Windows Plugin APIs
The Windows plugin (win_plugin) reads data from Active Directory and from individual Windows servers. Once the plugin is configured as an actor, every actor object exposes the functions below. All examples call them on an actor named win from the Baz shell and pretty-print the result with JSON.stringify.
GetRootDomain()
Returns the crossRef object of the forest root domain from the Partitions container of the Configuration naming context: its cn, dn, nCName (the naming context of the domain itself) and the rest of its attributes. It takes no parameters.
Example
JSON.stringify(win.GetRootDomain(), null, 2);
Output
[
{
attributes: {
objectClass: ["top", "crossRef"],
distinguishedName:
"CN=CORP,CN=Partitions,CN=Configuration,DC=corp,DC=bazc,DC=com",
uSNCreated: 4118,
nETBIOSName: "CORP",
dSCorePropagationData: ["1601-01-01T00:00:00+00:00"],
uSNChanged: 12728,
showInAdvancedViewOnly: true,
objectGUID: "{89f93bd6-bd74-4f0b-8628-fc4f761cd97f}",
dnsRoot: ["corp.bazc.com"],
objectCategory:
"CN=Cross-Ref,CN=Schema,CN=Configuration,DC=corp,DC=bazc,DC=com",
"msDS-Behavior-Version": 7,
cn: "CORP",
instanceType: 4,
whenCreated: "2023-02-10T12:01:49+00:00",
nCName: "DC=corp,DC=bazc,DC=com",
nTMixedDomain: 0,
systemFlags: 3,
whenChanged: "2023-02-10T12:09:55+00:00",
name: "CORP",
},
dn: "CN=CORP,CN=Partitions,CN=Configuration,DC=corp,DC=bazc,DC=com",
},
];
GetDomainList()
Returns one entry per domain in the forest, including child domains, with each domain's naming context (nCName), DNS name, NetBIOS name and the DN of its crossRef object. It takes no parameters.
Example
JSON.stringify(win.GetDomainList(), null, 2);
Output
[
{
nCName: "DC=corp,DC=bazc,DC=com",
dnsRoot: ["corp.bazc.com"],
netBIOSName: "CORP",
DN: "CN=CORP,CN=Partitions,CN=Configuration,DC=corp,DC=bazc,DC=com",
},
];
GetDCList(domain)
Returns the DNS host names of all domain controllers in the given domain.
Name | Type | Description |
---|---|---|
domain | String | The DNS name of the domain, e.g. corp.bazc.com |
Example
JSON.stringify(win.GetDCList("corp.bazc.com"), null, 2);
Output
["Srv2.corp.bazc.com", "Srv3.corp.bazc.com"];
GetMSList(domain)
Returns the DNS host names of the given domain's member computers, i.e. domain-joined servers that are not domain controllers.
Name | Type | Description |
---|---|---|
domain | String | The DNS name of the domain, e.g. corp.bazc.com |
Example
JSON.stringify(win.GetMSList("corp.bazc.com"), null, 2);
Output
["Srv1.corp.bazc.com"];
GetServerRSoP(server)
Returns the Resultant Set of Policy (RSoP) for the security settings in effect on the server: user rights assignments, registry-backed security options and local account settings, as produced by the combination of local security policy and the Group Policy objects applied to the server. User rights are keyed by their constant names (for example SeDebugPrivilege) and list the principals that hold them; registry-backed settings are keyed by their policy path.
Name | Type | Description |
---|---|---|
server | String | The DNS name of the server, e.g., Srv2.corp.bazc.com |
Example
JSON.stringify(win.GetServerRSoP("Srv2.corp.bazc.com"), null, 2);
Output
{
"RSoP": {
"UserRightsAssignment": {
"SeMachineAccountPrivilege": [
"NT AUTHORITY\\Authenticated Users"
],
"SeRemoteInteractiveLogonRight": [
"Administrators",
"CORP\\abhispra",
"CORP\\Administrator",
"Remote Desktop Users"
],
"SeSecurityPrivilege": [
"Administrators",
"CORP\\Exchange Servers"
],
"SeEnableDelegationPrivilege": [
"Administrators"
],
"SeIncreaseQuotaPrivilege": [
"IIS APPPOOL\\DefaultAppPool",
"Administrators",
"NT AUTHORITY\\NETWORK SERVICE",
"NT AUTHORITY\\LOCAL SERVICE",
"IIS APPPOOL\\OCSPISAPIAppPool"
],
"SeSystemtimePrivilege": [
"Server Operators",
"Administrators",
"NT AUTHORITY\\LOCAL SERVICE"
],
"SeAuditPrivilege": [
"IIS APPPOOL\\DefaultAppPool",
"NT AUTHORITY\\NETWORK SERVICE",
"NT AUTHORITY\\LOCAL SERVICE",
"IIS APPPOOL\\OCSPISAPIAppPool"
],
"SeLoadDriverPrivilege": [
"Print Operators",
"Administrators"
],
"SeNetworkLogonRight": [
"Administrators",
"NT AUTHORITY\\Authenticated Users",
"CORP\\abhispra",
"CORP\\Domain Computers",
"NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
"Remote Desktop Users",
"Remote Management Users"
],
"SeProfileSingleProcessPrivilege": [
"Administrators"
],
"SeShutdownPrivilege": [
"Print Operators",
"Server Operators",
"Backup Operators",
"Administrators"
],
"SeSystemProfilePrivilege": [
"NT SERVICE\\WdiServiceHost",
"Administrators"
],
"SeTakeOwnershipPrivilege": [
"Administrators"
],
"SeAssignPrimaryTokenPrivilege": [
"IIS APPPOOL\\DefaultAppPool",
"NT AUTHORITY\\NETWORK SERVICE",
"NT AUTHORITY\\LOCAL SERVICE",
"IIS APPPOOL\\OCSPISAPIAppPool"
],
"SeDebugPrivilege": [
"Administrators"
],
"SeIncreaseBasePriorityPrivilege": [
"Window Manager\\Window Manager Group",
"Administrators"
],
"SeRestorePrivilege": [
"Server Operators",
"Backup Operators",
"Administrators"
],
"SeSystemEnvironmentPrivilege": [
"Administrators"
]
},
"Registry": {
"machine\\system\\currentcontrolset\\control\\lsa\\auditbaseobjects": 1,
"machine\\system\\currentcontrolset\\services\\ntds\\parameters\\ldapserverintegrity": 1,
"machine\\system\\currentcontrolset\\services\\netlogon\\parameters\\requiresignorseal": 1,
"machine\\system\\currentcontrolset\\services\\lanmanserver\\parameters\\requiresecuritysignature": 1,
"machine\\system\\currentcontrolset\\services\\lanmanserver\\parameters\\enablesecuritysignature": 1
},
"LocalAccount": {
"EnableGuestAccount": 1
}
}
}
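An added example of what to do with the result (this is not code from the win_plugin project): audit a GetServerRSoP() object for rights held by principals outside a baseline, registry-backed policies with a weaker value than expected, and an enabled Guest account. The baselines (acceptable holders per right, expected registry values) are this example's own assumptions, and SAMPLE_RSOP is a constructed, trimmed copy of the sample output above.

```javascript
// Added example; not code from the win_plugin project. It audits the object
// returned by GetServerRSoP() for settings a reviewer usually checks first.
// The baselines below are this example's assumptions, not plugin values.

// Rights worth reviewing, with the holders this example accepts by default.
const SENSITIVE_RIGHTS = {
  SeDebugPrivilege: ["Administrators"],
  SeTakeOwnershipPrivilege: ["Administrators"],
  SeRestorePrivilege: ["Administrators", "Backup Operators", "Server Operators"],
  SeLoadDriverPrivilege: ["Administrators", "Print Operators"],
  SeEnableDelegationPrivilege: ["Administrators"],
  SeSecurityPrivilege: ["Administrators"],
  SeRemoteInteractiveLogonRight: ["Administrators", "Remote Desktop Users"],
  SeMachineAccountPrivilege: [], // every holder can join computers to the domain
};

// Registry-backed policies (keys exactly as the plugin returns them, lower
// case) and the value expected on a hardened server.
const REGISTRY_EXPECTED = {
  "machine\\system\\currentcontrolset\\services\\lanmanserver\\parameters\\requiresecuritysignature":
    { want: 1, text: "SMB server signing not required" },
  "machine\\system\\currentcontrolset\\services\\netlogon\\parameters\\requiresignorseal":
    { want: 1, text: "Netlogon secure channel signing and sealing not required" },
  "machine\\system\\currentcontrolset\\services\\ntds\\parameters\\ldapserverintegrity":
    { want: 2, text: "LDAP server signing not required (1 = none, 2 = require signing)" },
};

// Returns a list of findings; an empty list means nothing stood out.
function auditRsop(result) {
  const rsop = result.RSoP || {};
  const findings = [];

  const rights = rsop.UserRightsAssignment || {};
  for (const [right, baseline] of Object.entries(SENSITIVE_RIGHTS)) {
    const extra = (rights[right] || []).filter((p) => !baseline.includes(p));
    if (extra.length > 0) {
      findings.push({ area: "UserRightsAssignment", item: right, detail: extra.join(", ") });
    }
  }

  const reg = rsop.Registry || {};
  for (const [path, rule] of Object.entries(REGISTRY_EXPECTED)) {
    if (!(path in reg)) {
      findings.push({ area: "Registry", item: path, detail: "not set by policy" });
    } else if (reg[path] !== rule.want) {
      findings.push({ area: "Registry", item: path, detail: rule.text });
    }
  }

  if ((rsop.LocalAccount || {}).EnableGuestAccount === 1) {
    findings.push({ area: "LocalAccount", item: "EnableGuestAccount", detail: "Guest account enabled" });
  }
  return findings;
}

// Constructed input: a trimmed copy of the GetServerRSoP() sample output above.
const SAMPLE_RSOP = {
  RSoP: {
    UserRightsAssignment: {
      SeMachineAccountPrivilege: ["NT AUTHORITY\\Authenticated Users"],
      SeRemoteInteractiveLogonRight: ["Administrators", "CORP\\abhispra", "CORP\\Administrator", "Remote Desktop Users"],
      SeSecurityPrivilege: ["Administrators", "CORP\\Exchange Servers"],
      SeEnableDelegationPrivilege: ["Administrators"],
      SeDebugPrivilege: ["Administrators"],
      SeRestorePrivilege: ["Server Operators", "Backup Operators", "Administrators"],
    },
    Registry: {
      "machine\\system\\currentcontrolset\\control\\lsa\\auditbaseobjects": 1,
      "machine\\system\\currentcontrolset\\services\\ntds\\parameters\\ldapserverintegrity": 1,
      "machine\\system\\currentcontrolset\\services\\netlogon\\parameters\\requiresignorseal": 1,
      "machine\\system\\currentcontrolset\\services\\lanmanserver\\parameters\\requiresecuritysignature": 1,
      "machine\\system\\currentcontrolset\\services\\lanmanserver\\parameters\\enablesecuritysignature": 1,
    },
    LocalAccount: { EnableGuestAccount: 1 },
  },
};

// In the Baz shell, pass win.GetServerRSoP("Srv2.corp.bazc.com") instead.
const rsopFindings = auditRsop(SAMPLE_RSOP);
JSON.stringify(rsopFindings, null, 2);
```

On the sample above this yields five findings: CORP\Exchange Servers holding SeSecurityPrivilege, the two CORP accounts with remote interactive logon, Authenticated Users holding SeMachineAccountPrivilege, LDAP server signing not required, and the enabled Guest account. A missing registry policy is reported separately from a wrong value, since "not configured" usually means the default applies and needs to be checked on the host.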
GetServerProperties(server)
Returns the server's properties: the computer account's Active Directory attributes (dn, samAccountName, userAccountControl), the installed Windows roles and features, operating system details and the server type.
Name | Type | Description |
---|---|---|
server | String | The DNS name of the server, e.g., Srv2.corp.bazc.com |
Example
JSON.stringify(win.GetServerProperties("Srv2.corp.bazc.com"), null, 2);
Output
{
"Name": "Srv2.corp.bazc.com",
"Attributes": {
"dnsHostName": "Srv2.corp.bazc.com",
"userAccountControl": 532480,
"roles": [
"AD-Certificate",
"ADCS-Cert-Authority",
"ADCS-Enroll-Web-Pol",
"ADCS-Online-Cert",
"AD-Domain-Services",
"ADLDS",
"DNS",
"FileAndStorage-Services",
"File-Services",
"FS-FileServer",
"Storage-Services",
"Web-Server",
"Web-WebServer",
"Web-Common-Http",
"Web-Default-Doc",
"Web-Dir-Browsing",
"Web-Http-Errors",
"Web-Static-Content",
"Web-Http-Redirect",
"Web-Health",
"Web-Http-Logging",
"Web-Log-Libraries",
"Web-Request-Monitor",
"Web-Http-Tracing",
"Web-Performance",
"Web-Stat-Compression",
"Web-Security",
"Web-Filtering",
"Web-Client-Auth",
"Web-Cert-Auth",
"Web-Windows-Auth",
"Web-App-Dev",
"Web-Net-Ext45",
"Web-ASP",
"Web-Asp-Net45",
"Web-ISAPI-Ext",
"Web-ISAPI-Filter",
"Web-Mgmt-Tools",
"Web-Mgmt-Console",
"Web-Mgmt-Compat",
"Web-Metabase",
"Web-Scripting-Tools",
"NET-Framework-45-Features",
"NET-Framework-45-Core",
"NET-Framework-45-ASPNET",
"NET-WCF-Services45",
"NET-WCF-HTTP-Activation45",
"NET-WCF-TCP-PortSharing45",
"GPMC",
"Windows-Defender",
"RSAT",
"RSAT-Role-Tools",
"RSAT-AD-Tools",
"RSAT-AD-PowerShell",
"RSAT-ADDS",
"RSAT-AD-AdminCenter",
"RSAT-ADDS-Tools",
"RSAT-ADLDS",
"RSAT-ADCS",
"RSAT-ADCS-Mgmt",
"RSAT-Online-Responder",
"RSAT-DNS-Server",
"System-DataArchiver",
"PowerShellRoot",
"PowerShell",
"WAS",
"WAS-Process-Model",
"WAS-Config-APIs",
"WoW64-Support",
"XPS-Viewer"
],
"dn": "CN=SRV2,OU=Domain Controllers,DC=corp,DC=bazc,DC=com",
"domain": "corp.bazc.com",
"samAccountName": "SRV2$",
"OS": {
"DisplayVersion": "21H2",
"Name": "Windows Server 2022 Datacenter Evaluation",
"Edition": "ServerDatacenterEval",
"Type": "Server",
"MajorVersion": 10,
"MinorVersion": 0,
"Build": "20348",
"Release": "2009"
},
"cn": "SRV2",
"type": "Domain Controller"
}
}
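An added example, not code from the win_plugin project, that chains GetDomainList(), GetDCList(), GetMSList() and GetServerProperties() into a single inventory of the forest and decodes each computer account's userAccountControl with the documented Windows bit values. fakeWin is a constructed stand-in for the win actor that returns this page's sample outputs for Srv2 (roles trimmed) plus two invented hosts, Srv3 and Srv1; the type string "Member Server" for a non-DC is an assumption, since the page only shows "Domain Controller". In the Baz shell, call inventory(win).

```javascript
// Added example; not code from the win_plugin project. Walks every domain,
// lists its DCs and member servers, fetches their properties and decodes
// userAccountControl. `fakeWin` is a constructed stand-in for the `win` actor.

// userAccountControl bits (documented Windows values).
const UAC = {
  ACCOUNTDISABLE: 0x0002,
  WORKSTATION_TRUST_ACCOUNT: 0x1000,
  SERVER_TRUST_ACCOUNT: 0x2000,
  TRUSTED_FOR_DELEGATION: 0x80000,
  TRUSTED_TO_AUTH_FOR_DELEGATION: 0x1000000,
};

function decodeUac(value) {
  return Object.keys(UAC).filter((name) => (value & UAC[name]) !== 0);
}

// Roles a reviewer wants surfaced regardless of server type.
const NOTABLE_ROLES = ["AD-Domain-Services", "ADCS-Cert-Authority", "ADCS-Online-Cert", "ADLDS", "DNS", "Web-Server"];

function inventory(winApi) {
  const rows = [];
  for (const domain of winApi.GetDomainList()) {
    const dnsName = domain.dnsRoot[0];
    const hosts = [
      ...winApi.GetDCList(dnsName).map((h) => ({ host: h, listedAs: "DC" })),
      ...winApi.GetMSList(dnsName).map((h) => ({ host: h, listedAs: "member" })),
    ];
    for (const { host, listedAs } of hosts) {
      const a = winApi.GetServerProperties(host).Attributes;
      const flags = decodeUac(a.userAccountControl);
      rows.push({
        domain: dnsName,
        host,
        listedAs,
        type: a.type,
        os: `${a.OS.Name} ${a.OS.DisplayVersion} build ${a.OS.Build}`,
        uacFlags: flags,
        // DCs always carry TRUSTED_FOR_DELEGATION; on any other computer it
        // means unconstrained delegation and deserves a closer look.
        unconstrainedDelegationOnNonDc:
          flags.includes("TRUSTED_FOR_DELEGATION") && a.type !== "Domain Controller",
        notableRoles: a.roles.filter((r) => NOTABLE_ROLES.includes(r)),
      });
    }
  }
  return rows;
}

// Constructed stand-in data. Srv2 is this page's sample (roles trimmed);
// Srv3 and Srv1 are invented, and "Member Server" is an assumed type string.
const SAMPLE_PROPS = {
  "Srv2.corp.bazc.com": {
    userAccountControl: 532480, // SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
    roles: ["AD-Certificate", "ADCS-Cert-Authority", "ADCS-Online-Cert", "AD-Domain-Services", "ADLDS", "DNS", "Web-Server"],
    OS: { Name: "Windows Server 2022 Datacenter Evaluation", DisplayVersion: "21H2", Build: "20348" },
    type: "Domain Controller",
  },
  "Srv3.corp.bazc.com": {
    userAccountControl: 532480,
    roles: ["AD-Domain-Services", "DNS"],
    OS: { Name: "Windows Server 2022 Datacenter Evaluation", DisplayVersion: "21H2", Build: "20348" },
    type: "Domain Controller",
  },
  "Srv1.corp.bazc.com": {
    userAccountControl: 528384, // WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
    roles: ["Web-Server", "FileAndStorage-Services"],
    OS: { Name: "Windows Server 2022 Datacenter Evaluation", DisplayVersion: "21H2", Build: "20348" },
    type: "Member Server",
  },
};
const fakeWin = {
  GetDomainList: () => [{ nCName: "DC=corp,DC=bazc,DC=com", dnsRoot: ["corp.bazc.com"], netBIOSName: "CORP" }],
  GetDCList: () => ["Srv2.corp.bazc.com", "Srv3.corp.bazc.com"],
  GetMSList: () => ["Srv1.corp.bazc.com"],
  GetServerProperties: (host) => ({ Name: host, Attributes: SAMPLE_PROPS[host] }),
};

const serverRows = inventory(fakeWin); // inventory(win) in the Baz shell
JSON.stringify(serverRows, null, 2);
```

The sample DC's value 532480 decodes to SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION, which is normal for a domain controller; the same bit on the invented member server Srv1 is what the unconstrainedDelegationOnNonDc column is there to catch.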
GetObjList(domain, base, filter, scope, attributes)
Searches Active Directory objects under the specified base DN using the given LDAP filter and scope, and returns an array of matching objects, each with its dn and the requested attributes.
Name | Type | Description |
---|---|---|
domain | String | The DNS name of the domain, e.g. corp.bazc.com |
base | String | The base DN of the search in LDAP format. |
filter | String | The LDAP filter for this search. |
scope | String | The scope of the search: base (the base object only), one (its immediate children) or sub (the whole subtree). |
attributes | String[] | The attributes to return, or ["*"] for all attributes. |
Example
JSON.stringify(
win.GetObjList(
"corp.bazc.com",
"CN=Freddy,CN=Users,DC=corp,DC=bazc,DC=com",
"(objectClass=Person)",
"base",
["*"]
),
null,
2
);
Output
[
{
dn: "CN=freddy,CN=Users,DC=corp,DC=bazc,DC=com",
attributes: {
pwdLastSet: "2023-04-12T12:34:16.155022+00:00",
logonCount: 11,
sAMAccountType: 805306368,
lastLogonTimestamp: "2023-04-12T12:34:48.369200+00:00",
givenName: "freddy",
whenChanged: "2023-04-12T12:34:48+00:00",
cn: "freddy",
memberOf: [
"CN=Remote Management Users,CN=Builtin,DC=corp,DC=bazc,DC=com",
"CN=Remote Desktop Users,CN=Builtin,DC=corp,DC=bazc,DC=com",
],
userAccountControl: 512,
sAMAccountName: "freddy",
name: "freddy",
countryCode: 0,
accountExpires: "9999-12-31T23:59:59.999999+00:00",
whenCreated: "2023-02-15T01:27:01+00:00",
objectGUID: "{b90c057f-e080-49ae-93a0-a75de87fff22}",
userPrincipalName: "freddy@corp.bazc.com",
displayName: "freddy",
badPasswordTime: "1601-01-01T00:00:00+00:00",
lastLogon: "2023-04-13T18:17:14.042213+00:00",
dSCorePropagationData: [
"2023-03-06T10:50:52+00:00",
"2023-03-06T10:06:37+00:00",
"2023-02-23T09:03:48+00:00",
"1601-01-01T00:00:00+00:00",
],
distinguishedName: "CN=freddy,CN=Users,DC=corp,DC=bazc,DC=com",
instanceType: 4,
uSNCreated: 86155,
badPwdCount: 0,
lastLogoff: "1601-01-01T00:00:00+00:00",
primaryGroupID: 513,
objectCategory:
"CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=bazc,DC=com",
objectClass: ["top", "person", "organizationalPerson", "user"],
uSNChanged: 319664,
codePage: 0,
objectSid: "S-1-5-21-441460659-1755299167-613300733-1104",
adminCount: 1,
},
},
];
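Because GetObjList() takes the filter as a raw string, any value a caller interpolates into it must be escaped as RFC 4515 requires; otherwise an input such as "*)(objectClass=*" rewrites the query. The following added example (not code from the win_plugin project) shows the escaping, a few filters a reviewer commonly needs, and a small wrapper that derives the search base from the domain name and calls GetObjList() with scope "sub". The filter builders and the default attribute list are this example's own; the matching-rule OID, the userAccountControl bit and the Domain Controllers RID are documented Active Directory values, and deriving the base DN from the DNS name assumes plain DNS labels.

```javascript
// Added example; not code from the win_plugin project. Safe construction of
// LDAP filters for GetObjList(), plus a wrapper that issues the search.

// Escape a value for use inside an LDAP filter (RFC 4515 section 3):
// backslash, asterisk, parentheses and NUL become \XX hex escapes.
function ldapEscape(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) =>
    "\\" + ch.charCodeAt(0).toString(16).padStart(2, "0"));
}

const LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"; // bitwise AND
const UAC_TRUSTED_FOR_DELEGATION = 524288; // 0x80000
const RID_DOMAIN_CONTROLLERS = 516;

// Exact-match lookup of one user by sAMAccountName (caller-supplied value).
function userBySamFilter(sam) {
  return `(&(objectClass=user)(objectCategory=person)(sAMAccountName=${ldapEscape(sam)}))`;
}

// Accounts with unconstrained delegation, excluding domain controllers.
function unconstrainedDelegationFilter() {
  return `(&(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=${UAC_TRUSTED_FOR_DELEGATION})` +
         `(!(primaryGroupID=${RID_DOMAIN_CONTROLLERS})))`;
}

// Users marked by AdminSDHolder protection (adminCount=1), like the sample
// account returned above.
function adminCountFilter() {
  return "(&(objectClass=user)(objectCategory=person)(adminCount=1))";
}

// Attributes this example asks for by default (an assumption, not a plugin default).
const DEFAULT_ATTRS = ["distinguishedName", "sAMAccountName", "userAccountControl", "memberOf", "adminCount"];

// Run a subtree search over the whole domain. Assumes the DNS name consists
// of plain labels, so "corp.bazc.com" becomes "DC=corp,DC=bazc,DC=com".
function runSearch(winApi, domain, filter, attributes = DEFAULT_ATTRS) {
  const base = "DC=" + domain.split(".").join(",DC=");
  return winApi.GetObjList(domain, base, filter, "sub", attributes);
}

// In the Baz shell:
//   runSearch(win, "corp.bazc.com", unconstrainedDelegationFilter());
//   runSearch(win, "corp.bazc.com", userBySamFilter(untrustedInput));
```

ldapEscape("*)(objectClass=*") yields "\2a\29\28objectClass=\2a", so the injected parentheses are treated as literal characters rather than filter syntax. Escaping is only for values inside the filter; base DNs follow the separate RFC 4514 rules, which is why the wrapper builds the base from fixed labels instead of passing the escaper over it.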
GetRegKey(server, regKeyPath)
Returns a registry key from the given server. In the result, Name is the key path that was requested and Attributes maps each value name under the key to its data.
Name | Type | Description |
---|---|---|
server | String | The DNS name of the server, e.g., Srv1.corp.bazc.com |
regKeyPath | String | The path to the registry key, starting with the hive in PowerShell drive notation (HKLM:\\...), as in the example below. |
Example
JSON.stringify(
win.GetRegKey(
"Srv1.corp.bazc.com",
"HKLM:\\Software\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL"
),
null,
2
);
Output
{
"Name": "HKLM:\\Software\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL",
"Attributes": {
"MSSQLSERVER": "MSSQL16.MSSQLSERVER"
}
}