-
-
Notifications
You must be signed in to change notification settings - Fork 100
/
Copy pathFind-ESC13.ps1
91 lines (82 loc) · 4.26 KB
/
Find-ESC13.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
function Find-ESC13 {
<#
.SYNOPSIS
This script finds AD CS (Active Directory Certificate Services) objects that have the ESC13 vulnerability.
.DESCRIPTION
The script takes an array of ADCS objects as input and filters them based on the specified conditions.
For each matching object, it creates a custom object with properties representing various information about
the object, such as Forest, Name, DistinguishedName, IdentityReference, ActiveDirectoryRights, Issue, Fix, Revert, and Technique.
.PARAMETER ADCSObjects
Specifies the array of ADCS objects to be processed. This parameter is mandatory.
.PARAMETER SafeUsers
Specifies the list of SIDs of safe users who are allowed to have specific rights on the objects. This parameter is mandatory.
.PARAMETER ClientAuthEKUs
A list of EKUs that can be used for client authentication.
.OUTPUTS
The script outputs an array of custom objects representing the matching ADCS objects and their associated information.
.EXAMPLE
$ADCSObjects = Get-ADCSObjects
$SafeUsers = '-512$|-519$|-544$|-18$|-517$|-500$|-516$|-9$|-526$|-527$|S-1-5-10'
$ClientAuthEKUs = '1\.3\.6\.1\.5\.5\.7\.3\.2|1\.3\.6\.1\.5\.2\.3\.4|1\.3\.6\.1\.4\.1\.311\.20\.2\.2|2\.5\.29\.37\.0'
$Results = $ADCSObjects | Find-ESC13 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ClientAuthEKUs
$Results
#>
[CmdletBinding()]
param(
[Parameter(Mandatory)]
[Microsoft.ActiveDirectory.Management.ADEntity[]]$ADCSObjects,
[Parameter(Mandatory)]
[array]$SafeUsers,
[Parameter(Mandatory)]
$ClientAuthEKUs
)
$ADCSObjects | Where-Object {
($_.objectClass -eq 'pKICertificateTemplate') -and
($_.pkiExtendedKeyUsage -match $ClientAuthEKUs) -and
($_.'msPKI-Certificate-Policy')
} | ForEach-Object {
foreach ($policy in $_.'msPKI-Certificate-Policy') {
if ($ADCSObjects.'msPKI-Cert-Template-OID' -contains $policy) {
$OidToCheck = $ADCSObjects | Where-Object 'msPKI-Cert-Template-OID' -eq $policy
if ($OidToCheck.'msDS-OIDToGroupLink') {
foreach ($entry in $_.nTSecurityDescriptor.Access) {
$Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
if ($Principal -match '^(S-1|O:)') {
$SID = $Principal
} else {
$SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
}
if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
IdentityReference = $entry.IdentityReference
ActiveDirectoryRights = $entry.ActiveDirectoryRights
LinkedGroup = $OidToCheck.'msDS-OIDToGroupLink'
Issue = @"
$($entry.IdentityReference) can enroll in this Client Authentication template
which is linked to the group $($OidToCheck.'msDS-OIDToGroupLink').
If $($entry.IdentityReference) uses this certificate for authentication, they
will gain the rights of the linked group while the group membership appears empty.
"@
Fix = @"
# Enable Manager Approval
`$Object = `'$($_.DistinguishedName)`'
Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
"@
Revert = @"
# Disable Manager Approval
`$Object = `'$($_.DistinguishedName)`'
Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
"@
Technique = 'ESC13'
}
$Issue
}
}
}
}
}
}
}