
Object Model

Macmod edited this page Feb 15, 2026 · 3 revisions

Flashingestor uses rigid types modeled after the official BloodHound CE format, defined in buildertypes.go. The fields of these types are defined below:

Note

Attribute(REMOTE): indicates attributes populated during remote collection only and merged during the conversion step.

BaseADObject

The main type that is embedded in other object types, as it contains attributes common to all objects.

Attributes:

  • ObjectIdentifier: Extracted using a three-tier fallback: first tries objectSid via entry.GetSID(), then falls back to objectGUID via entry.GetGUID(), and finally to the distinguished name (DN) if neither is available. Objects with objectSid (User, Group, Computer, Domain) use SID; objects without it (Container, OU, GPO, all PKI objects) use GUID.
  • Aces: Parsed from nTSecurityDescriptor binary attribute via ParseBinaryACL(), then resolved via ResolveACETypes(). Read ACL-Parsing for more information.
  • IsDeleted: Extracted from isDeleted LDAP attribute (check for "TRUE" value)
  • IsACLProtected: Determined from security descriptor control flags during ACL parsing
  • ContainedBy: Resolved from the parent DN via MemberCache; the Builtin container gets special handling, and domain objects get null because domains are root containers

Domain

Built by BuildDomainFromEntry() from the domain partition's root LDAP entry together with its trust entries.

Filter: (objectClass=domain)

Base attributes:

  • Trusts: Array of trust relationships parsed from trust LDAP entries (filter: objectClass=trustedDomain)
    • Each trust extracts: name, trustDirection, trustAttributes, securityIdentifier from LDAP attributes
    • Trust flags parsed via parseTrust() to determine type, transitivity, SID filtering, TGT delegation
  • Links: GPO links parsed from gPLink LDAP attribute via parseGPLinkString()
    • Each link resolved via MemberCache to get GPO GUID
    • Each GPLinkRef contains:
      • GUID: The GPO object identifier
      • IsEnforced: Boolean indicating if the link is enforced (from gPLink option == 2)
  • ChildObjects: Retrieved from ChildCache indexed by DN, converted to TypedPrincipal
  • GPOChanges(REMOTE): Populated during remote collection phase (GPOLocalGroup method)
    • AffectedComputers: Computers affected by GPO modifications
    • DcomUsers: Users granted DCOM rights via GPO
    • LocalAdmins: Users/groups granted local admin via GPO
    • PSRemoteUsers: Users granted PowerShell remoting rights via GPO
    • RemoteDesktopUsers: Users granted RDP rights via GPO
  • InheritanceHashes: Computed from security descriptor via GetInheritedAceHashes()
  • ForestRootIdentifier: Retrieved from DomainSIDCache using forest root name from BState().GetForestRoot()
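
As an added example (not Flashingestor's own parseGPLinkString()), a Go parser for the raw gPLink value that feeds the Links attribute of Domain and OU objects. It treats the link option as the MS-GPOL bit flags (0x1 disabled, 0x2 enforced), which agrees with the page's `option == 2` check for links that are not disabled, and it takes the GPO GUID from the cn={...} RDN instead of resolving the DN through MemberCache; both are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// GPLinkRef mirrors the shape described on this page (GUID plus enforcement),
// with an extra IsDisabled flag derived from option bit 0x1.
type GPLinkRef struct {
	GUID       string
	IsEnforced bool
	IsDisabled bool
}

// parseGPLink parses a raw gPLink attribute such as
//   [LDAP://cn={GUID},cn=policies,cn=system,DC=corp,DC=local;0][LDAP://...;2]
// into one GPLinkRef per bracketed entry. Resolving the DN via MemberCache
// is out of scope here; the GUID is read from the cn={...} RDN instead
// (assumption made for this example).
func parseGPLink(raw string) ([]GPLinkRef, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return nil, nil // no links is a valid and common state
	}
	var refs []GPLinkRef
	for _, part := range strings.Split(raw, "][") {
		part = strings.Trim(part, "[]")
		// The option sits after the LAST ';', so split from the right to be
		// robust against an escaped ';' inside the DN.
		sep := strings.LastIndex(part, ";")
		if sep < 0 {
			return nil, fmt.Errorf("gPLink entry without option field: %q", part)
		}
		dn := strings.TrimPrefix(part[:sep], "LDAP://")
		opt, err := strconv.Atoi(part[sep+1:])
		if err != nil {
			return nil, fmt.Errorf("bad gPLink option in %q: %w", part, err)
		}
		guid, err := guidFromPolicyDN(dn)
		if err != nil {
			return nil, err
		}
		refs = append(refs, GPLinkRef{
			GUID:       guid,
			IsEnforced: opt&2 != 0, // 0x2 = enforced; the page's "== 2" for non-disabled links
			IsDisabled: opt&1 != 0, // 0x1 = link disabled
		})
	}
	return refs, nil
}

// guidFromPolicyDN extracts the brace-delimited GUID from the first RDN of a
// GPO DN, e.g. "cn={31B2F340-...},cn=policies,..." -> "31B2F340-...".
func guidFromPolicyDN(dn string) (string, error) {
	start := strings.Index(dn, "{")
	end := strings.Index(dn, "}")
	if start < 0 || end < start {
		return "", fmt.Errorf("no GUID RDN in %q", dn)
	}
	return strings.ToUpper(dn[start+1 : end]), nil
}

func main() {
	// Constructed sample value: one GPO linked normally and a second one
	// linked as enforced.
	sample := "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=corp,DC=local;0]" +
		"[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=corp,DC=local;2]"
	refs, err := parseGPLink(sample)
	if err != nil {
		panic(err)
	}
	for _, r := range refs {
		fmt.Printf("%s enforced=%v disabled=%v\n", r.GUID, r.IsEnforced, r.IsDisabled)
	}
}
```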

Properties:

  • Domain: Extracted from DN via GetDomainFromDN() and uppercased
  • DistinguishedName: Uppercased DN from LDAP entry
  • DomainSID: Extracted from objectSid via GetSID()
  • Description: Extracted from description LDAP attribute
  • WhenCreated: Extracted from whenCreated LDAP attribute, formatted via FormatTime1()
  • Name: Same as Domain (uppercased domain name)
  • FunctionalLevel: Extracted from msDS-Behavior-Version LDAP attribute, mapped via FUNCTIONAL_LEVELS map
  • HighValue: Hardcoded true (all domains are high-value targets)
  • IsACLProtected: Copied from BaseADObject
  • Collected: Hardcoded true
  • DoesAnyAceGrantOwnerRights: Computed from ACE list by checking for owner rights SID
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list by checking inherited ACEs for owner rights SID

User

Built by BuildUserFromEntry() from user LDAP entries.

Filter: (|(&(objectCategory=person)(objectClass=user))(objectClass=msDS-ManagedServiceAccount)(objectClass=msDS-GroupManagedServiceAccount))

Base attributes:

  • AllowedToDelegate: Array of computers user can delegate to, resolved from msDS-AllowedToDelegateTo via ResolveSpn()
  • UnconstrainedDelegation: Copied from Properties
  • PrimaryGroupSID: Constructed from domain SID + primaryGroupID LDAP attribute
  • HasSIDHistory: Array of principals from sIDHistory, resolved via ResolveSID()
  • SPNTargets: Parsed from servicePrincipalName, filtering for MSSQL SPNs to create SQLAdmin privileges
  • DomainSID: Extracted from objectSid by removing RID

Properties:

  • Domain: Extracted from DN via GetDomainFromDN()
  • DistinguishedName: Uppercased DN
  • DomainSID: Derived from objectSid by removing RID component
  • Description: Extracted from description LDAP attribute
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed as sAMAccountName@DOMAIN (uppercased)
  • SAMAccountName: Extracted from sAMAccountName LDAP attribute
  • IsACLProtected: Copied from BaseADObject
  • Sensitive: Bit flag check on userAccountControl (UAC & 0x00100000)
  • DontReqPreauth: Bit flag check on UAC (UAC & 0x00400000)
  • PasswordNotReqd: Bit flag check on UAC (UAC & 0x00000020)
  • UnconstrainedDelegation: Bit flag check on UAC (UAC & 0x00080000)
  • PwdNeverExpires: Bit flag check on UAC (UAC & 0x00010000)
  • Enabled: Bit flag check on UAC (!(UAC & 2))
  • TrustedToAuth: Bit flag check on UAC (UAC & 0x01000000)
  • LastLogon: Extracted from lastLogon, formatted via FormatTime2() (Windows FILETIME)
  • LastLogonTimestamp: Extracted from lastLogonTimestamp, formatted via FormatTime2(), defaults to -1 if 0
  • PwdLastSet: Extracted from pwdLastSet, formatted via FormatTime2()
  • ServicePrincipalNames: Extracted from servicePrincipalName multi-value LDAP attribute
  • HasSPN: Computed as len(ServicePrincipalNames) > 0
  • DisplayName: Extracted from displayName LDAP attribute
  • Email: Extracted from mail LDAP attribute
  • Title: Extracted from title LDAP attribute
  • HomeDirectory: Extracted from homeDirectory LDAP attribute
  • UserPassword: Extracted from userPassword LDAP attribute
  • UnixPassword: Extracted from unixUserPassword LDAP attribute
  • UnicodePassword: Extracted from unicodePwd LDAP attribute
  • SFUPassword: Extracted from msSFU30Password LDAP attribute
  • LogonScript: Extracted from scriptPath LDAP attribute
  • AllowedToDelegate: Extracted from msDS-AllowedToDelegateTo multi-value LDAP attribute
  • AdminCount: Extracted from adminCount LDAP attribute (check for "1")
  • SIDHistory: Extracted from sIDHistory multi-value LDAP attribute
  • AdminSDHolderProtected: Computed by comparing security descriptor hash with AdminSDHolder hash via IsAdminSDHolderProtected()
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list

Group

Built by BuildGroupFromEntry() from group LDAP entries.

Filter: (objectClass=group)

Base attributes:

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed as sAMAccountName@DOMAIN (uppercased)
  • SAMAccountName: Extracted from sAMAccountName LDAP attribute
  • IsACLProtected: Copied from BaseADObject
  • AdminCount: Extracted from adminCount (check for "1")
  • HighValue: Computed via isHighValue() checking for well-known high-value SIDs (ends with -512, -516, -519, or matches S-1-5-32-(544|548|549|550|551))
  • SIDHistory: Extracted from sIDHistory multi-value attribute
  • AdminSDHolderProtected: Computed by comparing security descriptor hash with AdminSDHolder hash
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list
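
An added Go example, not the project's code, covering the string-SID derivations described on this page: DomainSID from objectSid with the RID removed (User and Computer sections), PrimaryGroupSID from the domain SID plus primaryGroupID, and the isHighValue() rule for groups stated above. String-form SIDs are assumed as input.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// builtinHighValue matches the BUILTIN aliases this page lists for the Group
// HighValue check: Administrators (544), Account Operators (548), Server
// Operators (549), Print Operators (550) and Backup Operators (551).
var builtinHighValue = regexp.MustCompile(`^S-1-5-32-(544|548|549|550|551)$`)

// domainHighValueRIDs are the domain-relative RIDs the page lists:
// Domain Admins (512), Domain Controllers (516), Enterprise Admins (519).
var domainHighValueRIDs = map[string]bool{"512": true, "516": true, "519": true}

// splitRID separates a string SID into its prefix and trailing RID:
// "S-1-5-21-1-2-3-1105" -> ("S-1-5-21-1-2-3", "1105").
func splitRID(sid string) (prefix, rid string, ok bool) {
	i := strings.LastIndex(sid, "-")
	if i <= 0 || i == len(sid)-1 {
		return "", "", false
	}
	return sid[:i], sid[i+1:], true
}

// domainSIDFromObjectSID is the "objectSid minus RID" derivation used for the
// User and Computer DomainSID. Only domain SIDs (S-1-5-21-<3 sub-authorities>)
// carry a domain prefix; well-known SIDs such as S-1-5-32-544 yield "".
func domainSIDFromObjectSID(objectSid string) string {
	if !strings.HasPrefix(objectSid, "S-1-5-21-") {
		return ""
	}
	prefix, _, ok := splitRID(objectSid)
	if !ok || strings.Count(prefix, "-") != 6 { // S-1-5-21-a-b-c has six dashes
		return ""
	}
	return prefix
}

// primaryGroupSID builds PrimaryGroupSID from the domain SID and the
// primaryGroupID attribute (e.g. "513" = Domain Users, "515" = Domain Computers).
func primaryGroupSID(domainSID, primaryGroupID string) string {
	if domainSID == "" || primaryGroupID == "" {
		return ""
	}
	return domainSID + "-" + primaryGroupID
}

// isHighValue mirrors the Group HighValue rule on this page: the SID ends in
// -512, -516 or -519, or is one of the listed BUILTIN aliases.
func isHighValue(sid string) bool {
	if builtinHighValue.MatchString(sid) {
		return true
	}
	_, rid, ok := splitRID(sid)
	return ok && domainHighValueRIDs[rid]
}

func main() {
	// Constructed sample domain and principals.
	objectSid := "S-1-5-21-3623811015-3361044348-30300820-1105"
	domain := domainSIDFromObjectSID(objectSid)
	fmt.Println(domain, primaryGroupSID(domain, "513"))
	for _, g := range []string{domain + "-512", "S-1-5-32-544", "S-1-5-32-545", objectSid} {
		fmt.Println(g, isHighValue(g))
	}
}
```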

Container

Built by BuildContainerFromEntry() from container LDAP entries.

Filter: (&(!(objectClass=groupPolicyContainer))(objectClass=container))

Base attributes:

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed from name or cn LDAP attribute + @DOMAIN (uppercased)
  • HighValue: Hardcoded false
  • IsACLProtected: Copied from BaseADObject
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list

Certain containers are filtered out via IsFilteredContainer().

OU

Built by BuildOUFromEntry() from OU LDAP entries.

Filter: (objectClass=organizationalUnit)

Base attributes:

  • Links: GPO links parsed from gPLink LDAP attribute via parseGPLinkString(), resolved via MemberCache
    • Each GPLinkRef contains:
      • GUID: The GPO object identifier
      • IsEnforced: Boolean indicating if the link is enforced (from gPLink option == 2)
  • ChildObjects: Retrieved from ChildCache indexed by DN
  • GPOChanges(REMOTE): Populated during remote collection (GPOLocalGroup method)
    • AffectedComputers: Computers affected by GPO modifications
    • DcomUsers: Users granted DCOM rights via GPO
    • LocalAdmins: Users/groups granted local admin via GPO
    • PSRemoteUsers: Users granted PowerShell remoting rights via GPO
    • RemoteDesktopUsers: Users granted RDP rights via GPO
  • InheritanceHashes: Computed from security descriptor via GetInheritedAceHashes()

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed from name or ou LDAP attribute + @DOMAIN (uppercased)
  • IsACLProtected: Copied from BaseADObject
  • HighValue: Hardcoded false
  • BlocksInheritance: Extracted from gPOptions LDAP attribute (check for "1")
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list

GPO

Built by BuildGPOFromEntry() from GPO LDAP entries.

Filter: (objectCategory=groupPolicyContainer)

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed from displayName LDAP attribute + @DOMAIN (uppercased)
  • IsACLProtected: Copied from BaseADObject
  • GPCPath: Extracted from gPCFileSysPath LDAP attribute (uppercased), points to SYSVOL location
  • HighValue: Hardcoded false
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list

CertTemplate

Built by BuildCertTemplateFromEntry() from certificate template LDAP entries found in the Configuration partition.

Filter: (objectClass=pKICertificateTemplate) (applied during conversion from Configuration partition entries collected with (objectClass=*))

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Extracted from name LDAP attribute
  • ValidityPeriod: Parsed from the pKIExpirationPeriod binary attribute via ConvertPKIPeriod() (converts 100-nanosecond intervals to a human-readable duration)
  • RenewalPeriod: Parsed from pKIOverlapPeriod binary attribute via ConvertPKIPeriod()
  • SchemaVersion: Extracted from msPKI-Template-Schema-Version as uint32
  • DisplayName: Extracted from displayName LDAP attribute
  • OID: Extracted from msPKI-Cert-Template-OID LDAP attribute
  • EnrollmentFlag: Parsed from msPKI-Enrollment-Flag as bitfield, converted to string via parseFlagsToString()
  • RequiresManagerApproval: Bit check on enrollment flag (PEND_ALL_REQUESTS)
  • NoSecurityExtension: Bit check on enrollment flag (NO_SECURITY_EXTENSION)
  • CertificateNameFlag: Parsed from msPKI-Certificate-Name-Flag as bitfield, converted to string
  • EnrolleeSuppliesSubject: Bit check on name flag (ENROLLEE_SUPPLIES_SUBJECT)
  • SubjectAltRequireUPN: Bit check on name flag (SUBJECT_ALT_REQUIRE_UPN)
  • SubjectAltRequireDNS: Bit check on name flag (SUBJECT_ALT_REQUIRE_DNS)
  • SubjectAltRequireDomainDNS: Bit check on name flag (SUBJECT_ALT_REQUIRE_DOMAIN_DNS)
  • SubjectAltRequireEmail: Bit check on name flag (SUBJECT_ALT_REQUIRE_EMAIL)
  • SubjectAltRequireSPN: Bit check on name flag (SUBJECT_ALT_REQUIRE_SPN)
  • SubjectRequireEmail: Bit check on name flag (SUBJECT_REQUIRE_EMAIL)
  • EKUs: Extracted from pKIExtendedKeyUsage multi-value LDAP attribute (OID strings)
  • CertificateApplicationPolicy: Extracted from msPKI-Certificate-Application-Policy multi-value attribute
  • CertificatePolicy: Extracted from msPKI-Certificate-Policy multi-value attribute
  • AuthorizedSignatures: Extracted from msPKI-RA-Signature as int64
  • ApplicationPolicies: Parsed from msPKI-Certificate-Application-Policy via ParseCertTemplateApplicationPolicies() (handles backtick-delimited format based on schema version)
  • IssuancePolicies: Extracted from msPKI-RA-Application-Policies multi-value attribute
  • EffectiveEKUs: Computed based on schema version (v1 uses EKUs, v2+ uses CertificateApplicationPolicy)
  • AuthenticationEnabled: Computed by checking if EffectiveEKUs intersects with authentication OIDs or is empty
  • SchannelAuthenticationEnabled: Computed by checking if EffectiveEKUs intersects with Schannel OIDs or is empty
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list
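
An added Go example, not the project's ConvertPKIPeriod() or EKU code, showing the two derived CertTemplate computations described above: decoding the pKIExpirationPeriod / pKIOverlapPeriod value, assumed to be the Windows encoding of an 8-byte little-endian negative count of 100-nanosecond intervals, and the EffectiveEKUs, AuthenticationEnabled and SchannelAuthenticationEnabled rules. The OID sets are well-known values assumed here because the page does not list them.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Authentication-capable EKU OIDs. The page names the check but not the
// OIDs, so these well-known values are an assumption of this example.
var authenticationOIDs = map[string]bool{
	"1.3.6.1.5.5.7.3.2":      true, // Client Authentication
	"1.3.6.1.5.2.3.4":        true, // PKINIT Client Authentication
	"1.3.6.1.4.1.311.20.2.2": true, // Smart Card Logon
	"2.5.29.37.0":            true, // Any Purpose
}

// Schannel subset (Client Authentication, Any Purpose); also assumed here.
var schannelOIDs = map[string]bool{"1.3.6.1.5.5.7.3.2": true, "2.5.29.37.0": true}

// convertPKIPeriod decodes pKIExpirationPeriod / pKIOverlapPeriod, stored
// as an 8-byte little-endian negative int64 counting 100-nanosecond
// intervals, into the years/months/weeks/days/hours form the page calls
// "human-readable". A positive value is malformed and rejected.
func convertPKIPeriod(b []byte) (string, error) {
	if len(b) != 8 {
		return "", fmt.Errorf("expected 8 bytes, got %d", len(b))
	}
	v := int64(binary.LittleEndian.Uint64(b))
	if v > 0 {
		return "", fmt.Errorf("PKI period must be negative, got %d", v)
	}
	secs := -v / 10_000_000
	units := []struct {
		name string
		secs int64
	}{{"year", 365 * 86400}, {"month", 30 * 86400}, {"week", 7 * 86400}, {"day", 86400}, {"hour", 3600}}
	for _, u := range units {
		if secs >= u.secs && secs%u.secs == 0 {
			n := secs / u.secs
			if n == 1 {
				return "1 " + u.name, nil
			}
			return fmt.Sprintf("%d %ss", n, u.name), nil
		}
	}
	return fmt.Sprintf("%d seconds", secs), nil
}

// encodePKIPeriod is the inverse encoding, used only to build sample input.
func encodePKIPeriod(seconds int64) []byte {
	b := make([]byte, 8)
	binary.LittleEndian.PutUint64(b, uint64(-seconds*10_000_000))
	return b
}

// effectiveEKUs applies the schema-version rule: v1 templates use
// pKIExtendedKeyUsage, v2+ use msPKI-Certificate-Application-Policy.
func effectiveEKUs(schemaVersion uint32, ekus, appPolicies []string) []string {
	if schemaVersion == 1 {
		return ekus
	}
	return appPolicies
}

// intersectsOrEmpty is the shared rule behind AuthenticationEnabled and
// SchannelAuthenticationEnabled: an empty effective EKU set allows any use.
func intersectsOrEmpty(effective []string, set map[string]bool) bool {
	if len(effective) == 0 {
		return true
	}
	for _, oid := range effective {
		if set[oid] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a v2 template valid for one year, Smart Card Logon only.
	period, _ := convertPKIPeriod(encodePKIPeriod(365 * 86400))
	eff := effectiveEKUs(2, nil, []string{"1.3.6.1.4.1.311.20.2.2"})
	fmt.Println(period, intersectsOrEmpty(eff, authenticationOIDs), intersectsOrEmpty(eff, schannelOIDs))
}
```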

EnterpriseCA

Built by BuildEnterpriseCAFromEntry() from enterprise CA LDAP entries found in the Configuration partition.

Filter: (objectClass=pKIEnrollmentService) (applied during conversion from Configuration partition entries collected with (objectClass=*))

Base attributes:

  • HostingComputer(REMOTE): Resolved by querying the CA's dNSHostName attribute and performing DNS resolution to find the hosting server
  • CARegistryData(REMOTE): Populated during remote collection via WINREG RPC (CARegistry method)
    • Registry paths under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\*
    • CASecurity: ACEs read from Security registry value
    • EnrollmentAgentRestrictions: Read from CA-specific registry configuration
    • IsUserSpecifiesSanEnabled: Read from EditFlags registry value
    • IsRoleSeparationEnabled: Read from CA configuration registry
  • EnabledCertTemplates: Resolved from certificateTemplates multi-value attribute via CertTemplateCache (indexed by domain+template CN)
  • HttpEnrollmentEndpoints(REMOTE): Populated during remote collection (CertServices method) via HTTP/HTTPS probes to web enrollment endpoints
    • Endpoints tested: /certsrv/, /ADPolicyProvider_CEP_*/service.svc
    • Tests for NTLM authentication vulnerabilities (ESC8)
    • Checks channel binding requirements

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed from name LDAP attribute + @DOMAIN
  • CAName: Extracted from name LDAP attribute
  • DNSHostname: Extracted from dNSHostName LDAP attribute
  • Flags: Parsed from flags LDAP attribute as bitfield via parseFlagsToString() using certificate authority flag definitions
  • CertThumbprint: Parsed from cACertificate binary attribute via parseCACertificate() (SHA1 hash)
  • CertName: Extracted from certificate subject
  • CertChain: Parsed certificate chain from cACertificate
  • HasBasicConstraints: Parsed from certificate basic constraints extension
  • BasicConstraintPathLength: Extracted from certificate basic constraints
  • CASecurityCollected: Boolean flag indicating whether CASecurity data was successfully collected during remote collection
  • EnrollmentAgentRestrictionsCollected: Boolean flag indicating whether EnrollmentAgentRestrictions data was successfully collected during remote collection
  • IsUserSpecifiesSanEnabledCollected: Boolean flag indicating whether IsUserSpecifiesSanEnabled data was successfully collected during remote collection
  • RoleSeparationEnabledCollected: Boolean flag indicating whether RoleSeparationEnabled data was successfully collected during remote collection
  • UnresolvedPublishedTemplates: Array of template CNs from certificateTemplates that couldn't be resolved via CertTemplateCache
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list

RootCA

Built by BuildRootCAFromEntry() from root CA LDAP entries in the Configuration partition.

Filter: (objectClass=certificationAuthority) (applied during conversion from Configuration partition entries collected with (objectClass=*))

Base attributes:

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache using domain name from DN
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed from name LDAP attribute + @DOMAIN
  • CertThumbprint: Parsed from cACertificate binary attribute via parseCACertificate() (SHA1 hash)
  • CertName: Extracted from certificate subject
  • CertChain: Parsed certificate chain
  • HasBasicConstraints: Parsed from certificate basic constraints extension
  • BasicConstraintPathLength: Extracted from certificate basic constraints
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list

AIACA

Built by BuildAIACAFromEntry() from Authority Information Access CA LDAP entries found in the Configuration partition.

Filter: (objectClass=certificationAuthority) with additional filtering for AIA-specific attributes (applied during conversion from Configuration partition entries collected with (objectClass=*))

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed from name LDAP attribute + @DOMAIN
  • CrossCertificatePair: Raw binary data from crossCertificatePair LDAP attribute
  • HasCrossCertificatePair: Boolean check if crossCertificatePair has data
  • CertThumbprint: Parsed from cACertificate binary attribute via parseCACertificate() (SHA1 hash)
  • CertName: Extracted from certificate subject
  • CertChain: Parsed certificate chain
  • HasBasicConstraints: Parsed from certificate basic constraints extension
  • BasicConstraintPathLength: Extracted from certificate basic constraints
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list

IssuancePolicy

Built by BuildIssuancePolicyFromEntry() from issuance policy LDAP entries found in the Configuration partition.

Filter: (objectClass=msPKI-Enterprise-Oid) (applied during conversion from Configuration partition entries collected with (objectClass=*))

Base attributes:

  • GroupLink: Resolved TypedPrincipal from msPKI-OID-Group-Link DN via MemberCache

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed from displayName or cn LDAP attribute + @DOMAIN
  • DisplayName: Extracted from displayName LDAP attribute
  • CertTemplateOID: Extracted from msPKI-Cert-Template-OID LDAP attribute
  • OIDGroupLink: DN extracted from msPKI-OID-Group-Link, resolved via MemberCache to get ObjectIdentifier
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list

NTAuthStore

Built by BuildNTAuthStoreFromEntry() from NTAuthStore LDAP entry in the Configuration partition.

Filter: (objectClass=certificationAuthority) at specific DN CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration (applied during conversion from Configuration partition entries collected with (objectClass=*))

Base attributes:

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Retrieved from DomainSIDCache using domain name from DN
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed from name LDAP attribute + @DOMAIN
  • CertThumbprints: Array of SHA1 thumbprints parsed from cACertificate multi-value binary attribute via x509.ParseCertificate()
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list

Computer

Built by BuildComputerFromEntry() from computer LDAP entries.

Filter: (&(sAMAccountType=805306369)(!(objectClass=msDS-GroupManagedServiceAccount))(!(objectClass=msDS-ManagedServiceAccount))) (excludes gMSA/MSA accounts which are collected as Users)

Base attributes:

  • DomainSID: Derived from objectSid
  • AllowedToAct: Parsed from msDS-AllowedToActOnBehalfOfOtherIdentity binary security descriptor via ParseBinaryACL(), filtering for GenericAll rights
  • AllowedToDelegate: Resolved from msDS-AllowedToDelegateTo via ResolveSpn()
  • UnconstrainedDelegation: Copied from Properties
  • PrimaryGroupSID: Constructed from domain SID + primaryGroupID
  • LocalGroups(REMOTE): Populated during remote collection (LocalGroups method) via SAMR RPC (SamrEnumerateAliasesInDomain, SamrGetMembersInAlias) with SID translation via LSAT RPC (LsatLookupSids)
  • Sessions(REMOTE): Populated during remote collection (Sessions method) via SRVS RPC (NetSessionEnum) retrieving active network sessions. Performs DNS reverse lookups for source IPs and resolves usernames via SamCache (indexed by domain+sAMAccountName)
  • PrivilegedSessions(REMOTE): Populated during remote collection (loggedon method) via WKSSVC RPC (NetWkstaUserEnum) retrieving currently logged-on users. Uses NetBIOSDomainCache for domain resolution and SamCache for user resolution
  • RegistrySessions(REMOTE): Populated during remote collection (RegSessions method) via WINREG RPC enumerating subkeys under HKEY_USERS (each subkey represents a user SID with loaded registry hive)
  • HasSIDHistory: Resolved from sIDHistory via ResolveSID()
  • Status(REMOTE): Populated when availability checks fail before remote collection; contains connectivity status (Connectable: bool) and error message details
  • UserRights(REMOTE): Populated during remote collection (UserRights method) via LSAD RPC (LsaEnumerateAccountsWithUserRight) querying SeRemoteInteractiveLogonRight privilege. Uses LSAT RPC for SID translation and WellKnown SID handling
  • DumpSMSAPassword: Resolved from msDS-HostServiceAccount multi-value attribute via MemberCache
  • DCRegistryData(REMOTE): Populated during remote collection (DCRegistry method) for domain controllers reading registry values:
    • CertificateMappingMethods: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CertificateMappingMethods
    • StrongCertificateBindingEnforcement: HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement
    • VulnerableNetlogonSecurityDescriptor: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\VulnerableChannelAllowList
  • NTLMRegistryData(REMOTE): Populated during remote collection (NTLMRegistry method) via WINREG RPC reading NTLM configuration from HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\*
    • Examples: RestrictSendingNtlmTraffic, NtlmMinClientSec, LmCompatibilityLevel, ClientAllowedNTLMServers
  • IsWebClientRunning(REMOTE): Populated during remote collection (WebClient method) by attempting to connect to the named pipe DAV RPC SERVICE on the IPC$ share via SMB. Success indicates WebClient service is running
  • IsDC: Copied from Properties
  • SMBInfo(REMOTE): Populated during remote collection (SMBInfo method) via WINREG RPC reading signing requirement registry value

Properties:

  • Domain: Extracted from DN
  • DistinguishedName: Uppercased DN
  • DomainSID: Derived from objectSid by removing RID
  • Description: Extracted from description
  • WhenCreated: Extracted from whenCreated, formatted via FormatTime1()
  • Name: Constructed from dNSHostName; falls back to sAMAccountName (without the trailing $) + .DOMAIN, then to cn or name (uppercased)
  • SAMAccountName: Extracted from sAMAccountName LDAP attribute
  • HasLAPS: Checked via entry.HasLAPS() (presence of ms-Mcs-AdmPwd or msLAPS-Password attributes)
  • IsACLProtected: Copied from BaseADObject
  • AdminSDHolderProtected: Computed by comparing security descriptor hash with AdminSDHolder hash
  • Enabled: Bit flag check on userAccountControl (!(UAC & 2))
  • UnconstrainedDelegation: Bit flag check on UAC (UAC & 0x00080000)
  • TrustedToAuth: Bit flag check on UAC (UAC & 0x01000000)
  • IsDC: Bit flag check on UAC (UAC & 0x2000)
  • IsReadOnlyDC: Bit flag check on UAC (UAC & 0x04000000)
  • EncryptedTextPwdAllowed: Bit flag check on UAC (UAC & 0x0080)
  • UseDesKeyOnly: Bit flag check on UAC (UAC & 0x00200000)
  • LogonScriptEnabled: Bit flag check on UAC (UAC & 0x0001)
  • LockedOut: Bit flag check on UAC (UAC & 0x0010)
  • PasswordExpired: Bit flag check on UAC (UAC & 0x00800000)
  • SupportedEncryptionTypes: Parsed from msDS-SupportedEncryptionTypes via ConvertEncryptionTypes() (DES, RC4, AES128, AES256)
  • AdminCount: Extracted from adminCount (check for != "0")
  • LastLogon: Extracted from lastLogon, formatted via FormatTime2()
  • LastLogonTimestamp: Extracted from lastLogonTimestamp, formatted via FormatTime2(), defaults to -1 if "0"
  • PwdLastSet: Extracted from pwdLastSet, formatted via FormatTime2()
  • ServicePrincipalNames: Extracted from servicePrincipalName multi-value attribute
  • Email: Extracted from mail LDAP attribute
  • UserAccountControl: Raw UAC value as int64
  • OperatingSystem: Constructed from operatingSystem + operatingSystemServicePack (if present)
  • SIDHistory: Extracted from sIDHistory multi-value attribute
  • ObjectGUID: Extracted from objectGUID via entry.GetGUID()
  • AllowedToDelegate: Extracted from msDS-AllowedToDelegateTo multi-value attribute
  • LdapAvailable(REMOTE): Populated during remote collection (LdapServices method); port check on TCP 389
  • LdapsAvailable(REMOTE): Populated during remote collection (LdapServices method); port check on TCP 636
  • LdapSigning(REMOTE): Populated during remote collection (LdapServices method); tests LDAP authentication to determine whether signing is required (checks for a "Strong Auth Required" error)
  • LdapsEpa(REMOTE): Populated during remote collection (LdapServices method); tests LDAPS authentication with channel binding disabled to determine whether Extended Protection for Authentication is required (checks for error code 0x80090346)
  • DoesAnyAceGrantOwnerRights: Computed from ACE list
  • DoesAnyInheritedAceGrantOwnerRights: Computed from ACE list
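
As an added Go example (not code from buildertypes.go), the userAccountControl bit checks listed for the User and Computer properties above, applied to the string value LDAP returns and decoded into both property sets with the exact masks from this page. The constant and struct names are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
)

// userAccountControl bit masks, exactly the values this page lists for the
// User and Computer property checks.
const (
	uacScript             = 0x00000001 // LogonScriptEnabled
	uacAccountDisable     = 0x00000002 // Enabled is the negation of this bit
	uacLockout            = 0x00000010 // LockedOut
	uacPasswdNotReqd      = 0x00000020 // PasswordNotReqd
	uacEncryptedTextPwd   = 0x00000080 // EncryptedTextPwdAllowed
	uacServerTrustAccount = 0x00002000 // IsDC
	uacDontExpirePasswd   = 0x00010000 // PwdNeverExpires
	uacTrustedForDeleg    = 0x00080000 // UnconstrainedDelegation
	uacNotDelegated       = 0x00100000 // Sensitive
	uacUseDesKeyOnly      = 0x00200000 // UseDesKeyOnly
	uacDontReqPreauth     = 0x00400000 // DontReqPreauth
	uacPasswordExpired    = 0x00800000 // PasswordExpired
	uacTrustedToAuthDeleg = 0x01000000 // TrustedToAuth
	uacPartialSecrets     = 0x04000000 // IsReadOnlyDC
)

// UserFlags holds the UAC-derived User properties from this page.
type UserFlags struct {
	Enabled, Sensitive, DontReqPreauth, PasswordNotReqd        bool
	UnconstrainedDelegation, PwdNeverExpires, TrustedToAuth    bool
}

// ComputerFlags holds the UAC-derived Computer properties from this page.
type ComputerFlags struct {
	Enabled, UnconstrainedDelegation, TrustedToAuth, IsDC, IsReadOnlyDC            bool
	EncryptedTextPwdAllowed, UseDesKeyOnly, LogonScriptEnabled, LockedOut, PasswordExpired bool
}

// parseUAC converts the decimal string LDAP returns for userAccountControl
// (e.g. "514") into the raw int64 kept in the UserAccountControl property.
func parseUAC(attr string) (int64, error) {
	if attr == "" {
		return 0, fmt.Errorf("userAccountControl attribute missing")
	}
	return strconv.ParseInt(attr, 10, 64)
}

func has(uac, mask int64) bool { return uac&mask != 0 }

func decodeUserUAC(uac int64) UserFlags {
	return UserFlags{
		Enabled:                 !has(uac, uacAccountDisable),
		Sensitive:               has(uac, uacNotDelegated),
		DontReqPreauth:          has(uac, uacDontReqPreauth),
		PasswordNotReqd:         has(uac, uacPasswdNotReqd),
		UnconstrainedDelegation: has(uac, uacTrustedForDeleg),
		PwdNeverExpires:         has(uac, uacDontExpirePasswd),
		TrustedToAuth:           has(uac, uacTrustedToAuthDeleg),
	}
}

func decodeComputerUAC(uac int64) ComputerFlags {
	return ComputerFlags{
		Enabled:                 !has(uac, uacAccountDisable),
		UnconstrainedDelegation: has(uac, uacTrustedForDeleg),
		TrustedToAuth:           has(uac, uacTrustedToAuthDeleg),
		IsDC:                    has(uac, uacServerTrustAccount),
		IsReadOnlyDC:            has(uac, uacPartialSecrets),
		EncryptedTextPwdAllowed: has(uac, uacEncryptedTextPwd),
		UseDesKeyOnly:           has(uac, uacUseDesKeyOnly),
		LogonScriptEnabled:      has(uac, uacScript),
		LockedOut:               has(uac, uacLockout),
		PasswordExpired:         has(uac, uacPasswordExpired),
	}
}

func main() {
	// Constructed samples: a user with 512|0x400000 (enabled, pre-auth not
	// required) and a domain controller account with 0x82000.
	uac, err := parseUAC("4194816")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n%+v\n", decodeUserUAC(uac), decodeComputerUAC(532480))
}
```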
