerRights, DoesAnyInheritedAceGrantOwnerRights} } func ParseProperty(source string) (Property, error) { switch source { @@ -428,10 +420,20 @@ func ParseProperty(source string) (Property, error) { return LockoutDuration, nil case "lockoutobservationwindow": return LockoutObservationWindow, nil + case "ownersid": + return OwnerSid, nil case "smbsigning": return SMBSigning, nil case "restrictoutboundntlm": return RestrictOutboundNTLM, nil + case "gmsa": + return GMSA, nil + case "msa": + return MSA, nil + case "doesanyacegrantownerrights": + return DoesAnyAceGrantOwnerRights, nil + case "doesanyinheritedacegrantownerrights": + return DoesAnyInheritedAceGrantOwnerRights, nil default: return "", errors.New("Invalid enumeration value: " + source) } @@ -640,10 +642,20 @@ func (s Property) String() string { return string(LockoutDuration) case LockoutObservationWindow: return string(LockoutObservationWindow) + case OwnerSid: + return string(OwnerSid) case SMBSigning: return string(SMBSigning) case RestrictOutboundNTLM: return string(RestrictOutboundNTLM) + case GMSA: + return string(GMSA) + case MSA: + return string(MSA) + case DoesAnyAceGrantOwnerRights: + return string(DoesAnyAceGrantOwnerRights) + case DoesAnyInheritedAceGrantOwnerRights: + return string(DoesAnyInheritedAceGrantOwnerRights) default: return "Invalid enumeration case: " + string(s) } 
@@ -852,10 +864,20 @@ func (s Property) Name() string { return "Lockout Duration" case LockoutObservationWindow: return "Lockout Observation Window" + case OwnerSid: + return "Owner SID" case SMBSigning: return "SMB Signing" case RestrictOutboundNTLM: return "Restrict Outbound NTLM" + case GMSA: + return "GMSA" + case MSA: + return "MSA" + case DoesAnyAceGrantOwnerRights: + return "Does Any ACE Grant Owner Rights" + case DoesAnyInheritedAceGrantOwnerRights: + return "Does Any Inherited ACE Grant Owner Rights" default: return "Invalid enumeration case: " + string(s) } 
@@ -872,19 +894,19 @@ func Nodes() []graph.Kind { return []graph.Kind{Entity, User, Computer, Group, GPO, OU, Container, Domain, LocalGroup, LocalUser, AIACA, RootCA, EnterpriseCA, NTAuthStore, CertTemplate, IssuancePolicy} } func Relationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonRight, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonRight, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, 
WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, WriteOwnerLimitedRights, WriteOwnerRaw, OwnsLimitedRights, OwnsRaw} } func ACLRelationships() []graph.Kind { - return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag} + return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag, WriteOwnerLimitedRights, OwnsLimitedRights, OwnsRaw, WriteOwnerRaw} } func PathfindingRelationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, GPLink, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, 
CoerceAndRelayNTLMToSMB, Contains, DCFor, TrustedBy} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, GPLink, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, WriteOwnerLimitedRights, OwnsLimitedRights, Contains, DCFor, TrustedBy} } func InboundRelationshipKinds() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, GPLink, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, Contains} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, GPLink, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, 
SyncedToEntraUser, CoerceAndRelayNTLMToSMB, WriteOwnerLimitedRights, OwnsLimitedRights, Contains} } func OutboundRelationshipKinds() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, GPLink, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, Contains, DCFor} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, GPLink, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, WriteOwnerLimitedRights, OwnsLimitedRights, Contains, DCFor} } func IsACLKind(s graph.Kind) bool { for _, acl := range ACLRelationships() { diff --git a/packages/go/graphschema/azure/azure.go b/packages/go/graphschema/azure/azure.go index f896acfcf..3ec7ddb97 100644 --- a/packages/go/graphschema/azure/azure.go +++ b/packages/go/graphschema/azure/azure.go 
@@ -1,19 +1,3 @@ -// Copyright 2025 Specter Ops, Inc. -// -// Licensed under the Apache License, Version 2.0 -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 - // Code generated by Cuelang code gen. DO NOT EDIT! // Cuelang source: github.com/specterops/bloodhound/-/tree/main/packages/cue/schemas/ @@ -21,7 +5,6 @@ package azure import ( "errors" - graph "github.com/specterops/bloodhound/dawgs/graph" ) diff --git a/packages/go/graphschema/common/common.go b/packages/go/graphschema/common/common.go index b88cdfabf..3330daa6f 100644 --- a/packages/go/graphschema/common/common.go +++ b/packages/go/graphschema/common/common.go @@ -1,19 +1,3 @@ -// Copyright 2025 Specter Ops, Inc. -// -// Licensed under the Apache License, Version 2.0 -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 - // Code generated by Cuelang code gen. DO NOT EDIT! // Cuelang source: github.com/specterops/bloodhound/-/tree/main/packages/cue/schemas/ 
@@ -21,7 +5,6 @@ package common import ( "errors" - graph "github.com/specterops/bloodhound/dawgs/graph" ad "github.com/specterops/bloodhound/graphschema/ad" azure "github.com/specterops/bloodhound/graphschema/azure" 
@@ -41,10 +24,10 @@ func NodeKinds() []graph.Kind { return []graph.Kind{MigrationData} } func InboundRelationshipKinds() []graph.Kind { - return []graph.Kind{ad.Owns, ad.GenericAll, ad.GenericWrite, ad.WriteOwner, ad.WriteDACL, ad.MemberOf, ad.ForceChangePassword, ad.AllExtendedRights, ad.AddMember, ad.HasSession, ad.GPLink, ad.AllowedToDelegate, ad.CoerceToTGT, ad.AllowedToAct, ad.AdminTo, ad.CanPSRemote, ad.CanRDP, ad.ExecuteDCOM, ad.HasSIDHistory, ad.AddSelf, ad.DCSync, ad.ReadLAPSPassword, ad.ReadGMSAPassword, ad.DumpSMSAPassword, ad.SQLAdmin, ad.AddAllowedToAct, ad.WriteSPN, ad.AddKeyCredentialLink, ad.SyncLAPSPassword, ad.WriteAccountRestrictions, ad.WriteGPLink, ad.GoldenCert, ad.ADCSESC1, ad.ADCSESC3, ad.ADCSESC4, ad.ADCSESC6a, ad.ADCSESC6b, ad.ADCSESC9a, ad.ADCSESC9b, ad.ADCSESC10a, ad.ADCSESC10b, ad.ADCSESC13, ad.SyncedToEntraUser, ad.CoerceAndRelayNTLMToSMB, ad.Contains, azure.AvereContributor, azure.Contributor, azure.GetCertificates, azure.GetKeys, azure.GetSecrets, azure.HasRole, azure.MemberOf, azure.Owner, azure.RunsAs, azure.VMContributor, azure.AutomationContributor, azure.KeyVaultContributor, azure.VMAdminLogin, azure.AddMembers, azure.AddSecret, azure.ExecuteCommand, azure.GlobalAdmin, azure.PrivilegedAuthAdmin, azure.Grant, azure.GrantSelf, azure.PrivilegedRoleAdmin, azure.ResetPassword, azure.UserAccessAdministrator, azure.Owns, azure.CloudAppAdmin, azure.AppAdmin, azure.AddOwner, azure.ManagedIdentity, azure.AKSContributor, azure.NodeResourceGroup, azure.WebsiteContributor, azure.LogicAppContributor, azure.AZMGAddMember, azure.AZMGAddOwner, azure.AZMGAddSecret, azure.AZMGGrantAppRoles, azure.AZMGGrantRole, azure.SyncedToADUser} + return []graph.Kind{ad.Owns, ad.GenericAll, ad.GenericWrite, ad.WriteOwner, ad.WriteDACL, ad.MemberOf, ad.ForceChangePassword, ad.AllExtendedRights, ad.AddMember, ad.HasSession, ad.GPLink, ad.AllowedToDelegate, ad.CoerceToTGT, ad.AllowedToAct, ad.AdminTo, ad.CanPSRemote, ad.CanRDP, ad.ExecuteDCOM, ad.HasSIDHistory, 
ad.AddSelf, ad.DCSync, ad.ReadLAPSPassword, ad.ReadGMSAPassword, ad.DumpSMSAPassword, ad.SQLAdmin, ad.AddAllowedToAct, ad.WriteSPN, ad.AddKeyCredentialLink, ad.SyncLAPSPassword, ad.WriteAccountRestrictions, ad.WriteGPLink, ad.GoldenCert, ad.ADCSESC1, ad.ADCSESC3, ad.ADCSESC4, ad.ADCSESC6a, ad.ADCSESC6b, ad.ADCSESC9a, ad.ADCSESC9b, ad.ADCSESC10a, ad.ADCSESC10b, ad.ADCSESC13, ad.SyncedToEntraUser, ad.CoerceAndRelayNTLMToSMB, ad.WriteOwnerLimitedRights, ad.OwnsLimitedRights, ad.Contains, azure.AvereContributor, azure.Contributor, azure.GetCertificates, azure.GetKeys, azure.GetSecrets, azure.HasRole, azure.MemberOf, azure.Owner, azure.RunsAs, azure.VMContributor, azure.AutomationContributor, azure.KeyVaultContributor, azure.VMAdminLogin, azure.AddMembers, azure.AddSecret, azure.ExecuteCommand, azure.GlobalAdmin, azure.PrivilegedAuthAdmin, azure.Grant, azure.GrantSelf, azure.PrivilegedRoleAdmin, azure.ResetPassword, azure.UserAccessAdministrator, azure.Owns, azure.CloudAppAdmin, azure.AppAdmin, azure.AddOwner, azure.ManagedIdentity, azure.AKSContributor, azure.NodeResourceGroup, azure.WebsiteContributor, azure.LogicAppContributor, azure.AZMGAddMember, azure.AZMGAddOwner, azure.AZMGAddSecret, azure.AZMGGrantAppRoles, azure.AZMGGrantRole, azure.SyncedToADUser} } func OutboundRelationshipKinds() []graph.Kind { - return []graph.Kind{ad.Owns, ad.GenericAll, ad.GenericWrite, ad.WriteOwner, ad.WriteDACL, ad.MemberOf, ad.ForceChangePassword, ad.AllExtendedRights, ad.AddMember, ad.HasSession, ad.GPLink, ad.AllowedToDelegate, ad.CoerceToTGT, ad.AllowedToAct, ad.AdminTo, ad.CanPSRemote, ad.CanRDP, ad.ExecuteDCOM, ad.HasSIDHistory, ad.AddSelf, ad.DCSync, ad.ReadLAPSPassword, ad.ReadGMSAPassword, ad.DumpSMSAPassword, ad.SQLAdmin, ad.AddAllowedToAct, ad.WriteSPN, ad.AddKeyCredentialLink, ad.SyncLAPSPassword, ad.WriteAccountRestrictions, ad.WriteGPLink, ad.GoldenCert, ad.ADCSESC1, ad.ADCSESC3, ad.ADCSESC4, ad.ADCSESC6a, ad.ADCSESC6b, ad.ADCSESC9a, ad.ADCSESC9b, ad.ADCSESC10a, 
ad.ADCSESC10b, ad.ADCSESC13, ad.SyncedToEntraUser, ad.CoerceAndRelayNTLMToSMB, ad.Contains, ad.DCFor, azure.AvereContributor, azure.Contributor, azure.GetCertificates, azure.GetKeys, azure.GetSecrets, azure.HasRole, azure.MemberOf, azure.Owner, azure.RunsAs, azure.VMContributor, azure.AutomationContributor, azure.KeyVaultContributor, azure.VMAdminLogin, azure.AddMembers, azure.AddSecret, azure.ExecuteCommand, azure.GlobalAdmin, azure.PrivilegedAuthAdmin, azure.Grant, azure.GrantSelf, azure.PrivilegedRoleAdmin, azure.ResetPassword, azure.UserAccessAdministrator, azure.Owns, azure.CloudAppAdmin, azure.AppAdmin, azure.AddOwner, azure.ManagedIdentity, azure.AKSContributor, azure.NodeResourceGroup, azure.WebsiteContributor, azure.LogicAppContributor, azure.AZMGAddMember, azure.AZMGAddOwner, azure.AZMGAddSecret, azure.AZMGGrantAppRoles, azure.AZMGGrantRole, azure.SyncedToADUser} + return []graph.Kind{ad.Owns, ad.GenericAll, ad.GenericWrite, ad.WriteOwner, ad.WriteDACL, ad.MemberOf, ad.ForceChangePassword, ad.AllExtendedRights, ad.AddMember, ad.HasSession, ad.GPLink, ad.AllowedToDelegate, ad.CoerceToTGT, ad.AllowedToAct, ad.AdminTo, ad.CanPSRemote, ad.CanRDP, ad.ExecuteDCOM, ad.HasSIDHistory, ad.AddSelf, ad.DCSync, ad.ReadLAPSPassword, ad.ReadGMSAPassword, ad.DumpSMSAPassword, ad.SQLAdmin, ad.AddAllowedToAct, ad.WriteSPN, ad.AddKeyCredentialLink, ad.SyncLAPSPassword, ad.WriteAccountRestrictions, ad.WriteGPLink, ad.GoldenCert, ad.ADCSESC1, ad.ADCSESC3, ad.ADCSESC4, ad.ADCSESC6a, ad.ADCSESC6b, ad.ADCSESC9a, ad.ADCSESC9b, ad.ADCSESC10a, ad.ADCSESC10b, ad.ADCSESC13, ad.SyncedToEntraUser, ad.CoerceAndRelayNTLMToSMB, ad.WriteOwnerLimitedRights, ad.OwnsLimitedRights, ad.Contains, ad.DCFor, azure.AvereContributor, azure.Contributor, azure.GetCertificates, azure.GetKeys, azure.GetSecrets, azure.HasRole, azure.MemberOf, azure.Owner, azure.RunsAs, azure.VMContributor, azure.AutomationContributor, azure.KeyVaultContributor, azure.VMAdminLogin, azure.AddMembers, azure.AddSecret, 
