1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2021 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel;
20 
21 import com.google.common.collect.ImmutableSet;
22 import java.util.Set;
23 
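/**
 * Helpers for classifying Windows security identifiers (SIDs) while creating
 * OS accounts and realms.
 *
 * All comparisons are exact and case-sensitive: callers are expected to pass
 * SIDs in their canonical "S-1-..." form. Only the SIDs and SID families
 * listed in this class are recognized; anything else is treated as a regular
 * user SID.
 */
final class WindowsAccountUtils {

    /**
     * Realm "address" given to the special Windows accounts whose short SIDs
     * carry no host or domain identifier (see {@link #isWindowsSpecialSid}).
     */
    final static String SPECIAL_WINDOWS_REALM_ADDR = "SPECIAL_WINDOWS_ACCOUNTS";

    /**
     * Separator between SID sub-authorities. Prefix matches below require it
     * so that a family prefix such as "S-1-5-80" only claims "S-1-5-80" itself
     * or "S-1-5-80-...", never an unrelated SID that merely shares the digits.
     */
    private static final char SID_SEPARATOR = '-';

    // Minimum number of separators in a regular SID: S-1-x-y-z has four.
    private static final int MIN_REGULAR_SID_SEPARATORS = 4;

    // Windows uses SIDs for groups as well as users.
    // We dont want to create "User" account for group SIDs.
    // The lists here help us identify and weed out group SIDs when creating accounts.
    private static final Set<String> GROUP_SIDS = ImmutableSet.of(
            "S-1-0-0", // Null SID
            "S-1-1-0", // Everyone
            "S-1-2-0", // Local - anyone who has logged on locally
            "S-1-2-1", // Console Logon

            "S-1-3-1", // Creator
            "S-1-3-4", // Owner rights

            "S-1-5-1", // Dialup
            "S-1-5-2", // Network
            "S-1-5-3", // Batch
            "S-1-5-4", // Interactive
            "S-1-5-6", // Service
            "S-1-5-7", // Anonymous
            "S-1-5-9", // Enterprise Domain Controllers

            "S-1-5-11", // Authenticated Users
            "S-1-5-12", // Restricted Code - not a group but not a user SID either
            "S-1-5-13", // Terminal Server Users
            "S-1-5-14", // Remote Interactive Logon

            "S-1-5-15", // This Organization

            "S-1-5-80-0", // All Services
            "S-1-5-83-0", // NT Virtual Machine\Virtual Machines
            "S-1-5-90-0" // Windows Manager\Windows Manager Group
    );

    // Any SIDs with the following prefixes are group SIDs and should be excluded.
    private static final Set<String> GROUP_SID_PREFIX = ImmutableSet.of(
            "S-1-5-32" // Builtin
    );

    // SIDs that begin with the domain SID prefix and end with one of these
    // relative identifiers denote well-known domain groups, not users.
    private static final String DOMAIN_SID_PREFIX = "S-1-5";
    private static final Set<String> DOMAIN_GROUP_SID_SUFFIX = ImmutableSet.of(
            "-512", // Domain Admins
            "-513", // Domain Users

            "-514", // Domain Guests
            "-515", // Domain Computers
            "-516", // Domain Controllers
            "-517", // Cert Publishers

            "-518", // Schema Admins
            "-519", // Enterprise Admins
            "-520", // Group Policy Creator Owners

            "-526", // Key Admins
            "-527", // Enterprise Key Admins

            "-533", // RAS and IAS Servers

            // Windows 2008 and later
            "-498", // Enterprise Read-only Domain Controllers
            "-521", // Read-only Domain Controllers
            "-571", // Allowed RODC Password Replication Group
            "-572", // Denied RODC Password Replication Group

            // Windows 2012 and later
            "-522" // Cloneable Domain Controllers
    );

    // Some Windows SIDs indicate a special account.
    // These should be handled differently from regular user accounts.
    private static final Set<String> SPECIAL_SIDS = ImmutableSet.of(
            "S-1-5-18", // LOCAL_SYSTEM_ACCOUNT
            "S-1-5-19", // LOCAL_SERVICE_ACCOUNT
            "S-1-5-20" // NETWORK_SERVICE_ACCOUNT
    );
    private static final Set<String> SPECIAL_SID_PREFIXES = ImmutableSet.of(
            "S-1-5-80", // Virtual Service accounts
            "S-1-5-82", // AppPoolIdentity Virtual accounts.
            "S-1-5-83", // Virtual Machine Virtual Accounts.
            "S-1-5-90", // Windows Manager Virtual Accounts.
            "S-1-5-96" // Font Drive Host Virtual Accounts.
    );

    // Static utility class; never instantiated.
    private WindowsAccountUtils() {
    }

    /**
     * Checks whether a SID denotes one of the special Windows accounts (the
     * three well-known service accounts or a member of one of the
     * virtual-account families).
     *
     * @param sid The SID to check; may be null.
     *
     * @return True if the SID is a special account SID, false otherwise
     *         (including for a null SID).
     */
    static boolean isWindowsSpecialSid(String sid) {
        if (sid == null) {
            return false;
        }
        return SPECIAL_SIDS.contains(sid) || hasAnySubAuthorityPrefix(sid, SPECIAL_SID_PREFIXES);
    }

    /**
     * Checks whether a SID should be treated as a user account SID, i.e. it is
     * not one of the well-known group SIDs, the BUILTIN family, or a
     * well-known domain group.
     *
     * Special account SIDs (see {@link #isWindowsSpecialSid}) are not excluded
     * here; they are still reported as user SIDs.
     *
     * @param sid The SID to check; may be null.
     *
     * @return True if the SID may belong to a user account, false if it is a
     *         known group SID or null.
     */
    static boolean isWindowsUserSid(String sid) {
        if (sid == null) {
            return false;
        }
        if (GROUP_SIDS.contains(sid) || hasAnySubAuthorityPrefix(sid, GROUP_SID_PREFIX)) {
            return false;
        }
        // Domain groups carry a domain-specific identifier in the middle but a
        // fixed prefix and a well-known relative identifier at the end.
        if (hasSubAuthorityPrefix(sid, DOMAIN_SID_PREFIX)) {
            for (String suffix : DOMAIN_GROUP_SID_SUFFIX) {
                if (sid.endsWith(suffix)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Derives the realm address (host or domain identifier) for a SID.
     *
     * Special account SIDs map to {@link #SPECIAL_WINDOWS_REALM_ADDR}; so does
     * that realm address itself, because when realms are copied into portable
     * cases the SID column may already hold it. Any other SID must have at
     * least five components (S-1-x-y-z); its realm address is the SID with the
     * final relative identifier removed.
     *
     * @param sid The SID, or the special realm address.
     *
     * @return The realm address for the SID.
     *
     * @throws TskCoreException If the SID is null or too short to contain a
     *                          host/domain identifier.
     */
    public static String getWindowsRealmAddress(String sid) throws TskCoreException {
        if (sid == null) {
            throw new TskCoreException("Invalid SID null for a host/domain");
        }
        if (sid.equals(SPECIAL_WINDOWS_REALM_ADDR) || isWindowsSpecialSid(sid)) {
            return SPECIAL_WINDOWS_REALM_ADDR;
        }
        if (countSeparators(sid) < MIN_REGULAR_SID_SEPARATORS) {
            throw new TskCoreException(String.format("Invalid SID %s for a host/domain", sid));
        }
        // Strip the trailing relative identifier, leaving the host/domain SID.
        return sid.substring(0, sid.lastIndexOf(SID_SEPARATOR));
    }

    /**
     * Tests whether a SID is exactly the given prefix or begins with the prefix
     * followed by a separator, so the match ends on a sub-authority boundary.
     */
    private static boolean hasSubAuthorityPrefix(String sid, String prefix) {
        return sid.equals(prefix) || sid.startsWith(prefix + SID_SEPARATOR);
    }

    /**
     * Tests whether a SID matches any of the given prefixes on a sub-authority
     * boundary (see {@link #hasSubAuthorityPrefix}).
     */
    private static boolean hasAnySubAuthorityPrefix(String sid, Set<String> prefixes) {
        for (String prefix : prefixes) {
            if (hasSubAuthorityPrefix(sid, prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Counts the sub-authority separators in a SID.
     */
    private static long countSeparators(String sid) {
        return sid.chars().filter(ch -> ch == SID_SEPARATOR).count();
    }
}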
