From 4a17008762171deb8f3848cc56d8269f7c41f136 Mon Sep 17 00:00:00 2001
From: Lars Karlslund
Date: Fri, 5 Nov 2021 14:34:43 +0100
Subject: [PATCH] Fixed problem with local users that are deleted since they logged in
---
 .../localmachine/analyze/analyzer.go | 24 ++++++++++++++-----
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/modules/integrations/localmachine/analyze/analyzer.go b/modules/integrations/localmachine/analyze/analyzer.go
index 141be45..6e1fb32 100644
--- a/modules/integrations/localmachine/analyze/analyzer.go
+++ b/modules/integrations/localmachine/analyze/analyzer.go
@@ -250,10 +250,14 @@ func ImportCollectorInfo(cinfo localmachine.Info, ao *engine.Objects) error {
 usersid = localsid.AddComponent(usersid.RID())
 }
- user, _ := ao.FindOrAdd(
+ user, _ := ao.MergeOrAdd(
 activedirectory.ObjectSid, engine.AttributeValueSID(usersid),
- engine.DownLevelLogonName, engine.AttributeValueString(login.Name),
 )
+
+ if !strings.HasSuffix(login.Name, "\\") {
+ user.Set(engine.DownLevelLogonName, engine.AttributeValueString(login.Name))
+ }
+
 computerobject.Pwns(user, PwnLocalSessionLastDay)
 }
@@ -272,10 +276,14 @@ func ImportCollectorInfo(cinfo localmachine.Info, ao *engine.Objects) error {
 usersid = localsid.AddComponent(usersid.RID())
 }
- user, _ := ao.FindOrAdd(
+ user, _ := ao.MergeOrAdd(
 activedirectory.ObjectSid, engine.AttributeValueSID(usersid),
- engine.DownLevelLogonName, engine.AttributeValueString(login.Name),
 )
+
+ if !strings.HasSuffix(login.Name, "\\") {
+ user.Set(engine.DownLevelLogonName, engine.AttributeValueString(login.Name))
+ }
+
 computerobject.Pwns(user, PwnLocalSessionLastWeek)
 }
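Review bot: The guard in front of `user.Set` rejects only names that end in a backslash, so an empty `login.Name` still passes and is stored as the DownLevelLogonName; `if login.Name != "" && !strings.HasSuffix(login.Name, "\\") {` would cover both cases. Because the object now comes from `ao.MergeOrAdd` keyed on the SID alone, `user.Set` may also replace a logon name already present on an existing object with whatever this machine recorded, if Set overwrites rather than appends; that is worth confirming against the engine. The same lines recur in the LastWeek and LastMonth hunks. ImportCollectorInfo starts and ends outside the hunk.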
@@ -294,10 +302,14 @@ func ImportCollectorInfo(cinfo localmachine.Info, ao *engine.Objects) error {
 usersid = localsid.AddComponent(usersid.RID())
 }
- user, _ := ao.FindOrAdd(
+ user, _ := ao.MergeOrAdd(
 activedirectory.ObjectSid, engine.AttributeValueSID(usersid),
- engine.DownLevelLogonName, engine.AttributeValueString(login.Name),
 )
+
+ if !strings.HasSuffix(login.Name, "\\") {
+ user.Set(engine.DownLevelLogonName, engine.AttributeValueString(login.Name))
+ }
+
 computerobject.Pwns(user, PwnLocalSessionLastMonth)
 }
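Review bot: Nothing at the `strings.HasSuffix(login.Name, "\\")` guard says why a trailing backslash is special, and this is the third copy of the same six added lines (the LastDay and LastWeek hunks carry the other two). Going by the commit subject it presumably marks a SID that no longer resolves to an account name; a comment above the `if` such as `// name ends in "\" when the SID no longer resolves (account deleted after logon); keep the SID-only object` would record that. Moving the repeated lines into one small helper in this package would let the comment and any later fix live in one place. ImportCollectorInfo's body continues outside the hunk.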