Added a few more special SIDs.

fccfa5ee · Raman Arora · 4cbb50b3 · fccfa5ee · fccfa5ee
Commit fccfa5ee authored 3 years ago by Raman Arora
--- a/bindings/java/src/org/sleuthkit/datamodel/WindowsAccountUtils.java
+++ b/bindings/java/src/org/sleuthkit/datamodel/WindowsAccountUtils.java
@@ -23,6 +23,7 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Optional;
 import java.util.Set;
 /**
@@ -76,7 +77,8 @@ final class WindowsAccountUtils {
 	// Any SIDs with the following prefixes are group SID and should be excluded.
 	private static final Set<String> GROUP_SID_PREFIX = ImmutableSet.of(
-			"S-1-5-32"		// Builtin
+			"S-1-5-32",		// Builtin
+			"S-1-5-87"		// Task ID prefix
 	);
@@ -121,10 +123,11 @@ final class WindowsAccountUtils {
 			.build();
 	private static final Map<String, String> SPECIAL_SID_PREFIXES_MAP = ImmutableMap.<String, String>builder() 
-			.put("S-1-5-80", "All Services")
+			.put("S-1-5-80", "Service Virtual Account")
-			.put("S-1-5-82", "IIS AppPool")
+			.put("S-1-5-82", "IIS AppPool Virtual Account")
 			.put("S-1-5-83", "Virtual Machine Virtual Account")
 			.put("S-1-5-90", "Window Manager Virtual Account")
+			.put("S-1-5-94", "WinRM Virtual accountt")
 			.put("S-1-5-96", "Font Driver Host Virtual Account")
 			.build();
@@ -146,6 +149,16 @@ static boolean isWindowsSpecialSid(String sid) {
 				return true;
 			}
 		}
+		// All the prefixes in the range S-1-5-80 to S-1-5-111 are special
+		tempSID = tempSID.replaceFirst(DOMAIN_SID_PREFIX + "-", "");
+		String subAuthStr = tempSID.substring(0, tempSID.indexOf('-'));
+		Integer subAuth = Optional.ofNullable(subAuthStr).map(Integer::valueOf).orElse(0);
+		if (subAuth >= 80 && subAuth <= 111) {
+			return true;
+		}
 		return false;
 	}

--- a/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java
+++ b/bindings/java/test/org/sleuthkit/datamodel/OsAccountTest.java
@@ -713,7 +713,13 @@ public void windowsSpecialAccountTests() throws TskCoreException, OsAccountManag
 				String specialSid3 = "S-1-5-90-0-2";
 				String specialSid4 = "S-1-5-96-0-3";
+				// All accounts in the range S-1-5-80 to S-1-5-111 are special and should be created with SPECIAL_WINDOWS_REALM_ADDR
+				String specialSid5 = "S-1-5-99-0-3";
+				String specialSid6 = "S-1-5-100-0-3";
+				String specialSid7 = "S-1-5-111-0-3";
+				String specialSid8 = "S-1-5-112-0-3"; // NOT SPECIAL SID
+				String specialSid9 = "S-1-5-79-0-3"; // NOT SPECIAL SID
 				OsAccount specialAccount1 = caseDB.getOsAccountManager().newWindowsOsAccount(specialSid1, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN);
 				OsAccount specialAccount2 = caseDB.getOsAccountManager().newWindowsOsAccount(specialSid2, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN);
 				OsAccount specialAccount3 = caseDB.getOsAccountManager().newWindowsOsAccount(specialSid3, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN);
@@ -726,7 +732,18 @@ public void windowsSpecialAccountTests() throws TskCoreException, OsAccountManag
 				assertEquals(caseDB.getOsAccountRealmManager().getRealmByRealmId(specialAccount4.getRealmId()).getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), true);
-			}
+				OsAccount specialAccount5 = caseDB.getOsAccountManager().newWindowsOsAccount(specialSid5, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN);
+				OsAccount specialAccount6 = caseDB.getOsAccountManager().newWindowsOsAccount(specialSid6, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN);
+				OsAccount specialAccount7 = caseDB.getOsAccountManager().newWindowsOsAccount(specialSid7, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN);
+				OsAccount specialAccount8 = caseDB.getOsAccountManager().newWindowsOsAccount(specialSid8, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN);
+				OsAccount specialAccount9 = caseDB.getOsAccountManager().newWindowsOsAccount(specialSid9, null, null, host4, OsAccountRealm.RealmScope.UNKNOWN);
+				assertEquals(caseDB.getOsAccountRealmManager().getRealmByRealmId(specialAccount5.getRealmId()).getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), true);
+				assertEquals(caseDB.getOsAccountRealmManager().getRealmByRealmId(specialAccount6.getRealmId()).getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), true);
+				assertEquals(caseDB.getOsAccountRealmManager().getRealmByRealmId(specialAccount7.getRealmId()).getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), true);
+				assertEquals(caseDB.getOsAccountRealmManager().getRealmByRealmId(specialAccount8.getRealmId()).getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), false);  // specialSid8 is NOT special.
+				assertEquals(caseDB.getOsAccountRealmManager().getRealmByRealmId(specialAccount9.getRealmId()).getRealmAddr().orElse("").equalsIgnoreCase(SPECIAL_WINDOWS_REALM_ADDR), false);  // specialSid9 is NOT special.
+		}
 			// TEST: create accounts with a invalid user SIDs - these should generate an exception
 			{