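function Invoke-Scans {
    <#
    .SYNOPSIS
    Runs the requested AD CS (Active Directory Certificate Services) scans and returns their findings.

    .DESCRIPTION
    Each scan name in -Scans is dispatched to its Find-* function. The results are collected into one
    array per scan and returned as a hash table keyed by scan name, plus an 'AllIssues' key holding the
    concatenation of every scan's results.

    The Find-* functions, the $ADCSObjects collection they inspect, the $SafeUsers list and the
    $Dictionary used to populate the 'PromptMe' grid are not parameters of this function; they are
    resolved from an enclosing scope and must be defined before this function is called.

    .PARAMETER ClientAuthEkus
    Client-authentication EKU list forwarded to Find-ESC1 and Find-ESC13 as -ClientAuthEKUs.

    .PARAMETER DangerousRights
    Forwarded to Find-ESC4 and Find-ESC5 as -DangerousRights.

    .PARAMETER EnrollmentAgentEKU
    Accepted for interface compatibility; not consumed by this function.

    .PARAMETER Mode
    Forwarded to Find-ESC4 as -Mode (for both the 'ESC4' and 'All' scan paths).

    .PARAMETER SafeObjectTypes
    Forwarded to Find-ESC4 and Find-ESC5 as -SafeObjectTypes.

    .PARAMETER SafeOwners
    Forwarded to Find-ESC4 and Find-ESC5 as -SafeOwners.

    .PARAMETER Scans
    The scans to perform. Multiple scan names can be provided as an array. The default value is 'All'.
    The available scan options are: 'Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC8',
    'ESC11', 'ESC13', 'All', 'PromptMe'. 'PromptMe' opens an interactive grid (Out-ConsoleGridView on
    PowerShell 7+, otherwise Out-GridView) and runs whatever the user selects; if neither grid cmdlet
    is available the function falls back to 'All'.

    .PARAMETER UnsafeOwners
    Accepted for interface compatibility; not consumed by this function.

    .PARAMETER UnsafeUsers
    Accepted for interface compatibility; not consumed by this function.

    .PARAMETER PreferredOwner
    Accepted for interface compatibility; not consumed by this function.

    .OUTPUTS
    [hashtable] with the keys AllIssues, AuditingIssues, ESC1, ESC2, ESC3, ESC4, ESC5, ESC6, ESC8,
    ESC11 and ESC13. Scans that were not requested leave their key set to $null.

    .NOTES
    - Requires the following functions to be defined: Find-AuditingIssue, Find-ESC1, Find-ESC2,
      Find-ESC3Condition1, Find-ESC3Condition2, Find-ESC4, Find-ESC5, Find-ESC6, Find-ESC8,
      Find-ESC11, Find-ESC13.
    - When no scan reports any issue, a message is written and the function exits via 'break'
      rather than returning the hash table (see the comment at that line).

    .EXAMPLE
    Invoke-Scans
    # Perform all scans

    .EXAMPLE
    Invoke-Scans -Scans 'Auditing', 'ESC1'
    # Perform only the 'Auditing' and 'ESC1' scans

    .EXAMPLE
    Invoke-Scans -Scans 'PromptMe'
    # Prompt the user to select the scans to perform
    #>
    [CmdletBinding()]
    [OutputType([hashtable])]
    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', 'Invoke-Scans', Justification = 'Performing multiple scans.')]
    param (
        # Could split Scans and PromptMe into separate parameter sets.
        [Parameter()]
        $ClientAuthEkus,
        $DangerousRights,
        $EnrollmentAgentEKU,
        [int]$Mode,
        $SafeObjectTypes,
        $SafeOwners,
        [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC8', 'ESC11', 'ESC13', 'All', 'PromptMe')]
        [array]$Scans = 'All',
        $UnsafeOwners,
        $UnsafeUsers,
        $PreferredOwner
    )

    # An explicitly empty -Scans (e.g. @() or $null) would otherwise run nothing and report
    # "no issues"; treat it like the default. The previous comparison against the undefined
    # $IsNullOrEmpty variable was a no-op on arrays.
    if (-not $Scans) {
        $Scans = 'All'
    }

    if ( $Scans -eq 'PromptMe' ) {
        $GridViewTitle = 'Select the tests to run and press Enter or click OK to continue...'
        # Out-ConsoleGridView is only used on PowerShell 7+; otherwise fall back to Out-GridView.
        if ((Get-Command Out-ConsoleGridView -ErrorAction SilentlyContinue) -and ($PSVersionTable.PSVersion.Major -ge 7)) {
            [array]$Scans = ($Dictionary | Select-Object Name, Category, Subcategory | Out-ConsoleGridView -OutputMode Multiple -Title $GridViewTitle).Name | Sort-Object -Property Name
        } elseif (Get-Command -Name Out-GridView -ErrorAction SilentlyContinue) {
            [array]$Scans = ($Dictionary | Select-Object Name, Category, Subcategory | Out-GridView -PassThru -Title $GridViewTitle).Name | Sort-Object -Property Name
        } else {
            # To Do: Check for admin and prompt to install features/modules or revert to 'All'.
            Write-Information "Out-GridView and Out-ConsoleGridView were not found on your system. Defaulting to `'All`'."
            $Scans = 'All'
        }
    }

    # switch over an array evaluates every element, so each requested scan runs once.
    switch ( $Scans ) {
        Auditing {
            Write-Host 'Identifying auditing issues...'
            [array]$AuditingIssues = Find-AuditingIssue -ADCSObjects $ADCSObjects
        }
        ESC1 {
            Write-Host 'Identifying AD CS templates with dangerous ESC1 configurations...'
            [array]$ESC1 = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEkus
        }
        ESC2 {
            Write-Host 'Identifying AD CS templates with dangerous ESC2 configurations...'
            [array]$ESC2 = Find-ESC2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
        }
        ESC3 {
            Write-Host 'Identifying AD CS templates with dangerous ESC3 configurations...'
            # ESC3 has two conditions; both result sets are merged into one array.
            [array]$ESC3 = Find-ESC3Condition1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
            [array]$ESC3 += Find-ESC3Condition2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
        }
        ESC4 {
            Write-Host 'Identifying AD CS templates with poor access control (ESC4)...'
            # -Mode is now passed here as well, matching the 'All' path below.
            [array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes -Mode $Mode
        }
        ESC5 {
            Write-Host 'Identifying AD CS objects with poor access control (ESC5)...'
            [array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
        }
        ESC6 {
            Write-Host 'Identifying Issuing CAs with EDITF_ATTRIBUTESUBJECTALTNAME2 enabled (ESC6)...'
            [array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects
        }
        ESC8 {
            Write-Host 'Identifying HTTP-based certificate enrollment interfaces (ESC8)...'
            [array]$ESC8 = Find-ESC8 -ADCSObjects $ADCSObjects
        }
        ESC11 {
            Write-Host 'Identifying Issuing CAs with IF_ENFORCEENCRYPTICERTREQUEST disabled (ESC11)...'
            [array]$ESC11 = Find-ESC11 -ADCSObjects $ADCSObjects
        }
        ESC13 {
            Write-Host 'Identifying AD CS templates with dangerous ESC13 configurations...'
            # Previously assigned to $ESC11, which clobbered the ESC11 results and left ESC13 empty.
            [array]$ESC13 = Find-ESC13 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEkus
        }
        All {
            Write-Host 'Identifying auditing issues...'
            [array]$AuditingIssues = Find-AuditingIssue -ADCSObjects $ADCSObjects
            Write-Host 'Identifying AD CS templates with dangerous ESC1 configurations...'
            [array]$ESC1 = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEkus
            Write-Host 'Identifying AD CS templates with dangerous ESC2 configurations...'
            [array]$ESC2 = Find-ESC2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
            Write-Host 'Identifying AD CS templates with dangerous ESC3 configurations...'
            [array]$ESC3 = Find-ESC3Condition1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
            [array]$ESC3 += Find-ESC3Condition2 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers
            Write-Host 'Identifying AD CS templates with poor access control (ESC4)...'
            [array]$ESC4 = Find-ESC4 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes -Mode $Mode
            Write-Host 'Identifying AD CS objects with poor access control (ESC5)...'
            [array]$ESC5 = Find-ESC5 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -DangerousRights $DangerousRights -SafeOwners $SafeOwners -SafeObjectTypes $SafeObjectTypes
            Write-Host 'Identifying Certificate Authorities with EDITF_ATTRIBUTESUBJECTALTNAME2 enabled (ESC6)...'
            [array]$ESC6 = Find-ESC6 -ADCSObjects $ADCSObjects
            Write-Host 'Identifying HTTP-based certificate enrollment interfaces (ESC8)...'
            [array]$ESC8 = Find-ESC8 -ADCSObjects $ADCSObjects
            Write-Host 'Identifying Certificate Authorities with IF_ENFORCEENCRYPTICERTREQUEST disabled (ESC11)...'
            [array]$ESC11 = Find-ESC11 -ADCSObjects $ADCSObjects
            Write-Host 'Identifying AD CS templates with dangerous ESC13 configurations...'
            [array]$ESC13 = Find-ESC13 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEkus
            Write-Host
        }
    }

    # Adding $null arrays is safe here: a scan that did not run contributes nothing to the union.
    [array]$AllIssues = $AuditingIssues + $ESC1 + $ESC2 + $ESC3 + $ESC4 + $ESC5 + $ESC6 + $ESC8 + $ESC11 + $ESC13

    # If these are all empty = no issues found, exit
    if ($AllIssues.Count -lt 1) {
        Write-Host "`n$(Get-Date) : No ADCS issues were found." -ForegroundColor Green
        # NOTE: 'break' here is not inside a loop, so PowerShell unwinds to the nearest enclosing
        # loop in the caller (or ends the script if there is none) instead of returning a hash table.
        # Kept as-is because existing callers may rely on execution stopping at this point.
        break
    }

    # Return a hash table of array names (keys) and arrays (values) so they can be directly referenced with other functions
    Return @{
        AllIssues      = $AllIssues
        AuditingIssues = $AuditingIssues
        ESC1           = $ESC1
        ESC2           = $ESC2
        ESC3           = $ESC3
        ESC4           = $ESC4
        ESC5           = $ESC5
        ESC6           = $ESC6
        ESC8           = $ESC8
        ESC11          = $ESC11
        ESC13          = $ESC13
    }
}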