19 package org.sleuthkit.datamodel;
21 import com.google.common.collect.ImmutableMap;
22 import com.google.common.collect.ImmutableSet;
23 import java.util.HashMap;
25 import java.util.Map.Entry;
26 import java.util.Optional;
37 final class WindowsAccountUtils {
// Realm address recorded for the well-known/special Windows accounts. getWindowsRealmAddress()
// also accepts this literal as input (its equals() check), so already-converted realms round-trip.
40 final static String SPECIAL_WINDOWS_REALM_ADDR =
"SPECIAL_WINDOWS_ACCOUNTS";
// Suffix ignored on every lookup: stripWindowsBackupPostfix() tests endsWith() and then calls
// String.replace(), which removes every occurrence of the suffix rather than only the trailing one.
42 final static String SPECIAL_WINDOWS_BACK_UP_POSTFIX =
".bak";
// Exact-match set of group SIDs consulted by isWindowsUserSid() (members not shown in this listing).
48 private static final Set<String> GROUP_SIDS = ImmutableSet.of(
// Group SID prefixes compared with startsWith() in isWindowsUserSid() (members not shown in this listing).
79 private static final Set<String> GROUP_SID_PREFIX = ImmutableSet.of(
// NT authority prefix. Used bare with startsWith() in isWindowsUserSid() and as DOMAIN_SID_PREFIX + "-"
// in isWindowsSpecialSid().
// NOTE(review): startsWith("S-1-5") without the trailing '-' also matches a hypothetical "S-1-5x-..."
// authority; comparing against DOMAIN_SID_PREFIX + "-" is the tighter check.
86 private static final String DOMAIN_SID_PREFIX =
"S-1-5";
// RID suffixes compared with endsWith() on "S-1-5"-prefixed SIDs in isWindowsUserSid()
// (members not shown in this listing).
87 private static final Set<String> DOMAIN_GROUP_SID_SUFFIX = ImmutableSet.of(
// Well-known SID -> display name, matched exactly (containsKey()/get()). The .build() call is
// outside this listing.
119 private static final Map<String, String> SPECIAL_SIDS_MAP = ImmutableMap.<String, String>builder()
120 .put(
"S-1-5-18",
"Local System Account")
121 .put(
"S-1-5-19",
"Local Service Account")
122 .put(
"S-1-5-20",
"Network Service Account")
// SID prefix -> display name, matched with startsWith() in isWindowsSpecialSid() and
// getWindowsSpecialSidName(). The .build() call is outside this listing.
// NOTE(review): a bare startsWith("S-1-5-80") also accepts e.g. "S-1-5-800-..."; requiring the
// character after the prefix to be '-' (or end of string) would make the match exact.
// NOTE(review): "accountt" in the S-1-5-94 display name looks like a typo; it is a runtime string,
// so it is left unchanged here.
125 private static final Map<String, String> SPECIAL_SID_PREFIXES_MAP = ImmutableMap.<String, String>builder()
126 .put(
"S-1-5-80",
"Service Virtual Account")
127 .put(
"S-1-5-82",
"IIS AppPool Virtual Account")
128 .put(
"S-1-5-83",
"Virtual Machine Virtual Account")
129 .put(
"S-1-5-90",
"Window Manager Virtual Account")
130 .put(
"S-1-5-94",
"WinRM Virtual accountt")
131 .put(
"S-1-5-96",
"Font Driver Host Virtual Account")
/**
 * Reports whether {@code sid} denotes a special (non-user) Windows account: an exact entry of
 * SPECIAL_SIDS_MAP, a SPECIAL_SID_PREFIXES_MAP prefix, or an NT sub-authority in the range
 * 80..111. A trailing SPECIAL_WINDOWS_BACK_UP_POSTFIX is ignored. Several body lines (the
 * return statements and closing braces) are missing from this listing.
 *
 * @param sid the SID string to classify; it originates from the parsed image, so treat it as untrusted
 * @return true if the SID is a special account SID
 */
141 static boolean isWindowsSpecialSid(String sid) {
142 String tempSID = stripWindowsBackupPostfix(sid);
// Exact match against the well-known special SIDs.
144 if (SPECIAL_SIDS_MAP.containsKey(tempSID)) {
// Prefix match (see the NOTE on SPECIAL_SID_PREFIXES_MAP about the loose startsWith()).
147 for (String specialPrefix: SPECIAL_SID_PREFIXES_MAP.keySet()) {
148 if (tempSID.startsWith(specialPrefix)) {
// Range check on the first sub-authority: drop the "S-1-5-" authority prefix. replaceFirst() is
// regex-based but the pattern has no metacharacters; it is also unanchored, so a SID that does
// not begin with "S-1-5-" is left unchanged and its leading "S" becomes the "sub-authority".
154 tempSID = tempSID.replaceFirst(DOMAIN_SID_PREFIX +
"-",
"");
// NOTE(review): indexOf('-') is -1 when no '-' remains (for example the bare realm literal
// "SPECIAL_WINDOWS_ACCOUNTS", which getWindowsRealmAddress() passes here before its own equals()
// check), and substring(0, -1) then throws StringIndexOutOfBoundsException — unless a guard sits
// among the lines omitted from this listing. A safe form:
//   int dash = tempSID.indexOf('-'); if (dash < 0) { return false; }
155 String subAuthStr = tempSID.substring(0, tempSID.indexOf(
'-'));
// NOTE(review): substring() never returns null, so orElse(0) is dead code; the real failure mode
// is NumberFormatException from Integer::valueOf on a non-numeric segment (e.g. "S" for a SID
// under another authority such as "S-1-1-0"). Guarding with startsWith(DOMAIN_SID_PREFIX + "-")
// before this step, or catching NumberFormatException and returning false, keeps a malformed SID
// from the image from aborting account processing.
