From f98d62a7285b4b32134056c9d9485a036f1219c8 Mon Sep 17 00:00:00 2001 From: Jake Hildreth Date: Sat, 22 Feb 2025 08:15:42 -0600 Subject: [PATCH] Resolves Issue #225 --- Invoke-Locksmith.ps1 | 17 +++++++++++++---- Locksmith.psd1 | 2 +- Private/Find-ESC5.ps1 | 14 +++++++++++--- 3 files changed, 25 insertions(+), 8 deletions(-) diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1 index ec1e12d9..1b1e2513 100644 --- a/Invoke-Locksmith.ps1 +++ b/Invoke-Locksmith.ps1 @@ -1164,7 +1164,15 @@ function Find-ESC5 { } $IssueDetail = '' - if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { + $DangerousOwner = $false + if ( ($_.objectClass -eq 'computer') -and ($SID -match '-512$') ) { + $DangerousOwner = $false + } + elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { + $DangerousOwner = $true + } + + if ($DangerousOwner) { switch ($_.objectClass) { container { $IssueDetail = @" @@ -1177,7 +1185,8 @@ CA objects, new templates, new OIDs, etc. to create novel escalation paths. $IssueDetail = @" This computer is hosting a Certification Authority (CA). -There is no reason for anyone other than AD Admins to have own CA host objects. +There is no reason for anyone other than Enterprise Admins or Domain Admins to +own CA host objects. "@ } 'msPKI-Cert-Template-OID' { @@ -1197,7 +1206,7 @@ Ownership rights can be used to enable currently disabled templates. If this prinicpal also has control over a disabled certificate template (aka ESC4), they could modify the template into an ESC1 template and enable the certificate. -This ensabled certificate could be use for privilege escalation and persistence. +This enabled certificate could be use for privilege escalation and persistence. "@ } } 
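Review bot: The new `computer` exemption in the first hunk only recognises Domain Admins (`$SID -match '-512$'`), while the reworded message in the next hunk says Enterprise Admins or Domain Admins may own CA host objects; unless Enterprise Admins (RID 519) is already covered by `$SafeOwners`, which is defined outside this hunk, a CA host owned by Enterprise Admins is still reported and contradicts the text. `-512$` also accepts RID 512 from any domain rather than the CA host's own domain, which may be intended for multi-domain forests but deserves a comment stating so. The first branch re-assigns the initial `$false`, so the three-way block can be one expression, `$DangerousOwner = ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) -and -not ( ($_.objectClass -eq 'computer') -and ($SID -match '-512$') )`, preceded by `# A CA host owned by Domain Admins (RID 512) is expected ownership, not an ESC5 finding (Issue #225)`. The same block appears in Private/Find-ESC5.ps1 at @@ -87, where `elseif` sits on the closing-brace line instead of its own line; if Invoke-Locksmith.ps1 is built from the Private/ scripts the two copies should be identical. The enclosing function Find-ESC5 starts and ends outside the hunk.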
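Review bot: The corrected line in the @@ -1197 hunk still reads `could be use for`; `This enabled certificate could be used for privilege escalation and persistence.` fixes the remaining typo, and the context line two above it in the same here-string has `prinicpal` for `principal`. The identical hunk in Private/Find-ESC5.ps1 at @@ -120 needs the same change. The switch block holding this here-string starts outside the hunk.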
@@ -4381,7 +4390,7 @@ function Invoke-Locksmith { [System.Management.Automation.PSCredential]$Credential ) - $Version = '2025.1.14' + $Version = '2025.2.22' $LogoPart1 = @' _ _____ _______ _ _ _______ _______ _____ _______ _ _ | | | | |____/ |______ | | | | | |_____| diff --git a/Locksmith.psd1 b/Locksmith.psd1 index 52305381..b350ddc7 100644 --- a/Locksmith.psd1 +++ b/Locksmith.psd1 @@ -8,7 +8,7 @@ FunctionsToExport = 'Invoke-Locksmith' GUID = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a' HelpInfoURI = 'https://raw.githubusercontent.com/jakehildreth/Locksmith/main/en-US/' - ModuleVersion = '2025.1.14' + ModuleVersion = '2025.2.22' PowerShellVersion = '5.1' PrivateData = @{ PSData = @{ diff --git a/Private/Find-ESC5.ps1 b/Private/Find-ESC5.ps1 index 797eef86..0640efd8 100644 --- a/Private/Find-ESC5.ps1 +++ b/Private/Find-ESC5.ps1 @@ -87,7 +87,14 @@ } $IssueDetail = '' - if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { + $DangerousOwner = $false + if ( ($_.objectClass -eq 'computer') -and ($SID -match '-512$') ) { + $DangerousOwner = $false + } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { + $DangerousOwner = $true + } + + if ($DangerousOwner) { switch ($_.objectClass) { container { $IssueDetail = @" @@ -100,7 +107,8 @@ CA objects, new templates, new OIDs, etc. to create novel escalation paths. $IssueDetail = @" This computer is hosting a Certification Authority (CA). -There is no reason for anyone other than AD Admins to have own CA host objects. +There is no reason for anyone other than Enterprise Admins or Domain Admins to +own CA host objects. "@ } 'msPKI-Cert-Template-OID' { 
@@ -120,7 +128,7 @@ Ownership rights can be used to enable currently disabled templates. If this prinicpal also has control over a disabled certificate template (aka ESC4), they could modify the template into an ESC1 template and enable the certificate. -This ensabled certificate could be use for privilege escalation and persistence. +This enabled certificate could be use for privilege escalation and persistence. "@ } }