Skip to content

Commit

Permalink
PKI Attribute decoding experiment
Browse files Browse the repository at this point in the history
  • Loading branch information
lkarlslund committed Jun 20, 2023
1 parent 02c07d7 commit 1af7c1e
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 0 deletions.
2 changes: 2 additions & 0 deletions modules/integrations/activedirectory/attributes.go
Original file line number Diff line number Diff line change
Expand Up @@ -90,5 +90,7 @@ var (
ScriptPath = engine.NewAttribute("scriptPath").Tag("AD").Single()
MSPKICertificateNameFlag = engine.NewAttribute("msPKI-Certificate-Name-Flag").Tag("AD").Type(engine.AttributeTypeInt)
PKIExtendedUsage = engine.NewAttribute("pKIExtendedKeyUsage").Tag("AD")
PKIExpirationPeriod = engine.NewAttribute("pKIExpirationPeriod").Tag("AD")
PKIOverlapPeriod = engine.NewAttribute("pKIOverlapPeriod").Tag("AD")
MsDSBehaviourVersion = engine.NewAttribute("msDS-Behavior-Version").Type(engine.AttributeTypeInt)
)
22 changes: 22 additions & 0 deletions modules/integrations/activedirectory/rawobject.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package activedirectory

import (
"encoding/binary"
"fmt"
"strconv"
"strings"
"sync"
Expand Down Expand Up @@ -127,6 +129,26 @@ func EncodeAttributeData(attribute engine.Attribute, values []string) engine.Att
default:
ui.Warn().Msgf("Failed to convert attribute %v value %2x to timestamp (unsupported length): %v", attribute.String(), tvalue)
}
case PKIExpirationPeriod, PKIOverlapPeriod:
nss := binary.BigEndian.Uint64([]byte(value))
secs := nss / 10000000
var period string
if (secs%31536000) == 0 && (secs/31536000) > 1 {
period = fmt.Sprintf("v% years", secs/31536000)
} else if (secs%2592000) == 0 && (secs/2592000) > 1 {
period = fmt.Sprintf("v% months", secs/2592000)
} else if (secs%604800) == 0 && (secs/604800) > 1 {
period = fmt.Sprintf("v% weeks", secs/604800)
} else if (secs%86400) == 0 && (secs/86400) > 1 {
period = fmt.Sprintf("v% days", secs/86400)
} else if (secs%3600) == 0 && (secs/3600) > 1 {
period = fmt.Sprintf("v% hours", secs/3600)
}
if period != "" {
attributevalue = engine.AttributeValueString(period)
} else {
attributevalue = engine.AttributeValueString(value)
}
case AttributeSecurityGUID, SchemaIDGUID, MSDSConsistencyGUID, RightsGUID:
switch len(value) {
case 16:
Expand Down

0 comments on commit 1af7c1e

Please sign in to comment.