azure.ExecuteCommand, azure.GlobalAdmin, azure.PrivilegedAuthAdmin, azure.Grant, azure.GrantSelf, azure.PrivilegedRoleAdmin, azure.ResetPassword, azure.UserAccessAdministrator, azure.Owns, azure.CloudAppAdmin, azure.AppAdmin, azure.AddOwner, azure.ManagedIdentity, azure.AKSContributor, azure.NodeResourceGroup, azure.WebsiteContributor, azure.LogicAppContributor, azure.AZMGAddMember, azure.AZMGAddOwner, azure.AZMGAddSecret, azure.AZMGGrantAppRoles, azure.AZMGGrantRole, azure.SyncedToADUser} } type Property string diff --git a/packages/go/graphschema/graph.go b/packages/go/graphschema/graph.go index f606615cf..c0cb95318 100644 --- a/packages/go/graphschema/graph.go +++ b/packages/go/graphschema/graph.go @@ -1,19 +1,3 @@ -// Copyright 2025 Specter Ops, Inc. -// -// Licensed under the Apache License, Version 2.0 -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 - // Code generated by Cuelang code gen. DO NOT EDIT! // Cuelang source: github.com/specterops/bloodhound/-/tree/main/packages/cue/schemas/ diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts index 280aff109..e80609334 100644 --- a/packages/javascript/bh-shared-ui/src/graphSchema.ts +++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts 
@@ -1,1102 +1,1013 @@ -// Copyright 2025 Specter Ops, Inc. -// -// Licensed under the Apache License, Version 2.0 -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 export enum ActiveDirectoryNodeKind { - Entity = 'Base', - User = 'User', - Computer = 'Computer', - Group = 'Group', - GPO = 'GPO', - OU = 'OU', - Container = 'Container', - Domain = 'Domain', - LocalGroup = 'ADLocalGroup', - LocalUser = 'ADLocalUser', - AIACA = 'AIACA', - RootCA = 'RootCA', - EnterpriseCA = 'EnterpriseCA', - NTAuthStore = 'NTAuthStore', - CertTemplate = 'CertTemplate', - IssuancePolicy = 'IssuancePolicy', +Entity = 'Base', +User = 'User', +Computer = 'Computer', +Group = 'Group', +GPO = 'GPO', +OU = 'OU', +Container = 'Container', +Domain = 'Domain', +LocalGroup = 'ADLocalGroup', +LocalUser = 'ADLocalUser', +AIACA = 'AIACA', +RootCA = 'RootCA', +EnterpriseCA = 'EnterpriseCA', +NTAuthStore = 'NTAuthStore', +CertTemplate = 'CertTemplate', +IssuancePolicy = 'IssuancePolicy', +} +export function ActiveDirectoryNodeKindToDisplay (value : ActiveDirectoryNodeKind): string | undefined { +switch (value) { +case ActiveDirectoryNodeKind.Entity: +return 'Entity' +case ActiveDirectoryNodeKind.User: +return 'User' +case ActiveDirectoryNodeKind.Computer: +return 'Computer' +case ActiveDirectoryNodeKind.Group: +return 'Group' +case ActiveDirectoryNodeKind.GPO: +return 'GPO' +case ActiveDirectoryNodeKind.OU: +return 'OU' +case ActiveDirectoryNodeKind.Container: +return 'Container' +case ActiveDirectoryNodeKind.Domain: 
+return 'Domain' +case ActiveDirectoryNodeKind.LocalGroup: +return 'LocalGroup' +case ActiveDirectoryNodeKind.LocalUser: +return 'LocalUser' +case ActiveDirectoryNodeKind.AIACA: +return 'AIACA' +case ActiveDirectoryNodeKind.RootCA: +return 'RootCA' +case ActiveDirectoryNodeKind.EnterpriseCA: +return 'EnterpriseCA' +case ActiveDirectoryNodeKind.NTAuthStore: +return 'NTAuthStore' +case ActiveDirectoryNodeKind.CertTemplate: +return 'CertTemplate' +case ActiveDirectoryNodeKind.IssuancePolicy: +return 'IssuancePolicy' +default: +return undefined } -export function ActiveDirectoryNodeKindToDisplay(value: ActiveDirectoryNodeKind): string | undefined { - switch (value) { - case ActiveDirectoryNodeKind.Entity: - return 'Entity'; - case ActiveDirectoryNodeKind.User: - return 'User'; - case ActiveDirectoryNodeKind.Computer: - return 'Computer'; - case ActiveDirectoryNodeKind.Group: - return 'Group'; - case ActiveDirectoryNodeKind.GPO: - return 'GPO'; - case ActiveDirectoryNodeKind.OU: - return 'OU'; - case ActiveDirectoryNodeKind.Container: - return 'Container'; - case ActiveDirectoryNodeKind.Domain: - return 'Domain'; - case ActiveDirectoryNodeKind.LocalGroup: - return 'LocalGroup'; - case ActiveDirectoryNodeKind.LocalUser: - return 'LocalUser'; - case ActiveDirectoryNodeKind.AIACA: - return 'AIACA'; - case ActiveDirectoryNodeKind.RootCA: - return 'RootCA'; - case ActiveDirectoryNodeKind.EnterpriseCA: - return 'EnterpriseCA'; - case ActiveDirectoryNodeKind.NTAuthStore: - return 'NTAuthStore'; - case ActiveDirectoryNodeKind.CertTemplate: - return 'CertTemplate'; - case ActiveDirectoryNodeKind.IssuancePolicy: - return 'IssuancePolicy'; - default: - return undefined; - } } export enum ActiveDirectoryRelationshipKind { - Owns = 'Owns', - GenericAll = 'GenericAll', - GenericWrite = 'GenericWrite', - WriteOwner = 'WriteOwner', - WriteDACL = 'WriteDacl', - MemberOf = 'MemberOf', - ForceChangePassword = 'ForceChangePassword', - AllExtendedRights = 'AllExtendedRights', - AddMember = 
'AddMember', - HasSession = 'HasSession', - Contains = 'Contains', - GPLink = 'GPLink', - AllowedToDelegate = 'AllowedToDelegate', - CoerceToTGT = 'CoerceToTGT', - GetChanges = 'GetChanges', - GetChangesAll = 'GetChangesAll', - GetChangesInFilteredSet = 'GetChangesInFilteredSet', - TrustedBy = 'TrustedBy', - AllowedToAct = 'AllowedToAct', - AdminTo = 'AdminTo', - CanPSRemote = 'CanPSRemote', - CanRDP = 'CanRDP', - ExecuteDCOM = 'ExecuteDCOM', - HasSIDHistory = 'HasSIDHistory', - AddSelf = 'AddSelf', - DCSync = 'DCSync', - ReadLAPSPassword = 'ReadLAPSPassword', - ReadGMSAPassword = 'ReadGMSAPassword', - DumpSMSAPassword = 'DumpSMSAPassword', - SQLAdmin = 'SQLAdmin', - AddAllowedToAct = 'AddAllowedToAct', - WriteSPN = 'WriteSPN', - AddKeyCredentialLink = 'AddKeyCredentialLink', - LocalToComputer = 'LocalToComputer', - MemberOfLocalGroup = 'MemberOfLocalGroup', - RemoteInteractiveLogonRight = 'RemoteInteractiveLogonRight', - SyncLAPSPassword = 'SyncLAPSPassword', - WriteAccountRestrictions = 'WriteAccountRestrictions', - WriteGPLink = 'WriteGPLink', - RootCAFor = 'RootCAFor', - DCFor = 'DCFor', - PublishedTo = 'PublishedTo', - ManageCertificates = 'ManageCertificates', - ManageCA = 'ManageCA', - DelegatedEnrollmentAgent = 'DelegatedEnrollmentAgent', - Enroll = 'Enroll', - HostsCAService = 'HostsCAService', - WritePKIEnrollmentFlag = 'WritePKIEnrollmentFlag', - WritePKINameFlag = 'WritePKINameFlag', - NTAuthStoreFor = 'NTAuthStoreFor', - TrustedForNTAuth = 'TrustedForNTAuth', - EnterpriseCAFor = 'EnterpriseCAFor', - IssuedSignedBy = 'IssuedSignedBy', - GoldenCert = 'GoldenCert', - EnrollOnBehalfOf = 'EnrollOnBehalfOf', - OIDGroupLink = 'OIDGroupLink', - ExtendedByPolicy = 'ExtendedByPolicy', - ADCSESC1 = 'ADCSESC1', - ADCSESC3 = 'ADCSESC3', - ADCSESC4 = 'ADCSESC4', - ADCSESC6a = 'ADCSESC6a', - ADCSESC6b = 'ADCSESC6b', - ADCSESC9a = 'ADCSESC9a', - ADCSESC9b = 'ADCSESC9b', - ADCSESC10a = 'ADCSESC10a', - ADCSESC10b = 'ADCSESC10b', - ADCSESC13 = 'ADCSESC13', - 
SyncedToEntraUser = 'SyncedToEntraUser', - CoerceAndRelayNTLMToSMB = 'CoerceAndRelayNTLMToSMB', +Owns = 'Owns', +GenericAll = 'GenericAll', +GenericWrite = 'GenericWrite', +WriteOwner = 'WriteOwner', +WriteDACL = 'WriteDacl', +MemberOf = 'MemberOf', +ForceChangePassword = 'ForceChangePassword', +AllExtendedRights = 'AllExtendedRights', +AddMember = 'AddMember', +HasSession = 'HasSession', +Contains = 'Contains', +GPLink = 'GPLink', +AllowedToDelegate = 'AllowedToDelegate', +CoerceToTGT = 'CoerceToTGT', +GetChanges = 'GetChanges', +GetChangesAll = 'GetChangesAll', +GetChangesInFilteredSet = 'GetChangesInFilteredSet', +TrustedBy = 'TrustedBy', +AllowedToAct = 'AllowedToAct', +AdminTo = 'AdminTo', +CanPSRemote = 'CanPSRemote', +CanRDP = 'CanRDP', +ExecuteDCOM = 'ExecuteDCOM', +HasSIDHistory = 'HasSIDHistory', +AddSelf = 'AddSelf', +DCSync = 'DCSync', +ReadLAPSPassword = 'ReadLAPSPassword', +ReadGMSAPassword = 'ReadGMSAPassword', +DumpSMSAPassword = 'DumpSMSAPassword', +SQLAdmin = 'SQLAdmin', +AddAllowedToAct = 'AddAllowedToAct', +WriteSPN = 'WriteSPN', +AddKeyCredentialLink = 'AddKeyCredentialLink', +LocalToComputer = 'LocalToComputer', +MemberOfLocalGroup = 'MemberOfLocalGroup', +RemoteInteractiveLogonRight = 'RemoteInteractiveLogonRight', +SyncLAPSPassword = 'SyncLAPSPassword', +WriteAccountRestrictions = 'WriteAccountRestrictions', +WriteGPLink = 'WriteGPLink', +RootCAFor = 'RootCAFor', +DCFor = 'DCFor', +PublishedTo = 'PublishedTo', +ManageCertificates = 'ManageCertificates', +ManageCA = 'ManageCA', +DelegatedEnrollmentAgent = 'DelegatedEnrollmentAgent', +Enroll = 'Enroll', +HostsCAService = 'HostsCAService', +WritePKIEnrollmentFlag = 'WritePKIEnrollmentFlag', +WritePKINameFlag = 'WritePKINameFlag', +NTAuthStoreFor = 'NTAuthStoreFor', +TrustedForNTAuth = 'TrustedForNTAuth', +EnterpriseCAFor = 'EnterpriseCAFor', +IssuedSignedBy = 'IssuedSignedBy', +GoldenCert = 'GoldenCert', +EnrollOnBehalfOf = 'EnrollOnBehalfOf', +OIDGroupLink = 'OIDGroupLink', +ExtendedByPolicy = 
'ExtendedByPolicy', +ADCSESC1 = 'ADCSESC1', +ADCSESC3 = 'ADCSESC3', +ADCSESC4 = 'ADCSESC4', +ADCSESC6a = 'ADCSESC6a', +ADCSESC6b = 'ADCSESC6b', +ADCSESC9a = 'ADCSESC9a', +ADCSESC9b = 'ADCSESC9b', +ADCSESC10a = 'ADCSESC10a', +ADCSESC10b = 'ADCSESC10b', +ADCSESC13 = 'ADCSESC13', +SyncedToEntraUser = 'SyncedToEntraUser', +CoerceAndRelayNTLMToSMB = 'CoerceAndRelayNTLMToSMB', +WriteOwnerLimitedRights = 'WriteOwnerLimitedRights', +WriteOwnerRaw = 'WriteOwnerRaw', +OwnsLimitedRights = 'OwnsLimitedRights', +OwnsRaw = 'OwnsRaw', +} +export function ActiveDirectoryRelationshipKindToDisplay (value : ActiveDirectoryRelationshipKind): string | undefined { +switch (value) { +case ActiveDirectoryRelationshipKind.Owns: +return 'Owns' +case ActiveDirectoryRelationshipKind.GenericAll: +return 'GenericAll' +case ActiveDirectoryRelationshipKind.GenericWrite: +return 'GenericWrite' +case ActiveDirectoryRelationshipKind.WriteOwner: +return 'WriteOwner' +case ActiveDirectoryRelationshipKind.WriteDACL: +return 'WriteDACL' +case ActiveDirectoryRelationshipKind.MemberOf: +return 'MemberOf' +case ActiveDirectoryRelationshipKind.ForceChangePassword: +return 'ForceChangePassword' +case ActiveDirectoryRelationshipKind.AllExtendedRights: +return 'AllExtendedRights' +case ActiveDirectoryRelationshipKind.AddMember: +return 'AddMember' +case ActiveDirectoryRelationshipKind.HasSession: +return 'HasSession' +case ActiveDirectoryRelationshipKind.Contains: +return 'Contains' +case ActiveDirectoryRelationshipKind.GPLink: +return 'GPLink' +case ActiveDirectoryRelationshipKind.AllowedToDelegate: +return 'AllowedToDelegate' +case ActiveDirectoryRelationshipKind.CoerceToTGT: +return 'CoerceToTGT' +case ActiveDirectoryRelationshipKind.GetChanges: +return 'GetChanges' +case ActiveDirectoryRelationshipKind.GetChangesAll: +return 'GetChangesAll' +case ActiveDirectoryRelationshipKind.GetChangesInFilteredSet: +return 'GetChangesInFilteredSet' +case ActiveDirectoryRelationshipKind.TrustedBy: +return 'TrustedBy' 
+case ActiveDirectoryRelationshipKind.AllowedToAct: +return 'AllowedToAct' +case ActiveDirectoryRelationshipKind.AdminTo: +return 'AdminTo' +case ActiveDirectoryRelationshipKind.CanPSRemote: +return 'CanPSRemote' +case ActiveDirectoryRelationshipKind.CanRDP: +return 'CanRDP' +case ActiveDirectoryRelationshipKind.ExecuteDCOM: +return 'ExecuteDCOM' +case ActiveDirectoryRelationshipKind.HasSIDHistory: +return 'HasSIDHistory' +case ActiveDirectoryRelationshipKind.AddSelf: +return 'AddSelf' +case ActiveDirectoryRelationshipKind.DCSync: +return 'DCSync' +case ActiveDirectoryRelationshipKind.ReadLAPSPassword: +return 'ReadLAPSPassword' +case ActiveDirectoryRelationshipKind.ReadGMSAPassword: +return 'ReadGMSAPassword' +case ActiveDirectoryRelationshipKind.DumpSMSAPassword: +return 'DumpSMSAPassword' +case ActiveDirectoryRelationshipKind.SQLAdmin: +return 'SQLAdmin' +case ActiveDirectoryRelationshipKind.AddAllowedToAct: +return 'AddAllowedToAct' +case ActiveDirectoryRelationshipKind.WriteSPN: +return 'WriteSPN' +case ActiveDirectoryRelationshipKind.AddKeyCredentialLink: +return 'AddKeyCredentialLink' +case ActiveDirectoryRelationshipKind.LocalToComputer: +return 'LocalToComputer' +case ActiveDirectoryRelationshipKind.MemberOfLocalGroup: +return 'MemberOfLocalGroup' +case ActiveDirectoryRelationshipKind.RemoteInteractiveLogonRight: +return 'RemoteInteractiveLogonRight' +case ActiveDirectoryRelationshipKind.SyncLAPSPassword: +return 'SyncLAPSPassword' +case ActiveDirectoryRelationshipKind.WriteAccountRestrictions: +return 'WriteAccountRestrictions' +case ActiveDirectoryRelationshipKind.WriteGPLink: +return 'WriteGPLink' +case ActiveDirectoryRelationshipKind.RootCAFor: +return 'RootCAFor' +case ActiveDirectoryRelationshipKind.DCFor: +return 'DCFor' +case ActiveDirectoryRelationshipKind.PublishedTo: +return 'PublishedTo' +case ActiveDirectoryRelationshipKind.ManageCertificates: +return 'ManageCertificates' +case ActiveDirectoryRelationshipKind.ManageCA: +return 'ManageCA' +case 
