Merge pull request #136 from TrimarcJake/133-fix-false-positives
SamErde authored Jul 16, 2024
2 parents f34c0e1 + 4b41ceb commit a35474e
Showing 5 changed files with 47 additions and 22 deletions.
35 changes: 24 additions & 11 deletions Invoke-Locksmith.ps1
Expand Up @@ -446,6 +446,9 @@ function Find-ESC4 {
.PARAMETER SafeUsers
Specifies the list of SIDs of safe users who are allowed to have specific rights on the objects. This parameter is mandatory.
.PARAMETER SafeObjectTypes
Specifices a list of ObjectTypes which are not a security concern. This parameter is mandatory.
.OUTPUTS
The script outputs an array of custom objects representing the matching ADCS objects and their associated information.
Expand All @@ -454,7 +457,8 @@ function Find-ESC4 {
$DangerousRights = @('GenericAll', 'WriteProperty', 'WriteOwner', 'WriteDacl')
$SafeOwners = '-512$|-519$|-544$|-18$|-517$|-500$'
$SafeUsers = '-512$|-519$|-544$|-18$|-517$|-500$|-516$|-9$|-526$|-527$|S-1-5-10'
$Results = $ADCSObjects | Find-ESC4 -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeUsers $SafeUsers
$SafeObjectTypes = '0e10c968-78fb-11d2-90d4-00c04f79dc55|a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$Results = $ADCSObjects | Find-ESC4 -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeUsers $SafeUsers -SafeObjectTypes $SafeObjectTypes
$Results
#>
[CmdletBinding()]
Expand All @@ -466,7 +470,9 @@ function Find-ESC4 {
[Parameter(Mandatory = $true)]
$SafeOwners,
[Parameter(Mandatory = $true)]
$SafeUsers
$SafeUsers,
[Parameter(Mandatory = $true)]
$SafeObjectTypes
)
$ADCSObjects | ForEach-Object {
$Principal = New-Object System.Security.Principal.NTAccount($_.nTSecurityDescriptor.Owner)
Expand Down Expand Up @@ -502,7 +508,7 @@ function Find-ESC4 {
($SID -notmatch $SafeUsers) -and
($entry.AccessControlType -eq 'Allow') -and
($entry.ActiveDirectoryRights -match $DangerousRights) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
($entry.ObjectType -notmatch $SafeObjectTypes)
) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Expand Down Expand Up @@ -543,6 +549,9 @@ function Find-ESC5 {
.PARAMETER SafeUsers
Specifies the list of SIDs of safe users who are allowed to have specific rights on the objects. This parameter is mandatory.
.PARAMETER SafeObjectTypes
Specifices a list of ObjectTypes which are not a security concern. This parameter is mandatory.
.OUTPUTS
The script outputs an array of custom objects representing the matching ADCS objects and their associated information.
Expand All @@ -551,7 +560,8 @@ function Find-ESC5 {
$DangerousRights = @('GenericAll', 'WriteProperty', 'WriteOwner', 'WriteDacl')
$SafeOwners = '-512$|-519$|-544$|-18$|-517$|-500$'
$SafeUsers = '-512$|-519$|-544$|-18$|-517$|-500$|-516$|-9$|-526$|-527$|S-1-5-10'
$Results = $ADCSObjects | Find-ESC5 -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeUsers $SafeUsers
$SafeObjectTypes = '0e10c968-78fb-11d2-90d4-00c04f79dc55|a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$Results = $ADCSObjects | Find-ESC5 -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeUsers $SafeUsers -SafeObjectTypes $SafeObjectTypes
$Results
#>
[CmdletBinding()]
Expand All @@ -563,7 +573,9 @@ function Find-ESC5 {
[Parameter(Mandatory = $true)]
$SafeOwners,
[Parameter(Mandatory = $true)]
$SafeUsers
$SafeUsers,
[Parameter(Mandatory = $true)]
$SafeObjectTypes
)
$ADCSObjects | ForEach-Object {
$Principal = New-Object System.Security.Principal.NTAccount($_.nTSecurityDescriptor.Owner)
Expand Down Expand Up @@ -599,7 +611,7 @@ function Find-ESC5 {
($SID -notmatch $SafeUsers) -and
($entry.AccessControlType -eq 'Allow') -and
($entry.ActiveDirectoryRights -match $DangerousRights) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) {
($entry.ObjectType -notmatch $SafeObjectTypes) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
Expand Down Expand Up @@ -1528,11 +1540,11 @@ function Invoke-Scans {
}
ESC4 {
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC4)...'
[array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners
[array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
}
ESC5 {
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC5)...'
[array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners
[array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
}
ESC6 {
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC6)...'
Expand All @@ -1553,9 +1565,9 @@ function Invoke-Scans {
[array]$ESC3 = Find-ESC3Condition1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
[array]$ESC3 += Find-ESC3Condition2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC4)...'
[array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners
[array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC5)...'
[array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners
[array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
Write-Host 'Identifying Certificate Authorities configured with dangerous flags (ESC6)...'
[array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects
Write-Host 'Identifying HTTP-based certificate enrollment interfaces (ESC8)...'
Expand Down Expand Up @@ -1926,7 +1938,7 @@ function Test-IsADAdmin {
#>
if (
# Need to test to make sure this checks domain groups and not local groups, particularly for 'Administrators' (reference SID instead of name?).
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("Domain Admin") -or
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("Domain Admins") -or
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("Administrators") -or
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("Enterprise Admins")
) {
Expand Down Expand Up @@ -2425,4 +2437,5 @@ function Invoke-Locksmith {
}


# Export functions and aliases as required
Invoke-Locksmith -Mode $Mode -Scans $Scans
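Review bot: `$SafeObjectTypes` is consumed as a regular expression by `-notmatch` on the new `($entry.ObjectType -notmatch $SafeObjectTypes)` line in Find-ESC4, but the added help text under `.PARAMETER SafeObjectTypes` in the first hunk calls it a "list of ObjectTypes" and the parameter is left untyped; an array passed here is stringified with spaces, matches no GUID, and silently reinstates every false positive this change is meant to remove. Suggest `[string]$SafeObjectTypes` in the param block and the help text `Specifies a regular expression (pipe-separated alternation of object-type GUIDs) matching ACE ObjectTypes that are not a security concern. This parameter is mandatory.`, which also fixes the "Specifices" typo. The same applies to the Find-ESC5 hunks in this file and to the matching hunks in Private/Find-ESC4.ps1 and Private/Find-ESC5.ps1. The example values look like the Certificate-Enrollment and Certificate-AutoEnrollment extended-right GUIDs, and naming them in the example would make the intent of the exclusion clear to the next maintainer. Find-ESC4's body begins and ends outside these hunks.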
2 changes: 1 addition & 1 deletion Locksmith.psd1
Expand Up @@ -7,7 +7,7 @@
Description = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
FunctionsToExport = @('*')
GUID = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
ModuleVersion = '2024.3'
ModuleVersion = '2024.7'
PowerShellVersion = '5.1'
PrivateData = @{
PSData = @{
12 changes: 9 additions & 3 deletions Private/Find-ESC4.ps1
Expand Up @@ -20,6 +20,9 @@
.PARAMETER SafeUsers
Specifies the list of SIDs of safe users who are allowed to have specific rights on the objects. This parameter is mandatory.
.PARAMETER SafeObjectTypes
Specifices a list of ObjectTypes which are not a security concern. This parameter is mandatory.
.OUTPUTS
The script outputs an array of custom objects representing the matching ADCS objects and their associated information.
Expand All @@ -28,7 +31,8 @@
$DangerousRights = @('GenericAll', 'WriteProperty', 'WriteOwner', 'WriteDacl')
$SafeOwners = '-512$|-519$|-544$|-18$|-517$|-500$'
$SafeUsers = '-512$|-519$|-544$|-18$|-517$|-500$|-516$|-9$|-526$|-527$|S-1-5-10'
$Results = $ADCSObjects | Find-ESC4 -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeUsers $SafeUsers
$SafeObjectTypes = '0e10c968-78fb-11d2-90d4-00c04f79dc55|a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$Results = $ADCSObjects | Find-ESC4 -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeUsers $SafeUsers -SafeObjectTypes $SafeObjectTypes
$Results
#>
[CmdletBinding()]
Expand All @@ -40,7 +44,9 @@
[Parameter(Mandatory = $true)]
$SafeOwners,
[Parameter(Mandatory = $true)]
$SafeUsers
$SafeUsers,
[Parameter(Mandatory = $true)]
$SafeObjectTypes
)
$ADCSObjects | ForEach-Object {
$Principal = New-Object System.Security.Principal.NTAccount($_.nTSecurityDescriptor.Owner)
Expand Down Expand Up @@ -74,7 +80,7 @@
($SID -notmatch $SafeUsers) -and
($entry.AccessControlType -eq 'Allow') -and
($entry.ActiveDirectoryRights -match $DangerousRights) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
($entry.ObjectType -notmatch $SafeObjectTypes)
) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
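Review bot: The new `($entry.ObjectType -notmatch $SafeObjectTypes)` condition in the last hunk compares the ObjectType through its string form, and if `$entry` is an ActiveDirectoryAccessRule (as the ActiveDirectoryRights property suggests) an ACE whose ObjectType is the all-zeros Guid — a right over the whole object rather than one attribute or extended right — will never match the exclusion and stays flagged. That is presumably the intended behaviour, but nothing in the hunk says so and a future reader may "fix" it. Suggest a comment above the line: `# ObjectType is a Guid; an all-zeros value means the right covers the whole object and must still be reported.` The `if` this clause belongs to begins above the hunk and its body continues below it.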
12 changes: 9 additions & 3 deletions Private/Find-ESC5.ps1
Expand Up @@ -20,6 +20,9 @@
.PARAMETER SafeUsers
Specifies the list of SIDs of safe users who are allowed to have specific rights on the objects. This parameter is mandatory.
.PARAMETER SafeObjectTypes
Specifices a list of ObjectTypes which are not a security concern. This parameter is mandatory.
.OUTPUTS
The script outputs an array of custom objects representing the matching ADCS objects and their associated information.
Expand All @@ -28,7 +31,8 @@
$DangerousRights = @('GenericAll', 'WriteProperty', 'WriteOwner', 'WriteDacl')
$SafeOwners = '-512$|-519$|-544$|-18$|-517$|-500$'
$SafeUsers = '-512$|-519$|-544$|-18$|-517$|-500$|-516$|-9$|-526$|-527$|S-1-5-10'
$Results = $ADCSObjects | Find-ESC5 -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeUsers $SafeUsers
$SafeObjectTypes = '0e10c968-78fb-11d2-90d4-00c04f79dc55|a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$Results = $ADCSObjects | Find-ESC5 -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeUsers $SafeUsers -SafeObjectTypes $SafeObjectTypes
$Results
#>
[CmdletBinding()]
Expand All @@ -40,7 +44,9 @@
[Parameter(Mandatory = $true)]
$SafeOwners,
[Parameter(Mandatory = $true)]
$SafeUsers
$SafeUsers,
[Parameter(Mandatory = $true)]
$SafeObjectTypes
)
$ADCSObjects | ForEach-Object {
$Principal = New-Object System.Security.Principal.NTAccount($_.nTSecurityDescriptor.Owner)
Expand Down Expand Up @@ -74,7 +80,7 @@
($SID -notmatch $SafeUsers) -and
($entry.AccessControlType -eq 'Allow') -and
($entry.ActiveDirectoryRights -match $DangerousRights) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) {
($entry.ObjectType -notmatch $SafeObjectTypes) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
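Review bot: In the last hunk the condition's closing parenthesis and the opening brace are folded onto the new `($entry.ObjectType -notmatch $SafeObjectTypes) ) {` line, whereas the identical condition in Private/Find-ESC4.ps1 puts `) {` on its own line; with five `-and` clauses stacked vertically the trailing `) ) {` is easy to misread as part of the clause. Suggest matching Find-ESC4: `($entry.ObjectType -notmatch $SafeObjectTypes)` followed by `) {` on the next line. The `if` statement begins above the hunk.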
8 changes: 4 additions & 4 deletions Private/Invoke-Scans.ps1
Expand Up @@ -89,11 +89,11 @@ function Invoke-Scans {
}
ESC4 {
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC4)...'
[array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners
[array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
}
ESC5 {
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC5)...'
[array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners
[array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
}
ESC6 {
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC6)...'
Expand All @@ -114,9 +114,9 @@ function Invoke-Scans {
[array]$ESC3 = Find-ESC3Condition1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
[array]$ESC3 += Find-ESC3Condition2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC4)...'
[array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners
[array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
Write-Host 'Identifying AD CS template and other objects with poor access control (ESC5)...'
[array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners
[array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
Write-Host 'Identifying Certificate Authorities configured with dangerous flags (ESC6)...'
[array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects
Write-Host 'Identifying HTTP-based certificate enrollment interfaces (ESC8)...'
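Review bot: Both hunks now pass `-SafeObjectTypes $SafeObjectTypes` to Find-ESC4 and Find-ESC5, but nothing in the diff shows Invoke-Scans declaring or receiving `$SafeObjectTypes`; if it is neither a parameter of Invoke-Scans nor set in an enclosing scope, the variable expands to `$null` and binding to the new mandatory parameter fails instead of falling back to the previous behaviour. Please confirm the `param` block (above the hunk) or the caller defines it, and document it alongside `$SafeUsers` and `$SafeOwners` in the function's help. The same applies to the Invoke-Scans hunks in Invoke-Locksmith.ps1. Invoke-Scans begins and ends outside these hunks.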
