Merge pull request rapid7#19856 from bwatters-r7/update/esc8-auto-dc

jheysel-r7 · web-flow · commit 476ad5bb94f2 · 2025-02-05T09:44:47.000-08:00
Change behavior of esc8 'AUTO' mode to attempt to get a cert based on DC and Machine types
diff --git a/documentation/modules/auxiliary/server/relay/esc8.md b/documentation/modules/auxiliary/server/relay/esc8.md
@@ -20,10 +20,12 @@ The issue mode. This controls what the module will do once an authenticated sess
 server. Must be one of the following options:
 
 * ALL: Enumerate all available certificate templates and then issue each of them
-* AUTO: Automatically select either the `User` or `Machine` template to issue based on if the authenticated user is a
-  user or machine account. The determination is based on checking for a `$` at the end of the name, which means that it
-  is a machine account.
-* QUERY_ONLY: Enumerate all available certificate templates but do not issue any
+* AUTO: Automatically select either the `User` or `DomainController` and `Machine` (`Computer`) templates to issue
+  based on if the authenticated user is a user or machine account. The determination is based on checking for a `$` 
+  at the end of the name, which means that it is a machine account.
+* QUERY_ONLY: Enumerate all available certificate templates but do not issue any.  Not all certificate templates
+  available for use will be displayed; templates with the flag CT_FLAG_MACHINE_TYPE set will not show available and 
+  include `Machine` (AKA `Computer`) and `DomainController`  
 * SPECIFIC_TEMPLATE: Issue the certificate template specified in the `CERT_TEMPLATE` option
 
 ### CERT_TEMPLATE
diff --git a/modules/auxiliary/server/relay/esc8.rb b/modules/auxiliary/server/relay/esc8.rb
@@ -107,11 +107,12 @@ def run
   def on_relay_success(relay_connection:, relay_identity:)
     case datastore['MODE']
     when 'AUTO'
-      cert_template = relay_identity.end_with?('$') ? 'Computer' : 'User'
-      retrieve_cert(relay_connection, relay_identity, cert_template)
+      cert_template = relay_identity.end_with?('$') ? ['DomainController', 'Machine'] : ['User']
+      retrieve_certs(relay_connection, relay_identity, cert_template)
     when 'ALL', 'QUERY_ONLY'
       cert_templates = get_cert_templates(relay_connection)
       unless cert_templates.nil? || cert_templates.empty?
+        print_status('***Templates with CT_FLAG_MACHINE_TYPE set like Machine and DomainController will not display as available, even if they are.***')
         print_good("Available Certificates for #{relay_identity} on #{datastore['RELAY_TARGET']}: #{cert_templates.join(', ')}")
         if datastore['MODE'] == 'ALL'
           retrieve_certs(relay_connection, relay_identity, cert_templates)