ActiveDirectoryRelationshipKind.DelegatedEnrollmentAgent: +return 'DelegatedEnrollmentAgent' +case ActiveDirectoryRelationshipKind.Enroll: +return 'Enroll' +case ActiveDirectoryRelationshipKind.HostsCAService: +return 'HostsCAService' +case ActiveDirectoryRelationshipKind.WritePKIEnrollmentFlag: +return 'WritePKIEnrollmentFlag' +case ActiveDirectoryRelationshipKind.WritePKINameFlag: +return 'WritePKINameFlag' +case ActiveDirectoryRelationshipKind.NTAuthStoreFor: +return 'NTAuthStoreFor' +case ActiveDirectoryRelationshipKind.TrustedForNTAuth: +return 'TrustedForNTAuth' +case ActiveDirectoryRelationshipKind.EnterpriseCAFor: +return 'EnterpriseCAFor' +case ActiveDirectoryRelationshipKind.IssuedSignedBy: +return 'IssuedSignedBy' +case ActiveDirectoryRelationshipKind.GoldenCert: +return 'GoldenCert' +case ActiveDirectoryRelationshipKind.EnrollOnBehalfOf: +return 'EnrollOnBehalfOf' +case ActiveDirectoryRelationshipKind.OIDGroupLink: +return 'OIDGroupLink' +case ActiveDirectoryRelationshipKind.ExtendedByPolicy: +return 'ExtendedByPolicy' +case ActiveDirectoryRelationshipKind.ADCSESC1: +return 'ADCSESC1' +case ActiveDirectoryRelationshipKind.ADCSESC3: +return 'ADCSESC3' +case ActiveDirectoryRelationshipKind.ADCSESC4: +return 'ADCSESC4' +case ActiveDirectoryRelationshipKind.ADCSESC6a: +return 'ADCSESC6a' +case ActiveDirectoryRelationshipKind.ADCSESC6b: +return 'ADCSESC6b' +case ActiveDirectoryRelationshipKind.ADCSESC9a: +return 'ADCSESC9a' +case ActiveDirectoryRelationshipKind.ADCSESC9b: +return 'ADCSESC9b' +case ActiveDirectoryRelationshipKind.ADCSESC10a: +return 'ADCSESC10a' +case ActiveDirectoryRelationshipKind.ADCSESC10b: +return 'ADCSESC10b' +case ActiveDirectoryRelationshipKind.ADCSESC13: +return 'ADCSESC13' +case ActiveDirectoryRelationshipKind.SyncedToEntraUser: +return 'SyncedToEntraUser' +case ActiveDirectoryRelationshipKind.CoerceAndRelayNTLMToSMB: +return 'CoerceAndRelayNTLMToSMB' +case ActiveDirectoryRelationshipKind.WriteOwnerLimitedRights: +return 
'WriteOwnerLimitedRights' +case ActiveDirectoryRelationshipKind.WriteOwnerRaw: +return 'WriteOwnerRaw' +case ActiveDirectoryRelationshipKind.OwnsLimitedRights: +return 'OwnsLimitedRights' +case ActiveDirectoryRelationshipKind.OwnsRaw: +return 'OwnsRaw' +default: +return undefined } -export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryRelationshipKind): string | undefined { - switch (value) { - case ActiveDirectoryRelationshipKind.Owns: - return 'Owns'; - case ActiveDirectoryRelationshipKind.GenericAll: - return 'GenericAll'; - case ActiveDirectoryRelationshipKind.GenericWrite: - return 'GenericWrite'; - case ActiveDirectoryRelationshipKind.WriteOwner: - return 'WriteOwner'; - case ActiveDirectoryRelationshipKind.WriteDACL: - return 'WriteDACL'; - case ActiveDirectoryRelationshipKind.MemberOf: - return 'MemberOf'; - case ActiveDirectoryRelationshipKind.ForceChangePassword: - return 'ForceChangePassword'; - case ActiveDirectoryRelationshipKind.AllExtendedRights: - return 'AllExtendedRights'; - case ActiveDirectoryRelationshipKind.AddMember: - return 'AddMember'; - case ActiveDirectoryRelationshipKind.HasSession: - return 'HasSession'; - case ActiveDirectoryRelationshipKind.Contains: - return 'Contains'; - case ActiveDirectoryRelationshipKind.GPLink: - return 'GPLink'; - case ActiveDirectoryRelationshipKind.AllowedToDelegate: - return 'AllowedToDelegate'; - case ActiveDirectoryRelationshipKind.CoerceToTGT: - return 'CoerceToTGT'; - case ActiveDirectoryRelationshipKind.GetChanges: - return 'GetChanges'; - case ActiveDirectoryRelationshipKind.GetChangesAll: - return 'GetChangesAll'; - case ActiveDirectoryRelationshipKind.GetChangesInFilteredSet: - return 'GetChangesInFilteredSet'; - case ActiveDirectoryRelationshipKind.TrustedBy: - return 'TrustedBy'; - case ActiveDirectoryRelationshipKind.AllowedToAct: - return 'AllowedToAct'; - case ActiveDirectoryRelationshipKind.AdminTo: - return 'AdminTo'; - case 
ActiveDirectoryRelationshipKind.CanPSRemote: - return 'CanPSRemote'; - case ActiveDirectoryRelationshipKind.CanRDP: - return 'CanRDP'; - case ActiveDirectoryRelationshipKind.ExecuteDCOM: - return 'ExecuteDCOM'; - case ActiveDirectoryRelationshipKind.HasSIDHistory: - return 'HasSIDHistory'; - case ActiveDirectoryRelationshipKind.AddSelf: - return 'AddSelf'; - case ActiveDirectoryRelationshipKind.DCSync: - return 'DCSync'; - case ActiveDirectoryRelationshipKind.ReadLAPSPassword: - return 'ReadLAPSPassword'; - case ActiveDirectoryRelationshipKind.ReadGMSAPassword: - return 'ReadGMSAPassword'; - case ActiveDirectoryRelationshipKind.DumpSMSAPassword: - return 'DumpSMSAPassword'; - case ActiveDirectoryRelationshipKind.SQLAdmin: - return 'SQLAdmin'; - case ActiveDirectoryRelationshipKind.AddAllowedToAct: - return 'AddAllowedToAct'; - case ActiveDirectoryRelationshipKind.WriteSPN: - return 'WriteSPN'; - case ActiveDirectoryRelationshipKind.AddKeyCredentialLink: - return 'AddKeyCredentialLink'; - case ActiveDirectoryRelationshipKind.LocalToComputer: - return 'LocalToComputer'; - case ActiveDirectoryRelationshipKind.MemberOfLocalGroup: - return 'MemberOfLocalGroup'; - case ActiveDirectoryRelationshipKind.RemoteInteractiveLogonRight: - return 'RemoteInteractiveLogonRight'; - case ActiveDirectoryRelationshipKind.SyncLAPSPassword: - return 'SyncLAPSPassword'; - case ActiveDirectoryRelationshipKind.WriteAccountRestrictions: - return 'WriteAccountRestrictions'; - case ActiveDirectoryRelationshipKind.WriteGPLink: - return 'WriteGPLink'; - case ActiveDirectoryRelationshipKind.RootCAFor: - return 'RootCAFor'; - case ActiveDirectoryRelationshipKind.DCFor: - return 'DCFor'; - case ActiveDirectoryRelationshipKind.PublishedTo: - return 'PublishedTo'; - case ActiveDirectoryRelationshipKind.ManageCertificates: - return 'ManageCertificates'; - case ActiveDirectoryRelationshipKind.ManageCA: - return 'ManageCA'; - case ActiveDirectoryRelationshipKind.DelegatedEnrollmentAgent: - return 
'DelegatedEnrollmentAgent'; - case ActiveDirectoryRelationshipKind.Enroll: - return 'Enroll'; - case ActiveDirectoryRelationshipKind.HostsCAService: - return 'HostsCAService'; - case ActiveDirectoryRelationshipKind.WritePKIEnrollmentFlag: - return 'WritePKIEnrollmentFlag'; - case ActiveDirectoryRelationshipKind.WritePKINameFlag: - return 'WritePKINameFlag'; - case ActiveDirectoryRelationshipKind.NTAuthStoreFor: - return 'NTAuthStoreFor'; - case ActiveDirectoryRelationshipKind.TrustedForNTAuth: - return 'TrustedForNTAuth'; - case ActiveDirectoryRelationshipKind.EnterpriseCAFor: - return 'EnterpriseCAFor'; - case ActiveDirectoryRelationshipKind.IssuedSignedBy: - return 'IssuedSignedBy'; - case ActiveDirectoryRelationshipKind.GoldenCert: - return 'GoldenCert'; - case ActiveDirectoryRelationshipKind.EnrollOnBehalfOf: - return 'EnrollOnBehalfOf'; - case ActiveDirectoryRelationshipKind.OIDGroupLink: - return 'OIDGroupLink'; - case ActiveDirectoryRelationshipKind.ExtendedByPolicy: - return 'ExtendedByPolicy'; - case ActiveDirectoryRelationshipKind.ADCSESC1: - return 'ADCSESC1'; - case ActiveDirectoryRelationshipKind.ADCSESC3: - return 'ADCSESC3'; - case ActiveDirectoryRelationshipKind.ADCSESC4: - return 'ADCSESC4'; - case ActiveDirectoryRelationshipKind.ADCSESC6a: - return 'ADCSESC6a'; - case ActiveDirectoryRelationshipKind.ADCSESC6b: - return 'ADCSESC6b'; - case ActiveDirectoryRelationshipKind.ADCSESC9a: - return 'ADCSESC9a'; - case ActiveDirectoryRelationshipKind.ADCSESC9b: - return 'ADCSESC9b'; - case ActiveDirectoryRelationshipKind.ADCSESC10a: - return 'ADCSESC10a'; - case ActiveDirectoryRelationshipKind.ADCSESC10b: - return 'ADCSESC10b'; - case ActiveDirectoryRelationshipKind.ADCSESC13: - return 'ADCSESC13'; - case ActiveDirectoryRelationshipKind.SyncedToEntraUser: - return 'SyncedToEntraUser'; - case ActiveDirectoryRelationshipKind.CoerceAndRelayNTLMToSMB: - return 'CoerceAndRelayNTLMToSMB'; - default: - return undefined; - } } -export type ActiveDirectoryKind = 
ActiveDirectoryNodeKind | ActiveDirectoryRelationshipKind; -export const EdgeCompositionRelationships = [ - 'GoldenCert', - 'ADCSESC1', - 'ADCSESC3', - 'ADCSESC4', - 'ADCSESC6a', - 'ADCSESC6b', - 'ADCSESC9a', - 'ADCSESC9b', - 'ADCSESC10a', - 'ADCSESC10b', - 'ADCSESC13', - 'CoerceAndRelayNTLMToSMB', -]; +export type ActiveDirectoryKind = ActiveDirectoryNodeKind|ActiveDirectoryRelationshipKind +export const EdgeCompositionRelationships = ['GoldenCert','ADCSESC1','ADCSESC3','ADCSESC4','ADCSESC6a','ADCSESC6b','ADCSESC9a','ADCSESC9b','ADCSESC10a','ADCSESC10b','ADCSESC13','CoerceAndRelayNTLMToSMB'] export enum ActiveDirectoryKindProperties { - AdminCount = 'admincount', - CASecurityCollected = 'casecuritycollected', - CAName = 'caname', - CertChain = 'certchain', - CertName = 'certname', - CertThumbprint = 'certthumbprint', - CertThumbprints = 'certthumbprints', - HasEnrollmentAgentRestrictions = 'hasenrollmentagentrestrictions', - EnrollmentAgentRestrictionsCollected = 'enrollmentagentrestrictionscollected', - IsUserSpecifiesSanEnabled = 'isuserspecifiessanenabled', - IsUserSpecifiesSanEnabledCollected = 'isuserspecifiessanenabledcollected', - RoleSeparationEnabled = 'roleseparationenabled', - RoleSeparationEnabledCollected = 'roleseparationenabledcollected', - HasBasicConstraints = 'hasbasicconstraints', - BasicConstraintPathLength = 'basicconstraintpathlength', - UnresolvedPublishedTemplates = 'unresolvedpublishedtemplates', - DNSHostname = 'dnshostname', - CrossCertificatePair = 'crosscertificatepair', - DistinguishedName = 'distinguishedname', - DomainFQDN = 'domain', - DomainSID = 'domainsid', - Sensitive = 'sensitive', - HighValue = 'highvalue', - BlocksInheritance = 'blocksinheritance', - IsACL = 'isacl', - IsACLProtected = 'isaclprotected', - IsDeleted = 'isdeleted', - Enforced = 'enforced', - Department = 'department', - HasCrossCertificatePair = 'hascrosscertificatepair', - HasSPN = 'hasspn', - UnconstrainedDelegation = 'unconstraineddelegation', - LastLogon = 
'lastlogon', - LastLogonTimestamp = 'lastlogontimestamp', - IsPrimaryGroup = 'isprimarygroup', - HasLAPS = 'haslaps', - DontRequirePreAuth = 'dontreqpreauth', - LogonType = 'logontype', - HasURA = 'hasura', - PasswordNeverExpires = 'pwdneverexpires', - PasswordNotRequired = 'passwordnotreqd', - FunctionalLevel = 'functionallevel', - TrustType = 'trusttype', - SidFiltering = 'sidfiltering', - TrustedToAuth = 'trustedtoauth', - SamAccountName = 'samaccountname', - CertificateMappingMethodsRaw = 'certificatemappingmethodsraw', - CertificateMappingMethods = 'certificatemappingmethods', - StrongCertificateBindingEnforcementRaw = 'strongcertificatebindingenforcementraw', - StrongCertificateBindingEnforcement = 'strongcertificatebindingenforcement', - EKUs = 'ekus', - SubjectAltRequireUPN = 'subjectaltrequireupn', - SubjectAltRequireDNS = 'subjectaltrequiredns', - SubjectAltRequireDomainDNS = 'subjectaltrequiredomaindns', - SubjectAltRequireEmail = 'subjectaltrequireemail', - SubjectAltRequireSPN = 'subjectaltrequirespn', - SubjectRequireEmail = 'subjectrequireemail', - AuthorizedSignatures = 'authorizedsignatures', - ApplicationPolicies = 'applicationpolicies', - IssuancePolicies = 'issuancepolicies', - SchemaVersion = 'schemaversion', - RequiresManagerApproval = 'requiresmanagerapproval', - AuthenticationEnabled = 'authenticationenabled', - SchannelAuthenticationEnabled = 'schannelauthenticationenabled', - EnrolleeSuppliesSubject = 'enrolleesuppliessubject', - CertificateApplicationPolicy = 'certificateapplicationpolicy', - CertificateNameFlag = 'certificatenameflag', - EffectiveEKUs = 'effectiveekus', - EnrollmentFlag = 'enrollmentflag', - Flags = 'flags', - NoSecurityExtension = 'nosecurityextension', - RenewalPeriod = 'renewalperiod', - ValidityPeriod = 'validityperiod', - OID = 'oid', - HomeDirectory = 'homedirectory', - CertificatePolicy = 'certificatepolicy', - CertTemplateOID = 'certtemplateoid', - GroupLinkID = 'grouplinkid', - ObjectGUID = 'objectguid', - 
