Feature: Add collection of Active Directory Sites ACLs and data

.gitignore

@@ -603,3 +603,6 @@ FodyWeavers.xsd
 # JetBrains Rider
 .idea/
 *.sln.iml
+
+# Codex local workspace state
+.codex

src/CommonLib/DirectoryObjects/DirectoryObjectExtensions.cs

@@ -22,6 +22,13 @@ public static bool IsGMSA(this IDirectoryObject directoryObject) {
     }
 
     public static bool GetObjectIdentifier(this IDirectoryObject directoryObject, out string objectIdentifier) {
+        // Builtin container has a SID (always "S-1-5-32"). We use the ObjectGUID as ID like for other containers 
+        if (directoryObject.TryGetArrayProperty(LDAPProperties.ObjectClass, out var objectClasses) &&
+            objectClasses.Contains(ObjectClass.BuiltinDomainClass, StringComparer.OrdinalIgnoreCase) &&
+            directoryObject.TryGetGuid(out objectIdentifier) && !string.IsNullOrWhiteSpace(objectIdentifier)) {
+            return true;
+        }
+
         if (directoryObject.TryGetSecurityIdentifier(out objectIdentifier) && !string.IsNullOrWhiteSpace(objectIdentifier)) {
             return true;
         }
@@ -68,4 +75,4 @@ public static bool HasLAPS(this IDirectoryObject directoryObject) {
 
         return false;
     }
-}
+}

src/CommonLib/Enums/CollectionMethod.cs

@@ -27,14 +27,15 @@ public enum CollectionMethod {
         WebClientService = 1 << 21,
         SmbInfo = 1 << 22,
         NTLMRegistry = 1 << 23,
+        Site = 1 << 24,
         //TODO: Re-introduce this when we're ready for Event Log collection
         //EventLogs = 1 << 23,
         LocalGroups = DCOM | RDP | LocalAdmin | PSRemote,
         ComputerOnly = LocalGroups | Session | UserRights | CARegistry | DCRegistry | WebClientService | SmbInfo | NTLMRegistry,
-        DCOnly = ACL | Container | Group | ObjectProps | Trusts | GPOLocalGroup | CertServices,
+        DCOnly = ACL | Container | Group | ObjectProps | Trusts | GPOLocalGroup | CertServices | Site,
 
         Default = Group | Session | Trusts | ACL | ObjectProps | LocalGroups | SPNTargets | Container | CertServices |
-                  LdapServices | SmbInfo | WebClientService,
+                  LdapServices | SmbInfo | WebClientService | Site,
 
         All = Default | LoggedOn | GPOLocalGroup | UserRights | CARegistry | DCRegistry | WebClientService |
               LdapServices | NTLMRegistry

src/CommonLib/Enums/DataType.cs

@@ -15,5 +15,8 @@ public static class DataType
         public const string EnterpriseCAs = "enterprisecas";
         public const string CertTemplates = "certtemplates";
         public const string IssuancePolicies = "issuancepolicies";
+        public const string Sites = "sites";
+        public const string SiteServers = "siteservers";
+        public const string SiteSubnets = "sitesubnets";
     }
 }

src/CommonLib/Enums/EdgeNames.cs

@@ -24,6 +24,7 @@ public static class EdgeNames
         public const string WriteGPLink = "WriteGPLink";
         public const string WriteAltSecurityIdentities = "WriteAltSecurityIdentities";
         public const string WritePublicInformation = "WritePublicInformation";
+        public const string ServerIs = "ServerIs";
 
         //CertAbuse edges
         public const string WritePKIEnrollmentFlag = "WritePKIEnrollmentFlag";
@@ -32,4 +33,4 @@ public static class EdgeNames
         public const string ManageCertificates = "ManageCertificates";
         public const string Enroll = "Enroll";
     }
-}
+}

src/CommonLib/Enums/LDAPProperties.cs

@@ -96,5 +96,7 @@ public static class LDAPProperties
         public const string LockOutObservationWindow = "lockoutobservationwindow";
         public const string PrincipalName = "msds-principalname";
         public const string GroupType = "grouptype";
+        public const string ServerReference = "serverreference";
+        public const string SiteObject = "siteobject";
     }
 }

src/CommonLib/Enums/Labels.cs

@@ -18,6 +18,9 @@ public enum Label
         AIACA,
         EnterpriseCA,
         NTAuthStore,
-        IssuancePolicy
+        IssuancePolicy,
+        Site,
+        SiteServer,
+        SiteSubnet
     }
 }