156 Integer subAuth = Optional.ofNullable(subAuthStr).map(Integer::valueOf).orElse(0);
// Service/virtual-account sub-authorities 80..111 are treated as special.
157 if (subAuth >= 80 && subAuth <= 111) {
/**
 * Returns the display name for a special Windows account SID, looked up first by exact match in
 * SPECIAL_SIDS_MAP and then by prefix in SPECIAL_SID_PREFIXES_MAP. The fall-through return for a
 * SID that matches neither is not part of this listing, so callers should check
 * isWindowsSpecialSid() first rather than rely on a particular sentinel value.
 *
 * @param sid the SID string; a trailing SPECIAL_WINDOWS_BACK_UP_POSTFIX is ignored
 * @return the display name of the matching special SID
 */
172 static String getWindowsSpecialSidName(String sid) {
173 String tempSID = stripWindowsBackupPostfix(sid);
// Exact match takes precedence over a prefix match.
175 if (SPECIAL_SIDS_MAP.containsKey(tempSID)) {
176 return SPECIAL_SIDS_MAP.get(tempSID);
// First matching prefix wins (same loose startsWith() caveat as in isWindowsSpecialSid()).
178 for (Entry<String, String> specialPrefixEntry: SPECIAL_SID_PREFIXES_MAP.entrySet()) {
179 if (tempSID.startsWith(specialPrefixEntry.getKey())) {
180 return specialPrefixEntry.getValue();
/**
 * Classifies a SID as a user account rather than a group. The visible checks recognize exact
 * GROUP_SIDS members, GROUP_SID_PREFIX prefixes, and "S-1-5"-prefixed SIDs ending in a
 * DOMAIN_GROUP_SID_SUFFIX; the return statements are not part of this listing (presumably
 * {@code false} for those matches and {@code true} otherwise — confirm in the full source).
 *
 * @param sid the SID string; a trailing SPECIAL_WINDOWS_BACK_UP_POSTFIX is ignored
 * @return true for a user SID
 */
195 static boolean isWindowsUserSid(String sid) {
197 String tempSID = stripWindowsBackupPostfix(sid);
// Exact-match well-known groups.
199 if (GROUP_SIDS.contains(tempSID)) {
// Prefix-based groups (same loose startsWith() caveat as SPECIAL_SID_PREFIXES_MAP).
203 for (String prefix: GROUP_SID_PREFIX) {
204 if (tempSID.startsWith(prefix)) {
// Domain groups are recognized by RID suffix, but only under the NT authority.
// NOTE(review): endsWith(suffix) is only sound if every member of DOMAIN_GROUP_SID_SUFFIX
// starts with '-' (e.g. "-512"); a bare "512" would also match a RID such as 1512 — worth
// confirming against the set's members, which this listing does not show.
210 if (tempSID.startsWith(DOMAIN_SID_PREFIX)) {
211 for (String suffix : DOMAIN_GROUP_SID_SUFFIX) {
212 if (tempSID.endsWith(suffix)) {
/**
 * Derives the realm (host or domain) address for a Windows SID: special accounts map to
 * SPECIAL_WINDOWS_REALM_ADDR, otherwise the realm is the SID with its last '-'-separated
 * segment (the RID) removed. The declaration of {@code realmAddr}, the else branch and the
 * return statement are not part of this listing.
 *
 * @param sid the SID string; a trailing SPECIAL_WINDOWS_BACK_UP_POSTFIX is ignored
 * @return the realm address for the SID
 * @throws TskCoreException if the SID is not special and has fewer than four '-' separators
 */
235 public static String getWindowsRealmAddress(String sid)
throws TskCoreException {
238 String tempSID = stripWindowsBackupPostfix(sid);
// The realm literal is accepted as input so already-converted realms round-trip.
// NOTE(review): || evaluates left to right, so isWindowsSpecialSid() runs on the literal first;
// from the visible lines of that method its substring(0, indexOf('-')) step has no '-' to find
// in "SPECIAL_WINDOWS_ACCOUNTS" (unless a guard is among the lines omitted here). Swapping the
// operands — `tempSID.equals(SPECIAL_WINDOWS_REALM_ADDR) || isWindowsSpecialSid(tempSID)` —
// makes the equals() shortcut effective regardless.
241 if (isWindowsSpecialSid(tempSID) || tempSID.equals(SPECIAL_WINDOWS_REALM_ADDR)) {
242 realmAddr = SPECIAL_WINDOWS_REALM_ADDR;
// Shape check: a host/domain SID needs at least "S-1-5-x-RID", i.e. four separators.
// NOTE(review): counting '-' accepts any four-dash string from the image; a pattern such as
// ^S-1-\d+(-\d+){2,}$ would reject non-numeric segments before they reach the parsing code.
245 if (
org.apache.commons.lang3.StringUtils.countMatches(tempSID,
"-") < 4) {
246 throw new TskCoreException(String.format(
"Invalid SID %s for a host/domain", tempSID));
// Everything before the last separator is the realm.
// NOTE(review): the index is computed on tempSID but applied to the original sid; the two only
// agree because stripping removes a suffix — using tempSID for both removes the coupling.
249 realmAddr = sid.substring(0, tempSID.lastIndexOf(
'-'));
263 private static String stripWindowsBackupPostfix(String sid) {
264 String tempSID = sid;
266 if(tempSID.endsWith(SPECIAL_WINDOWS_BACK_UP_POSTFIX)) {
267 tempSID = tempSID.replace(SPECIAL_WINDOWS_BACK_UP_POSTFIX,
"");