ExpirePasswordsOnSmartCardOnlyAccounts = 'expirepasswordsonsmartcardonlyaccounts', - MachineAccountQuota = 'machineaccountquota', - SupportedKerberosEncryptionTypes = 'supportedencryptiontypes', - TGTDelegationEnabled = 'tgtdelegationenabled', - PasswordStoredUsingReversibleEncryption = 'encryptedtextpwdallowed', - SmartcardRequired = 'smartcardrequired', - UseDESKeyOnly = 'usedeskeyonly', - LogonScriptEnabled = 'logonscriptenabled', - LockedOut = 'lockedout', - UserCannotChangePassword = 'passwordcantchange', - PasswordExpired = 'passwordexpired', - DSHeuristics = 'dsheuristics', - UserAccountControl = 'useraccountcontrol', - TrustAttributes = 'trustattributes', - MinPwdLength = 'minpwdlength', - PwdProperties = 'pwdproperties', - PwdHistoryLength = 'pwdhistorylength', - LockoutThreshold = 'lockoutthreshold', - MinPwdAge = 'minpwdage', - MaxPwdAge = 'maxpwdage', - LockoutDuration = 'lockoutduration', - LockoutObservationWindow = 'lockoutobservationwindow', - SMBSigning = 'smbsigning', - RestrictOutboundNTLM = 'restrictoutboundntlm', +AdminCount = 'admincount', +CASecurityCollected = 'casecuritycollected', +CAName = 'caname', +CertChain = 'certchain', +CertName = 'certname', +CertThumbprint = 'certthumbprint', +CertThumbprints = 'certthumbprints', +HasEnrollmentAgentRestrictions = 'hasenrollmentagentrestrictions', +EnrollmentAgentRestrictionsCollected = 'enrollmentagentrestrictionscollected', +IsUserSpecifiesSanEnabled = 'isuserspecifiessanenabled', +IsUserSpecifiesSanEnabledCollected = 'isuserspecifiessanenabledcollected', +RoleSeparationEnabled = 'roleseparationenabled', +RoleSeparationEnabledCollected = 'roleseparationenabledcollected', +HasBasicConstraints = 'hasbasicconstraints', +BasicConstraintPathLength = 'basicconstraintpathlength', +UnresolvedPublishedTemplates = 'unresolvedpublishedtemplates', +DNSHostname = 'dnshostname', +CrossCertificatePair = 'crosscertificatepair', +DistinguishedName = 'distinguishedname', +DomainFQDN = 'domain', +DomainSID = 
'domainsid', +Sensitive = 'sensitive', +HighValue = 'highvalue', +BlocksInheritance = 'blocksinheritance', +IsACL = 'isacl', +IsACLProtected = 'isaclprotected', +IsDeleted = 'isdeleted', +Enforced = 'enforced', +Department = 'department', +HasCrossCertificatePair = 'hascrosscertificatepair', +HasSPN = 'hasspn', +UnconstrainedDelegation = 'unconstraineddelegation', +LastLogon = 'lastlogon', +LastLogonTimestamp = 'lastlogontimestamp', +IsPrimaryGroup = 'isprimarygroup', +HasLAPS = 'haslaps', +DontRequirePreAuth = 'dontreqpreauth', +LogonType = 'logontype', +HasURA = 'hasura', +PasswordNeverExpires = 'pwdneverexpires', +PasswordNotRequired = 'passwordnotreqd', +FunctionalLevel = 'functionallevel', +TrustType = 'trusttype', +SidFiltering = 'sidfiltering', +TrustedToAuth = 'trustedtoauth', +SamAccountName = 'samaccountname', +CertificateMappingMethodsRaw = 'certificatemappingmethodsraw', +CertificateMappingMethods = 'certificatemappingmethods', +StrongCertificateBindingEnforcementRaw = 'strongcertificatebindingenforcementraw', +StrongCertificateBindingEnforcement = 'strongcertificatebindingenforcement', +EKUs = 'ekus', +SubjectAltRequireUPN = 'subjectaltrequireupn', +SubjectAltRequireDNS = 'subjectaltrequiredns', +SubjectAltRequireDomainDNS = 'subjectaltrequiredomaindns', +SubjectAltRequireEmail = 'subjectaltrequireemail', +SubjectAltRequireSPN = 'subjectaltrequirespn', +SubjectRequireEmail = 'subjectrequireemail', +AuthorizedSignatures = 'authorizedsignatures', +ApplicationPolicies = 'applicationpolicies', +IssuancePolicies = 'issuancepolicies', +SchemaVersion = 'schemaversion', +RequiresManagerApproval = 'requiresmanagerapproval', +AuthenticationEnabled = 'authenticationenabled', +SchannelAuthenticationEnabled = 'schannelauthenticationenabled', +EnrolleeSuppliesSubject = 'enrolleesuppliessubject', +CertificateApplicationPolicy = 'certificateapplicationpolicy', +CertificateNameFlag = 'certificatenameflag', +EffectiveEKUs = 'effectiveekus', +EnrollmentFlag = 
'enrollmentflag', +Flags = 'flags', +NoSecurityExtension = 'nosecurityextension', +RenewalPeriod = 'renewalperiod', +ValidityPeriod = 'validityperiod', +OID = 'oid', +HomeDirectory = 'homedirectory', +CertificatePolicy = 'certificatepolicy', +CertTemplateOID = 'certtemplateoid', +GroupLinkID = 'grouplinkid', +ObjectGUID = 'objectguid', +ExpirePasswordsOnSmartCardOnlyAccounts = 'expirepasswordsonsmartcardonlyaccounts', +MachineAccountQuota = 'machineaccountquota', +SupportedKerberosEncryptionTypes = 'supportedencryptiontypes', +TGTDelegationEnabled = 'tgtdelegationenabled', +PasswordStoredUsingReversibleEncryption = 'encryptedtextpwdallowed', +SmartcardRequired = 'smartcardrequired', +UseDESKeyOnly = 'usedeskeyonly', +LogonScriptEnabled = 'logonscriptenabled', +LockedOut = 'lockedout', +UserCannotChangePassword = 'passwordcantchange', +PasswordExpired = 'passwordexpired', +DSHeuristics = 'dsheuristics', +UserAccountControl = 'useraccountcontrol', +TrustAttributes = 'trustattributes', +MinPwdLength = 'minpwdlength', +PwdProperties = 'pwdproperties', +PwdHistoryLength = 'pwdhistorylength', +LockoutThreshold = 'lockoutthreshold', +MinPwdAge = 'minpwdage', +MaxPwdAge = 'maxpwdage', +LockoutDuration = 'lockoutduration', +LockoutObservationWindow = 'lockoutobservationwindow', +OwnerSid = 'ownersid', +SMBSigning = 'smbsigning', +RestrictOutboundNTLM = 'restrictoutboundntlm', +GMSA = 'gmsa', +MSA = 'msa', +DoesAnyAceGrantOwnerRights = 'doesanyacegrantownerrights', +DoesAnyInheritedAceGrantOwnerRights = 'doesanyinheritedacegrantownerrights', } -export function ActiveDirectoryKindPropertiesToDisplay(value: ActiveDirectoryKindProperties): string | undefined { - switch (value) { - case ActiveDirectoryKindProperties.AdminCount: - return 'Admin Count'; - case ActiveDirectoryKindProperties.CASecurityCollected: - return 'CA Security Collected'; - case ActiveDirectoryKindProperties.CAName: - return 'CA Name'; - case ActiveDirectoryKindProperties.CertChain: - return 'Certificate 
Chain'; - case ActiveDirectoryKindProperties.CertName: - return 'Certificate Name'; - case ActiveDirectoryKindProperties.CertThumbprint: - return 'Certificate Thumbprint'; - case ActiveDirectoryKindProperties.CertThumbprints: - return 'Certificate Thumbprints'; - case ActiveDirectoryKindProperties.HasEnrollmentAgentRestrictions: - return 'Has Enrollment Agent Restrictions'; - case ActiveDirectoryKindProperties.EnrollmentAgentRestrictionsCollected: - return 'Enrollment Agent Restrictions Collected'; - case ActiveDirectoryKindProperties.IsUserSpecifiesSanEnabled: - return 'Is User Specifies San Enabled'; - case ActiveDirectoryKindProperties.IsUserSpecifiesSanEnabledCollected: - return 'Is User Specifies San Enabled Collected'; - case ActiveDirectoryKindProperties.RoleSeparationEnabled: - return 'Role Separation Enabled'; - case ActiveDirectoryKindProperties.RoleSeparationEnabledCollected: - return 'Role Separation Enabled Collected'; - case ActiveDirectoryKindProperties.HasBasicConstraints: - return 'Has Basic Constraints'; - case ActiveDirectoryKindProperties.BasicConstraintPathLength: - return 'Basic Constraint Path Length'; - case ActiveDirectoryKindProperties.UnresolvedPublishedTemplates: - return 'Unresolved Published Certificate Templates'; - case ActiveDirectoryKindProperties.DNSHostname: - return 'DNS Hostname'; - case ActiveDirectoryKindProperties.CrossCertificatePair: - return 'Cross Certificate Pair'; - case ActiveDirectoryKindProperties.DistinguishedName: - return 'Distinguished Name'; - case ActiveDirectoryKindProperties.DomainFQDN: - return 'Domain FQDN'; - case ActiveDirectoryKindProperties.DomainSID: - return 'Domain SID'; - case ActiveDirectoryKindProperties.Sensitive: - return 'Marked Sensitive'; - case ActiveDirectoryKindProperties.HighValue: - return 'High Value'; - case ActiveDirectoryKindProperties.BlocksInheritance: - return 'Blocks GPO Inheritance'; - case ActiveDirectoryKindProperties.IsACL: - return 'Is ACL'; - case 
ActiveDirectoryKindProperties.IsACLProtected: - return 'ACL Inheritance Denied'; - case ActiveDirectoryKindProperties.IsDeleted: - return 'Is Deleted'; - case ActiveDirectoryKindProperties.Enforced: - return 'Enforced'; - case ActiveDirectoryKindProperties.Department: - return 'Department'; - case ActiveDirectoryKindProperties.HasCrossCertificatePair: - return 'Has Cross Certificate Pair'; - case ActiveDirectoryKindProperties.HasSPN: - return 'Has SPN'; - case ActiveDirectoryKindProperties.UnconstrainedDelegation: - return 'Allows Unconstrained Delegation'; - case ActiveDirectoryKindProperties.LastLogon: - return 'Last Logon'; - case ActiveDirectoryKindProperties.LastLogonTimestamp: - return 'Last Logon (Replicated)'; - case ActiveDirectoryKindProperties.IsPrimaryGroup: - return 'Is Primary Group'; - case ActiveDirectoryKindProperties.HasLAPS: - return 'LAPS Enabled'; - case ActiveDirectoryKindProperties.DontRequirePreAuth: - return 'Do Not Require Pre-Authentication'; - case ActiveDirectoryKindProperties.LogonType: - return 'Logon Type'; - case ActiveDirectoryKindProperties.HasURA: - return 'Has User Rights Assignment Collection'; - case ActiveDirectoryKindProperties.PasswordNeverExpires: - return 'Password Never Expires'; - case ActiveDirectoryKindProperties.PasswordNotRequired: - return 'Password Not Required'; - case ActiveDirectoryKindProperties.FunctionalLevel: - return 'Functional Level'; - case ActiveDirectoryKindProperties.TrustType: - return 'Trust Type'; - case ActiveDirectoryKindProperties.SidFiltering: - return 'SID Filtering Enabled'; - case ActiveDirectoryKindProperties.TrustedToAuth: - return 'Trusted For Constrained Delegation'; - case ActiveDirectoryKindProperties.SamAccountName: - return 'SAM Account Name'; - case ActiveDirectoryKindProperties.CertificateMappingMethodsRaw: - return 'Certificate Mapping Methods (Raw)'; - case ActiveDirectoryKindProperties.CertificateMappingMethods: - return 'Certificate Mapping Methods'; - case 
