
Rewrite Sections 16–20 (Risk Classification, Dangerous Delegations, Risk Rules, Current User Context, Risk Output) #17

Description

@franklesniak

Rewrite Sections 16, 17, 18, 19, and 20 of docs/spec/specifications.md to use PowerShell idioms instead of C#, with multi-version conditional support as defined in Section 0 of the current document.

Reference

The archived C#/.NET Framework 2.0 specification is at docs/spec/archive/specifications-dotnet-framework.md. Use it as the authoritative source for the functional requirements.

Section 16: Risk Classification and Insecure Delegation Detection

Key translations:

  • 16.3.1 Baseline Unsafe Trustee SIDs: Domain SID expansion pattern: $domainSid.Value + "-513" — string concatenation for SID construction. DirectoryEntry disposal: using → try/finally pattern.
  • 16.4.1 Tier 0 Resource Definitions: Same functional content, with dictionary construction translated to PowerShell: $tier0SidSet = New-Object 'System.Collections.Generic.Dictionary[string,bool]' (PS 1.0/2.0) or $tier0SidSet = [System.Collections.Generic.HashSet[string]]::new() (PS 3.0+). Document both. Note that the Tier 0 resource table row #16 (AdminSDHolder) rationale now reads "SDProp periodically stamps this DACL onto AdminSDHolder-protected (SDProp in-scope) principals" — use this updated language in the PowerShell specification.
  • 16.4.2 Tier 0 GPO Detection: Reading gpLink attribute: [string]$entry.Properties["gpLink"][0] with $entry.Properties["gpLink"].Count -gt 0 check. Parsing the [LDAP://...;status] format with [string]::Split() and [string]::IndexOf().
  • 16.4.4 Tier 0 Resource Matching: Dictionary lookups translated to PowerShell: $tier0SidSet.ContainsKey($sid.Value) or $tier0SidSet.Contains($sid.Value) (for HashSet<T> on PS 3.0+).

Section 17: Dangerous Delegation Type Detection

Key translations:

  • 17.1 Baseline Dangerous Delegation Types:

    • All bitwise checks: ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner) -ne 0
    • GenericAll check: ([int]$rule.ActiveDirectoryRights -band 0xF01FF) -eq 0xF01FF
    • GenericWrite check: ([int]$rule.ActiveDirectoryRights -band 0x20028) -eq 0x20028
    • GUID comparisons: $rule.ObjectType -eq [System.Guid]::Empty and $rule.ObjectType -eq $spnGuid
  • 17.2 Object Type GUID Resolution: Schema map construction — same Dictionary<string, Guid> approach translated to PowerShell.

  • 17.3 DCSync Compound Detection:

    • Nested dictionary: $dcSyncTracker = New-Object 'System.Collections.Generic.Dictionary[string,System.Collections.Generic.Dictionary[string,int]]'([System.StringComparer]::OrdinalIgnoreCase).
    • In PowerShell 1.0, creating nested generic types via New-Object can be verbose. Document the full syntax.
    • Multi-version conditional: On PS 3.0+, consider using [System.Collections.Generic.Dictionary[string,[System.Collections.Generic.Dictionary[string,int]]]]::new([System.StringComparer]::OrdinalIgnoreCase) for cleaner syntax.
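As an added example (not text from the spec or its archive), the 17.1 bitwise checks and the 17.3 compound tracker run over ACEs constructed in memory, so no domain is needed. It assumes Windows PowerShell; the two extended-right GUIDs are the well-known replication rights that the 17.2 schema map would resolve, and the helper names and the bitmask use of the inner int are this example's own choices.

```powershell
# Added example, not from the spec or its archive: the 17.1 bitwise checks and the 17.3 DCSync compound
# tracker, run over ACEs built in memory so no domain is needed. Windows PowerShell is assumed; the two
# GUIDs are the well-known replication extended rights that the 17.2 schema map would resolve.
Add-Type -AssemblyName System.DirectoryServices
$script:GetChanges    = [System.Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$script:GetChangesAll = [System.Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All

function Get-DangerousRightNames {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $names = @(); $rights = [int]$Rule.ActiveDirectoryRights
    if ($Rule.AccessControlType -ne 'Allow') { return $names }             # deny ACEs are not delegations
    if (($rights -band 0xF01FF) -eq 0xF01FF) { $names += 'GenericAll' }
    elseif (($rights -band 0x20028) -eq 0x20028) { $names += 'GenericWrite' }
    if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner) -ne 0) { $names += 'WriteOwner' }
    if (($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -ne 0) { $names += 'WriteDacl' }
    return $names
}

# Tracker shape from 17.3: outer key = object DN, inner key = trustee SID. Using the int as a bitmask
# (1 = Get-Changes, 2 = Get-Changes-All) is this example's assumption, not something the spec states.
function New-DcSyncTracker { New-Object 'System.Collections.Generic.Dictionary[string,System.Collections.Generic.Dictionary[string,int]]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase) }
function Add-DcSyncEvidence {
    param($Tracker, [string]$ObjectDn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $rights = [int]$Rule.ActiveDirectoryRights
    if ($Rule.AccessControlType -ne 'Allow' -or ($rights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { return }
    if ($Rule.ObjectType -eq [System.Guid]::Empty) { $mask = 3 }           # empty GUID = every extended right
    elseif ($Rule.ObjectType -eq $script:GetChanges) { $mask = 1 }
    elseif ($Rule.ObjectType -eq $script:GetChangesAll) { $mask = 2 }
    else { return }                                                        # some other extended right
    if (-not $Tracker.ContainsKey($ObjectDn)) {
        $Tracker[$ObjectDn] = New-Object 'System.Collections.Generic.Dictionary[string,int]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
    }
    $sid = $Rule.IdentityReference.Value
    if (-not $Tracker[$ObjectDn].ContainsKey($sid)) { $Tracker[$ObjectDn][$sid] = 0 }
    $Tracker[$ObjectDn][$sid] = $Tracker[$ObjectDn][$sid] -bor $mask
}
function Get-DcSyncCapableTrustees {
    param($Tracker, [string]$ObjectDn)   # only a trustee holding BOTH rights (mask 3) is reported
    if (-not $Tracker.ContainsKey($ObjectDn)) { return @() }
    return @($Tracker[$ObjectDn].Keys | Where-Object { $Tracker[$ObjectDn][$_] -eq 3 })
}

# Constructed sample: one trustee receives the two rights in two separate ACEs on the domain NC.
$sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$xr    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$tracker = New-DcSyncTracker
foreach ($g in $script:GetChanges, $script:GetChangesAll) {
    Add-DcSyncEvidence $tracker 'DC=corp,DC=example' (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $xr, $allow, $g))
}
Get-DcSyncCapableTrustees $tracker 'DC=corp,DC=example'   # the constructed SID; neither ACE alone would qualify
```

The tracker is what makes the check compound: each ACE is recorded separately and a trustee is only reported once both replication rights have been seen for the same object, which a single-ACE check would miss.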

Section 18: Risk Classification Rules

  • Risk severity levels, classification matrix, and implementation approach are functional requirements with minimal code — translate any code examples to PowerShell.

Section 19: Current User Context Reporting

Key translations:

  • WindowsIdentity.GetCurrent() → [System.Security.Principal.WindowsIdentity]::GetCurrent()
  • currentIdentity.User → $currentIdentity.User (returns SecurityIdentifier)
  • currentIdentity.Groups → $currentIdentity.Groups (returns IdentityReferenceCollection of SecurityIdentifier objects)
  • Building the current user principals set: iterate $currentIdentity.Groups and add each SID's .Value to the dictionary/hashset.
  • Note: WindowsIdentity is Windows-only, which is consistent with the platform exclusion documented in Section 0. This further confirms that Linux/macOS PowerShell 7.x is not supported.
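As an added example (not the spec's text), the Section 19 current-user principal set built on the multi-version set type from 16.4.1 and 20.5: Dictionary[string,bool] on PS 1.0/2.0, HashSet[string] on PS 3.0+. The helper names are this example's own, and it is Windows-only, as the note above says.

```powershell
# Added example, not from the spec: the Section 19 current-user principal set, built on the
# multi-version set type from 16.4.1 / 20.5 (Dictionary[string,bool] on PS 1.0/2.0, HashSet[string]
# on PS 3.0+). Helper names are this example's own. Windows only, as Section 19 notes.
function New-StringSet {
    # $PSVersionTable itself only exists from PS 2.0, so a missing table means PS 1.0
    if ($PSVersionTable -and $PSVersionTable.PSVersion.Major -ge 3) {
        # New-Object rather than [type]::new(): the ::new() static syntax needs PS 5.0+
        return New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
    }
    return New-Object 'System.Collections.Generic.Dictionary[string,bool]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
}
function Add-SetMember {
    param($Set, [string]$Value)
    if ($Set -is [System.Collections.IDictionary]) { $Set[$Value] = $true } else { [void]$Set.Add($Value) }
}
function Test-SetMember {
    param($Set, [string]$Value)
    if ($Set -is [System.Collections.IDictionary]) { return $Set.ContainsKey($Value) }
    return $Set.Contains($Value)
}

function Get-CurrentUserPrincipalSet {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $set = New-StringSet
    Add-SetMember $set $identity.User.Value                   # the user's own SID
    foreach ($group in $identity.Groups) {                     # IdentityReferenceCollection of SIDs
        Add-SetMember $set $group.Value                        # .Value is the SDDL string, e.g. S-1-5-11
    }
    return $set
}

# Risk-output use (Section 20): a delegation concerns the current user when its trustee SID is in this set.
$principals = Get-CurrentUserPrincipalSet
Test-SetMember $principals 'S-1-5-11'      # Authenticated Users: present in every authenticated logon token
Test-SetMember $principals 'S-1-5-32-544'  # Administrators: False in a UAC-filtered (non-elevated) token, since deny-only groups are not in .Groups
```

One caveat for the 16.4.1 and 17.3 notes above: the [Type]::new() static constructor syntax was introduced in PowerShell 5.0, so on 3.0 and 4.0 the New-Object form used here is the one that runs.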

Section 20: Risk Output and Console Feedback

Key translations:

  • 20.1 Risk Summary Messages: [Console]::Error.WriteLine(...) for stderr output.

  • 20.2 Separate Filtered Output Reports: Parameter translations: --risk-csv → -RiskCsv, --risk-level → -RiskLevel.

  • 20.3 Per-Naming-Context Risk Counts: Same stderr output pattern.

  • 20.5 Implementation Data Structures: Update the .NET Framework 2.0 data structure table to a multi-version table:

    Data Structure      | PS 1.0/2.0 (.NET 2.0) Type                                  | PS 3.0+ (.NET 4.0+) Type
    Set membership      | Dictionary<string, bool> with .ContainsKey()                | HashSet<string> with .Contains()
    Typed results       | New-Object PSObject -Property @{...}                        | [PSCustomObject]@{...}
    Ordered collections | New-Object System.Collections.Specialized.OrderedDictionary | [ordered]@{...}
  • 20.6 Performance Impact: Same analysis applies; dictionary/hashset lookups are still O(1).

Final review

After completing all sections, do a final consistency pass across the entire docs/spec/specifications.md document to ensure:

  1. All code examples are in PowerShell (no remaining C# snippets).
  2. All references to "C#", "compiled executable", or ".exe" are updated to reference PowerShell script/.ps1.
  3. All using statement references are replaced with try/finally + .Dispose() patterns.
  4. The "Version Detection and Conditional Feature Use" section (Section 0) is consistent with all conditional notes throughout the document.
  5. The Table of Contents is complete and accurate.
  6. No references to RSAT or the ActiveDirectory PowerShell module exist except in the explicit exclusion section.

What NOT to work on (handled in future work efforts)

  • Do NOT rewrite Sections 1–15 (already completed).
  • Do NOT write any actual PowerShell script files (.ps1). This work is specification-only.
  • Do NOT modify the archived specification.
  • Do NOT add or remove functional requirements — the goal is a faithful translation of implementation guidance from C# to PowerShell.