src/CommonLib/Enums/ObjectClass.cs

@@ -6,10 +6,15 @@ public static class ObjectClass {
     public const string DomainClass = "domain";
     public const string ContainerClass = "container";
     public const string ConfigurationClass = "configuration";
+    public const string BuiltinDomainClass = "builtinDomain";
+    public const string SitesContainerClass = "sitesContainer";
     public const string PKICertificateTemplateClass = "pKICertificateTemplate";
     public const string PKIEnrollmentServiceClass = "pKIEnrollmentService";
     public const string CertificationAuthorityClass = "certificationAuthority";
     public const string OIDContainerClass = "msPKI-Enterprise-Oid";
     public const string GMSAClass = "msds-groupmanagedserviceaccount";
     public const string MSAClass = "msds-managedserviceaccount";
-}
+    public const string SiteClass = "site";
+    public const string SiteServerClass = "server";
+    public const string SiteSubnetClass = "subnet";
+}

src/CommonLib/LdapProducerQueryGenerator.cs

@@ -15,7 +15,8 @@ public static GeneratedLdapParameters GenerateDefaultPartitionParameters(Collect
 
         if (methods.HasFlag(CollectionMethod.ObjectProps) || methods.HasFlag(CollectionMethod.ACL) ||
             methods.HasFlag(CollectionMethod.Container)) {
-            filter = filter.AddComputers().AddDomains().AddUsers().AddContainers().AddGPOs().AddOUs().AddGroups();
+            filter = filter.AddComputers().AddDomains().AddUsers().AddContainers().AddBuiltinDomains().AddGPOs()
+                .AddOUs().AddGroups();
 
             if (methods.HasFlag(CollectionMethod.Container)) {
                 properties.AddRange(CommonProperties.ContainerProps);
@@ -103,10 +104,31 @@ public static GeneratedLdapParameters GenerateConfigurationPartitionParameters(C
         properties.AddRange(CommonProperties.BaseQueryProps);
         properties.AddRange(CommonProperties.TypeResolutionProps);
 
-        if (methods.HasFlag(CollectionMethod.ACL) || methods.HasFlag(CollectionMethod.ObjectProps) ||
-            methods.HasFlag(CollectionMethod.Container) || methods.HasFlag(CollectionMethod.CertServices)) {
-            filter = filter.AddContainers().AddConfiguration().AddCertificateTemplates().AddCertificateAuthorities()
-                .AddEnterpriseCertificationAuthorities().AddIssuancePolicies();
+        var collectBroadConfigObjects = methods.HasFlag(CollectionMethod.ACL) ||
+                                        methods.HasFlag(CollectionMethod.ObjectProps) ||
+                                        methods.HasFlag(CollectionMethod.Container);
+
+        if (collectBroadConfigObjects || methods.HasFlag(CollectionMethod.CertServices) ||
+            methods.HasFlag(CollectionMethod.Site)) {
+            filter = filter.AddContainers()
+                .AddConfiguration()
+                .AddSitesContainer();
+
+            if (collectBroadConfigObjects || methods.HasFlag(CollectionMethod.CertServices)) {
+                filter.AddCertificateTemplates()
+                    .AddCertificateAuthorities()
+                    .AddEnterpriseCertificationAuthorities()
+                    .AddIssuancePolicies();
+            }
+            else if (methods.HasFlag(CollectionMethod.CARegistry)) {
+                filter.AddEnterpriseCertificationAuthorities();
+            }
+
+            if (collectBroadConfigObjects || methods.HasFlag(CollectionMethod.Site)) {
+                filter.AddSites()
+                    .AddSiteServers()
+                    .AddSiteSubnets();
+            }
 
             if (methods.HasFlag(CollectionMethod.ObjectProps)) {
                 properties.AddRange(CommonProperties.ObjectPropsProps);
@@ -131,6 +153,13 @@ public static GeneratedLdapParameters GenerateConfigurationPartitionParameters(C
                 properties.AddRange(CommonProperties.CertAbuseProps);
             }
 
+            if (methods.HasFlag(CollectionMethod.Site))
+            {
+                properties.AddRange(CommonProperties.SiteProps);
+                properties.AddRange(CommonProperties.SiteServerProps);
+                properties.AddRange(CommonProperties.SiteSubnetProps);
+            }
+
             return new GeneratedLdapParameters {
                 Filter = filter,
                 Attributes = properties.Distinct().ToArray()
@@ -152,4 +181,4 @@ public static GeneratedLdapParameters GenerateConfigurationPartitionParameters(C
 public class GeneratedLdapParameters {
     public string[] Attributes { get; set; }
     public LdapFilter Filter { get; set; }
-}
+}

src/CommonLib/LdapQueries/CommonProperties.cs

@@ -9,7 +9,8 @@ public static class CommonProperties
             LDAPProperties.Flags
         };
 
