trustedsec / CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
GNU General Public License v2.0

enhance encoding of binary vars for bofhound compatibility #115

Closed j0wns closed 10 months ago

j0wns commented 10 months ago

External tools pyldapsearch [producer] and BOFHound [consumer] expect binary attributes to be formatted as Base64 or bracketed strings. This PR adds support for all of the attributes specified by pyldapsearch to establish feature parity and enhance compatibility of C2 log output.

    # bofhound expects some attributes in a certain format
    _base64_attributes = ['nTSecurityDescriptor', 'msDS-GenerationId', 'auditingPolicy', 'dSASignature', 'mS-DS-CreatorSID',
        'logonHours', 'schemaIDGUID']
    _raw_attributes = ['whenCreated', 'whenChanged', 'dSCorePropagationData', 'accountExpires', 'badPasswordTime', 'pwdLastSet',
        'lastLogonTimestamp', 'lastLogon', 'lastLogoff', 'maxPwdAge', 'minPwdAge', 'creationTime', 'lockOutObservationWindow',
        'lockoutDuration']
    _bracketed_attributes = ['objectGUID']
    _ignore_attributes = ['userCertificate']
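For readers who want to see what this output contract means in practice, below is an added illustration that is not code from this PR, from the BOF project, from pyldapsearch or from BOFHound. It dispatches one LDAP attribute value to the four treatments named in the lists above (Base64, raw, bracketed, ignored) and renders a constructed directory entry as `name: value` lines. The function names `format_attribute` and `format_entry` are invented for the example, and the bracketed form for `objectGUID` is assumed to be the canonical UUID string in braces, built from the 16 little-endian bytes Active Directory stores; the sample entry values are constructed, not captured from a real domain.

```python
import base64
import uuid
from typing import Dict, List, Optional, Union

# Attribute groups exactly as listed in the PR description (pyldapsearch's convention).
BASE64_ATTRIBUTES = {'nTSecurityDescriptor', 'msDS-GenerationId', 'auditingPolicy', 'dSASignature',
                     'mS-DS-CreatorSID', 'logonHours', 'schemaIDGUID'}
RAW_ATTRIBUTES = {'whenCreated', 'whenChanged', 'dSCorePropagationData', 'accountExpires',
                  'badPasswordTime', 'pwdLastSet', 'lastLogonTimestamp', 'lastLogon', 'lastLogoff',
                  'maxPwdAge', 'minPwdAge', 'creationTime', 'lockOutObservationWindow', 'lockoutDuration'}
BRACKETED_ATTRIBUTES = {'objectGUID'}
IGNORE_ATTRIBUTES = {'userCertificate'}

Value = Union[bytes, str]


def _as_bytes(value: Value) -> bytes:
    """Normalise a value that may already be text into bytes."""
    return value if isinstance(value, bytes) else value.encode('utf-8')


def format_attribute(name: str, value: Value) -> Optional[str]:
    """Return the log-line form of one attribute value, or None if the attribute is dropped.

    Hypothetical helper for this example; the four branches mirror the lists above.
    """
    if name in IGNORE_ATTRIBUTES:
        return None
    if name in BASE64_ATTRIBUTES:
        # Binary blobs (security descriptors, SIDs, GUIDs in schema) go out as Base64.
        return base64.b64encode(_as_bytes(value)).decode('ascii')
    if name in BRACKETED_ATTRIBUTES:
        # objectGUID is a 16-byte little-endian GUID; assumption: consumer wants {canonical-uuid}.
        raw = _as_bytes(value)
        if len(raw) != 16:
            raise ValueError(f'{name}: expected 16 GUID bytes, got {len(raw)}')
        return '{' + str(uuid.UUID(bytes_le=raw)) + '}'
    if name in RAW_ATTRIBUTES:
        # Timestamps and durations are already ASCII digits / generalized time; pass through untouched.
        return _as_bytes(value).decode('ascii')
    # Anything else is treated as ordinary UTF-8 text.
    return _as_bytes(value).decode('utf-8', errors='replace')


def format_entry(entry: Dict[str, Value]) -> List[str]:
    """Render a whole entry as 'name: value' lines, omitting ignored attributes."""
    lines = []
    for name, value in entry.items():
        rendered = format_attribute(name, value)
        if rendered is not None:
            lines.append(f'{name}: {rendered}')
    return lines


# Constructed sample entry (not real directory data).
SAMPLE_ENTRY: Dict[str, Value] = {
    'sAMAccountName': b'svc-backup',
    'objectGUID': uuid.UUID('12345678-1234-5678-1234-567812345678').bytes_le,
    'logonHours': b'\xff' * 21,
    'pwdLastSet': b'133500000000000000',
    'userCertificate': b'\x30\x82\x01\x00',  # would be dropped
}

if __name__ == '__main__':
    for line in format_entry(SAMPLE_ENTRY):
        print(line)
```

The length check on `objectGUID` is the part worth keeping: a truncated or re-encoded GUID would otherwise be silently turned into a different, valid-looking identifier, and downstream tools that key on it would build their graph on the wrong object.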
freefirex commented 10 months ago

Thanks for the pull!

j0wns commented 10 months ago

> Thanks for the pull!

My pleasure!