Rewrite Sections 16, 17, 18, 19, and 20 of `docs/spec/specifications.md` to use PowerShell idioms instead of C#, with multi-version conditional support as defined in Section 0 of the current document.

Reference

The archived C#/.NET Framework 2.0 specification is at `docs/spec/archive/specifications-dotnet-framework.md`. Use it as the authoritative source for the functional requirements.

Section 16: Risk Classification and Insecure Delegation Detection

Key translations:

- `$domainSid.Value + "-513"`: string concatenation for SID construction (domain SID plus the well-known RID; 513 is Domain Users).
- `DirectoryEntry` disposal: the C# `using` block becomes a `try/finally` pattern with `.Dispose()` in the `finally` block, so the entry is released even when the LDAP read throws.
- 16.4.1 Tier 0 Resource Definitions: same functional content, with dictionary construction translated to PowerShell: `$tier0SidSet = New-Object 'System.Collections.Generic.Dictionary[string,bool]'` (PS 1.0/2.0) or `$tier0SidSet = [System.Collections.Generic.HashSet[string]]::new()` (PS 5.0+; the `::new()` constructor syntax was introduced in PowerShell 5.0, so on PS 3.0/4.0 the HashSet form is `New-Object 'System.Collections.Generic.HashSet[string]'`). Document both. Note that the Tier 0 resource table row #16 (AdminSDHolder) rationale now reads "SDProp periodically stamps this DACL onto AdminSDHolder-protected (SDProp in-scope) principals"; use this updated language in the PowerShell specification.
- 16.4.2 Tier 0 GPO Detection: reading the `gpLink` attribute: `[string]$entry.Properties["gpLink"][0]`, guarded by a `$entry.Properties["gpLink"].Count -gt 0` check (an OU with no linked GPOs has an empty property collection, and indexing it throws). Parsing the `[LDAP://...;status]` format with `[string]::Split()` and `[string]::IndexOf()`; the status value is a flags integer (1 = link disabled, 2 = enforced).
- 16.4.4 Tier 0 Resource Matching: dictionary lookups translated to PowerShell: `$tier0SidSet.ContainsKey($sid.Value)` (Dictionary on PS 1.0/2.0) or `$tier0SidSet.Contains($sid.Value)` (`HashSet<T>` on PS 3.0+).
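The following is an added example, not code from the issue, the specification or the project. It shows the three Section 16 pieces working together: the version-conditional set container from 16.4.1 (Dictionary on PS 1.0/2.0, HashSet via `New-Object` on PS 3.0/4.0, `::new()` on PS 5.0+), the `gpLink` parser from 16.4.2 built on `Split` and `IndexOf`, and the 16.4.4 lookup. The domain SID and the `gpLink` string are constructed test input; the two policy GUIDs inside it are the well-known Default Domain Policy and Default Domain Controllers Policy identifiers. The RID list is a minimal illustration, not the specification's full Tier 0 table.

```powershell
# Added example (not the project's code). Version-conditional Tier 0 SID set, gpLink parsing
# and Tier 0 matching on constructed input.

function New-StringSet {
    # PS 1.0/2.0: Dictionary[string,bool] stands in for a set (HashSet<T> needs .NET 3.5, which PS 2.0 does not guarantee).
    # PS 3.0/4.0: HashSet via New-Object. PS 5.0+: HashSet via [type]::new().
    # $PSVersionTable itself does not exist on PS 1.0, so a null check doubles as the 1.0 test.
    if ($PSVersionTable -eq $null -or $PSVersionTable.PSVersion.Major -lt 3) {
        return ,(New-Object 'System.Collections.Generic.Dictionary[string,bool]')
    }
    if ($PSVersionTable.PSVersion.Major -ge 5) {
        return ,([System.Collections.Generic.HashSet[string]]::new())
    }
    # The leading comma matters: returning an empty HashSet unwrapped enumerates it into nothing
    return ,(New-Object 'System.Collections.Generic.HashSet[string]')
}

function Add-ToSet($set, [string]$value) {
    # Dictionary exposes the non-generic IDictionary interface; HashSet does not
    if ($set -is [System.Collections.IDictionary]) { $set[$value] = $true } else { [void]$set.Add($value) }
}

function Test-InSet($set, [string]$value) {
    if ($set -is [System.Collections.IDictionary]) { return $set.ContainsKey($value) }
    return $set.Contains($value)
}

function New-Tier0SidSet([string]$domainSid) {
    # Domain-relative groups are "<domain SID>-<RID>"; BUILTIN SIDs are fixed. Illustrative subset only.
    $set = New-StringSet
    foreach ($rid in 500, 512, 516, 518, 519) {   # Administrator, Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins
        Add-ToSet $set ($domainSid + '-' + $rid)
    }
    Add-ToSet $set 'S-1-5-32-544'                 # BUILTIN\Administrators
    return ,$set
}

function Parse-GpLink([string]$gpLink) {
    # gpLink is "[LDAP://<dn>;<flags>][LDAP://<dn>;<flags>]..."; flags: 1 = disabled, 2 = enforced.
    # Links are stored in precedence order, so the first entry is link order 1.
    $results = @()
    if ([string]::IsNullOrEmpty($gpLink)) { return ,$results }
    $order = 0
    foreach ($part in $gpLink.Split(']')) {
        $p = $part.Trim()
        if ($p.Length -eq 0) { continue }                        # trailing empty piece after the last ']'
        if ($p.StartsWith('[')) { $p = $p.Substring(1) }
        $semi = $p.LastIndexOf(';')
        if ($semi -lt 0) { continue }                             # malformed entry without a flags field: skip, do not throw
        $flags = 0
        if (-not [int]::TryParse($p.Substring($semi + 1), [ref]$flags)) { continue }
        $path = $p.Substring(0, $semi)
        $dn = $path
        $scheme = $path.IndexOf('://')                            # strip "LDAP://" to leave the GPO container DN
        if ($scheme -ge 0) { $dn = $path.Substring($scheme + 3) }
        $order++
        $results += New-Object PSObject -Property @{
            LinkOrder         = $order
            DistinguishedName = $dn
            Disabled          = (($flags -band 1) -ne 0)
            Enforced          = (($flags -band 2) -ne 0)
        }
    }
    return ,$results
}

# --- constructed input ---
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$tier0 = New-Tier0SidSet $domainSid

# With a live DirectoryEntry the value would be read as the spec describes:
#   if ($entry.Properties["gpLink"].Count -gt 0) { $gpLink = [string]$entry.Properties["gpLink"][0] }
$gpLink = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=corp,DC=example;0]' +
          '[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=corp,DC=example;2]'

Parse-GpLink $gpLink | Format-Table LinkOrder, Enforced, Disabled, DistinguishedName -AutoSize

foreach ($candidate in "$domainSid-512", "$domainSid-1105", 'S-1-5-32-544') {
    Write-Output ("{0}  Tier0={1}" -f $candidate, (Test-InSet $tier0 $candidate))
}
```

Two details worth carrying into the specification text: an empty `HashSet` returned from a function without the leading comma is enumerated into nothing and the caller receives `$null`, and access rules should be fetched with `GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])` so that `IdentityReference.Value` is already the SID string the set is keyed on.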
Section 17: Dangerous Delegation Type Detection

Key translations:

17.1 Baseline Dangerous Delegation Types:

- All bitwise checks: `($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner) -ne 0`
- `([int]$rule.ActiveDirectoryRights -band 0xF01FF) -eq 0xF01FF` (GenericAll is a composite mask, so every bit must be present; compare the masked value to the mask itself, not to zero)
- `([int]$rule.ActiveDirectoryRights -band 0x20028) -eq 0x20028` (GenericWrite = ReadControl | WriteProperty | Self)
- `$rule.ObjectType -eq [System.Guid]::Empty` and `$rule.ObjectType -eq $spnGuid`

17.2 Object Type GUID Resolution: schema map construction, the same `Dictionary<string, Guid>` approach translated to PowerShell.

17.3 DCSync Compound Detection:

- `$dcSyncTracker = New-Object 'System.Collections.Generic.Dictionary[string,[System.Collections.Generic.Dictionary[string,int]]]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)`. In PowerShell 1.0 and 2.0, creating nested generic types via `New-Object` can be verbose, and PS 2.0 may require the assembly-qualified `` Dictionary`2[[...],[...]] `` form of the type name. Document the full syntax.
- Multi-version conditional: on PS 5.0+ (`::new()` was added in PowerShell 5.0, not 3.0), consider using `[System.Collections.Generic.Dictionary[string,[System.Collections.Generic.Dictionary[string,int]]]]::new([System.StringComparer]::OrdinalIgnoreCase)` for cleaner syntax.
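Added example, not code from the issue, the specification or the project: the 17.1 bitwise checks and the 17.3 compound DCSync tracker applied to a constructed set of ACE-like records. Real input would be the `ActiveDirectoryAccessRule` objects returned by `GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])`; the sample objects expose the same four members the checks read. The two replication GUIDs are the well-known `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` control access rights; the `servicePrincipalName` GUID is hard-coded here as an assumption, where the specification resolves it from the schema per 17.2. The compound rule encoded (both replication rights on one trustee, or a blanket extended-rights grant) is the standard DCSync precondition and is this example's reading, not text quoted from the specification.

```powershell
# Added example (not the project's code). Dangerous-right bit tests and DCSync compound detection.
Add-Type -AssemblyName System.DirectoryServices
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known schema GUIDs
$DsReplGetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$DsReplGetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
$SpnGuid             = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # servicePrincipalName (assumed here; spec resolves it per 17.2)

function Get-DangerousRights($rights, [Guid]$objectType) {
    # Returns the names of the 17.1 baseline dangerous delegation types present in one ACE.
    $r = [int]$rights
    # Composite masks: every bit must be present, so compare the masked value to the mask itself
    if (($r -band 0xF01FF) -eq 0xF01FF) { return ,@('GenericAll') }          # subsumes everything below
    $hits = @()
    if (($r -band 0x20028) -eq 0x20028) { $hits += 'GenericWrite' }           # ReadControl | WriteProperty | Self
    # Single-bit rights: any overlap is enough
    if (($r -band [int]($ADRights::WriteOwner)) -ne 0) { $hits += 'WriteOwner' }
    if (($r -band [int]($ADRights::WriteDacl))  -ne 0) { $hits += 'WriteDacl' }
    $writeProp = ($r -band [int]($ADRights::WriteProperty)) -ne 0
    $extRight  = ($r -band [int]($ADRights::ExtendedRight)) -ne 0
    # ObjectType = Guid.Empty means the right is not scoped to one attribute or one control access right
    if ($writeProp -and $objectType -eq [Guid]::Empty) { $hits += 'WriteAllProperties' }
    if ($writeProp -and $objectType -eq $SpnGuid)      { $hits += 'WriteSPN' }
    if ($extRight  -and $objectType -eq [Guid]::Empty) { $hits += 'AllExtendedRights' }
    return ,$hits
}

function Find-DcSyncPrincipals($rules) {
    # Outer key: trustee SID (case-insensitive); inner: right name -> number of granting ACEs.
    # PS 5.0+ could write the outer container as [...]::new([System.StringComparer]::OrdinalIgnoreCase).
    $tracker = New-Object 'System.Collections.Generic.Dictionary[string,[System.Collections.Generic.Dictionary[string,int]]]' `
                          -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }                                        # Deny ACEs grant nothing
        if (([int]$rule.ActiveDirectoryRights -band [int]($ADRights::ExtendedRight)) -eq 0) { continue }
        $name = $null
        if     ($rule.ObjectType -eq $DsReplGetChanges)    { $name = 'GetChanges' }
        elseif ($rule.ObjectType -eq $DsReplGetChangesAll) { $name = 'GetChangesAll' }
        elseif ($rule.ObjectType -eq [Guid]::Empty)        { $name = 'AllExtendedRights' }           # includes both replication rights
        if ($name -eq $null) { continue }
        $sid = $rule.IdentityReference.Value
        if (-not $tracker.ContainsKey($sid)) { $tracker[$sid] = New-Object 'System.Collections.Generic.Dictionary[string,int]' }
        $inner = $tracker[$sid]
        if ($inner.ContainsKey($name)) { $inner[$name] = $inner[$name] + 1 } else { $inner[$name] = 1 }
    }
    # DCSync needs both replication rights (or a blanket extended-rights grant) on the same trustee
    $flagged = @()
    foreach ($sid in $tracker.Keys) {
        $inner = $tracker[$sid]
        if ($inner.ContainsKey('AllExtendedRights') -or
            ($inner.ContainsKey('GetChanges') -and $inner.ContainsKey('GetChangesAll'))) { $flagged += $sid }
    }
    return ,$flagged
}

function New-SampleRule([string]$sid, [string]$rights, [Guid]$objectType) {
    # Constructed test data mimicking the ActiveDirectoryAccessRule members the checks read
    New-Object PSObject -Property @{
        IdentityReference     = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid
        ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]$rights
        ObjectType            = $objectType
        AccessControlType     = 'Allow'
    }
}

$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed
$rules = @(
    (New-SampleRule "$domainSid-1105" 'ExtendedRight' $DsReplGetChanges),
    (New-SampleRule "$domainSid-1105" 'ExtendedRight' $DsReplGetChangesAll),         # both halves -> DCSync
    (New-SampleRule "$domainSid-1106" 'ExtendedRight' $DsReplGetChanges),            # one half only -> not flagged
    (New-SampleRule "$domainSid-1107" 'ExtendedRight, ReadProperty' ([Guid]::Empty)), # blanket extended rights -> flagged
    (New-SampleRule "$domainSid-1108" 'WriteProperty' $SpnGuid)                      # targeted SPN write
)

foreach ($rule in $rules) {
    $hits = Get-DangerousRights $rule.ActiveDirectoryRights $rule.ObjectType
    if ($hits.Count -gt 0) { Write-Output ("{0}: {1}" -f $rule.IdentityReference.Value, ($hits -join ', ')) }
}
Write-Output ("DCSync-capable: {0}" -f ((Find-DcSyncPrincipals $rules) -join ', '))
```

The tracker is keyed per trustee precisely because the two replication rights usually arrive as separate ACEs; testing each ACE in isolation would miss every DCSync grant that was not written as a single blanket extended-rights entry.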
Section 18: Risk Classification Rules
Risk severity levels, classification matrix, and implementation approach are functional requirements with minimal code — translate any code examples to PowerShell.
Section 19: Current User Context Reporting

Key translations:

- `WindowsIdentity.GetCurrent()` → `[System.Security.Principal.WindowsIdentity]::GetCurrent()`
- `currentIdentity.User` → `$currentIdentity.User` (returns `SecurityIdentifier`)
- `currentIdentity.Groups` → `$currentIdentity.Groups` (returns `IdentityReferenceCollection` of `SecurityIdentifier` objects)
- Building the current user principals set: iterate `$currentIdentity.Groups` and add each SID's `.Value` to the dictionary/hashset.
- Note: `WindowsIdentity` is Windows-only, which is consistent with the platform exclusion documented in Section 0. This further confirms that Linux/macOS PowerShell 7.x is not supported.
Section 20: Risk Output and Console Feedback

Key translations:

- 20.1 Risk Summary Messages: `[Console]::Error.WriteLine(...)` for stderr output.
- 20.2 Separate Filtered Output Reports: parameter translations: `--risk-csv` → `-RiskCsv`, `--risk-level` → `-RiskLevel`.
- 20.3 Per-Naming-Context Risk Counts: same stderr output pattern.
- 20.5 Implementation Data Structures: update the .NET Framework 2.0 data structure table to a multi-version table:

| Purpose | PS 1.0/2.0 | PS 3.0+ |
| --- | --- | --- |
| Set membership | `Dictionary<string, bool>` with `.ContainsKey()` | `HashSet<string>` with `.Contains()` |
| Output records | `New-Object PSObject -Property @{...}` | `[PSCustomObject]@{...}` |
| Ordered map | `New-Object System.Collections.Specialized.OrderedDictionary` | `[ordered]@{...}` |

  Two caveats for the table notes: `New-Object PSObject -Property` exists from PS 2.0 (PS 1.0 needs `Add-Member` per property), and a plain hashtable passed to `-Property` does not preserve key order, whereas `[PSCustomObject]@{...}` does, which affects CSV column order.
- 20.6 Performance Impact: same analysis applies; dictionary/hashset lookups are still O(1).
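Added example, not code from the issue, the specification or the project, covering Sections 19 and 20 together: the current-user principal set (Windows-only, with the user's own SID added alongside the token groups), a version-conditional risk record whose column order survives `Export-Csv`, the `-RiskLevel` / `-RiskCsv` filtered report, and per-naming-context counts written to stderr. The severity names, the record fields and the findings themselves are constructed; the specification's actual severity levels and columns are defined in Sections 18 and 20, not here.

```powershell
# Added example (not the project's code). Current user SID set, version-conditional records,
# filtered CSV report and per-naming-context stderr summary on constructed findings.

function Get-CurrentUserSidSet {
    # WindowsIdentity is Windows-only: on Linux/macOS PowerShell 7 GetCurrent() throws PlatformNotSupportedException,
    # so fail with a message that points at the Section 0 platform exclusion instead.
    if ($env:OS -ne 'Windows_NT') { throw 'Current user context requires Windows (Section 0 platform exclusion).' }
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $set = New-Object 'System.Collections.Generic.Dictionary[string,bool]'
    $set[$identity.User.Value] = $true              # an ACE can name the user directly, not only one of its groups
    foreach ($group in $identity.Groups) {          # IdentityReferenceCollection of SecurityIdentifier (token groups)
        $set[$group.Value] = $true
    }
    return $set                                     # IDictionary is not enumerated on return, so no leading comma needed
}

function New-RiskRecord([string]$NamingContext, [string]$Trustee, [string]$Right, [string]$Severity) {
    if ($PSVersionTable -ne $null -and $PSVersionTable.PSVersion.Major -ge 3) {
        # PS 3.0+: [PSCustomObject] keeps the literal's key order, so Export-Csv columns come out as written
        return [PSCustomObject]@{ NamingContext = $NamingContext; Trustee = $Trustee; Right = $Right; Severity = $Severity }
    }
    # PS 1.0/2.0: -Property @{} would order columns by hashtable enumeration, so add members explicitly
    $record = New-Object PSObject
    $record | Add-Member -MemberType NoteProperty -Name NamingContext -Value $NamingContext
    $record | Add-Member -MemberType NoteProperty -Name Trustee       -Value $Trustee
    $record | Add-Member -MemberType NoteProperty -Name Right         -Value $Right
    $record | Add-Member -MemberType NoteProperty -Name Severity      -Value $Severity
    return $record
}

function Get-RiskCountsByNamingContext($records) {
    # OrderedDictionary keeps naming contexts in first-seen order; [ordered]@{} is the PS 3.0+ literal for the same type
    $counts = New-Object System.Collections.Specialized.OrderedDictionary
    foreach ($record in $records) {
        $nc = $record.NamingContext
        if ($counts.Contains($nc)) { $counts[$nc] = $counts[$nc] + 1 } else { $counts[$nc] = 1 }
    }
    return $counts
}

function Write-RiskSummary($records, $counts) {
    # stderr keeps the summary out of the success stream, so "script.ps1 > findings.csv" captures only data rows
    [Console]::Error.WriteLine(("{0} insecure delegation finding(s)" -f @($records).Count))
    foreach ($nc in $counts.Keys) {
        [Console]::Error.WriteLine(("  {0}: {1}" -f $nc, $counts[$nc]))
    }
}

function Export-FilteredRisk($records, [string]$RiskCsv, [string]$RiskLevel) {
    # -RiskLevel narrows the separate report named by -RiskCsv (20.2); an empty level means "everything"
    $filtered = @($records | Where-Object { $RiskLevel -eq '' -or $_.Severity -eq $RiskLevel })
    $filtered | Export-Csv -Path $RiskCsv -NoTypeInformation
    return $filtered.Count
}

# --- constructed findings ---
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$records = @(
    (New-RiskRecord 'DC=corp,DC=example'                  "$domainSid-1105" 'DCSync'    'Critical'),
    (New-RiskRecord 'DC=corp,DC=example'                  "$domainSid-1108" 'WriteSPN'  'High'),
    (New-RiskRecord 'CN=Configuration,DC=corp,DC=example' "$domainSid-1106" 'WriteDacl' 'High')
)

$me = Get-CurrentUserSidSet
[Console]::Error.WriteLine(("Current token carries {0} principal SID(s)" -f $me.Count))

$counts = Get-RiskCountsByNamingContext $records
Write-RiskSummary $records $counts

$written = Export-FilteredRisk $records (Join-Path $env:TEMP 'risk-high.csv') 'High'
[Console]::Error.WriteLine(("{0} record(s) written to the -RiskLevel High report" -f $written))
```

Wrapping the filtered pipeline in `@(...)` is deliberate: on PS 2.0 a single matching record would otherwise come back as a scalar with no `.Count`, and the summary line would misreport it.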
Final review

After completing all sections, do a final consistency pass across the entire `docs/spec/specifications.md` document to ensure:

- `.ps1`
- All C# `using` statement references are replaced with `try/finally` + `.Dispose()` patterns.

What NOT to work on (handled in future work efforts)

- `.ps1`). This work is specification-only.