-        public static readonly string[] ObjectID = { LDAPProperties.ObjectSID, LDAPProperties.ObjectGUID };
+        public static readonly string[] ObjectID =
+            { LDAPProperties.ObjectSID, LDAPProperties.ObjectGUID, LDAPProperties.ObjectClass };
         public static readonly string[] ObjectSID = { LDAPProperties.ObjectSID };
         public static readonly string[] GPCFileSysPath = { LDAPProperties.GPCFileSYSPath };
 
@@ -98,5 +99,23 @@ public static class CommonProperties
         public static readonly string[] StealthProperties = {
             LDAPProperties.HomeDirectory, LDAPProperties.ScriptPath, LDAPProperties.ProfilePath
         };
+
+        public static readonly string[] SiteProps =
+        {
+            LDAPProperties.DisplayName, LDAPProperties.Name, LDAPProperties.ObjectGUID, LDAPProperties.GPLink,
+            LDAPProperties.GroupPolicyOptions, LDAPProperties.ObjectClass
+        };
+
+        public static readonly string[] SiteServerProps =
+        {
+            LDAPProperties.DisplayName, LDAPProperties.Name, LDAPProperties.ObjectGUID, LDAPProperties.ObjectClass, LDAPProperties.DNSHostName,
+            LDAPProperties.ServerReference
+        };
+
+        public static readonly string[] SiteSubnetProps =
+        {
+            LDAPProperties.DisplayName, LDAPProperties.Name, LDAPProperties.CanonicalName, LDAPProperties.ObjectGUID, LDAPProperties.ObjectClass,
+            LDAPProperties.SiteObject
+        };
     }
-}
+}

src/CommonLib/LdapQueries/LdapFilter.cs

@@ -129,6 +129,17 @@ public LdapFilter AddContainers(params string[] conditions) {
             return this;
         }
 
+        /// <summary>
+        ///     Add a filter that will include Builtin domain container objects.
+        /// </summary>
+        /// <param name="conditions"></param>
+        /// <returns></returns>
+        public LdapFilter AddBuiltinDomains(params string[] conditions) {
+            _filterParts.Add(BuildString("(objectClass=builtinDomain)", conditions));
+
+            return this;
+        }
+
         /// <summary>
         ///     Add a filter that will include Configuration objects
         /// </summary>
@@ -140,6 +151,17 @@ public LdapFilter AddConfiguration(params string[] conditions) {
             return this;
         }
 
+        /// <summary>
+        ///     Add a filter that will include Sites container objects.
+        /// </summary>
+        /// <param name="conditions"></param>
+        /// <returns></returns>
+        public LdapFilter AddSitesContainer(params string[] conditions) {
+            _filterParts.Add(BuildString("(objectClass=sitesContainer)", conditions));
+
+            return this;
+        }
+
         /// <summary>
         ///     Add a filter that will include Computer objects
         ///
@@ -215,6 +237,45 @@ public LdapFilter AddComputersNoMSAs(params string[] conditions) {
             return this;
         }
 
+        /// <summary>
+        ///     Add a filter that will match Active Directory sites
+        /// </summary>
+        /// <param name="conditions"></param>
+        /// <returns></returns>
+        public LdapFilter AddSites(params string[] conditions)
+        {
+            _filterParts.Add(BuildString(
+                "(objectClass=site)",
+                conditions));
+            return this;
+        }
+
+        /// <summary>
+        ///     Add a filter that will match Active Directory site servers
+        /// </summary>
+        /// <param name="conditions"></param>
+        /// <returns></returns>
+        public LdapFilter AddSiteServers(params string[] conditions)
+        {
+            _filterParts.Add(BuildString(
+                "(objectClass=server)",
+                conditions));
+            return this;
+        }
+
+        /// <summary>
+        ///     Add a filter that will match Active Directory site subnets
+        /// </summary>
+        /// <param name="conditions"></param>
+        /// <returns></returns>
+        public LdapFilter AddSiteSubnets(params string[] conditions)
+        {
+            _filterParts.Add(BuildString(
+                "(objectClass=subnet)",
+                conditions));
+            return this;
+        }
+
         /// <summary>
         ///     Adds a generic user specified filter
         /// </summary>
@@ -274,4 +335,4 @@ public IEnumerable<string> GetFilterList() {
             }
         }
     }
-}
+}