ESC11 Detections #177
ESC11 Detections #177
Conversation
🦙 MegaLinter status:
|
| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| jscpd | yes | 18 | 1.99s | ||
| editorconfig-checker | 14 | 1 | 0.1s | ||
| markdownlint | 1 | 11 | 1.18s | ||
| markdown-link-check | 1 | 8 | 3.31s | ||
| ✅ MARKDOWN | markdown-table-formatter | 1 | 0 | 0.26s | |
| powershell | 13 | 7 | 22.47s | ||
| ✅ POWERSHELL | powershell_formatter | 13 | 0 | 15.98s | |
| checkov | yes | 1 | 12.56s | ||
| ✅ REPOSITORY | gitleaks | yes | no | 0.61s | |
| ✅ REPOSITORY | git_diff | yes | no | 0.02s | |
| ✅ REPOSITORY | grype | yes | no | 16.61s | |
| ✅ REPOSITORY | secretlint | yes | no | 0.91s | |
| ✅ REPOSITORY | trivy | yes | no | 5.82s | |
| ✅ REPOSITORY | trivy-sbom | yes | no | 1.39s | |
| ✅ REPOSITORY | trufflehog | yes | no | 7.16s | |
| cspell | 15 | 286 | 8.02s |
See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff
MegaLinter is graciously provided by
Private/Find-ESC11.ps1
Outdated
| Name = $_.Name | ||
| DistinguishedName = $_.DistinguishedName | ||
| Technique = 'ESC11' | ||
| Issue = $_.AuditFilter |
There was a problem hiding this comment.
Just double checking because I haven't run and tested results yet: is $_.AuditFilter right? What should that return?
There was a problem hiding this comment.
Nice catch. I also updated the ESC6 logic which does the same check!
Private/Invoke-Remediation.ps1
Outdated
| @@ -27,6 +27,9 @@ function Invoke-Remediation { | |||
| .PARAMETER ESC6 | |||
| A PS Object containing all necessary information about ESC6 issues. | |||
|
|
|||
| .PARAMETER ESC6 | |||
There was a problem hiding this comment.
Copy/paste fix needed here for "ESC11."
Private/Invoke-Scans.ps1
Outdated
|
|
||
| .NOTES | ||
| - The script requires the following functions to be defined: Find-AuditingIssue, Find-ESC1, Find-ESC2, Find-ESC3Condition1, | ||
| Find-ESC3Condition2, Find-ESC4, Find-ESC5, Find-ESC6, Find-ESC8. | ||
| Find-ESC3Condition2, Find-ESC4, Find-ESC5, Find-ESC6, Find-ESC8, Find-ESC8. |
There was a problem hiding this comment.
Copy/paste fix for "Find-ESC11" needed.
Private/Invoke-Scans.ps1
Outdated
| [array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects | ||
| } | ||
| ESC8 { | ||
| Write-Host 'Identifying HTTP-based certificate enrollment interfaces (ESC8)...' | ||
| [array]$ESC8 = Find-ESC8 -ADCSObjects $ADCSObjects | ||
| } | ||
| ESC6 { |
There was a problem hiding this comment.
Copy/paste fix "ESC6" to "ESC11"
Private/Invoke-Scans.ps1
Outdated
| [array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects | ||
| } | ||
| ESC8 { | ||
| Write-Host 'Identifying HTTP-based certificate enrollment interfaces (ESC8)...' | ||
| [array]$ESC8 = Find-ESC8 -ADCSObjects $ADCSObjects | ||
| } | ||
| ESC6 { | ||
| Write-Host 'Identifying Issuing CAs with IF_ENFORCEENCRYPTICERTREQUEST disabled (ESC11)...' | ||
| [array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects |
There was a problem hiding this comment.
Copy/paste fix "ESC6" to "ESC11"
Private/Invoke-Scans.ps1
Outdated
|
|
||
| # If these are all empty = no issues found, exit | ||
| if ((!$AuditingIssues) -and (!$ESC1) -and (!$ESC2) -and (!$ESC3) -and (!$ESC4) -and (!$ESC5) -and (!$ESC6) -and (!$ESC8) ) { | ||
| if ((!$AuditingIssues) -and (!$ESC1) -and (!$ESC2) -and (!$ESC3) -and (!$ESC4) -and (!$ESC5) -and (!$ESC6) -and (!$ESC8) -and ($ESC11) ) { |
There was a problem hiding this comment.
new segment should be -and (!($ESC11) ) { but is missing the ! operator.
| # FixIt = {Write-Output 'Add code to fix the vulnerable configuration.'} | ||
| # ReferenceUrls = '' | ||
| # }, | ||
| [VulnerableConfigurationItem]@{ |
There was a problem hiding this comment.
Changes to the dictionary should include a bump in the dictionary version attribute on line 24, which is currently: static [string] $Version = '2023.10.01.000'.
| @@ -123,11 +123,21 @@ public class TrustAllCertsPolicy : ICertificatePolicy { | |||
| $CertutilFlag = certutil -config $CAFullName -getreg policy\EditFlags | |||
| } | |||
| } catch { | |||
| $AuditFilter = 'Failure' | |||
There was a problem hiding this comment.
Summarize changes here, please? What is being added/removed/changed?
There was a problem hiding this comment.
ESC11 requires checking for the existence (or non-existence, really) of the IF_ENFORCEENCRYPTICERTREQUEST flag on a CA. These changes add that logic as a new attribute on the issue object.
Also, I noticed the $AuditFilter was being used in places it shouldn't have been, so those were cleaned up. (Though I obviously forgot to clean them up in Get-ESC11 😬
Includes: