Fix B7-B9: LDAP domain validation, filtered task count, early SID skip

B7 - LDAP Empty Domain Bug (FIXED):
- Added domain validation to resolve_name_to_sid_via_ldap(), resolve_sid_via_ldap(),
  batch_get_user_attributes(), and fetch_tier0_members()
- Functions return None/empty early if domain is empty or doesn't contain dots
- Prevents invalidDNSyntax errors when base DN becomes 'DC='
- Added 7 new tests for empty domain handling

B8 - TaskCount Shows Filtered vs Total (FIXED):
- Added filtered_count counter that increments after should_include check
- Updated TaskCount output: '15 domain tasks (120 total), 0 Privileged'
- Clearer UX - users now see how many tasks passed the filter vs raw total

B9 - Early Skip for Well-Known SIDs (FIXED):
- Added early skip check before SID resolution using looks_like_domain_user()
- Skips resolution for S-1-5-18 (SYSTEM), S-1-5-19, S-1-5-20 when include_local=False
- Avoids unnecessary cache lookups for tasks that will be filtered anyway

Author: r0BIT

taskhound/engine/online.py

@@ -552,6 +552,7 @@ def process_target(
                     traceback.print_exc()
 
     total = len(items)
+    filtered_count = 0  # Count of tasks that pass should_include filter
     priv_count = 0
     priv_lines: List[str] = []
     task_lines: List[str] = []
@@ -702,29 +703,38 @@ def process_target(
         # Resolve SID early if runas is a SID - store result for credential matching and output
         # This ensures we only resolve once per task, and the result is available for all uses
         # Skipped in OPSEC mode to avoid SMB/LSARPC and LDAP queries
+        # Also skip well-known local SIDs (S-1-5-18 SYSTEM, S-1-5-19, S-1-5-20) - they'll be filtered anyway
         if is_sid(runas) and not opsec:
-            # Derive local domain SID prefix from computer SID for foreign domain detection
-            from ..utils.sid_resolver import get_domain_sid_prefix
-            local_domain_prefix = get_domain_sid_prefix(server_sid) if server_sid else None
-            
-            _, row.resolved_runas = format_runas_with_sid_resolution(
-                runas,
-                hv_loader=hv,
-                bh_connector=bh_connector,
-                smb_connection=smb,
-                no_ldap=no_ldap,
-                domain=domain,
-                dc_ip=dc_ip,
-                username=username,
-                password=password,
-                hashes=hashes,
-                kerberos=kerberos,
-                ldap_domain=ldap_domain,
-                ldap_user=ldap_user,
-                ldap_password=ldap_password,
-                ldap_hashes=ldap_hashes,
-                local_domain_sid_prefix=local_domain_prefix,
-            )
+            # Skip SID resolution for well-known local SIDs that will be filtered out
+            # This avoids unnecessary cache lookups for SYSTEM (S-1-5-18), etc.
+            from ..utils.sid_resolver import looks_like_domain_user
+            if not looks_like_domain_user(runas) and not include_local:
+                # This SID is a local/system account and we're not including locals
+                # Skip resolution - the task will be filtered out in classify_task()
+                pass
+            else:
+                # Derive local domain SID prefix from computer SID for foreign domain detection
+                from ..utils.sid_resolver import get_domain_sid_prefix
+                local_domain_prefix = get_domain_sid_prefix(server_sid) if server_sid else None
+                
+                _, row.resolved_runas = format_runas_with_sid_resolution(
+                    runas,
+                    hv_loader=hv,
+                    bh_connector=bh_connector,
+                    smb_connection=smb,
+                    no_ldap=no_ldap,
+                    domain=domain,
+                    dc_ip=dc_ip,
+                    username=username,
+                    password=password,
+                    hashes=hashes,
+                    kerberos=kerberos,
+                    ldap_domain=ldap_domain,
+                    ldap_user=ldap_user,
+                    ldap_password=ldap_password,
+                    ldap_hashes=ldap_hashes,
+                    local_domain_sid_prefix=local_domain_prefix,
+                )
 
         # Enrich row with decrypted password if available from DPAPI loot
         if decrypted_creds:
@@ -762,6 +772,8 @@ def process_target(
         if not result.should_include:
             continue
 
+        filtered_count += 1  # Task passed the filter
+
         # Format output block based on classification
         if result.task_type in ("TIER-0", "PRIV"):
             priv_lines.extend(
@@ -841,8 +853,12 @@ def process_target(
 
     priv_display = priv_count if (hv and hv.loaded) else 'N/A'
     status(f"[Collecting] {target} [+]")
-    status(f"[TaskCount] {total} Tasks, {priv_display} Privileged")
-    good(f"{target}: Found {total} tasks, privileged {priv_display}{backup_msg}{laps_msg}")
+    # Show filtered count (domain tasks) vs total (all tasks including SYSTEM)
+    if filtered_count < total:
+        status(f"[TaskCount] {filtered_count} domain tasks ({total} total), {priv_display} Privileged")
+    else:
+        status(f"[TaskCount] {total} Tasks, {priv_display} Privileged")
+    good(f"{target}: Found {filtered_count} tasks (of {total} total), privileged {priv_display}{backup_msg}{laps_msg}")
 
