From 24e749effbccab32df05114584c44b5fa88367bc Mon Sep 17 00:00:00 2001
From: Rohan Vazarkar
Date: Mon, 30 Jan 2023 16:26:09 -0500
Subject: [PATCH] fix: account for weird DNs in deleted objects when getting domain info

---
 src/CommonLib/Helpers.cs | 13 +++++++++++--
 test/unit/LDAPUtilsTest.cs | 19 +++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/CommonLib/Helpers.cs b/src/CommonLib/Helpers.cs
index b5a931e9..77ae2cfc 100644
--- a/src/CommonLib/Helpers.cs
+++ b/src/CommonLib/Helpers.cs
@@ -107,8 +107,17 @@ public static string ConvertGuidToHexGuid(string guid)
 /// String representing the domain name of this object
 public static string DistinguishedNameToDomain(string distinguishedName)
 {
- var idx = distinguishedName.IndexOf("DC=",
- StringComparison.CurrentCultureIgnoreCase);
+ int idx;
+ if (distinguishedName.ToUpper().Contains("DELETED OBJECTS"))
+ {
+ idx = distinguishedName.IndexOf("DC=", 3, StringComparison.Ordinal);
+ }
+ else
+ {
+ idx = distinguishedName.IndexOf("DC=",
+ StringComparison.CurrentCultureIgnoreCase);
+ }
+
 if (idx < 0) return null.
diff --git a/test/unit/LDAPUtilsTest.cs b/test/unit/LDAPUtilsTest.cs
index c68cc132..1d6a295d 100644
--- a/test/unit/LDAPUtilsTest.cs
+++ b/test/unit/LDAPUtilsTest.cs
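Review bot: The deleted-objects branch searches with `StringComparison.Ordinal`, so a DN whose domain components are written as `dc=` now falls through to `return null` where the regular branch would still match them case-insensitively; the hard-coded start index `3` also assumes the DN opens with a three-character `DC=` RDN instead of locating the `CN=Deleted Objects` container it is meant to skip past. Because the search is anchored at offset 3 rather than after the container, a `DC=` appearing inside an RDN value that precedes the container can still be taken as the domain component. Replacing the whole if/else with `var container = distinguishedName.IndexOf("CN=Deleted Objects,", StringComparison.OrdinalIgnoreCase);` followed by `var idx = distinguishedName.IndexOf("DC=", Math.Max(container, 0), StringComparison.OrdinalIgnoreCase);` keeps the fix, restores case-insensitive matching for both paths and drops the `ToUpper()` allocation. The remainder of DistinguishedNameToDomain, which turns the matched position into the returned domain name, lies outside the hunk.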
@@ -108,6 +108,25 @@ public void GetWellKnownPrincipal_WithDomain_ConvertsSID()
 Assert.Equal(Label.Group, typedPrincipal.ObjectType);
 Assert.Equal($"{_testDomainName}-S-1-5-32-544", typedPrincipal.ObjectIdentifier);
 }
+
+ [Fact]
+ public void DistinguishedNameToDomain_RegularObject_CorrectDomain()
+ {
+ var result = SharpHoundCommonLib.Helpers.DistinguishedNameToDomain(
+ "CN=Account Operators,CN=Builtin,DC=testlab,DC=local");
+ Assert.Equal("TESTLAB.LOCAL", result);
+
+ result = SharpHoundCommonLib.Helpers.DistinguishedNameToDomain("DC=testlab,DC=local");
+ Assert.Equal("TESTLAB.LOCAL", result);
+ }
+
+ [Fact]
+ public void DistinguishedNameToDomain_DeletedObjects_CorrectDomain()
+ {
+ var result = SharpHoundCommonLib.Helpers.DistinguishedNameToDomain(
+ @"DC=..Deleted-_msdcs.testlab.local\0ADEL:af1f072f-28d7-4b86-9b87-a408bfc9cb0d,CN=Deleted Objects,DC=testlab,DC=local");
+ Assert.Equal("TESTLAB.LOCAL", result);
+ }
 [Fact]
 public void QueryLDAP_With_Exception()
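Review bot: The new DistinguishedNameToDomain_DeletedObjects_CorrectDomain test exercises only a DN that opens with a `DC=` RDN and has upper-case domain components, which is exactly the shape the offset-3/Ordinal branch in Helpers.cs handles; it does not pin the behaviour for a deleted object whose leading RDN is `CN=`-based, nor for domain components written as `dc=`, and the latter currently returns null from that branch. A further `[Fact]` that lower-cases the domain components of the same DN and asserts `Assert.Equal("TESTLAB.LOCAL", result);`, plus one input of the constructed form `CN=<name>\0ADEL:<guid>,CN=Deleted Objects,DC=testlab,DC=local`, would guard both gaps. Repeating the fully qualified `SharpHoundCommonLib.Helpers.` in every call is noise if the file's `using` directives, which are outside the hunk, already bring that namespace in.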