feat: collect ECA RoleSeparation

BloodHoundAD · Apr 26, 2024 · 6c70fcf · 6c70fcf
1 parent c313eed
commit 6c70fcf
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/Runtime/ObjectProcessors.cs b/src/Runtime/ObjectProcessors.cs
@@ -634,6 +634,7 @@ private async Task<EnterpriseCA> ProcessEnterpriseCA(ISearchResultEntry entry, R
                 var cASecurityCollected = false;
                 var enrollmentAgentRestrictionsCollected = false;
                 var isUserSpecifiesSanEnabledCollected = false;
+                var roleSeparationEnabledCollected = false;
                 var caName = entry.GetProperty(LDAPProperties.Name);
                 var dnsHostName = entry.GetProperty(LDAPProperties.DNSHostName);
                 if ((_methods & ResolvedCollectionMethod.CARegistry) != 0 && caName != null && dnsHostName != null)
@@ -650,6 +651,7 @@ private async Task<EnterpriseCA> ProcessEnterpriseCA(ISearchResultEntry entry, R
                     CARegistryData cARegistryData = new()
                     {
                         IsUserSpecifiesSanEnabled = _certAbuseProcessor.IsUserSpecifiesSanEnabled(dnsHostName, caName),
+                        RoleSeparationEnabled = _certAbuseProcessor.RoleSeparationEnabled(dnsHostName, caName),
                         EnrollmentAgentRestrictions = await _certAbuseProcessor.ProcessEAPermissions(caName, resolvedSearchResult.Domain, dnsHostName, ret.HostingComputer),
 
                         // The CASecurity exist in the AD object DACL and in registry of the CA server. We prefer to use the values from registry as they are the ground truth.
@@ -660,12 +662,14 @@ private async Task<EnterpriseCA> ProcessEnterpriseCA(ISearchResultEntry entry, R
                     cASecurityCollected = cARegistryData.CASecurity.Collected;
                     enrollmentAgentRestrictionsCollected = cARegistryData.EnrollmentAgentRestrictions.Collected;
                     isUserSpecifiesSanEnabledCollected = cARegistryData.IsUserSpecifiesSanEnabled.Collected;
+                    roleSeparationEnabledCollected = cARegistryData.RoleSeparationEnabled.Collected;
                     ret.CARegistryData = cARegistryData;
                 }
 
                 ret.Properties.Add("casecuritycollected", cASecurityCollected);
                 ret.Properties.Add("enrollmentagentrestrictionscollected", enrollmentAgentRestrictionsCollected);
                 ret.Properties.Add("isuserspecifiessanenabledcollected", isUserSpecifiesSanEnabledCollected);
+                ret.Properties.Add("roleseparationenabledcollected", roleSeparationEnabledCollected);
             }
 
             return ret;