     # Combine credential loot output with task listing output
     # Put credentials first since they're the most valuable

taskhound/utils/sid_resolver.py

@@ -333,6 +333,11 @@ def resolve_sid_via_ldap(
             debug("No valid credentials provided for LDAP SID resolution")
             return None
 
+        # Validate domain - must be non-empty and contain at least one dot for LDAP DN construction
+        if not domain or "." not in domain:
+            debug(f"Invalid domain '{domain}' for LDAP SID resolution - must be FQDN")
+            return None
+
         # If no DC IP provided, try to resolve it
         if not dc_ip:
             try:
@@ -465,6 +470,11 @@ def resolve_name_to_sid_via_ldap(
     else:
         cache_key = None  # Only cache computers for now
 
+    # Validate domain - must be non-empty and contain at least one dot for LDAP DN construction
+    if not domain or "." not in domain:
+        debug(f"Invalid domain '{domain}' for LDAP resolution - must be FQDN (e.g., 'corp.local')")
+        return None
+    
     try:
         # Extract just the name part if it's in USER@DOMAIN format
         search_name = name
@@ -885,6 +895,11 @@ def batch_get_user_attributes(
     if not users_to_query:
         return {}
 
+    # Validate domain - must be non-empty and contain at least one dot for LDAP DN construction
+    if not domain or "." not in domain:
+        debug(f"Invalid domain '{domain}' for batch user attribute lookup - must be FQDN")
+        return {}
+
     # Check cache first
     cache = get_cache()
     results = {}
@@ -1211,7 +1226,9 @@ def fetch_tier0_members(
     """
     tier0_cache: Tier0Cache = {}
 
-    if not domain:
+    # Validate domain - must be non-empty and contain at least one dot for LDAP DN construction
+    if not domain or "." not in domain:
+        debug(f"Invalid domain '{domain}' for Tier-0 pre-flight - must be FQDN")
         return tier0_cache
 
     # Check persistent cache first

tests/test_sid_resolver.py

@@ -344,3 +344,86 @@ def test_returns_false_when_no_local_prefix(self):
         foreign_sid = "S-1-5-21-999888777-666555444-333222111-1001"
 
         assert is_foreign_domain_sid(foreign_sid, None) is False
+
+
+class TestLDAPDomainValidation:
+    """Tests for LDAP domain validation (B7 bug fix)"""
+
+    def test_resolve_name_to_sid_via_ldap_rejects_empty_domain(self):
+        """Should return None for empty domain (prevents invalidDNSyntax error)"""
+        from taskhound.utils.sid_resolver import resolve_name_to_sid_via_ldap
+        
+        # Empty domain should return None immediately without attempting LDAP
+        result = resolve_name_to_sid_via_ldap(
+            name="testcomputer",
+            domain="",
+            is_computer=True,
+        )
+        
+        assert result is None
+
+    def test_resolve_name_to_sid_via_ldap_rejects_domain_without_dots(self):
+        """Should return None for domain without dots (not FQDN)"""
+        from taskhound.utils.sid_resolver import resolve_name_to_sid_via_ldap
+        
+        # Single-label domain (no dots) should return None
+        result = resolve_name_to_sid_via_ldap(
+            name="testcomputer",
+            domain="TESTDOMAIN",
+            is_computer=True,
+        )
+        
+        assert result is None
+
+    def test_resolve_sid_via_ldap_rejects_empty_domain(self):
+        """Should return None for empty domain in SID resolution"""
+        from taskhound.utils.sid_resolver import resolve_sid_via_ldap
+        
+        result = resolve_sid_via_ldap(
+            sid="S-1-5-21-123456789-987654321-111111111-1001",
+            domain="",
+            username="testuser",
+            password="testpass",
+        )
+        
+        assert result is None
+
+    def test_resolve_sid_via_ldap_rejects_domain_without_dots(self):
+        """Should return None for domain without dots in SID resolution"""
+        from taskhound.utils.sid_resolver import resolve_sid_via_ldap
+        
+        result = resolve_sid_via_ldap(
+            sid="S-1-5-21-123456789-987654321-111111111-1001",
+            domain="NODOTS",
+            username="testuser",
+            password="testpass",
+        )
+        
+        assert result is None
+
+    def test_batch_get_user_attributes_rejects_empty_domain(self):
+        """Should return empty dict for empty domain in batch query"""
+        from taskhound.utils.sid_resolver import batch_get_user_attributes
+        
+        result = batch_get_user_attributes(
+            usernames=["testuser"],
+            domain="",
+        )
+        
+        assert result == {}
+
+    def test_fetch_tier0_members_rejects_empty_domain(self):
+        """Should return empty dict for empty domain in Tier-0 preflight"""
+        from taskhound.utils.sid_resolver import fetch_tier0_members
+        
+        result = fetch_tier0_members(domain="")
+        
+        assert result == {}
+
+    def test_fetch_tier0_members_rejects_domain_without_dots(self):
+        """Should return empty dict for domain without dots"""
+        from taskhound.utils.sid_resolver import fetch_tier0_members
+        
+        result = fetch_tier0_members(domain="SINGLELABEL")
+        
+        assert result == {}