ActiveDirectoryKindProperties.StrongCertificateBindingEnforcementRaw: - return 'Strong Certificate Binding Enforcement (Raw)'; - case ActiveDirectoryKindProperties.StrongCertificateBindingEnforcement: - return 'Strong Certificate Binding Enforcement'; - case ActiveDirectoryKindProperties.EKUs: - return 'Enhanced Key Usage'; - case ActiveDirectoryKindProperties.SubjectAltRequireUPN: - return 'Subject Alternative Name Require UPN'; - case ActiveDirectoryKindProperties.SubjectAltRequireDNS: - return 'Subject Alternative Name Require DNS'; - case ActiveDirectoryKindProperties.SubjectAltRequireDomainDNS: - return 'Subject Alternative Name Require Domain DNS'; - case ActiveDirectoryKindProperties.SubjectAltRequireEmail: - return 'Subject Alternative Name Require Email'; - case ActiveDirectoryKindProperties.SubjectAltRequireSPN: - return 'Subject Alternative Name Require SPN'; - case ActiveDirectoryKindProperties.SubjectRequireEmail: - return 'Subject Require Email'; - case ActiveDirectoryKindProperties.AuthorizedSignatures: - return 'Authorized Signatures Required'; - case ActiveDirectoryKindProperties.ApplicationPolicies: - return 'Application Policies Required'; - case ActiveDirectoryKindProperties.IssuancePolicies: - return 'Issuance Policies Required'; - case ActiveDirectoryKindProperties.SchemaVersion: - return 'Schema Version'; - case ActiveDirectoryKindProperties.RequiresManagerApproval: - return 'Requires Manager Approval'; - case ActiveDirectoryKindProperties.AuthenticationEnabled: - return 'Authentication Enabled'; - case ActiveDirectoryKindProperties.SchannelAuthenticationEnabled: - return 'Schannel Authentication Enabled'; - case ActiveDirectoryKindProperties.EnrolleeSuppliesSubject: - return 'Enrollee Supplies Subject'; - case ActiveDirectoryKindProperties.CertificateApplicationPolicy: - return 'Application Policy Extensions'; - case ActiveDirectoryKindProperties.CertificateNameFlag: - return 'Certificate Name Flags'; - case 
ActiveDirectoryKindProperties.EffectiveEKUs: - return 'Effective EKUs'; - case ActiveDirectoryKindProperties.EnrollmentFlag: - return 'Enrollment Flags'; - case ActiveDirectoryKindProperties.Flags: - return 'Flags'; - case ActiveDirectoryKindProperties.NoSecurityExtension: - return 'No Security Extension'; - case ActiveDirectoryKindProperties.RenewalPeriod: - return 'Renewal Period'; - case ActiveDirectoryKindProperties.ValidityPeriod: - return 'Validity Period'; - case ActiveDirectoryKindProperties.OID: - return 'OID'; - case ActiveDirectoryKindProperties.HomeDirectory: - return 'Home Directory'; - case ActiveDirectoryKindProperties.CertificatePolicy: - return 'Issuance Policy Extensions'; - case ActiveDirectoryKindProperties.CertTemplateOID: - return 'Certificate Template OID'; - case ActiveDirectoryKindProperties.GroupLinkID: - return 'Group Link ID'; - case ActiveDirectoryKindProperties.ObjectGUID: - return 'Object GUID'; - case ActiveDirectoryKindProperties.ExpirePasswordsOnSmartCardOnlyAccounts: - return 'Expire Passwords on Smart Card only Accounts'; - case ActiveDirectoryKindProperties.MachineAccountQuota: - return 'Machine Account Quota'; - case ActiveDirectoryKindProperties.SupportedKerberosEncryptionTypes: - return 'Supported Kerberos Encryption Types'; - case ActiveDirectoryKindProperties.TGTDelegationEnabled: - return 'TGT Delegation Enabled'; - case ActiveDirectoryKindProperties.PasswordStoredUsingReversibleEncryption: - return 'Password Stored Using Reversible Encryption'; - case ActiveDirectoryKindProperties.SmartcardRequired: - return 'Smartcard Required'; - case ActiveDirectoryKindProperties.UseDESKeyOnly: - return 'Use DES Key Only'; - case ActiveDirectoryKindProperties.LogonScriptEnabled: - return 'Logon Script Enabled'; - case ActiveDirectoryKindProperties.LockedOut: - return 'Locked Out'; - case ActiveDirectoryKindProperties.UserCannotChangePassword: - return 'User Cannot Change Password'; - case ActiveDirectoryKindProperties.PasswordExpired: 
- return 'Password Expired'; - case ActiveDirectoryKindProperties.DSHeuristics: - return 'DSHeuristics'; - case ActiveDirectoryKindProperties.UserAccountControl: - return 'User Account Control'; - case ActiveDirectoryKindProperties.TrustAttributes: - return 'Trust Attributes'; - case ActiveDirectoryKindProperties.MinPwdLength: - return 'Minimum password length'; - case ActiveDirectoryKindProperties.PwdProperties: - return 'Password Properties'; - case ActiveDirectoryKindProperties.PwdHistoryLength: - return 'Password History Length'; - case ActiveDirectoryKindProperties.LockoutThreshold: - return 'Lockout Threshold'; - case ActiveDirectoryKindProperties.MinPwdAge: - return 'Minimum Password Age'; - case ActiveDirectoryKindProperties.MaxPwdAge: - return 'Maximum Password Age'; - case ActiveDirectoryKindProperties.LockoutDuration: - return 'Lockout Duration'; - case ActiveDirectoryKindProperties.LockoutObservationWindow: - return 'Lockout Observation Window'; - case ActiveDirectoryKindProperties.SMBSigning: - return 'SMB Signing'; - case ActiveDirectoryKindProperties.RestrictOutboundNTLM: - return 'Restrict Outbound NTLM'; - default: - return undefined; - } +export function ActiveDirectoryKindPropertiesToDisplay (value : ActiveDirectoryKindProperties): string | undefined { +switch (value) { +case ActiveDirectoryKindProperties.AdminCount: +return 'Admin Count' +case ActiveDirectoryKindProperties.CASecurityCollected: +return 'CA Security Collected' +case ActiveDirectoryKindProperties.CAName: +return 'CA Name' +case ActiveDirectoryKindProperties.CertChain: +return 'Certificate Chain' +case ActiveDirectoryKindProperties.CertName: +return 'Certificate Name' +case ActiveDirectoryKindProperties.CertThumbprint: +return 'Certificate Thumbprint' +case ActiveDirectoryKindProperties.CertThumbprints: +return 'Certificate Thumbprints' +case ActiveDirectoryKindProperties.HasEnrollmentAgentRestrictions: +return 'Has Enrollment Agent Restrictions' +case 
ActiveDirectoryKindProperties.EnrollmentAgentRestrictionsCollected: +return 'Enrollment Agent Restrictions Collected' +case ActiveDirectoryKindProperties.IsUserSpecifiesSanEnabled: +return 'Is User Specifies San Enabled' +case ActiveDirectoryKindProperties.IsUserSpecifiesSanEnabledCollected: +return 'Is User Specifies San Enabled Collected' +case ActiveDirectoryKindProperties.RoleSeparationEnabled: +return 'Role Separation Enabled' +case ActiveDirectoryKindProperties.RoleSeparationEnabledCollected: +return 'Role Separation Enabled Collected' +case ActiveDirectoryKindProperties.HasBasicConstraints: +return 'Has Basic Constraints' +case ActiveDirectoryKindProperties.BasicConstraintPathLength: +return 'Basic Constraint Path Length' +case ActiveDirectoryKindProperties.UnresolvedPublishedTemplates: +return 'Unresolved Published Certificate Templates' +case ActiveDirectoryKindProperties.DNSHostname: +return 'DNS Hostname' +case ActiveDirectoryKindProperties.CrossCertificatePair: +return 'Cross Certificate Pair' +case ActiveDirectoryKindProperties.DistinguishedName: +return 'Distinguished Name' +case ActiveDirectoryKindProperties.DomainFQDN: +return 'Domain FQDN' +case ActiveDirectoryKindProperties.DomainSID: +return 'Domain SID' +case ActiveDirectoryKindProperties.Sensitive: +return 'Marked Sensitive' +case ActiveDirectoryKindProperties.HighValue: +return 'High Value' +case ActiveDirectoryKindProperties.BlocksInheritance: +return 'Blocks GPO Inheritance' +case ActiveDirectoryKindProperties.IsACL: +return 'Is ACL' +case ActiveDirectoryKindProperties.IsACLProtected: +return 'ACL Inheritance Denied' +case ActiveDirectoryKindProperties.IsDeleted: +return 'Is Deleted' +case ActiveDirectoryKindProperties.Enforced: +return 'Enforced' +case ActiveDirectoryKindProperties.Department: +return 'Department' +case ActiveDirectoryKindProperties.HasCrossCertificatePair: +return 'Has Cross Certificate Pair' +case ActiveDirectoryKindProperties.HasSPN: +return 'Has SPN' +case 
ActiveDirectoryKindProperties.UnconstrainedDelegation: +return 'Allows Unconstrained Delegation' +case ActiveDirectoryKindProperties.LastLogon: +return 'Last Logon' +case ActiveDirectoryKindProperties.LastLogonTimestamp: +return 'Last Logon (Replicated)' +case ActiveDirectoryKindProperties.IsPrimaryGroup: +return 'Is Primary Group' +case ActiveDirectoryKindProperties.HasLAPS: +return 'LAPS Enabled' +case ActiveDirectoryKindProperties.DontRequirePreAuth: +return 'Do Not Require Pre-Authentication' +case ActiveDirectoryKindProperties.LogonType: +return 'Logon Type' +case ActiveDirectoryKindProperties.HasURA: +return 'Has User Rights Assignment Collection' +case ActiveDirectoryKindProperties.PasswordNeverExpires: +return 'Password Never Expires' +case ActiveDirectoryKindProperties.PasswordNotRequired: +return 'Password Not Required' +case ActiveDirectoryKindProperties.FunctionalLevel: +return 'Functional Level' +case ActiveDirectoryKindProperties.TrustType: +return 'Trust Type' +case ActiveDirectoryKindProperties.SidFiltering: +return 'SID Filtering Enabled' +case ActiveDirectoryKindProperties.TrustedToAuth: +return 'Trusted For Constrained Delegation' +case ActiveDirectoryKindProperties.SamAccountName: +return 'SAM Account Name' +case ActiveDirectoryKindProperties.CertificateMappingMethodsRaw: +return 'Certificate Mapping Methods (Raw)' +case ActiveDirectoryKindProperties.CertificateMappingMethods: +return 'Certificate Mapping Methods' +case ActiveDirectoryKindProperties.StrongCertificateBindingEnforcementRaw: +return 'Strong Certificate Binding Enforcement (Raw)' +case ActiveDirectoryKindProperties.StrongCertificateBindingEnforcement: +return 'Strong Certificate Binding Enforcement' +case ActiveDirectoryKindProperties.EKUs: +return 'Enhanced Key Usage' +case ActiveDirectoryKindProperties.SubjectAltRequireUPN: +return 'Subject Alternative Name Require UPN' +case ActiveDirectoryKindProperties.SubjectAltRequireDNS: +return 'Subject Alternative Name Require DNS' +case 
ActiveDirectoryKindProperties.SubjectAltRequireDomainDNS: +return 'Subject Alternative Name Require Domain DNS' +case ActiveDirectoryKindProperties.SubjectAltRequireEmail: +return 'Subject Alternative Name Require Email' +case ActiveDirectoryKindProperties.SubjectAltRequireSPN: +return 'Subject Alternative Name Require SPN' +case ActiveDirectoryKindProperties.SubjectRequireEmail: +return 'Subject Require Email' +case ActiveDirectoryKindProperties.AuthorizedSignatures: +return 'Authorized Signatures Required' +case ActiveDirectoryKindProperties.ApplicationPolicies: +return 'Application Policies Required' +case ActiveDirectoryKindProperties.IssuancePolicies: +return 'Issuance Policies Required' +case ActiveDirectoryKindProperties.SchemaVersion: +return 'Schema Version' +case ActiveDirectoryKindProperties.RequiresManagerApproval: +return 'Requires Manager Approval' +case ActiveDirectoryKindProperties.AuthenticationEnabled: +return 'Authentication Enabled' +case ActiveDirectoryKindProperties.SchannelAuthenticationEnabled: +return 'Schannel Authentication Enabled' +case ActiveDirectoryKindProperties.EnrolleeSuppliesSubject: +return 'Enrollee Supplies Subject' +case ActiveDirectoryKindProperties.CertificateApplicationPolicy: +return 'Application Policy Extensions' +case ActiveDirectoryKindProperties.CertificateNameFlag: +return 'Certificate Name Flags' +case ActiveDirectoryKindProperties.EffectiveEKUs: +return 'Effective EKUs' +case ActiveDirectoryKindProperties.EnrollmentFlag: +return 'Enrollment Flags' +case ActiveDirectoryKindProperties.Flags: +return 'Flags' +case ActiveDirectoryKindProperties.NoSecurityExtension: +return 'No Security Extension' +case ActiveDirectoryKindProperties.RenewalPeriod: +return 'Renewal Period' +case ActiveDirectoryKindProperties.ValidityPeriod: +return 'Validity Period' +case ActiveDirectoryKindProperties.OID: +return 'OID' +case ActiveDirectoryKindProperties.HomeDirectory: +return 'Home Directory' +case 
