Fixed problem with local users that are deleted since they logged in

lkarlslund · Nov 5, 2021 · 4a17008 · 4a17008
1 parent de15566
commit 4a17008
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/modules/integrations/localmachine/analyze/analyzer.go b/modules/integrations/localmachine/analyze/analyzer.go
@@ -250,10 +250,14 @@ func ImportCollectorInfo(cinfo localmachine.Info, ao *engine.Objects) error {
 			usersid = localsid.AddComponent(usersid.RID())
 		}
 
-		user, _ := ao.FindOrAdd(
+		user, _ := ao.MergeOrAdd(
 			activedirectory.ObjectSid, engine.AttributeValueSID(usersid),
-			engine.DownLevelLogonName, engine.AttributeValueString(login.Name),
 		)
+
+		if !strings.HasSuffix(login.Name, "\\") {
+			user.Set(engine.DownLevelLogonName, engine.AttributeValueString(login.Name))
+		}
+
 		computerobject.Pwns(user, PwnLocalSessionLastDay)
 	}
 
@@ -272,10 +276,14 @@ func ImportCollectorInfo(cinfo localmachine.Info, ao *engine.Objects) error {
 			usersid = localsid.AddComponent(usersid.RID())
 		}
 
-		user, _ := ao.FindOrAdd(
+		user, _ := ao.MergeOrAdd(
 			activedirectory.ObjectSid, engine.AttributeValueSID(usersid),
-			engine.DownLevelLogonName, engine.AttributeValueString(login.Name),
 		)
+
+		if !strings.HasSuffix(login.Name, "\\") {
+			user.Set(engine.DownLevelLogonName, engine.AttributeValueString(login.Name))
+		}
+
 		computerobject.Pwns(user, PwnLocalSessionLastWeek)
 	}
 
@@ -294,10 +302,14 @@ func ImportCollectorInfo(cinfo localmachine.Info, ao *engine.Objects) error {
 			usersid = localsid.AddComponent(usersid.RID())
 		}
 
-		user, _ := ao.FindOrAdd(
+		user, _ := ao.MergeOrAdd(
 			activedirectory.ObjectSid, engine.AttributeValueSID(usersid),
-			engine.DownLevelLogonName, engine.AttributeValueString(login.Name),
 		)
+
+		if !strings.HasSuffix(login.Name, "\\") {
+			user.Set(engine.DownLevelLogonName, engine.AttributeValueString(login.Name))
+		}
+
 		computerobject.Pwns(user, PwnLocalSessionLastMonth)
 	}