Merge pull request #116 from TrimarcJake/filter-deny
TrimarcJake authored Feb 27, 2024
2 parents 27e8f36 + 440835a commit 4946f84
Showing 3 changed files with 28 additions and 88 deletions.
73 changes: 21 additions & 52 deletions Invoke-Locksmith.ps1
Expand Up @@ -259,31 +259,15 @@ function Find-ESC4 {
$SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
}

if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
IdentityReference = $entry.IdentityReference
ActiveDirectoryRights = $entry.ActiveDirectoryRights
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Technique = 'ESC4'
}
$Issue
}
elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
IdentityReference = $entry.IdentityReference
ActiveDirectoryRights = $entry.ActiveDirectoryRights
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
Fix = '[TODO]'
Revert = '[TODO]'
Technique = 'ESC4'
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Technique = 'ESC4'
}
$Issue
}
Expand All @@ -298,6 +282,7 @@ function Find-ESC4 {
}
if ( ($_.objectClass -eq 'pKICertificateTemplate') -and
($SID -notmatch $SafeUsers) -and
($entry.AccessControlType -eq 'Allow') -and
($entry.ActiveDirectoryRights -match $DangerousRights) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
) {
Expand Down Expand Up @@ -338,34 +323,16 @@ function Find-ESC5 {
else {
$SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
}
if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {

if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
IdentityReference = $entry.IdentityReference
ActiveDirectoryRights = $entry.ActiveDirectoryRights
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Technique = 'ESC5'
}
$Issue
}
elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and
($SID -notmatch $SafeOwners) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
IdentityReference = $entry.IdentityReference
ActiveDirectoryRights = $entry.ActiveDirectoryRights
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"
Fix = '[TODO]'
Revert = '[TODO]'
Technique = 'ESC5'
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Technique = 'ESC5'
}
$Issue
}
Expand All @@ -380,7 +347,9 @@ function Find-ESC5 {
}
if ( ($_.objectClass -ne 'pKICertificateTemplate') -and
($SID -notmatch $SafeUsers) -and
($entry.ActiveDirectoryRights -match $DangerousRights) ) {
($entry.AccessControlType -eq 'Allow') -and
($entry.ActiveDirectoryRights -match $DangerousRights) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
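Review bot: The object-type clause this commit adds to the ESC5 ACE condition, `($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)`, never filters anything: `ActiveDirectoryRights` is the rights enum and has no `ObjectType` member, so PowerShell evaluates it to `$null` and `$null -notmatch …` is always true (or it throws under `Set-StrictMode`). If `$entry` is an ActiveDirectoryAccessRule, as iterating `nTSecurityDescriptor.Access` suggests, the GUID is on the rule itself, so the clause should read `($entry.ObjectType -notmatch $SafeObjectTypes)`. The ESC4 condition earlier in this file uses the same broken expression and should change with it. Until then only the `Allow` and `$DangerousRights` clauses actually narrow the match, and ACEs scoped to whatever GUIDs `$SafeObjectTypes` lists are still reported. Find-ESC5's body starts before and continues after this hunk.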
18 changes: 2 additions & 16 deletions Private/Find-ESC4.ps1
Expand Up @@ -18,32 +18,17 @@
$SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
}

if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
IdentityReference = $entry.IdentityReference
ActiveDirectoryRights = $entry.ActiveDirectoryRights
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Technique = 'ESC4'
}
$Issue
} elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
IdentityReference = $entry.IdentityReference
ActiveDirectoryRights = $entry.ActiveDirectoryRights
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
Fix = '[TODO]'
Revert = '[TODO]'
Technique = 'ESC4'
}
$Issue
}

foreach ($entry in $_.nTSecurityDescriptor.Access) {
Expand All @@ -55,6 +40,7 @@
}
if ( ($_.objectClass -eq 'pKICertificateTemplate') -and
($SID -notmatch $SafeUsers) -and
($entry.AccessControlType -eq 'Allow') -and
($entry.ActiveDirectoryRights -match $DangerousRights) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
) {
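Review bot: The condition this commit gates with `($entry.AccessControlType -eq 'Allow')` still ends in `($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)`, which is a no-op the commit leaves in place: `ActiveDirectoryRights` is an enum with no `ObjectType` property, so the expression yields `$null` and the `-notmatch` is always true (or throws under `Set-StrictMode`). Assuming `$entry` is an ActiveDirectoryAccessRule from `nTSecurityDescriptor.Access`, the object GUID is `$entry.ObjectType`, so the line should be `($entry.ObjectType -notmatch $SafeObjectTypes)`. As written, every Allow ACE carrying a dangerous right is flagged regardless of which object type it is scoped to, which is presumably what `$SafeObjectTypes` was meant to exclude. The surrounding function starts above and continues below this hunk.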
25 changes: 5 additions & 20 deletions Private/Find-ESC5.ps1
Expand Up @@ -17,35 +17,18 @@
} else {
$SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
}
if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {

if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
IdentityReference = $entry.IdentityReference
ActiveDirectoryRights = $entry.ActiveDirectoryRights
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"
Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL"
Technique = 'ESC5'
}
$Issue
} elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and
($SID -notmatch $SafeOwners) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
DistinguishedName = $_.DistinguishedName
IdentityReference = $entry.IdentityReference
ActiveDirectoryRights = $entry.ActiveDirectoryRights
Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"
Fix = '[TODO]'
Revert = '[TODO]'
Technique = 'ESC5'
}
$Issue
}

foreach ($entry in $_.nTSecurityDescriptor.Access) {
Expand All @@ -57,7 +40,9 @@
}
if ( ($_.objectClass -ne 'pKICertificateTemplate') -and
($SID -notmatch $SafeUsers) -and
($entry.ActiveDirectoryRights -match $DangerousRights) ) {
($entry.AccessControlType -eq 'Allow') -and
($entry.ActiveDirectoryRights -match $DangerousRights) -and
($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) {
$Issue = [pscustomobject]@{
Forest = $_.CanonicalName.split('/')[0]
Name = $_.Name
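Review bot: After collapsing the two owner branches into the single `-notmatch $SafeOwners` check, the finding text ESC5 emits is `has Owner rights on this template`, yet this branch only runs for objects whose objectClass is not `pKICertificateTemplate`; the removed `elseif` had the accurate wording. Change the line to `Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"` so CA, OID and other non-template findings are not labelled as templates in reports. The new code paths also now always produce a runnable `Fix`/`Revert` pair that reassigns ownership to `$PreferredOwner`, which is defined outside this hunk; worth confirming it is set on every call path before the fix text is trusted. The enclosing function begins before this hunk.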