ActiveDirectoryKindProperties.CertificatePolicy: +return 'Issuance Policy Extensions' +case ActiveDirectoryKindProperties.CertTemplateOID: +return 'Certificate Template OID' +case ActiveDirectoryKindProperties.GroupLinkID: +return 'Group Link ID' +case ActiveDirectoryKindProperties.ObjectGUID: +return 'Object GUID' +case ActiveDirectoryKindProperties.ExpirePasswordsOnSmartCardOnlyAccounts: +return 'Expire Passwords on Smart Card only Accounts' +case ActiveDirectoryKindProperties.MachineAccountQuota: +return 'Machine Account Quota' +case ActiveDirectoryKindProperties.SupportedKerberosEncryptionTypes: +return 'Supported Kerberos Encryption Types' +case ActiveDirectoryKindProperties.TGTDelegationEnabled: +return 'TGT Delegation Enabled' +case ActiveDirectoryKindProperties.PasswordStoredUsingReversibleEncryption: +return 'Password Stored Using Reversible Encryption' +case ActiveDirectoryKindProperties.SmartcardRequired: +return 'Smartcard Required' +case ActiveDirectoryKindProperties.UseDESKeyOnly: +return 'Use DES Key Only' +case ActiveDirectoryKindProperties.LogonScriptEnabled: +return 'Logon Script Enabled' +case ActiveDirectoryKindProperties.LockedOut: +return 'Locked Out' +case ActiveDirectoryKindProperties.UserCannotChangePassword: +return 'User Cannot Change Password' +case ActiveDirectoryKindProperties.PasswordExpired: +return 'Password Expired' +case ActiveDirectoryKindProperties.DSHeuristics: +return 'DSHeuristics' +case ActiveDirectoryKindProperties.UserAccountControl: +return 'User Account Control' +case ActiveDirectoryKindProperties.TrustAttributes: +return 'Trust Attributes' +case ActiveDirectoryKindProperties.MinPwdLength: +return 'Minimum password length' +case ActiveDirectoryKindProperties.PwdProperties: +return 'Password Properties' +case ActiveDirectoryKindProperties.PwdHistoryLength: +return 'Password History Length' +case ActiveDirectoryKindProperties.LockoutThreshold: +return 'Lockout Threshold' +case ActiveDirectoryKindProperties.MinPwdAge: 
+return 'Minimum Password Age' +case ActiveDirectoryKindProperties.MaxPwdAge: +return 'Maximum Password Age' +case ActiveDirectoryKindProperties.LockoutDuration: +return 'Lockout Duration' +case ActiveDirectoryKindProperties.LockoutObservationWindow: +return 'Lockout Observation Window' +case ActiveDirectoryKindProperties.OwnerSid: +return 'Owner SID' +case ActiveDirectoryKindProperties.SMBSigning: +return 'SMB Signing' +case ActiveDirectoryKindProperties.RestrictOutboundNTLM: +return 'Restrict Outbound NTLM' +case ActiveDirectoryKindProperties.GMSA: +return 'GMSA' +case ActiveDirectoryKindProperties.MSA: +return 'MSA' +case ActiveDirectoryKindProperties.DoesAnyAceGrantOwnerRights: +return 'Does Any ACE Grant Owner Rights' +case ActiveDirectoryKindProperties.DoesAnyInheritedAceGrantOwnerRights: +return 'Does Any Inherited ACE Grant Owner Rights' +default: +return undefined } -export function ActiveDirectoryPathfindingEdges(): ActiveDirectoryRelationshipKind[] { - return [ - ActiveDirectoryRelationshipKind.Owns, - ActiveDirectoryRelationshipKind.GenericAll, - ActiveDirectoryRelationshipKind.GenericWrite, - ActiveDirectoryRelationshipKind.WriteOwner, - ActiveDirectoryRelationshipKind.WriteDACL, - ActiveDirectoryRelationshipKind.MemberOf, - ActiveDirectoryRelationshipKind.ForceChangePassword, - ActiveDirectoryRelationshipKind.AllExtendedRights, - ActiveDirectoryRelationshipKind.AddMember, - ActiveDirectoryRelationshipKind.HasSession, - ActiveDirectoryRelationshipKind.GPLink, - ActiveDirectoryRelationshipKind.AllowedToDelegate, - ActiveDirectoryRelationshipKind.CoerceToTGT, - ActiveDirectoryRelationshipKind.AllowedToAct, - ActiveDirectoryRelationshipKind.AdminTo, - ActiveDirectoryRelationshipKind.CanPSRemote, - ActiveDirectoryRelationshipKind.CanRDP, - ActiveDirectoryRelationshipKind.ExecuteDCOM, - ActiveDirectoryRelationshipKind.HasSIDHistory, - ActiveDirectoryRelationshipKind.AddSelf, - ActiveDirectoryRelationshipKind.DCSync, - 
ActiveDirectoryRelationshipKind.ReadLAPSPassword, - ActiveDirectoryRelationshipKind.ReadGMSAPassword, - ActiveDirectoryRelationshipKind.DumpSMSAPassword, - ActiveDirectoryRelationshipKind.SQLAdmin, - ActiveDirectoryRelationshipKind.AddAllowedToAct, - ActiveDirectoryRelationshipKind.WriteSPN, - ActiveDirectoryRelationshipKind.AddKeyCredentialLink, - ActiveDirectoryRelationshipKind.SyncLAPSPassword, - ActiveDirectoryRelationshipKind.WriteAccountRestrictions, - ActiveDirectoryRelationshipKind.WriteGPLink, - ActiveDirectoryRelationshipKind.GoldenCert, - ActiveDirectoryRelationshipKind.ADCSESC1, - ActiveDirectoryRelationshipKind.ADCSESC3, - ActiveDirectoryRelationshipKind.ADCSESC4, - ActiveDirectoryRelationshipKind.ADCSESC6a, - ActiveDirectoryRelationshipKind.ADCSESC6b, - ActiveDirectoryRelationshipKind.ADCSESC9a, - ActiveDirectoryRelationshipKind.ADCSESC9b, - ActiveDirectoryRelationshipKind.ADCSESC10a, - ActiveDirectoryRelationshipKind.ADCSESC10b, - ActiveDirectoryRelationshipKind.ADCSESC13, - ActiveDirectoryRelationshipKind.SyncedToEntraUser, - ActiveDirectoryRelationshipKind.CoerceAndRelayNTLMToSMB, - ActiveDirectoryRelationshipKind.Contains, - ActiveDirectoryRelationshipKind.DCFor, - ActiveDirectoryRelationshipKind.TrustedBy, - ]; +} +export function ActiveDirectoryPathfindingEdges (): ActiveDirectoryRelationshipKind[] { +return 
[ActiveDirectoryRelationshipKind.Owns,ActiveDirectoryRelationshipKind.GenericAll,ActiveDirectoryRelationshipKind.GenericWrite,ActiveDirectoryRelationshipKind.WriteOwner,ActiveDirectoryRelationshipKind.WriteDACL,ActiveDirectoryRelationshipKind.MemberOf,ActiveDirectoryRelationshipKind.ForceChangePassword,ActiveDirectoryRelationshipKind.AllExtendedRights,ActiveDirectoryRelationshipKind.AddMember,ActiveDirectoryRelationshipKind.HasSession,ActiveDirectoryRelationshipKind.GPLink,ActiveDirectoryRelationshipKind.AllowedToDelegate,ActiveDirectoryRelationshipKind.CoerceToTGT,ActiveDirectoryRelationshipKind.AllowedToAct,ActiveDirectoryRelationshipKind.AdminTo,ActiveDirectoryRelationshipKind.CanPSRemote,ActiveDirectoryRelationshipKind.CanRDP,ActiveDirectoryRelationshipKind.ExecuteDCOM,ActiveDirectoryRelationshipKind.HasSIDHistory,ActiveDirectoryRelationshipKind.AddSelf,ActiveDirectoryRelationshipKind.DCSync,ActiveDirectoryRelationshipKind.ReadLAPSPassword,ActiveDirectoryRelationshipKind.ReadGMSAPassword,ActiveDirectoryRelationshipKind.DumpSMSAPassword,ActiveDirectoryRelationshipKind.SQLAdmin,ActiveDirectoryRelationshipKind.AddAllowedToAct,ActiveDirectoryRelationshipKind.WriteSPN,ActiveDirectoryRelationshipKind.AddKeyCredentialLink,ActiveDirectoryRelationshipKind.SyncLAPSPassword,ActiveDirectoryRelationshipKind.WriteAccountRestrictions,ActiveDirectoryRelationshipKind.WriteGPLink,ActiveDirectoryRelationshipKind.GoldenCert,ActiveDirectoryRelationshipKind.ADCSESC1,ActiveDirectoryRelationshipKind.ADCSESC3,ActiveDirectoryRelationshipKind.ADCSESC4,ActiveDirectoryRelationshipKind.ADCSESC6a,ActiveDirectoryRelationshipKind.ADCSESC6b,ActiveDirectoryRelationshipKind.ADCSESC9a,ActiveDirectoryRelationshipKind.ADCSESC9b,ActiveDirectoryRelationshipKind.ADCSESC10a,ActiveDirectoryRelationshipKind.ADCSESC10b,ActiveDirectoryRelationshipKind.ADCSESC13,ActiveDirectoryRelationshipKind.SyncedToEntraUser,ActiveDirectoryRelationshipKind.CoerceAndRelayNTLMToSMB,ActiveDirectoryRelationshipKind.WriteOwnerL
imitedRights,ActiveDirectoryRelationshipKind.OwnsLimitedRights,ActiveDirectoryRelationshipKind.Contains,ActiveDirectoryRelationshipKind.DCFor,ActiveDirectoryRelationshipKind.TrustedBy] } export enum AzureNodeKind { - Entity = 'AZBase', - VMScaleSet = 'AZVMScaleSet', - App = 'AZApp', - Role = 'AZRole', - Device = 'AZDevice', - FunctionApp = 'AZFunctionApp', - Group = 'AZGroup', - KeyVault = 'AZKeyVault', - ManagementGroup = 'AZManagementGroup', - ResourceGroup = 'AZResourceGroup', - ServicePrincipal = 'AZServicePrincipal', - Subscription = 'AZSubscription', - Tenant = 'AZTenant', - User = 'AZUser', - VM = 'AZVM', - ManagedCluster = 'AZManagedCluster', - ContainerRegistry = 'AZContainerRegistry', - WebApp = 'AZWebApp', - LogicApp = 'AZLogicApp', - AutomationAccount = 'AZAutomationAccount', +Entity = 'AZBase', +VMScaleSet = 'AZVMScaleSet', +App = 'AZApp', +Role = 'AZRole', +Device = 'AZDevice', +FunctionApp = 'AZFunctionApp', +Group = 'AZGroup', +KeyVault = 'AZKeyVault', +ManagementGroup = 'AZManagementGroup', +ResourceGroup = 'AZResourceGroup', +ServicePrincipal = 'AZServicePrincipal', +Subscription = 'AZSubscription', +Tenant = 'AZTenant', +User = 'AZUser', +VM = 'AZVM', +ManagedCluster = 'AZManagedCluster', +ContainerRegistry = 'AZContainerRegistry', +WebApp = 'AZWebApp', +LogicApp = 'AZLogicApp', +AutomationAccount = 'AZAutomationAccount', +} +export function AzureNodeKindToDisplay (value : AzureNodeKind): string | undefined { +switch (value) { +case AzureNodeKind.Entity: +return 'Entity' +case AzureNodeKind.VMScaleSet: +return 'VMScaleSet' +case AzureNodeKind.App: +return 'App' +case AzureNodeKind.Role: +return 'Role' +case AzureNodeKind.Device: +return 'Device' +case AzureNodeKind.FunctionApp: +return 'FunctionApp' +case AzureNodeKind.Group: +return 'Group' +case AzureNodeKind.KeyVault: +return 'KeyVault' +case AzureNodeKind.ManagementGroup: +return 'ManagementGroup' +case AzureNodeKind.ResourceGroup: +return 'ResourceGroup' +case AzureNodeKind.ServicePrincipal: 
+return 'ServicePrincipal' +case AzureNodeKind.Subscription: +return 'Subscription' +case AzureNodeKind.Tenant: +return 'Tenant' +case AzureNodeKind.User: +return 'User' +case AzureNodeKind.VM: +return 'VM' +case AzureNodeKind.ManagedCluster: +return 'ManagedCluster' +case AzureNodeKind.ContainerRegistry: +return 'ContainerRegistry' +case AzureNodeKind.WebApp: +return 'WebApp' +case AzureNodeKind.LogicApp: +return 'LogicApp' +case AzureNodeKind.AutomationAccount: +return 'AutomationAccount' +default: +return undefined } -export function AzureNodeKindToDisplay(value: AzureNodeKind): string | undefined { - switch (value) { - case AzureNodeKind.Entity: - return 'Entity'; - case AzureNodeKind.VMScaleSet: - return 'VMScaleSet'; - case AzureNodeKind.App: - return 'App'; - case AzureNodeKind.Role: - return 'Role'; - case AzureNodeKind.Device: - return 'Device'; - case AzureNodeKind.FunctionApp: - return 'FunctionApp'; - case AzureNodeKind.Group: - return 'Group'; - case AzureNodeKind.KeyVault: - return 'KeyVault'; - case AzureNodeKind.ManagementGroup: - return 'ManagementGroup'; - case AzureNodeKind.ResourceGroup: - return 'ResourceGroup'; - case AzureNodeKind.ServicePrincipal: - return 'ServicePrincipal'; - case AzureNodeKind.Subscription: - return 'Subscription'; - case AzureNodeKind.Tenant: - return 'Tenant'; - case AzureNodeKind.User: - return 'User'; - case AzureNodeKind.VM: - return 'VM'; - case AzureNodeKind.ManagedCluster: - return 'ManagedCluster'; - case AzureNodeKind.ContainerRegistry: - return 'ContainerRegistry'; - case AzureNodeKind.WebApp: - return 'WebApp'; - case AzureNodeKind.LogicApp: - return 'LogicApp'; - case AzureNodeKind.AutomationAccount: - return 'AutomationAccount'; - default: - return undefined; - } } export enum AzureRelationshipKind { - AvereContributor = 'AZAvereContributor', - Contains = 'AZContains', - Contributor = 'AZContributor', - GetCertificates = 'AZGetCertificates', - GetKeys = 'AZGetKeys', - GetSecrets = 'AZGetSecrets', - HasRole = 
'AZHasRole', - MemberOf = 'AZMemberOf', - Owner = 'AZOwner', - RunsAs = 'AZRunsAs', - VMContributor = 'AZVMContributor', - AutomationContributor = 'AZAutomationContributor', - KeyVaultContributor = 'AZKeyVaultContributor', - VMAdminLogin = 'AZVMAdminLogin', - AddMembers = 'AZAddMembers', - AddSecret = 'AZAddSecret', - ExecuteCommand = 'AZExecuteCommand', - GlobalAdmin = 'AZGlobalAdmin', - PrivilegedAuthAdmin = 'AZPrivilegedAuthAdmin', - Grant = 'AZGrant', - GrantSelf = 'AZGrantSelf', - PrivilegedRoleAdmin = 'AZPrivilegedRoleAdmin', - ResetPassword = 'AZResetPassword', - UserAccessAdministrator = 'AZUserAccessAdministrator', - Owns = 'AZOwns', - ScopedTo = 'AZScopedTo', - CloudAppAdmin = 'AZCloudAppAdmin', - AppAdmin = 'AZAppAdmin', - AddOwner = 'AZAddOwner', - ManagedIdentity = 'AZManagedIdentity', - ApplicationReadWriteAll = 'AZMGApplication_ReadWrite_All', - AppRoleAssignmentReadWriteAll = 'AZMGAppRoleAssignment_ReadWrite_All', - DirectoryReadWriteAll = 'AZMGDirectory_ReadWrite_All', - GroupReadWriteAll = 'AZMGGroup_ReadWrite_All', - GroupMemberReadWriteAll = 'AZMGGroupMember_ReadWrite_All', - RoleManagementReadWriteDirectory = 'AZMGRoleManagement_ReadWrite_Directory', - ServicePrincipalEndpointReadWriteAll = 'AZMGServicePrincipalEndpoint_ReadWrite_All', - AKSContributor = 'AZAKSContributor', - NodeResourceGroup = 'AZNodeResourceGroup', - WebsiteContributor = 'AZWebsiteContributor', - LogicAppContributor = 'AZLogicAppContributor', - AZMGAddMember = 'AZMGAddMember', - AZMGAddOwner = 'AZMGAddOwner', - AZMGAddSecret = 'AZMGAddSecret', - AZMGGrantAppRoles = 'AZMGGrantAppRoles', - AZMGGrantRole = 'AZMGGrantRole', - SyncedToADUser = 'SyncedToADUser', +AvereContributor = 'AZAvereContributor', +Contains = 'AZContains', +Contributor = 'AZContributor', +GetCertificates = 'AZGetCertificates', +GetKeys = 'AZGetKeys', +GetSecrets = 'AZGetSecrets', +HasRole = 'AZHasRole', +MemberOf = 'AZMemberOf', +Owner = 'AZOwner', +RunsAs = 'AZRunsAs', +VMContributor = 'AZVMContributor', 
