From 440835a04d2fe0fdd1893e906ca19ce0742dd014 Mon Sep 17 00:00:00 2001
From: TrimarcJake
Date: Sun, 25 Feb 2024 20:08:07 -0600
Subject: [PATCH] Removed unnecessary $UnsafeOwners and rights checks.
---
 Invoke-Locksmith.ps1 | 54 ++++++++-----------------------------
 Private/Find-ESC4.ps1 | 17 +-------------
 Private/Find-ESC5.ps1 | 21 ++---------------
 3 files changed, 13 insertions(+), 79 deletions(-)
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index df9c734..7f1864d 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -259,31 +259,15 @@ function Find-ESC4 {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
- if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+ if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
 $Issue = [pscustomobject]@{
- Forest = $_.CanonicalName.split('/')[0]
- Name = $_.Name
- DistinguishedName = $_.DistinguishedName
- IdentityReference = $entry.IdentityReference
- ActiveDirectoryRights = $entry.ActiveDirectoryRights
- Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
- Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
- Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
- Technique = 'ESC4'
- }
- $Issue
- }
- elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
- $Issue = [pscustomobject]@{
- Forest = $_.CanonicalName.split('/')[0]
- Name = $_.Name
- DistinguishedName = $_.DistinguishedName
- IdentityReference = $entry.IdentityReference
- ActiveDirectoryRights = $entry.ActiveDirectoryRights
- Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
- Fix = '[TODO]'
- Revert = '[TODO]'
- Technique = 'ESC4'
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
+ Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
+ Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
+ Technique = 'ESC4'
 }
 $Issue
 }
@@ -339,13 +323,12 @@ function Find-ESC5 {
 else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
- if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+
+ if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name
 DistinguishedName = $_.DistinguishedName
- # IdentityReference = $entry.IdentityReference
- # ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
 Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
 Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
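Review bot: The added `Revert` line builds `New-Object System.Security.Principal.SecurityIdentifier(...)` from `$($_.nTSecurityDescriptor.Owner)`, but that constructor accepts only an SDDL SID string, and the `else` branch at the top of the hunk shows the owner is frequently an account name that had to be translated via `NTAccount` to obtain `$SID`. For such an owner the generated revert command will throw when an operator runs it, leaving no path back once `Fix` has reassigned ownership to `$PreferredOwner`. Substitute `$SID` for `$($_.nTSecurityDescriptor.Owner)` inside the `SecurityIdentifier(...)` argument and keep the display name only in the `Issue` text. The identical `Revert` string appears in the Find-ESC5 hunk below and in the Private/Find-ESC4.ps1 and Private/Find-ESC5.ps1 hunks. The `if`/`else` that assigns `$SID` begins outside this hunk.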
@@ -353,23 +336,6 @@ function Find-ESC5 {
 }
 $Issue
 }
- elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and
- ($SID -notmatch $SafeOwners) -and
- ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
- ) {
- $Issue = [pscustomobject]@{
- Forest = $_.CanonicalName.split('/')[0]
- Name = $_.Name
- DistinguishedName = $_.DistinguishedName
- # IdentityReference = $entry.IdentityReference
- # ActiveDirectoryRights = $entry.ActiveDirectoryRights
- Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"
- Fix = '[TODO]'
- Revert = '[TODO]'
- Technique = 'ESC5'
- }
- $Issue
- }
 foreach ($entry in $_.nTSecurityDescriptor.Access) {
 $Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
diff --git a/Private/Find-ESC4.ps1 b/Private/Find-ESC4.ps1
index 90f3141..64129c2 100644
--- a/Private/Find-ESC4.ps1
+++ b/Private/Find-ESC4.ps1
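Review bot: The surviving ESC5 branch in the first Find-ESC5 hunk fires only when `$_.objectClass -ne 'pKICertificateTemplate'`, yet its `Issue` text still reads `has Owner rights on this template`; the deleted `elseif` was the branch that carried the correct wording. Every non-template finding this branch now produces will be mislabelled in reports and in any remediation review built on the `Issue` field. Change the context line to `Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"`. The same line is present in the Private/Find-ESC5.ps1 hunk. The `if`/`else` that assigns `$SID` begins outside the hunk.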
@@ -18,32 +18,17 @@
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
- if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+ if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name
 DistinguishedName = $_.DistinguishedName
- IdentityReference = $entry.IdentityReference
- ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
 Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
 Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
 Technique = 'ESC4'
 }
 $Issue
- } elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
- $Issue = [pscustomobject]@{
- Forest = $_.CanonicalName.split('/')[0]
- Name = $_.Name
- DistinguishedName = $_.DistinguishedName
- IdentityReference = $entry.IdentityReference
- ActiveDirectoryRights = $entry.ActiveDirectoryRights
- Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
- Fix = '[TODO]'
- Revert = '[TODO]'
- Technique = 'ESC4'
- }
- $Issue
 }
 foreach ($entry in $_.nTSecurityDescriptor.Access) {
diff --git a/Private/Find-ESC5.ps1 b/Private/Find-ESC5.ps1
index 1bebbcc..51fa6b0 100644
--- a/Private/Find-ESC5.ps1
+++ b/Private/Find-ESC5.ps1
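Review bot: The `Fix` and `Revert` commands emitted by the new `if` branch splice `$($_.DistinguishedName)` between literal single quotes, so a DN containing an apostrophe (for example a CN derived from a display name) yields a remediation string that no longer parses as the intended single `Get-Acl`/`Set-ACL` invocation when it is later executed. Escape the value once before building the strings, `$DN = $_.DistinguishedName -replace "'", "''"`, and reference `$DN` in both `-Path` arguments; the same applies to `$PreferredOwner` if it can ever be user-supplied. The same construction is used in both Invoke-Locksmith.ps1 hunks and in the Private/Find-ESC5.ps1 hunk. The `else` block that assigns `$SID` starts outside the hunk.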
@@ -17,35 +17,18 @@
 } else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
- if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+
+ if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name
 DistinguishedName = $_.DistinguishedName
- # IdentityReference = $entry.IdentityReference
- # ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
 Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
 Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
 Technique = 'ESC5'
 }
 $Issue
- } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and
- ($SID -notmatch $SafeOwners) -and
- ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
- ) {
- $Issue = [pscustomobject]@{
- Forest = $_.CanonicalName.split('/')[0]
- Name = $_.Name
- DistinguishedName = $_.DistinguishedName
- # IdentityReference = $entry.IdentityReference
- # ActiveDirectoryRights = $entry.ActiveDirectoryRights
- Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"
- Fix = '[TODO]'
- Revert = '[TODO]'
- Technique = 'ESC5'
- }
- $Issue
 }
 foreach ($entry in $_.nTSecurityDescriptor.Access) {
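Review bot: The added `if` compares `$SID -notmatch $SafeOwners`, but `$SID` is assigned on the context line above by `$Principal.Translate(...)`, which throws for an owner that cannot be resolved; unless the caller runs with a terminating error preference, that assignment is skipped and `$SID` keeps the value from the previous object in the enclosing loop, so the owner check runs against the wrong principal. Reset `$SID = $null` before the `if`/`else` (or wrap the translation in `try`/`catch`) so an unresolvable owner is evaluated on its own and, since `$null -notmatch` is true, is reported rather than silently inheriting the prior verdict. The same pattern is in the Private/Find-ESC4.ps1 hunk and both Invoke-Locksmith.ps1 hunks. With the `elseif` gone, `$SafeObjectTypes` has no remaining reference in the visible code and, if it is still a parameter, should be removed from the parameter block and the call site. The `if`/`else` that assigns `$SID` begins outside the hunk.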