Removed unnecessary $UnsafeOwners and rights checks.

TrimarcJake · Feb 26, 2024 · 440835a · 440835a
1 parent 6336642
commit 440835a
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 79 deletions.
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
@@ -259,31 +259,15 @@ function Find-ESC4 {
             $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
         }
 
-        if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+        if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
             $Issue = [pscustomobject]@{
-                Forest                = $_.CanonicalName.split('/')[0]
-                Name                  = $_.Name
-                DistinguishedName     = $_.DistinguishedName
-                IdentityReference     = $entry.IdentityReference
-                ActiveDirectoryRights = $entry.ActiveDirectoryRights
-                Issue                 = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
-                Fix                   = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
-                Revert                = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
-                Technique             = 'ESC4'
-            }
-            $Issue
-        }
-        elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
-            $Issue = [pscustomobject]@{
-                Forest                = $_.CanonicalName.split('/')[0]
-                Name                  = $_.Name
-                DistinguishedName     = $_.DistinguishedName
-                IdentityReference     = $entry.IdentityReference
-                ActiveDirectoryRights = $entry.ActiveDirectoryRights
-                Issue                 = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
-                Fix                   = '[TODO]'
-                Revert                = '[TODO]'
-                Technique             = 'ESC4'
+                Forest            = $_.CanonicalName.split('/')[0]
+                Name              = $_.Name
+                DistinguishedName = $_.DistinguishedName
+                Issue             = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
+                Fix               = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
+                Revert            = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
+                Technique         = 'ESC4'
             }
             $Issue
         }
@@ -339,37 +323,19 @@ function Find-ESC5 {
         else {
             $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
         }
-        if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+
+        if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
             $Issue = [pscustomobject]@{
                 Forest            = $_.CanonicalName.split('/')[0]
                 Name              = $_.Name
                 DistinguishedName = $_.DistinguishedName
-                # IdentityReference     = $entry.IdentityReference
-                # ActiveDirectoryRights = $entry.ActiveDirectoryRights
                 Issue             = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
                 Fix               = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
                 Revert            = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
                 Technique         = 'ESC5'
             }
             $Issue
         }
-        elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and
-            ($SID -notmatch $SafeOwners) -and
-            ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
-        ) {
-            $Issue = [pscustomobject]@{
-                Forest            = $_.CanonicalName.split('/')[0]
-                Name              = $_.Name
-                DistinguishedName = $_.DistinguishedName
-                # IdentityReference     = $entry.IdentityReference
-                # ActiveDirectoryRights = $entry.ActiveDirectoryRights
-                Issue             = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"
-                Fix               = '[TODO]'
-                Revert            = '[TODO]'
-                Technique         = 'ESC5'
-            }
-            $Issue
-        }
 
         foreach ($entry in $_.nTSecurityDescriptor.Access) {
             $Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)

diff --git a/Private/Find-ESC4.ps1 b/Private/Find-ESC4.ps1
@@ -18,32 +18,17 @@
             $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
         }
 
-        if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+        if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
             $Issue = [pscustomobject]@{
                 Forest                = $_.CanonicalName.split('/')[0]
                 Name                  = $_.Name
                 DistinguishedName     = $_.DistinguishedName
-                IdentityReference     = $entry.IdentityReference
-                ActiveDirectoryRights = $entry.ActiveDirectoryRights
                 Issue                 = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
                 Fix                   = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
                 Revert                = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
                 Technique             = 'ESC4'
             }
             $Issue
-        } elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
-            $Issue = [pscustomobject]@{
-                Forest                = $_.CanonicalName.split('/')[0]
-                Name                  = $_.Name
-                DistinguishedName     = $_.DistinguishedName
-                IdentityReference     = $entry.IdentityReference
-                ActiveDirectoryRights = $entry.ActiveDirectoryRights
-                Issue                 = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
-                Fix                   = '[TODO]'
-                Revert                = '[TODO]'
-                Technique             = 'ESC4'
-            }
-            $Issue
         }
 
         foreach ($entry in $_.nTSecurityDescriptor.Access) {

diff --git a/Private/Find-ESC5.ps1 b/Private/Find-ESC5.ps1
@@ -17,35 +17,18 @@
         } else {
             $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
         }
-        if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+
+        if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
             $Issue = [pscustomobject]@{
                 Forest                = $_.CanonicalName.split('/')[0]
                 Name                  = $_.Name
                 DistinguishedName     = $_.DistinguishedName
-                # IdentityReference     = $entry.IdentityReference
-                # ActiveDirectoryRights = $entry.ActiveDirectoryRights
                 Issue                 = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
                 Fix                   = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
                 Revert                = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
                 Technique             = 'ESC5'
             }
             $Issue
-        } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and
-            ($SID -notmatch $SafeOwners) -and
-            ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
-            ) {
-            $Issue = [pscustomobject]@{
-                Forest                = $_.CanonicalName.split('/')[0]
-                Name                  = $_.Name
-                DistinguishedName     = $_.DistinguishedName
-                # IdentityReference     = $entry.IdentityReference
-                # ActiveDirectoryRights = $entry.ActiveDirectoryRights
-                Issue                 = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"
-                Fix                   = '[TODO]'
-                Revert                = '[TODO]'
-                Technique             = 'ESC5'
-            }
-            $Issue
         }
 
         foreach ($entry in $_.nTSecurityDescriptor.Access) {