Find and fix Active Directory Certificate Services (AD CS) security misconfigurations
Locksmith 2 is a comprehensive PowerShell module for auditing Active Directory Certificate Services (AD CS) infrastructure. It identifies security misconfigurations across certificate templates, certification authorities, and PKI infrastructure objects based on established ESC (Escalation) techniques.
Built for AD administrators, security professionals, and penetration testers, Locksmith 2 provides:
- Automated vulnerability scanning for ESC techniques from ESC1 through ESC16 (see the supported list below; not every number in that range is covered)
- Detailed remediation scripts for each discovered issue
- Granular cmdlets for targeted security assessments
- Comprehensive reporting with human-readable output
- Educational resources explaining each vulnerability
Locksmith 2 represents the next generation in the Locksmith line of open-source AD CS security tooling, improving upon the original with better code organization, enhanced reporting, and deeper risk analysis.
- Scan certificate templates (ESC1, ESC2, ESC3, ESC4a (ACE), ESC4o (Ownership), ESC9)
- Audit certification authorities (ESC6, ESC7a (CA Administrator), ESC7m (Certificate Manager), ESC11, ESC16)
- Check PKI infrastructure objects (ESC5a (ACE), ESC5o (Ownership))
- Generate PowerShell remediation scripts
- Generate PowerShell scripts to revert remediations
- Support for non-domain-joined systems (excluding the CA-level checks ESC6, ESC7a/m, ESC11 and ESC16, which need RPC/DCOM access to the CA)
- Object output
- HTML/CSV/PDF/Excel output
- Interactive TUI for guided remediation
```powershell
Install-Module -Name Locksmith2 -Scope CurrentUser -Force
```
Or clone the repository and import the module directly:
```powershell
git clone https://github.com/jakehildreth/Locksmith2.git
cd Locksmith2
Import-Module .\Locksmith2.psd1
```
```powershell
# Interactive mode - prompts for forest and credentials
Invoke-Locksmith2

# Specify credentials
$cred = Get-Credential
Invoke-Locksmith2 -Forest 'contoso.com' -Credential $cred

# Targeted scanning for specific techniques
Find-LS2VulnerableTemplate -Technique ESC1
Find-LS2VulnerableCA -Technique ESC6

# Inspect results
$stores = Get-LS2Stores
$stores.IssueStore['ESC1']
```
| Technique | Description | Target Objects |
|---|---|---|
| ESC1 | Enrollee-supplied subject (SAN) on an authentication template enrollable by low-privileged principals | Templates |
| ESC2 | Any Purpose EKU or no EKU (SubCA-style templates) | Templates |
| ESC3 | Misconfigured Enrollment Agent templates | Templates |
| ESC4 | Vulnerable template access control (ACE or ownership) | Templates |
| ESC5 | Vulnerable PKI object access control (ACE or ownership) | Infrastructure Objects |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 enabled (requester-controlled SAN on any template) | CAs |
| ESC7 | Dangerous CA Administrator / Certificate Manager role assignments | CAs |
| ESC9 | Security extension disabled on the template (CT_FLAG_NO_SECURITY_EXTENSION), enabling weak certificate mapping | Templates |
| ESC11 | RPC encryption not enforced on the ICPR interface (IF_ENFORCEENCRYPTICERTREQUEST unset), enabling NTLM relay | CAs |
| ESC16 | Security extension (szOID_NTDS_CA_SECURITY_EXT, 1.3.6.1.4.1.311.25.2) disabled CA-wide via DisableExtensionList | CAs |
For detailed information on ESC techniques, see Certified Pre-Owned by SpecterOps.
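The following is an added example, not code from the Locksmith2 README or the project itself: a scripted audit that runs every technique in the table above through the targeted `Find-LS2Vulnerable*` cmdlets, then summarizes and exports the findings. It assumes only the cmdlet names and parameters documented on this page, that `Get-LS2Stores` returns an `IssueStore` keyed by technique (as the Quick Start shows), and an assumed forest name and output path.

```powershell
# Added example (not Locksmith2 project code). Assumes the cmdlets documented in
# this README; 'contoso.com' and the CSV path are placeholders.
Import-Module Locksmith2

# Point the module at the target forest and credentials once, then call the
# Find-LS2Vulnerable* cmdlets independently of Invoke-Locksmith2.
Set-LS2Forest -Forest 'contoso.com'
Set-LS2Credential -Credential (Get-Credential -Message 'Domain user for the AD CS audit')

# Technique-to-cmdlet mapping, taken from the "Supported" lists in the cmdlet reference.
$plan = @{
    'Find-LS2VulnerableTemplate' = 'ESC1','ESC2','ESC3c1','ESC3c2','ESC4a','ESC4o','ESC9'
    'Find-LS2VulnerableCA'       = 'ESC6','ESC7a','ESC7m','ESC11','ESC16'
    'Find-LS2VulnerableObject'   = 'ESC5a','ESC5o'
}

$issues = foreach ($cmdlet in $plan.Keys) {
    foreach ($technique in $plan[$cmdlet]) {
        try {
            & $cmdlet -Technique $technique
        } catch {
            # The CA-level checks need RPC/DCOM access to the CA (the README excludes
            # them on non-domain-joined scanners); record the failure and keep going.
            Write-Warning "$cmdlet -Technique ${technique}: $($_.Exception.Message)"
        }
    }
}

# Summarize per technique straight from the module's IssueStore (assumed to be a
# dictionary keyed by technique name, as in the Quick Start).
$stores = Get-LS2Stores
foreach ($key in ($stores.IssueStore.Keys | Sort-Object)) {
    '{0,-7} {1,4} issue(s)' -f $key, @($stores.IssueStore[$key]).Count
}

# Persist the raw LS2Issue objects so a later run can be diffed against this one.
$issues | Export-Csv -Path ".\locksmith2-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Running the techniques one at a time, rather than through `Invoke-Locksmith2`, lets a scheduled job keep going when a single CA is unreachable and still leaves the per-technique store available for inspection afterwards.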
Performs a comprehensive AD CS security audit covering every ESC technique the module supports.
```powershell
Invoke-Locksmith2 [-Forest <String>] [-Credential <PSCredential>]
    [-SkipVersionCheck] [-SkipPowerShellCheck] [-SkipForestCheck]
```
Scans certificate templates for specific ESC vulnerabilities.
```powershell
Find-LS2VulnerableTemplate -Technique <String>
# Supported: ESC1, ESC2, ESC3c1, ESC3c2, ESC4a, ESC4o, ESC9
```
Returns: LS2Issue objects for programmatic use
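To make concrete what a template check such as ESC1 has to establish, here is an added example, written for this page and not taken from Locksmith2, that performs the ESC1 test by hand with the ActiveDirectory module against the Configuration partition. It treats a template as ESC1 when the enrollee supplies the subject, an authentication (or Any Purpose, or empty) EKU is present, no manager approval or authorized signature is required, the template is published on a CA, and a broad principal holds Enroll or GenericAll. The flag values, OIDs and the Enroll right GUID are the documented AD CS constants; the choice of "broad principals" is this example's own.

```powershell
# Added example (not Locksmith2 code): a manual ESC1 check over the Configuration NC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Template flag bits and EKU OIDs (AD CS schema / Certified Pre-Owned).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # in msPKI-Enrollment-Flag (manager approval)
$authEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '2.5.29.37.0'              # Any Purpose
)
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# "Broad" principals for this example: Authenticated Users, Everyone, Domain Users, Domain Computers.
$domainSid = (Get-ADDomain).DomainSID.Value
$broadSids = @('S-1-5-11', 'S-1-1-0', "$domainSid-513", "$domainSid-515")

# Only templates published on an enrollment service are enrollable at all.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

function Get-BroadEnrollers {
    # Returns the broad principals that hold Enroll (or GenericAll) on a template DN.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasAll    = ($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll
        $hasEnroll = (($ace.ActiveDirectoryRights -band $extRight) -eq $extRight) -and
                     ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [guid]::Empty)
        if (-not ($hasAll -or $hasEnroll)) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable (orphaned) SID; not a broad principal
        if ($sid -in $broadSids) { $ace.IdentityReference.Value }
    }
}

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','msPKI-RA-Signature','pKIExtendedKeyUsage'

foreach ($t in $templates) {
    $supplies = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $approval = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $sigs     = [int]$t.'msPKI-RA-Signature'          # $null -> 0 (no authorized signatures)
    $ekus     = @($t.pKIExtendedKeyUsage)
    # An empty EKU list means "any purpose", which also satisfies authentication.
    $authEku  = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $_ -in $authEkus }).Count -gt 0)

    if (-not ($supplies -and $authEku -and -not $approval -and $sigs -eq 0 -and ($t.Name -in $published))) { continue }

    $enrollers = @(Get-BroadEnrollers -DistinguishedName $t.DistinguishedName | Sort-Object -Unique)
    if ($enrollers.Count -gt 0) {
        [pscustomobject]@{
            Technique    = 'ESC1'
            Template     = $t.Name
            EnrollableBy = $enrollers -join ', '
        }
    }
}
```

Each of the six conditions is necessary: dropping any one of them (for example, flagging templates with `ENROLLEE_SUPPLIES_SUBJECT` regardless of EKU or enrollment rights) produces the false positives that make template audits noisy.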
Scans certification authorities for configuration issues and dangerous role assignments.
```powershell
Find-LS2VulnerableCA -Technique <String>
# Supported: ESC6, ESC7a, ESC7m, ESC11, ESC16
```
Returns: LS2Issue objects for programmatic use
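The CA-level techniques (ESC6, ESC11, ESC16) come down to registry flags on the CA, so they can be read and fixed with `certutil`. The block below is an added example written for this page, not Locksmith2 code or its generated output: it reads the three flags, reports which techniques apply, and pairs an ESC6 remediation with its revert in the same spirit as the remediation and revert scripts Locksmith 2 produces. The CA config string is a placeholder; `-setreg` requires CA administrator rights, and flag changes only take effect after the CA service restarts.

```powershell
# Added example (not Locksmith2 code). 'CA01.contoso.com\contoso-CA01-CA' is a placeholder.
$caConfig = 'CA01.contoso.com\contoso-CA01-CA'

function Get-CaRegText {
    # certutil prints the DWORD and decodes the set flag names on following lines;
    # stderr is merged so a missing value (e.g. no DisableExtensionList) does not abort.
    param([string]$Config, [string]$Key)
    certutil -config $Config -getreg $Key 2>&1 | Out-String
}

$findings = @()

# ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 lets any requester inject a SAN through request attributes.
$editFlags = Get-CaRegText -Config $caConfig -Key 'policy\EditFlags'
if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') { $findings += 'ESC6' }

# ESC11: without IF_ENFORCEENCRYPTICERTREQUEST the ICPR RPC interface accepts NTLM-relayed requests.
$ifFlags = Get-CaRegText -Config $caConfig -Key 'CA\InterfaceFlags'
if ($ifFlags -notmatch 'IF_ENFORCEENCRYPTICERTREQUEST') { $findings += 'ESC11' }

# ESC16: szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) in DisableExtensionList strips the
# SID extension from every certificate the CA issues, defeating strong certificate mapping.
$disabled = Get-CaRegText -Config $caConfig -Key 'policy\DisableExtensionList'
if ($disabled -match '1\.3\.6\.1\.4\.1\.311\.25\.2') { $findings += 'ESC16' }

"CA $caConfig : " + $(if ($findings) { $findings -join ', ' } else { 'no CA-level findings' })

# ESC6 remediation and its revert. The revert line is kept with the change record so the
# flag can be restored if a legacy enrollment workflow turns out to depend on it.
if ($findings -contains 'ESC6') {
    certutil -config $caConfig -setreg policy\EditFlags '-EDITF_ATTRIBUTESUBJECTALTNAME2'
    # Revert:
    #   certutil -config $caConfig -setreg policy\EditFlags '+EDITF_ATTRIBUTESUBJECTALTNAME2'
    $caHost = $caConfig.Split('\')[0]
    Invoke-Command -ComputerName $caHost -ScriptBlock { Restart-Service -Name CertSvc }
}
```

The same shape applies to ESC11 (`-setreg CA\InterfaceFlags '+IF_ENFORCEENCRYPTICERTREQUEST'`) and ESC16 (`-setreg policy\DisableExtensionList -1.3.6.1.4.1.311.25.2`), each followed by a `CertSvc` restart; in every case the "revert" is the opposite sign on the same flag.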
Scans PKI infrastructure objects (containers, computer accounts) for security issues.
```powershell
Find-LS2VulnerableObject -Technique <String>
# Supported: ESC5a, ESC5o
```
Returns: LS2Issue objects for programmatic use
Returns internal data stores populated during audits for inspection and analysis.
```powershell
Get-LS2Stores
```
Returns:
- PrincipalStore: Resolved principals by SID
- AdcsObjectStore: AD CS objects with security properties
- DomainStore: Domain information
- IssueStore: Discovered vulnerabilities by technique
- SafePrincipals: Acceptable high-privilege SIDs
- DangerousPrincipals: Risky broad-access SIDs
- StandardOwners: Acceptable owner SIDs for AD CS objects
Sets the target forest for scanning. Useful for running multiple scans or using Find-LS2Vulnerable* functions independently.
```powershell
Set-LS2Forest -Forest <String>
```
Sets credentials for AD queries. Useful for running multiple scans or using Find-LS2Vulnerable* functions independently.
```powershell
Set-LS2Credential -Credential <PSCredential>
```
- PowerShell: 5.1 or higher (Windows PowerShell)
- Permissions: Read access to Active Directory Configuration partition
- Network: Connectivity to domain controller LDAP/GC ports (389, 3268)
- Credentials: Domain user or computer account
Locksmith 2 is "Open Source, acknowledged contribution", which means any contribution must be discussed with the maintainers before it is submitted.
- Open an issue and discuss your proposed change
- Fork the repository
- Write some code following PowerShell best practices and existing code style
- Write clear commit messages using conventional commits
- Submit a pull request
- Request a review from @jakehildreth
Author: Jake Hildreth (@jakehildreth)
Website: locksmith.ad | jakehildreth.com
License: MIT w/Commons Clause
- SpecterOps for groundbreaking AD CS research (Certified Pre-Owned)
- Original Locksmith contributors and community
- Sam Erde (@SamErde) for significant code contributions
- Locksmith - Original AD CS audit tool
- Certify - C# offensive AD CS toolkit
- PSPKIAudit - PowerShell PKI auditing
- Certipy - Python-based AD CS toolkit
Locksmith 2 is provided for legitimate security assessment and defensive purposes only. Users are responsible for obtaining proper authorization before running security audits. The authors are not responsible for misuse or damage caused by this tool.
- Issues: GitHub Issues
MIT License w/Commons Clause - see LICENSE file for details.
Made with 💜 by Jake Hildreth
