
Commit 2095cc0

authored
Merge branch 'testing' into 221-esc15-check-within-esc3-generates-key-cannot-be-null
2 parents 4f8f9ef + 2b1944f commit 2095cc0

13 files changed

+99
-98
lines changed

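--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -174,15 +174,15 @@ function Find-AuditingIssue {
 Technique = 'DETECT'
 Issue = "Auditing is not fully enabled on $($_.CAFullName). Important security events may go unnoticed."
 Fix = @"
-certutil.exe -config `'$($_.CAFullname)`' -setreg `'CA\AuditFilter`' 127
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+certutil.exe -config '$($_.CAFullname)' -setreg CA\AuditFilter 127
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name 'certsvc' | Restart-Service -Force
 }
 "@
 Revert = @"
-certutil.exe -config $($_.CAFullname) -setreg CA\AuditFilter $($_.AuditFilter)
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+certutil.exe -config '$($_.CAFullname)' -setreg CA\AuditFilter $($_.AuditFilter)
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name 'certsvc' | Restart-Service -Force
 }
 "@
 }
@@ -282,12 +282,12 @@ More info:
 "@
 Fix = @"
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC1'
@@ -366,20 +366,20 @@ More info:
 '@
 $Issue.Fix = @"
 # Enable the flag
-certutil -config $CAFullname -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
+certutil -config '$CAFullname' -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
 
 # Restart the Certificate Authority service
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name certsvc | Restart-Service -Force
 }
 "@
 $Issue.Revert = @"
 # Disable the flag
-certutil -config $CAFullname -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
+certutil -config '$CAFullname' -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
 
 # Restart the Certificate Authority service
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name certsvc | Restart-Service -Force
 }
 "@
 }
@@ -474,12 +474,12 @@ More info:
 "@
 Fix = @"
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC13'
@@ -681,12 +681,12 @@ More info:
 "@
 Fix = @"
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC2'
@@ -772,12 +772,12 @@ More info:
 "@
 Fix = @"
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC3'
@@ -865,12 +865,12 @@ More info:
 First, eliminate unused Enrollment Agent templates.
 Then, tightly scope any Enrollment Agent templates that remain and:
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC3'
@@ -996,16 +996,16 @@ More info:
 
 "@
 Fix = @"
-`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`')
-`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'
+`$Owner = New-Object System.Security.Principal.SecurityIdentifier('$PreferredOwner')
+`$ACL = Get-Acl -Path 'AD:$($_.DistinguishedName)'
 `$ACL.SetOwner(`$Owner)
-Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL
+Set-ACL -Path 'AD:$($_.DistinguishedName)' -AclObject `$ACL
 "@
 Revert = @"
-`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`')
-`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'
+`$Owner = New-Object System.Security.Principal.SecurityIdentifier('$($_.nTSecurityDescriptor.Owner)')
+`$ACL = Get-Acl -Path 'AD:$($_.DistinguishedName)'
 `$ACL.SetOwner(`$Owner)
-Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL
+Set-ACL -Path 'AD:$($_.DistinguishedName)' -AclObject `$ACL
 "@
 Technique = 'ESC4'
 }
@@ -1050,13 +1050,13 @@ More info:
 
 "@
 Fix = @"
-`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'
+`$ACL = Get-Acl -Path 'AD:$($_.DistinguishedName)'
 foreach ( `$ace in `$ACL.access ) {
 if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) {
 `$ACL.RemoveAccessRule(`$ace) | Out-Null
 }
 }
-Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL
+Set-Acl -Path 'AD:$($_.DistinguishedName)' -AclObject `$ACL
 "@
 Revert = '[TODO]'
 Technique = 'ESC4'
@@ -1231,16 +1231,16 @@ More info:
 
 "@
 Fix = @"
-`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`')
-`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'
+`$Owner = New-Object System.Security.Principal.SecurityIdentifier('$PreferredOwner')
+`$ACL = Get-Acl -Path 'AD:$($_.DistinguishedName)'
 `$ACL.SetOwner(`$Owner)
-Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL
+Set-ACL -Path 'AD:$($_.DistinguishedName)' -AclObject `$ACL
 "@
 Revert = "
-`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`')
-`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'
+`$Owner = New-Object System.Security.Principal.SecurityIdentifier('$($_.nTSecurityDescriptor.Owner)')
+`$ACL = Get-Acl -Path 'AD:$($_.DistinguishedName)'
 `$ACL.SetOwner(`$Owner)
-Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
+Set-ACL -Path 'AD:$($_.DistinguishedName)' -AclObject `$ACL"
 Technique = 'ESC5'
 } # end switch ($_.objectClass)
 if ($SkipRisk -eq $false) {
@@ -1331,14 +1331,14 @@ $IssueDetail
 
 "@
 Fix = @"
-`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'
+`$ACL = Get-Acl -Path 'AD:$($_.DistinguishedName)'
 foreach ( `$ace in `$ACL.access ) {
 if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and
 ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) {
 `$ACL.RemoveAccessRule(`$ace) | Out-Null
 }
 }
-Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL
+Set-Acl -Path 'AD:$($_.DistinguishedName)' -AclObject `$ACL
 "@
 Revert = '[TODO]'
 Technique = 'ESC5'
@@ -1416,20 +1416,20 @@ More info:
 "@
 $Issue.Fix = @"
 # Disable the flag
-certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
+certutil -config '$CAFullname' -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
 
 # Restart the Certificate Authority service
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name certsvc | Restart-Service -Force
 }
 "@
 $Issue.Revert = @"
 # Enable the flag
-certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
+certutil -config '$CAFullname' -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
 
 # Restart the Certificate Authority service
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name certsvc | Restart-Service -Force
 }
 "@
 }
@@ -2453,7 +2453,7 @@ function Invoke-Scans {
 }
 else {
 # To Do: Check for admin and prompt to install features/modules or revert to 'All'.
-Write-Information "Out-GridView and Out-ConsoleGridView were not found on your system. Defaulting to `'All`'."
+Write-Information "Out-GridView and Out-ConsoleGridView were not found on your system. Defaulting to 'All'."
 $Scans = 'All'
 }
 }
@@ -3794,11 +3794,11 @@ function Update-ESC1Remediation {
 # to a smaller group or a single user/service account.
 
 # 2. Remove the ability to submit a SAN (aka disable "Supply in the request").
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
 
 # 3. Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 
@@ -3807,11 +3807,11 @@ Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 # back to $($Issue.IdentityReference).
 
 # 2. Restore the ability to submit a SAN.
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
 
 # 3. Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 }
@@ -4382,6 +4382,7 @@ function Invoke-Locksmith {
 )
 
 $Version = '2025.1.12'
+
 $LogoPart1 = @'
 _ _____ _______ _ _ _______ _______ _____ _______ _ _
 | | | | |____/ |______ | | | | | |_____|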
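Review bot: The new `` `$Object = '$($_.DistinguishedName)' `` lines (282/290, 477/482, 684/689, 775/780, 868/873, 3797/3801, 3810/3814) and the `-ComputerName '$($_.dNSHostName)'` / `-Path 'AD:$($_.DistinguishedName)'` lines still splice an AD-sourced value into a single-quoted literal of a script the operator will later paste and run, and a value containing a `'` would terminate that literal and let the remainder execute as code. Inside a double-quoted here-string `` `' `` and `'` both emit `'`, so this commit only changes how the source reads, not the generated text; the escaping gap predates it and remains. Since template and CA names are writable by anyone with the rights the ESC4/ESC5 checks in this same file look for, I'd double the quotes at every interpolation point, e.g. `` `$Object = '$($_.DistinguishedName -replace "'", "''")' `` and `-ComputerName '$($_.dNSHostName -replace "'", "''")'`. Separately, and outside this commit's scope, the context lines `Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}` / `= 1` at 3798/3811 overwrite the whole attribute rather than clearing or restoring a single bit, so the Revert may not reproduce the template's original flags; worth a follow-up. The enclosing functions (Find-ESC* and Update-ESC1Remediation) start and end outside these hunks.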

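--- a/Private/Find-AuditingIssue.ps1
+++ b/Private/Find-AuditingIssue.ps1
@@ -48,15 +48,15 @@
 Technique = 'DETECT'
 Issue = "Auditing is not fully enabled on $($_.CAFullName). Important security events may go unnoticed."
 Fix = @"
-certutil.exe -config `'$($_.CAFullname)`' -setreg `'CA\AuditFilter`' 127
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+certutil.exe -config '$($_.CAFullname)' -setreg CA\AuditFilter 127
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name 'certsvc' | Restart-Service -Force
 }
 "@
 Revert = @"
-certutil.exe -config $($_.CAFullname) -setreg CA\AuditFilter $($_.AuditFilter)
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+certutil.exe -config '$($_.CAFullname)' -setreg CA\AuditFilter $($_.AuditFilter)
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name 'certsvc' | Restart-Service -Force
 }
 "@
 }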
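Review bot: The new Revert line 57 quotes `-config '$($_.CAFullname)'` but still emits `$($_.AuditFilter)` bare and without a fallback; this issue is raised precisely when auditing is not fully enabled, so if the CA object carries no AuditFilter value the generated command becomes `certutil.exe -config '...' -setreg CA\AuditFilter ` with the value missing and certutil will reject it rather than restore anything. I'd make the empty case explicit, e.g. `certutil.exe -config '$($_.CAFullname)' -setreg CA\AuditFilter $(if ($null -ne $_.AuditFilter) { $_.AuditFilter } else { 0 })`, assuming 0 is the correct "unset" state for that registry value — confirm against how the detector populates AuditFilter. The `certsvc` restart and CA name interpolation are otherwise consistent with the same hunk in Invoke-Locksmith.ps1. The enclosing function begins and ends outside this hunk.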

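--- a/Private/Find-ESC1.ps1
+++ b/Private/Find-ESC1.ps1
@@ -81,12 +81,12 @@ More info:
 "@
 Fix = @"
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC1'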
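Review bot: The rewritten lines 84 and 89 still place the template's DistinguishedName inside a single-quoted literal with no escaping, so a template whose CN contains `'` would break out of the literal in the remediation snippet the operator pastes; since `` `' `` and `'` produce the same character in a double-quoted here-string, the commit changes readability only and the gap is unchanged. Doubling embedded quotes closes it: `` `$Object = '$($_.DistinguishedName -replace "'", "''")' `` on both lines. Note also that the context line `Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}` replaces the whole bitmask, so the Revert's `= 0` restores "no flags" rather than the template's prior value — pre-existing, but worth a `# NOTE: overwrites any other msPKI-Enrollment-Flag bits` comment until the fix reads the current value. The enclosing function begins and ends outside this hunk.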

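--- a/Private/Find-ESC11.ps1
+++ b/Private/Find-ESC11.ps1
@@ -59,20 +59,20 @@ More info:
 '@
 $Issue.Fix = @"
 # Enable the flag
-certutil -config $CAFullname -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
+certutil -config '$CAFullname' -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
 
 # Restart the Certificate Authority service
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name certsvc | Restart-Service -Force
 }
 "@
 $Issue.Revert = @"
 # Disable the flag
-certutil -config $CAFullname -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
+certutil -config '$CAFullname' -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
 
 # Restart the Certificate Authority service
-Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock {
-Get-Service -Name `'certsvc`' | Restart-Service -Force
+Invoke-Command -ComputerName '$($_.dNSHostName)' -ScriptBlock {
+Get-Service -Name certsvc | Restart-Service -Force
 }
 "@
 }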
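Review bot: Lines 66 and 75 now emit `Get-Service -Name certsvc` while the equivalent lines in Find-AuditingIssue.ps1 in this same commit emit `Get-Service -Name 'certsvc'`; both run identically, but the remediation text is user-facing and the two files should pick one form — I'd keep the quoted `Get-Service -Name 'certsvc' | Restart-Service -Force` so every generated snippet reads the same. The `-config '$CAFullname'` quoting is the right direction since CA config strings contain a backslash and usually spaces; the remaining interpolation of `$($_.dNSHostName)` into a single-quoted literal would still break on a `'` in the value, which AD hostnames normally exclude, so this is a lower concern here than in the template-DN snippets. The enclosing function begins and ends outside this hunk.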

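--- a/Private/Find-ESC13.ps1
+++ b/Private/Find-ESC13.ps1
@@ -80,12 +80,12 @@ More info:
 "@
 Fix = @"
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC13'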
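Review bot: Lines 83 and 88 still interpolate `$($_.DistinguishedName)` directly between single quotes in the generated remediation, so the quoting change is cosmetic (`` `' `` already rendered as `'`) and a DN containing `'` would still end the literal early in a snippet an administrator is expected to run. Escape at the point of interpolation, `` `$Object = '$($_.DistinguishedName -replace "'", "''")' ``, on both lines. The enclosing function begins and ends outside this hunk.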

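--- a/Private/Find-ESC2.ps1
+++ b/Private/Find-ESC2.ps1
@@ -82,12 +82,12 @@ More info:
 "@
 Fix = @"
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC2'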
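Review bot: The new lines 85 and 90 keep the unescaped `'$($_.DistinguishedName)'` pattern, so the commit does not close the single-quote break-out in the emitted Fix/Revert text; a template CN with a `'` would terminate the literal before `Get-ADObject` consumes it. I'd write `` `$Object = '$($_.DistinguishedName -replace "'", "''")' `` here as in the other Find-ESC* files, so all generated snippets share one safe form. The enclosing function begins and ends outside this hunk.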

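--- a/Private/Find-ESC3C1.ps1
+++ b/Private/Find-ESC3C1.ps1
@@ -69,12 +69,12 @@ More info:
 "@
 Fix = @"
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC3'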
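Review bot: Lines 72 and 77 still embed the raw DistinguishedName inside single quotes in the remediation text, so the `` `' ``→`'` rewrite leaves the emitted string byte-identical and a `'` in a template name would still escape the literal. Use `` `$Object = '$($_.DistinguishedName -replace "'", "''")' `` on both lines. The enclosing function begins and ends outside this hunk.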

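--- a/Private/Find-ESC3C2.ps1
+++ b/Private/Find-ESC3C2.ps1
@@ -70,12 +70,12 @@ More info:
 First, eliminate unused Enrollment Agent templates.
 Then, tightly scope any Enrollment Agent templates that remain and:
 # Enable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
 "@
 Revert = @"
 # Disable Manager Approval
-`$Object = `'$($_.DistinguishedName)`'
+`$Object = '$($_.DistinguishedName)'
 Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
 "@
 Technique = 'ESC3'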
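Review bot: Lines 73 and 78 interpolate the template DN into a single-quoted literal without escaping, the same gap as in the sibling Find-ESC* files; the change from `` `' `` to `'` is purely cosmetic inside a double-quoted here-string. Since this Fix block mixes prose ("First, eliminate unused Enrollment Agent templates.") with runnable lines, a broken literal here is especially easy for an operator to miss before pasting — `` `$Object = '$($_.DistinguishedName -replace "'", "''")' `` on both lines, and consider commenting the prose lines with `#` so the snippet is directly runnable. The enclosing function begins and ends outside this hunk.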