+AutomationContributor = 'AZAutomationContributor', +KeyVaultContributor = 'AZKeyVaultContributor', +VMAdminLogin = 'AZVMAdminLogin', +AddMembers = 'AZAddMembers', +AddSecret = 'AZAddSecret', +ExecuteCommand = 'AZExecuteCommand', +GlobalAdmin = 'AZGlobalAdmin', +PrivilegedAuthAdmin = 'AZPrivilegedAuthAdmin', +Grant = 'AZGrant', +GrantSelf = 'AZGrantSelf', +PrivilegedRoleAdmin = 'AZPrivilegedRoleAdmin', +ResetPassword = 'AZResetPassword', +UserAccessAdministrator = 'AZUserAccessAdministrator', +Owns = 'AZOwns', +ScopedTo = 'AZScopedTo', +CloudAppAdmin = 'AZCloudAppAdmin', +AppAdmin = 'AZAppAdmin', +AddOwner = 'AZAddOwner', +ManagedIdentity = 'AZManagedIdentity', +ApplicationReadWriteAll = 'AZMGApplication_ReadWrite_All', +AppRoleAssignmentReadWriteAll = 'AZMGAppRoleAssignment_ReadWrite_All', +DirectoryReadWriteAll = 'AZMGDirectory_ReadWrite_All', +GroupReadWriteAll = 'AZMGGroup_ReadWrite_All', +GroupMemberReadWriteAll = 'AZMGGroupMember_ReadWrite_All', +RoleManagementReadWriteDirectory = 'AZMGRoleManagement_ReadWrite_Directory', +ServicePrincipalEndpointReadWriteAll = 'AZMGServicePrincipalEndpoint_ReadWrite_All', +AKSContributor = 'AZAKSContributor', +NodeResourceGroup = 'AZNodeResourceGroup', +WebsiteContributor = 'AZWebsiteContributor', +LogicAppContributor = 'AZLogicAppContributor', +AZMGAddMember = 'AZMGAddMember', +AZMGAddOwner = 'AZMGAddOwner', +AZMGAddSecret = 'AZMGAddSecret', +AZMGGrantAppRoles = 'AZMGGrantAppRoles', +AZMGGrantRole = 'AZMGGrantRole', +SyncedToADUser = 'SyncedToADUser', } -export function AzureRelationshipKindToDisplay(value: AzureRelationshipKind): string | undefined { - switch (value) { - case AzureRelationshipKind.AvereContributor: - return 'AvereContributor'; - case AzureRelationshipKind.Contains: - return 'Contains'; - case AzureRelationshipKind.Contributor: - return 'Contributor'; - case AzureRelationshipKind.GetCertificates: - return 'GetCertificates'; - case AzureRelationshipKind.GetKeys: - return 'GetKeys'; - case 
AzureRelationshipKind.GetSecrets: - return 'GetSecrets'; - case AzureRelationshipKind.HasRole: - return 'HasRole'; - case AzureRelationshipKind.MemberOf: - return 'MemberOf'; - case AzureRelationshipKind.Owner: - return 'Owner'; - case AzureRelationshipKind.RunsAs: - return 'RunsAs'; - case AzureRelationshipKind.VMContributor: - return 'VMContributor'; - case AzureRelationshipKind.AutomationContributor: - return 'AutomationContributor'; - case AzureRelationshipKind.KeyVaultContributor: - return 'KeyVaultContributor'; - case AzureRelationshipKind.VMAdminLogin: - return 'VMAdminLogin'; - case AzureRelationshipKind.AddMembers: - return 'AddMembers'; - case AzureRelationshipKind.AddSecret: - return 'AddSecret'; - case AzureRelationshipKind.ExecuteCommand: - return 'ExecuteCommand'; - case AzureRelationshipKind.GlobalAdmin: - return 'GlobalAdmin'; - case AzureRelationshipKind.PrivilegedAuthAdmin: - return 'PrivilegedAuthAdmin'; - case AzureRelationshipKind.Grant: - return 'Grant'; - case AzureRelationshipKind.GrantSelf: - return 'GrantSelf'; - case AzureRelationshipKind.PrivilegedRoleAdmin: - return 'PrivilegedRoleAdmin'; - case AzureRelationshipKind.ResetPassword: - return 'ResetPassword'; - case AzureRelationshipKind.UserAccessAdministrator: - return 'UserAccessAdministrator'; - case AzureRelationshipKind.Owns: - return 'Owns'; - case AzureRelationshipKind.ScopedTo: - return 'ScopedTo'; - case AzureRelationshipKind.CloudAppAdmin: - return 'CloudAppAdmin'; - case AzureRelationshipKind.AppAdmin: - return 'AppAdmin'; - case AzureRelationshipKind.AddOwner: - return 'AddOwner'; - case AzureRelationshipKind.ManagedIdentity: - return 'ManagedIdentity'; - case AzureRelationshipKind.ApplicationReadWriteAll: - return 'ApplicationReadWriteAll'; - case AzureRelationshipKind.AppRoleAssignmentReadWriteAll: - return 'AppRoleAssignmentReadWriteAll'; - case AzureRelationshipKind.DirectoryReadWriteAll: - return 'DirectoryReadWriteAll'; - case AzureRelationshipKind.GroupReadWriteAll: - 
return 'GroupReadWriteAll'; - case AzureRelationshipKind.GroupMemberReadWriteAll: - return 'GroupMemberReadWriteAll'; - case AzureRelationshipKind.RoleManagementReadWriteDirectory: - return 'RoleManagementReadWriteDirectory'; - case AzureRelationshipKind.ServicePrincipalEndpointReadWriteAll: - return 'ServicePrincipalEndpointReadWriteAll'; - case AzureRelationshipKind.AKSContributor: - return 'AKSContributor'; - case AzureRelationshipKind.NodeResourceGroup: - return 'NodeResourceGroup'; - case AzureRelationshipKind.WebsiteContributor: - return 'WebsiteContributor'; - case AzureRelationshipKind.LogicAppContributor: - return 'LogicAppContributor'; - case AzureRelationshipKind.AZMGAddMember: - return 'AZMGAddMember'; - case AzureRelationshipKind.AZMGAddOwner: - return 'AZMGAddOwner'; - case AzureRelationshipKind.AZMGAddSecret: - return 'AZMGAddSecret'; - case AzureRelationshipKind.AZMGGrantAppRoles: - return 'AZMGGrantAppRoles'; - case AzureRelationshipKind.AZMGGrantRole: - return 'AZMGGrantRole'; - case AzureRelationshipKind.SyncedToADUser: - return 'SyncedToADUser'; - default: - return undefined; - } +export function AzureRelationshipKindToDisplay (value : AzureRelationshipKind): string | undefined { +switch (value) { +case AzureRelationshipKind.AvereContributor: +return 'AvereContributor' +case AzureRelationshipKind.Contains: +return 'Contains' +case AzureRelationshipKind.Contributor: +return 'Contributor' +case AzureRelationshipKind.GetCertificates: +return 'GetCertificates' +case AzureRelationshipKind.GetKeys: +return 'GetKeys' +case AzureRelationshipKind.GetSecrets: +return 'GetSecrets' +case AzureRelationshipKind.HasRole: +return 'HasRole' +case AzureRelationshipKind.MemberOf: +return 'MemberOf' +case AzureRelationshipKind.Owner: +return 'Owner' +case AzureRelationshipKind.RunsAs: +return 'RunsAs' +case AzureRelationshipKind.VMContributor: +return 'VMContributor' +case AzureRelationshipKind.AutomationContributor: +return 'AutomationContributor' +case 
AzureRelationshipKind.KeyVaultContributor: +return 'KeyVaultContributor' +case AzureRelationshipKind.VMAdminLogin: +return 'VMAdminLogin' +case AzureRelationshipKind.AddMembers: +return 'AddMembers' +case AzureRelationshipKind.AddSecret: +return 'AddSecret' +case AzureRelationshipKind.ExecuteCommand: +return 'ExecuteCommand' +case AzureRelationshipKind.GlobalAdmin: +return 'GlobalAdmin' +case AzureRelationshipKind.PrivilegedAuthAdmin: +return 'PrivilegedAuthAdmin' +case AzureRelationshipKind.Grant: +return 'Grant' +case AzureRelationshipKind.GrantSelf: +return 'GrantSelf' +case AzureRelationshipKind.PrivilegedRoleAdmin: +return 'PrivilegedRoleAdmin' +case AzureRelationshipKind.ResetPassword: +return 'ResetPassword' +case AzureRelationshipKind.UserAccessAdministrator: +return 'UserAccessAdministrator' +case AzureRelationshipKind.Owns: +return 'Owns' +case AzureRelationshipKind.ScopedTo: +return 'ScopedTo' +case AzureRelationshipKind.CloudAppAdmin: +return 'CloudAppAdmin' +case AzureRelationshipKind.AppAdmin: +return 'AppAdmin' +case AzureRelationshipKind.AddOwner: +return 'AddOwner' +case AzureRelationshipKind.ManagedIdentity: +return 'ManagedIdentity' +case AzureRelationshipKind.ApplicationReadWriteAll: +return 'ApplicationReadWriteAll' +case AzureRelationshipKind.AppRoleAssignmentReadWriteAll: +return 'AppRoleAssignmentReadWriteAll' +case AzureRelationshipKind.DirectoryReadWriteAll: +return 'DirectoryReadWriteAll' +case AzureRelationshipKind.GroupReadWriteAll: +return 'GroupReadWriteAll' +case AzureRelationshipKind.GroupMemberReadWriteAll: +return 'GroupMemberReadWriteAll' +case AzureRelationshipKind.RoleManagementReadWriteDirectory: +return 'RoleManagementReadWriteDirectory' +case AzureRelationshipKind.ServicePrincipalEndpointReadWriteAll: +return 'ServicePrincipalEndpointReadWriteAll' +case AzureRelationshipKind.AKSContributor: +return 'AKSContributor' +case AzureRelationshipKind.NodeResourceGroup: +return 'NodeResourceGroup' +case 
AzureRelationshipKind.WebsiteContributor: +return 'WebsiteContributor' +case AzureRelationshipKind.LogicAppContributor: +return 'LogicAppContributor' +case AzureRelationshipKind.AZMGAddMember: +return 'AZMGAddMember' +case AzureRelationshipKind.AZMGAddOwner: +return 'AZMGAddOwner' +case AzureRelationshipKind.AZMGAddSecret: +return 'AZMGAddSecret' +case AzureRelationshipKind.AZMGGrantAppRoles: +return 'AZMGGrantAppRoles' +case AzureRelationshipKind.AZMGGrantRole: +return 'AZMGGrantRole' +case AzureRelationshipKind.SyncedToADUser: +return 'SyncedToADUser' +default: +return undefined } -export type AzureKind = AzureNodeKind | AzureRelationshipKind; +} +export type AzureKind = AzureNodeKind|AzureRelationshipKind export enum AzureKindProperties { - AppOwnerOrganizationID = 'appownerorganizationid', - AppDescription = 'appdescription', - AppDisplayName = 'appdisplayname', - ServicePrincipalType = 'serviceprincipaltype', - UserType = 'usertype', - TenantID = 'tenantid', - ServicePrincipalID = 'service_principal_id', - ServicePrincipalNames = 'service_principal_names', - OperatingSystemVersion = 'operatingsystemversion', - TrustType = 'trustype', - IsBuiltIn = 'isbuiltin', - AppID = 'appid', - AppRoleID = 'approleid', - DeviceID = 'deviceid', - NodeResourceGroupID = 'noderesourcegroupid', - OnPremID = 'onpremid', - OnPremSyncEnabled = 'onpremsyncenabled', - SecurityEnabled = 'securityenabled', - SecurityIdentifier = 'securityidentifier', - EnableRBACAuthorization = 'enablerbacauthorization', - Scope = 'scope', - Offer = 'offer', - MFAEnabled = 'mfaenabled', - License = 'license', - Licenses = 'licenses', - LoginURL = 'loginurl', - MFAEnforced = 'mfaenforced', - UserPrincipalName = 'userprincipalname', - IsAssignableToRole = 'isassignabletorole', - PublisherDomain = 'publisherdomain', - SignInAudience = 'signinaudience', - RoleTemplateID = 'templateid', +AppOwnerOrganizationID = 'appownerorganizationid', +AppDescription = 'appdescription', +AppDisplayName = 
