From 63366422231a39ee14b89bff47782a15f637b6f1 Mon Sep 17 00:00:00 2001
From: TrimarcJake
Date: Sun, 25 Feb 2024 19:58:01 -0600
Subject: [PATCH 1/2] Filtered Deny ACEs from ESC4 & ESC5.

---
 Invoke-Locksmith.ps1 | 41 ++++++++++++++++++++++-------------------
 Private/Find-ESC4.ps1 | 1 +
 Private/Find-ESC5.ps1 | 12 +++++++-----
 3 files changed, 30 insertions(+), 24 deletions(-)

diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index 035f291..df9c734 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -298,6 +298,7 @@ function Find-ESC4 { } if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeUsers) -and + ($entry.AccessControlType -eq 'Allow') -and ($entry.ActiveDirectoryRights -match $DangerousRights) -and ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) {
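Review bot: The new `($entry.AccessControlType -eq 'Allow')` test stops Deny ACEs from being reported as dangerous, but an Allow ACE is still flagged even when the same IdentityReference also holds an explicit Deny for those rights in the same DACL, which canonical DACL ordering evaluates before the Allow; gathering the Deny entries per principal before this loop and skipping Allow entries whose matched rights are all denied would remove that remaining false positive. The identical line is added in Private/Find-ESC4.ps1 @@ -55 and to both Find-ESC5 copies (@@ -380 and Private/Find-ESC5.ps1 @@ -57); because Invoke-Locksmith.ps1 carries its own copy of every Private/ function, each rule change has to be applied twice by hand, as this commit does. Find-ESC4's body starts before this hunk and continues after it.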
@@ -340,15 +341,15 @@ function Find-ESC5 { } if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" - Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" - Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" - Technique = 'ESC5' + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + # IdentityReference = $entry.IdentityReference + # ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Technique = 'ESC5' } $Issue } 
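Review bot: Commenting out `IdentityReference` and `ActiveDirectoryRights` leaves the ESC5 owner finding with a different property set from the ACE findings the same function emits later, so anything downstream that selects those two properties now gets nothing for owner findings. The likely reason the values were wrong is that `$entry` is not bound at this point — the `foreach ($entry in $_.nTSecurityDescriptor.Access)` loop starts after the owner block, as the second patch's @@ -353 hunk shows — so a value left over from an earlier object was being reported. Keeping the two properties and filling them from the owner, e.g. `IdentityReference = $_.nTSecurityDescriptor.Owner` and `ActiveDirectoryRights = 'Owner'`, fixes the wrong value without changing the output shape. The same applies to @@ -357 below, to Private/Find-ESC5.ps1 @@ -22 and @@ -38, and to the Find-ESC4 owner blocks where the second patch removes the same two lines. Find-ESC5's body continues outside the hunk.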
@@ -357,15 +358,15 @@ function Find-ESC5 { ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) { $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" - Fix = '[TODO]' - Revert = '[TODO]' - Technique = 'ESC5' + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + # IdentityReference = $entry.IdentityReference + # ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" + Fix = '[TODO]' + Revert = '[TODO]' + Technique = 'ESC5' } $Issue }
@@ -380,7 +381,9 @@ function Find-ESC5 { } if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeUsers) -and - ($entry.ActiveDirectoryRights -match $DangerousRights) ) { + ($entry.AccessControlType -eq 'Allow') -and + ($entry.ActiveDirectoryRights -match $DangerousRights) -and + ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) { $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name
diff --git a/Private/Find-ESC4.ps1 b/Private/Find-ESC4.ps1
index 13e3aff..90f3141 100644
--- a/Private/Find-ESC4.ps1
+++ b/Private/Find-ESC4.ps1
@@ -55,6 +55,7 @@ } if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeUsers) -and + ($entry.AccessControlType -eq 'Allow') -and ($entry.ActiveDirectoryRights -match $DangerousRights) -and ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) {
diff --git a/Private/Find-ESC5.ps1 b/Private/Find-ESC5.ps1
index 865438a..1bebbcc 100644
--- a/Private/Find-ESC5.ps1
+++ b/Private/Find-ESC5.ps1
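Review bot: In the @@ -380 hunk the added `($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)` reads `ObjectType` off the `ActiveDirectoryRights` enum value, which has no such member; in PowerShell without Set-StrictMode that expression yields `$null`, and `$null -notmatch $SafeObjectTypes` is true for any non-empty pattern, so the new object-type exclusion never excludes anything. The object GUID of an ACE is a property of the access rule itself, so the line should read `($entry.ObjectType -notmatch $SafeObjectTypes) ) {`. The same expression is added in Private/Find-ESC5.ps1 @@ -57 and already sits, pre-existing, in the context lines of both Find-ESC4 hunks (@@ -298 and Private/Find-ESC4.ps1 @@ -55), so all four sites need the same correction; a quick way to confirm is that findings on the GUIDs listed in `$SafeObjectTypes` disappear once it is applied. Find-ESC5's body continues outside the hunk.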
@@ -22,8 +22,8 @@ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights + # IdentityReference = $entry.IdentityReference + # ActiveDirectoryRights = $entry.ActiveDirectoryRights Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" @@ -38,8 +38,8 @@ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights + # IdentityReference = $entry.IdentityReference + # ActiveDirectoryRights = $entry.ActiveDirectoryRights Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" Fix = '[TODO]' Revert = '[TODO]' @@ -57,7 +57,9 @@ } if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeUsers) -and - ($entry.ActiveDirectoryRights -match $DangerousRights) ) { + ($entry.AccessControlType -eq 'Allow') -and + ($entry.ActiveDirectoryRights -match $DangerousRights) -and + ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) { $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name From 440835a04d2fe0fdd1893e906ca19ce0742dd014 Mon Sep 17 00:00:00 2001 
From: TrimarcJake
Date: Sun, 25 Feb 2024 20:08:07 -0600
Subject: [PATCH 2/2] Removed unnecessary $UnsafeOwners and rights checks.

---
 Invoke-Locksmith.ps1 | 54 ++++++++----------------------------------
 Private/Find-ESC4.ps1 | 17 +-------------
 Private/Find-ESC5.ps1 | 21 ++---------------
 3 files changed, 13 insertions(+), 79 deletions(-)

diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index df9c734..7f1864d 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -259,31 +259,15 @@ function Find-ESC4 { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } - if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { + if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" - Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" - Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" - Technique = 'ESC4' - } - $Issue - } - elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { - $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" - Fix = '[TODO]' - Revert = '[TODO]' - Technique = 'ESC4' + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path 
`'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Technique = 'ESC4' } $Issue } @@ -339,13 +323,12 @@ function Find-ESC5 { else { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } - if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { + + if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name DistinguishedName = $_.DistinguishedName - # IdentityReference = $entry.IdentityReference - # ActiveDirectoryRights = $entry.ActiveDirectoryRights Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" 
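Review bot: With the `-match $UnsafeOwners` branch gone, `$UnsafeOwners` is no longer read anywhere in these hunks, yet its assignment sits outside them and presumably still exists; a variable that is set but never used reads as if a check still depends on it, so either delete the assignment or comment why it is kept. The flip to `($SID -notmatch $SafeOwners)` also reports any owner whose `$SID` ended up empty, because `''` tested with `-notmatch` against a non-empty pattern is true; whether an untranslatable principal can reach this line depends on how the `Translate` call above is guarded, which is outside the hunk, so `($SID -and $SID -notmatch $SafeOwners)` is a cheap guard if it can. Private/Find-ESC4.ps1 @@ -18 receives the identical edit. Find-ESC4's body starts before this hunk and continues after it.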
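Review bot: The retained ESC5 owner branch still says `Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"` while its condition is `($_.objectClass -ne 'pKICertificateTemplate')`, so every non-template object in the PKI container is now described as a template; the `elseif` removed in @@ -353 carried the correct "on this object" wording. Change the line to `Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"`, here and in Private/Find-ESC5.ps1 @@ -17. The merge also means the `Fix` that resets the owner to `$PreferredOwner` is now suggested for owners that previously fell into the `[TODO]` branch, so it is worth confirming that owner is appropriate for every object class this branch can see before the fix text is shown to operators. The added blank `+` line is whitespace only. Find-ESC5's body continues outside the hunk.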
@@ -353,23 +336,6 @@ function Find-ESC5 { } $Issue } - elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and - ($SID -notmatch $SafeOwners) -and - ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) - ) { - $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - # IdentityReference = $entry.IdentityReference - # ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" - Fix = '[TODO]' - Revert = '[TODO]' - Technique = 'ESC5' - } - $Issue - } foreach ($entry in $_.nTSecurityDescriptor.Access) { $Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
diff --git a/Private/Find-ESC4.ps1 b/Private/Find-ESC4.ps1
index 90f3141..64129c2 100644
--- a/Private/Find-ESC4.ps1
+++ b/Private/Find-ESC4.ps1
@@ -18,32 +18,17 @@ $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } - if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { + if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Technique = 'ESC4' } $Issue - } elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { - $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - IdentityReference = $entry.IdentityReference - ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" - Fix = '[TODO]' - Revert = '[TODO]' - Technique = 'ESC4' - } - $Issue } foreach ($entry in $_.nTSecurityDescriptor.Access) { diff --git a/Private/Find-ESC5.ps1 b/Private/Find-ESC5.ps1 index 1bebbcc..51fa6b0 100644 --- a/Private/Find-ESC5.ps1 +++ b/Private/Find-ESC5.ps1 
@@ -17,35 +17,18 @@ } else { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } - if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { + + if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name DistinguishedName = $_.DistinguishedName - # IdentityReference = $entry.IdentityReference - # ActiveDirectoryRights = $entry.ActiveDirectoryRights Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" Technique = 'ESC5' } $Issue - } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and - ($SID -notmatch $SafeOwners) -and - ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) - ) { - $Issue = [pscustomobject]@{ - Forest = $_.CanonicalName.split('/')[0] - Name = $_.Name - DistinguishedName = $_.DistinguishedName - # IdentityReference = $entry.IdentityReference - # ActiveDirectoryRights = $entry.ActiveDirectoryRights - Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" - Fix = '[TODO]' - Revert = '[TODO]' - Technique = 'ESC5' - } - $Issue } foreach ($entry in $_.nTSecurityDescriptor.Access) {