
Commit 1f76288

authored
Breakin' the law \m/
fix: applied updated ESC1 detection logic to other template-based ESCs
2 parents 0c9cd49 + c4dc429 commit 1f76288


9 files changed

+80
-22
lines changed


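--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -463,7 +463,12 @@ function Find-ESC13 {
 else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name
@@ -556,7 +561,12 @@ function Find-ESC15 {
 else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name
@@ -651,7 +661,7 @@ function Find-ESC16 {
 if ($_.DisableExtensionList -eq 'Yes') {
 $Issue.Issue = @"
 The Certification Authority (CA) $($_.CAFullName) has the szOID_NTDS_CA_SECURITY_EXT security extension disabled. When
-this extension is disabled, every certificate issued by this CA will be unable to to reliably map a certificate to a
+this extension is disabled, every certificate issued from this template will be unable to reliably map a certificate to a
 user or computer account's SID for authentication.
 
 More info:
@@ -734,7 +744,12 @@ function Find-ESC2 {
 else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name
@@ -838,7 +853,12 @@ function Find-ESC3C1 {
 else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name
@@ -931,7 +951,12 @@ function Find-ESC3C2 {
 else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name
@@ -1813,7 +1838,12 @@ function Find-ESC9 {
 else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name
@@ -3076,7 +3106,6 @@ function Set-AdditionalCAProperty {
 process {
 $ADCSObjects | Where-Object objectClass -Match 'pKIEnrollmentService' | ForEach-Object {
 $CAEnrollmentEndpoint = @()
-#[array]$CAEnrollmentEndpoint = $_.'msPKI-Enrollment-Servers' | Select-String 'http.*' | ForEach-Object { $_.Matches[0].Value }
 foreach ($directory in @('certsrv/', "$($_.Name)_CES_Kerberos/service.svc", "$($_.Name)_CES_Kerberos/service.svc/CES", 'ADPolicyProvider_CEP_Kerberos/service.svc', 'certsrv/mscep/')) {
 $URL = "://$($_.dNSHostName)/$directory"
 try {
@@ -3086,7 +3115,7 @@ function Set-AdditionalCAProperty {
 $Cache = [System.Net.CredentialCache]::New()
 $Cache.Add([System.Uri]::new($FullURL), $Auth, [System.Net.CredentialCache]::DefaultNetworkCredentials)
 $Request.Credentials = $Cache
-$Request.Timeout = 1000
+$Request.Timeout = 100
 $Request.GetResponse() | Out-Null
 $CAEnrollmentEndpoint += @{
 'URL' = $FullURL
@@ -3101,7 +3130,7 @@ function Set-AdditionalCAProperty {
 $Cache = [System.Net.CredentialCache]::New()
 $Cache.Add([System.Uri]::new($FullURL), $Auth, [System.Net.CredentialCache]::DefaultNetworkCredentials)
 $Request.Credentials = $Cache
-$Request.Timeout = 1000
+$Request.Timeout = 100
 $Request.GetResponse() | Out-Null
 $CAEnrollmentEndpoint += @{
 'URL' = $FullURL
@@ -3116,7 +3145,7 @@ function Set-AdditionalCAProperty {
 $Cache = [System.Net.CredentialCache]::New()
 $Cache.Add([System.Uri]::new($FullURL), $Auth, [System.Net.CredentialCache]::DefaultNetworkCredentials)
 $Request.Credentials = $Cache
-$Request.Timeout = 1000
+$Request.Timeout = 100
 $Request.GetResponse() | Out-Null
 $CAEnrollmentEndpoint += @{
 'URL' = $FullURL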
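Review bot: `$Request.Timeout = 100` in the Set-AdditionalCAProperty hunks cuts the probe budget to 100 ms, which, if `$Request` is a `System.Net.WebRequest` (its creation is outside the hunk, and that Timeout is in milliseconds), is shorter than a Negotiate/Kerberos challenge round trip to a CA web server, so reachable enrollment endpoints will be recorded as absent. Because the enclosing try/catch presumably treats a timeout the same as a definite not-found, the scan silently under-reports web enrollment endpoints instead of failing visibly. Suggest restoring `$Request.Timeout = 1000` or exposing it as a parameter such as `[int]$EndpointTimeoutMs = 1000`, and having the catch log `[System.Net.WebExceptionStatus]::Timeout` separately from a 404. The same change is made in the third and fourth Set-AdditionalCAProperty hunks of this file and in Private/Set-AdditionalCAProperty.ps1.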

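--- a/Private/Find-ESC13.ps1
+++ b/Private/Find-ESC13.ps1
@@ -56,7 +56,12 @@ function Find-ESC13 {
 } else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name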
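Review bot: The new `$entry.ObjectType -match '0e10c968-…|00000000-…'` test embeds two unexplained GUIDs inline, and the identical literal is repeated in Find-ESC15.ps1, Find-ESC2.ps1, Find-ESC3C1.ps1, Find-ESC3C2.ps1, Find-ESC9.ps1 and all seven copies in Invoke-Locksmith.ps1. A reader has to already know that 0e10c968-78fb-11d2-90d4-00c04f79dc55 is the Certificate-Enrollment control access right and that the null GUID on an ExtendedRight ACE means every extended right is granted. Suggest hoisting it to a named pattern with a comment, `# Enroll extended right, or an ACE granting all extended rights` above `$EnrollRightGuids = '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000'`, and matching against `$EnrollRightGuids` in each detector. Find-ESC13's body starts and ends outside the hunk, so where the pattern is defined is the author's call.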

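--- a/Private/Find-ESC15.ps1
+++ b/Private/Find-ESC15.ps1
@@ -44,7 +44,12 @@ function Find-ESC15 {
 } else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name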

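--- a/Private/Find-ESC16.ps1
+++ b/Private/Find-ESC16.ps1
@@ -40,7 +40,7 @@
 if ($_.DisableExtensionList -eq 'Yes') {
 $Issue.Issue = @"
 The Certification Authority (CA) $($_.CAFullName) has the szOID_NTDS_CA_SECURITY_EXT security extension disabled. When
-this extension is disabled, every certificate issued by this CA will be unable to to reliably map a certificate to a
+this extension is disabled, every certificate issued from this template will be unable to reliably map a certificate to a
 user or computer account's SID for authentication.
 
 More info: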
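Review bot: The rewritten message now says "every certificate issued from this template", but the finding is keyed on a CA property (`$_.CAFullName`, `DisableExtensionList`) and no template is in scope in this hunk, so the new wording points the reader at the wrong object. The original "issued by this CA" matched the preceding sentence; only the doubled "to to" needed fixing. Suggest `this extension is disabled, every certificate issued by this CA will be unable to reliably map a certificate to a`. The same text is changed in the Find-ESC16 hunk of Invoke-Locksmith.ps1.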

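--- a/Private/Find-ESC2.ps1
+++ b/Private/Find-ESC2.ps1
@@ -46,7 +46,12 @@
 } else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name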

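--- a/Private/Find-ESC3C1.ps1
+++ b/Private/Find-ESC3C1.ps1
@@ -46,7 +46,12 @@
 } else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name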

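--- a/Private/Find-ESC3C2.ps1
+++ b/Private/Find-ESC3C2.ps1
@@ -47,7 +47,12 @@
 } else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name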

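--- a/Private/Find-ESC9.ps1
+++ b/Private/Find-ESC9.ps1
@@ -56,7 +56,12 @@
 } else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
-if ( ($SID -notmatch $SafeUsers) -and ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -or ($entry.ActiveDirectoryRights -match 'GenericAll') ) ) {
+if (
+($SID -notmatch $SafeUsers) -and
+( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+($entry.ActiveDirectoryRights -match 'GenericAll') )
+) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name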

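--- a/Private/Set-AdditionalCAProperty.ps1
+++ b/Private/Set-AdditionalCAProperty.ps1
@@ -71,7 +71,6 @@
 process {
 $ADCSObjects | Where-Object objectClass -Match 'pKIEnrollmentService' | ForEach-Object {
 $CAEnrollmentEndpoint = @()
-#[array]$CAEnrollmentEndpoint = $_.'msPKI-Enrollment-Servers' | Select-String 'http.*' | ForEach-Object { $_.Matches[0].Value }
 foreach ($directory in @('certsrv/', "$($_.Name)_CES_Kerberos/service.svc", "$($_.Name)_CES_Kerberos/service.svc/CES", 'ADPolicyProvider_CEP_Kerberos/service.svc', 'certsrv/mscep/')) {
 $URL = "://$($_.dNSHostName)/$directory"
 try {
@@ -81,7 +80,7 @@
 $Cache = [System.Net.CredentialCache]::New()
 $Cache.Add([System.Uri]::new($FullURL), $Auth, [System.Net.CredentialCache]::DefaultNetworkCredentials)
 $Request.Credentials = $Cache
-$Request.Timeout = 1000
+$Request.Timeout = 100
 $Request.GetResponse() | Out-Null
 $CAEnrollmentEndpoint += @{
 'URL' = $FullURL
@@ -95,7 +94,7 @@
 $Cache = [System.Net.CredentialCache]::New()
 $Cache.Add([System.Uri]::new($FullURL), $Auth, [System.Net.CredentialCache]::DefaultNetworkCredentials)
 $Request.Credentials = $Cache
-$Request.Timeout = 1000
+$Request.Timeout = 100
 $Request.GetResponse() | Out-Null
 $CAEnrollmentEndpoint += @{
 'URL' = $FullURL
@@ -109,7 +108,7 @@
 $Cache = [System.Net.CredentialCache]::New()
 $Cache.Add([System.Uri]::new($FullURL), $Auth, [System.Net.CredentialCache]::DefaultNetworkCredentials)
 $Request.Credentials = $Cache
-$Request.Timeout = 1000
+$Request.Timeout = 100
 $Request.GetResponse() | Out-Null
 $CAEnrollmentEndpoint += @{
 'URL' = $FullURL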