'appdisplayname', +ServicePrincipalType = 'serviceprincipaltype', +UserType = 'usertype', +TenantID = 'tenantid', +ServicePrincipalID = 'service_principal_id', +ServicePrincipalNames = 'service_principal_names', +OperatingSystemVersion = 'operatingsystemversion', +TrustType = 'trustype', +IsBuiltIn = 'isbuiltin', +AppID = 'appid', +AppRoleID = 'approleid', +DeviceID = 'deviceid', +NodeResourceGroupID = 'noderesourcegroupid', +OnPremID = 'onpremid', +OnPremSyncEnabled = 'onpremsyncenabled', +SecurityEnabled = 'securityenabled', +SecurityIdentifier = 'securityidentifier', +EnableRBACAuthorization = 'enablerbacauthorization', +Scope = 'scope', +Offer = 'offer', +MFAEnabled = 'mfaenabled', +License = 'license', +Licenses = 'licenses', +LoginURL = 'loginurl', +MFAEnforced = 'mfaenforced', +UserPrincipalName = 'userprincipalname', +IsAssignableToRole = 'isassignabletorole', +PublisherDomain = 'publisherdomain', +SignInAudience = 'signinaudience', +RoleTemplateID = 'templateid', +} +export function AzureKindPropertiesToDisplay (value : AzureKindProperties): string | undefined { +switch (value) { +case AzureKindProperties.AppOwnerOrganizationID: +return 'App Owner Organization ID' +case AzureKindProperties.AppDescription: +return 'App Description' +case AzureKindProperties.AppDisplayName: +return 'App Display Name' +case AzureKindProperties.ServicePrincipalType: +return 'Service Principal Type' +case AzureKindProperties.UserType: +return 'User Type' +case AzureKindProperties.TenantID: +return 'Tenant ID' +case AzureKindProperties.ServicePrincipalID: +return 'Service Principal ID' +case AzureKindProperties.ServicePrincipalNames: +return 'Service Principal Names' +case AzureKindProperties.OperatingSystemVersion: +return 'Operating System Version' +case AzureKindProperties.TrustType: +return 'Trust Type' +case AzureKindProperties.IsBuiltIn: +return 'Is Built In' +case AzureKindProperties.AppID: +return 'App ID' +case AzureKindProperties.AppRoleID: +return 'App Role ID' +case 
AzureKindProperties.DeviceID: +return 'Device ID' +case AzureKindProperties.NodeResourceGroupID: +return 'Node Resource Group ID' +case AzureKindProperties.OnPremID: +return 'On Prem ID' +case AzureKindProperties.OnPremSyncEnabled: +return 'On Prem Sync Enabled' +case AzureKindProperties.SecurityEnabled: +return 'Security Enabled' +case AzureKindProperties.SecurityIdentifier: +return 'Security Identifier' +case AzureKindProperties.EnableRBACAuthorization: +return 'RBAC Authorization Enabled' +case AzureKindProperties.Scope: +return 'Scope' +case AzureKindProperties.Offer: +return 'Offer' +case AzureKindProperties.MFAEnabled: +return 'MFA Enabled' +case AzureKindProperties.License: +return 'License' +case AzureKindProperties.Licenses: +return 'Licenses' +case AzureKindProperties.LoginURL: +return 'Login URL' +case AzureKindProperties.MFAEnforced: +return 'MFA Enforced' +case AzureKindProperties.UserPrincipalName: +return 'User Principal Name' +case AzureKindProperties.IsAssignableToRole: +return 'Is Role Assignable' +case AzureKindProperties.PublisherDomain: +return 'Publisher Domain' +case AzureKindProperties.SignInAudience: +return 'Sign In Audience' +case AzureKindProperties.RoleTemplateID: +return 'Role Template ID' +default: +return undefined } -export function AzureKindPropertiesToDisplay(value: AzureKindProperties): string | undefined { - switch (value) { - case AzureKindProperties.AppOwnerOrganizationID: - return 'App Owner Organization ID'; - case AzureKindProperties.AppDescription: - return 'App Description'; - case AzureKindProperties.AppDisplayName: - return 'App Display Name'; - case AzureKindProperties.ServicePrincipalType: - return 'Service Principal Type'; - case AzureKindProperties.UserType: - return 'User Type'; - case AzureKindProperties.TenantID: - return 'Tenant ID'; - case AzureKindProperties.ServicePrincipalID: - return 'Service Principal ID'; - case AzureKindProperties.ServicePrincipalNames: - return 'Service Principal Names'; - case 
AzureKindProperties.OperatingSystemVersion: - return 'Operating System Version'; - case AzureKindProperties.TrustType: - return 'Trust Type'; - case AzureKindProperties.IsBuiltIn: - return 'Is Built In'; - case AzureKindProperties.AppID: - return 'App ID'; - case AzureKindProperties.AppRoleID: - return 'App Role ID'; - case AzureKindProperties.DeviceID: - return 'Device ID'; - case AzureKindProperties.NodeResourceGroupID: - return 'Node Resource Group ID'; - case AzureKindProperties.OnPremID: - return 'On Prem ID'; - case AzureKindProperties.OnPremSyncEnabled: - return 'On Prem Sync Enabled'; - case AzureKindProperties.SecurityEnabled: - return 'Security Enabled'; - case AzureKindProperties.SecurityIdentifier: - return 'Security Identifier'; - case AzureKindProperties.EnableRBACAuthorization: - return 'RBAC Authorization Enabled'; - case AzureKindProperties.Scope: - return 'Scope'; - case AzureKindProperties.Offer: - return 'Offer'; - case AzureKindProperties.MFAEnabled: - return 'MFA Enabled'; - case AzureKindProperties.License: - return 'License'; - case AzureKindProperties.Licenses: - return 'Licenses'; - case AzureKindProperties.LoginURL: - return 'Login URL'; - case AzureKindProperties.MFAEnforced: - return 'MFA Enforced'; - case AzureKindProperties.UserPrincipalName: - return 'User Principal Name'; - case AzureKindProperties.IsAssignableToRole: - return 'Is Role Assignable'; - case AzureKindProperties.PublisherDomain: - return 'Publisher Domain'; - case AzureKindProperties.SignInAudience: - return 'Sign In Audience'; - case AzureKindProperties.RoleTemplateID: - return 'Role Template ID'; - default: - return undefined; - } } -export function AzurePathfindingEdges(): AzureRelationshipKind[] { - return [ - AzureRelationshipKind.AvereContributor, - AzureRelationshipKind.Contributor, - AzureRelationshipKind.GetCertificates, - AzureRelationshipKind.GetKeys, - AzureRelationshipKind.GetSecrets, - AzureRelationshipKind.HasRole, - AzureRelationshipKind.MemberOf, - 
AzureRelationshipKind.Owner, - AzureRelationshipKind.RunsAs, - AzureRelationshipKind.VMContributor, - AzureRelationshipKind.AutomationContributor, - AzureRelationshipKind.KeyVaultContributor, - AzureRelationshipKind.VMAdminLogin, - AzureRelationshipKind.AddMembers, - AzureRelationshipKind.AddSecret, - AzureRelationshipKind.ExecuteCommand, - AzureRelationshipKind.GlobalAdmin, - AzureRelationshipKind.PrivilegedAuthAdmin, - AzureRelationshipKind.Grant, - AzureRelationshipKind.GrantSelf, - AzureRelationshipKind.PrivilegedRoleAdmin, - AzureRelationshipKind.ResetPassword, - AzureRelationshipKind.UserAccessAdministrator, - AzureRelationshipKind.Owns, - AzureRelationshipKind.CloudAppAdmin, - AzureRelationshipKind.AppAdmin, - AzureRelationshipKind.AddOwner, - AzureRelationshipKind.ManagedIdentity, - AzureRelationshipKind.AKSContributor, - AzureRelationshipKind.NodeResourceGroup, - AzureRelationshipKind.WebsiteContributor, - AzureRelationshipKind.LogicAppContributor, - AzureRelationshipKind.AZMGAddMember, - AzureRelationshipKind.AZMGAddOwner, - AzureRelationshipKind.AZMGAddSecret, - AzureRelationshipKind.AZMGGrantAppRoles, - AzureRelationshipKind.AZMGGrantRole, - AzureRelationshipKind.SyncedToADUser, - AzureRelationshipKind.Contains, - ]; +export function AzurePathfindingEdges (): AzureRelationshipKind[] { +return 
[AzureRelationshipKind.AvereContributor,AzureRelationshipKind.Contributor,AzureRelationshipKind.GetCertificates,AzureRelationshipKind.GetKeys,AzureRelationshipKind.GetSecrets,AzureRelationshipKind.HasRole,AzureRelationshipKind.MemberOf,AzureRelationshipKind.Owner,AzureRelationshipKind.RunsAs,AzureRelationshipKind.VMContributor,AzureRelationshipKind.AutomationContributor,AzureRelationshipKind.KeyVaultContributor,AzureRelationshipKind.VMAdminLogin,AzureRelationshipKind.AddMembers,AzureRelationshipKind.AddSecret,AzureRelationshipKind.ExecuteCommand,AzureRelationshipKind.GlobalAdmin,AzureRelationshipKind.PrivilegedAuthAdmin,AzureRelationshipKind.Grant,AzureRelationshipKind.GrantSelf,AzureRelationshipKind.PrivilegedRoleAdmin,AzureRelationshipKind.ResetPassword,AzureRelationshipKind.UserAccessAdministrator,AzureRelationshipKind.Owns,AzureRelationshipKind.CloudAppAdmin,AzureRelationshipKind.AppAdmin,AzureRelationshipKind.AddOwner,AzureRelationshipKind.ManagedIdentity,AzureRelationshipKind.AKSContributor,AzureRelationshipKind.NodeResourceGroup,AzureRelationshipKind.WebsiteContributor,AzureRelationshipKind.LogicAppContributor,AzureRelationshipKind.AZMGAddMember,AzureRelationshipKind.AZMGAddOwner,AzureRelationshipKind.AZMGAddSecret,AzureRelationshipKind.AZMGGrantAppRoles,AzureRelationshipKind.AZMGGrantRole,AzureRelationshipKind.SyncedToADUser,AzureRelationshipKind.Contains] } export enum CommonNodeKind { - MigrationData = 'MigrationData', +MigrationData = 'MigrationData', +} +export function CommonNodeKindToDisplay (value : CommonNodeKind): string | undefined { +switch (value) { +case CommonNodeKind.MigrationData: +return 'MigrationData' +default: +return undefined } -export function CommonNodeKindToDisplay(value: CommonNodeKind): string | undefined { - switch (value) { - case CommonNodeKind.MigrationData: - return 'MigrationData'; - default: - return undefined; - } } export enum CommonKindProperties { - ObjectID = 'objectid', - Name = 'name', - DisplayName = 'displayname', 
- Description = 'description', - OwnerObjectID = 'owner_objectid', - Collected = 'collected', - OperatingSystem = 'operatingsystem', - SystemTags = 'system_tags', - UserTags = 'user_tags', - LastSeen = 'lastseen', - WhenCreated = 'whencreated', - Enabled = 'enabled', - PasswordLastSet = 'pwdlastset', - Title = 'title', - Email = 'email', - IsInherited = 'isinherited', +ObjectID = 'objectid', +Name = 'name', +DisplayName = 'displayname', +Description = 'description', +OwnerObjectID = 'owner_objectid', +Collected = 'collected', +OperatingSystem = 'operatingsystem', +SystemTags = 'system_tags', +UserTags = 'user_tags', +LastSeen = 'lastseen', +WhenCreated = 'whencreated', +Enabled = 'enabled', +PasswordLastSet = 'pwdlastset', +Title = 'title', +Email = 'email', +IsInherited = 'isinherited', } -export function CommonKindPropertiesToDisplay(value: CommonKindProperties): string | undefined { - switch (value) { - case CommonKindProperties.ObjectID: - return 'Object ID'; - case CommonKindProperties.Name: - return 'Name'; - case CommonKindProperties.DisplayName: - return 'Display Name'; - case CommonKindProperties.Description: - return 'Description'; - case CommonKindProperties.OwnerObjectID: - return 'Owner Object ID'; - case CommonKindProperties.Collected: - return 'Collected'; - case CommonKindProperties.OperatingSystem: - return 'Operating System'; - case CommonKindProperties.SystemTags: - return 'Node System Tags'; - case CommonKindProperties.UserTags: - return 'Node User Tags'; - case CommonKindProperties.LastSeen: - return 'Last Collected by BloodHound'; - case CommonKindProperties.WhenCreated: - return 'Created'; - case CommonKindProperties.Enabled: - return 'Enabled'; - case CommonKindProperties.PasswordLastSet: - return 'Password Last Set'; - case CommonKindProperties.Title: - return 'Title'; - case CommonKindProperties.Email: - return 'Email'; - case CommonKindProperties.IsInherited: - return 'Is Inherited'; - default: - return undefined; - } +export function 
CommonKindPropertiesToDisplay (value : CommonKindProperties): string | undefined { +switch (value) { +case CommonKindProperties.ObjectID: +return 'Object ID' +case CommonKindProperties.Name: +return 'Name' +case CommonKindProperties.DisplayName: +return 'Display Name' +case CommonKindProperties.Description: +return 'Description' +case CommonKindProperties.OwnerObjectID: +return 'Owner Object ID' +case CommonKindProperties.Collected: +return 'Collected' +case CommonKindProperties.OperatingSystem: +return 'Operating System' +case CommonKindProperties.SystemTags: +return 'Node System Tags' +case CommonKindProperties.UserTags: +return 'Node User Tags' +case CommonKindProperties.LastSeen: +return 'Last Collected by BloodHound' +case CommonKindProperties.WhenCreated: +return 'Created' +case CommonKindProperties.Enabled: +return 'Enabled' +case CommonKindProperties.PasswordLastSet: +return 'Password Last Set' +case CommonKindProperties.Title: +return 'Title' +case CommonKindProperties.Email: +return 'Email' +case CommonKindProperties.IsInherited: +return 'Is Inherited' +default: +return undefined } +} \ No newline at end of file