diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index 035f291..7f1864d 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -259,31 +259,15 @@ function Find-ESC4 { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } - if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { + if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" - Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" - Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" - Technique = 'ESC4' - } - $Issue - } - elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { - $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" - Fix = '[TODO]' - Revert = '[TODO]' - Technique = 'ESC4' + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path 
`'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Technique = 'ESC4' } $Issue } @@ -298,6 +282,7 @@ function Find-ESC4 { } if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeUsers) -and + ($entry.AccessControlType -eq 'Allow') -and ($entry.ActiveDirectoryRights -match $DangerousRights) -and ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) { 
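Review bot: The Revert string added in this hunk constructs the SecurityIdentifier from `$($_.nTSecurityDescriptor.Owner)`, but the lines just above translate that same Owner through `$Principal.Translate(...)` to obtain `$SID`, which suggests Owner is normally an account name rather than an SDDL SID string; if so, `New-Object System.Security.Principal.SecurityIdentifier('DOMAIN\name')` throws the moment an operator runs the generated revert. Since `$SID` already holds the owner's SID at this point, the constructor argument in the Revert line should be `$SID` instead of the raw Owner value. The same Revert string is added in the Find-ESC5 hunk `@@ -338` below and is unchanged context in `Private/Find-ESC4.ps1` `@@ -18` and `Private/Find-ESC5.ps1` `@@ -17`. The enclosing owner-check block starts before this hunk.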
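Review bot: The new `($entry.AccessControlType -eq 'Allow')` guard is correct, but the condition it joins still reads `$entry.ActiveDirectoryRights.ObjectType`; `$entry` is taken from `$_.nTSecurityDescriptor.Access`, so as far as I can tell `ActiveDirectoryRights` is the rights enum, which has no `ObjectType` member, making that expression `$null` and `$null -notmatch $SafeObjectTypes` true for every ACE, so the SafeObjectTypes exclusion never filters anything and ACEs scoped to harmless object types are likely reported. The object-type GUID lives on the access rule itself, so the line should be `($entry.ObjectType -notmatch $SafeObjectTypes) ) {`. The same expression is newly added in the Find-ESC5 hunk `@@ -380` of this file and in `Private/Find-ESC5.ps1` `@@ -57`, and is unchanged context in `Private/Find-ESC4.ps1` `@@ -55`. The body of this `if` continues past the end of the hunk.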
@@ -338,34 +323,16 @@ function Find-ESC5 { else { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } - if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { + + if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" - Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" - Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" - Technique = 'ESC5' - } - $Issue - } - elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and - ($SID -notmatch $SafeOwners) -and - ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) - ) { - $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" - Fix = '[TODO]' - Revert = '[TODO]' - Technique = 'ESC5' + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = 
Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Technique = 'ESC5' } $Issue } @@ -380,7 +347,9 @@ function Find-ESC5 { } if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeUsers) -and - ($entry.ActiveDirectoryRights -match $DangerousRights) ) { + ($entry.AccessControlType -eq 'Allow') -and + ($entry.ActiveDirectoryRights -match $DangerousRights) -and + ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) { $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name diff --git a/Private/Find-ESC4.ps1 b/Private/Find-ESC4.ps1 index 13e3aff..64129c2 100644 --- a/Private/Find-ESC4.ps1 +++ b/Private/Find-ESC4.ps1 
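Review bot: The new Issue text in the Find-ESC5 owner block says `has Owner rights on this template` although its guard is `$_.objectClass -ne 'pKICertificateTemplate'`, so this branch only ever reports non-template objects; the removed `elseif` branch used `on this object`. Suggest `Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"` so the finding describes the object class it actually matched. The same wording is kept as unchanged context in `Private/Find-ESC5.ps1` `@@ -17`. The enclosing block starts before this hunk.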
@@ -18,32 +18,17 @@ $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } - if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { + if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Technique = 'ESC4' } $Issue - } elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { - $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" - Fix = '[TODO]' - Revert = '[TODO]' - Technique = 'ESC4' - } - $Issue } foreach ($entry in $_.nTSecurityDescriptor.Access) { @@ -55,6 +40,7 @@ } if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeUsers) -and + ($entry.AccessControlType -eq 'Allow') -and ($entry.ActiveDirectoryRights -match $DangerousRights) -and ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) { 
diff --git a/Private/Find-ESC5.ps1 b/Private/Find-ESC5.ps1 index 865438a..51fa6b0 100644 --- a/Private/Find-ESC5.ps1 +++ b/Private/Find-ESC5.ps1 @@ -17,35 +17,18 @@ } else { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } - if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { + + if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Technique = 'ESC5' } $Issue - } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and - ($SID -notmatch $SafeOwners) -and - ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) - ) { - $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" - Fix = '[TODO]' - Revert = '[TODO]' - Technique = 'ESC5' - } - $Issue } foreach ($entry in $_.nTSecurityDescriptor.Access) { 
@@ -57,7 +40,9 @@
 }
 if ( ($_.objectClass -ne 'pKICertificateTemplate') -and
 ($SID -notmatch $SafeUsers) -and
- ($entry.ActiveDirectoryRights -match $DangerousRights) ) {
+ ($entry.AccessControlType -eq 'Allow') -and
+ ($entry.ActiveDirectoryRights -match $DangerousRights) -and
+ ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) {
 $Issue = [pscustomobject]@{
 Forest = $_.CanonicalName.split('/')[0]
 Name = $_.Name