Releases: TrimarcJake/Locksmith

v2024.3

03 Mar 12:35
ed5bcb7

A Little Icing but Mostly Cake

Cake: Fixing bugs, adding new functionality
Icing: Making things look better for the end user or easier to use for developers

Improvements:

  • Eliminated duplicated ownership check in ESC4/5. We can and should have opinions, and the opinion is that only AD Admins should own PKI objects and templates. (Cake, @TrimarcJake)
  • Filtered Deny ACEs from ESC4/5. This is not an Effective Access check (Deny ACEs are simply skipped rather than evaluated against the matching Allow ACEs), but it does cut down on false positives. (Cake, @TrimarcJake)
  • Added flowcharts that explain severity for each finding. (Icing, @TrimarcJake)
  • Added comment-based help to every function. (Icing, @TrimarcJake and Copilot)
  • Added instructions for Scans parameter to the README. (Icing, @SamErde)

In Progress:

  • Check to see if Locksmith is up to date. Provide links for latest version if not up to date. (Icing, @SamErde)
  • Check to see if user running Locksmith is a member of the Protected Users group. PUG membership will impact ESC8 checks. (Cake, @SamErde)
  • Check for ESC9. It was announced in August 2022, so Locksmith is late to the game. (Cake, @SamErde)

Known Issues:

  • msPKI-Certificate-Name-Flag check in ESC1-3 currently uses a direct comparison (-eq) instead of a bitwise comparison (-band). Because the attribute is a bit field, a template that sets CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT together with any other name flag is missed, which results in false negatives.
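To see why the comparison matters, here is an added example (not Locksmith's code) that runs offline against constructed template records. The only real value in it is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) from the msPKI-Certificate-Name-Flag definition; the template names, their stored flag values and the `Test-EnrolleeSuppliesSubject` function are made up for the demonstration.

```powershell
# Added example, not Locksmith code. Compares the -eq check from the known issue
# with the -band check that should replace it. Template records are constructed.

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT from the msPKI-Certificate-Name-Flag bit field.
$ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# Constructed sample templates. AD stores msPKI-Certificate-Name-Flag as a signed
# 32-bit integer, so a template with the 0x80000000 bit set reads back negative;
# the last record mimics the built-in User template (0x82000000) for that reason.
$Templates = @(
    [PSCustomObject]@{ Name = 'LabSubjectOnly';      'msPKI-Certificate-Name-Flag' = 0x00000001 }
    [PSCustomObject]@{ Name = 'LabSubjectPlusUPN';   'msPKI-Certificate-Name-Flag' = 0x02000001 }
    [PSCustomObject]@{ Name = 'LabSubjectAndSAN';    'msPKI-Certificate-Name-Flag' = 0x00010001 }
    [PSCustomObject]@{ Name = 'LabUserLike';         'msPKI-Certificate-Name-Flag' = [int]-2113929216 }
)

function Test-EnrolleeSuppliesSubject {
    param(
        [Parameter(Mandatory)] [int64] $NameFlag,
        [switch] $Naive   # reproduce the direct -eq comparison from the known issue
    )
    if ($Naive) {
        # Only matches when ENROLLEE_SUPPLIES_SUBJECT is the *sole* flag set.
        return ($NameFlag -eq $ENROLLEE_SUPPLIES_SUBJECT)
    }
    # Mask the one bit we care about; every other flag in the field is irrelevant.
    return (($NameFlag -band $ENROLLEE_SUPPLIES_SUBJECT) -eq $ENROLLEE_SUPPLIES_SUBJECT)
}

foreach ($t in $Templates) {
    $flag = $t.'msPKI-Certificate-Name-Flag'
    [PSCustomObject]@{
        Template    = $t.Name
        NameFlag    = ('0x{0:X8}' -f $flag)
        NaiveEq     = Test-EnrolleeSuppliesSubject -NameFlag $flag -Naive
        BitwiseBand = Test-EnrolleeSuppliesSubject -NameFlag $flag
    }
}
```

Only `LabSubjectOnly` is caught by the `-eq` form; the other two enrollee-supplies-subject templates are reported as safe, which is exactly the false negative the known issue describes. The same `-band` pattern applies to every other AD CS bit field Locksmith reads, for example CT_FLAG_PEND_ALL_REQUESTS (0x2) in msPKI-Enrollment-Flag for the Manager Approval check.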

v2024.1

28 Jan 12:47
27e8f36

Mode 4 Now Fixes Ownership Issues Automatically!

No long-winded notes this month. Instead, I'll just wish my wife a happy birthday! She's the best. ❤️💜💙

Improvements:

  • ESC4 and ESC5 Ownership issues can now be auto-remediated with -Mode 4. - @TrimarcJake
  • Improved RSAT installation process (if you don't have it installed yet.) - @techspence
  • Modern custom object creation (no more Add-Member, which means slightly faster code that is much easier to read) - @TrimarcJake
  • README now shows how to use the -Scans parameter to limit your search to just a specific issue. - @SamErde
  • We now have CONTRIBUTING and CODE_OF_CONDUCT docs. They're not quite where we want them, but soon! - @TrimarcJake
  • PSScriptAnalyzer actions run on commit now, so we can check if there's anything hinky going on. - @SamErde
  • Badges! Icons! - @SamErde

Known Issues:

  • Objects with both Allow and Deny ACEs report two issues in output (I promise I'll think about working on this one for February. :D)

v2023.12

16 Dec 12:04
c99cc02

Mode 4 in the Wild!

This month, the Locksmith team discovered people are actually using Mode 4 (auto-remediation) in the wild. To be honest, we let Mode 4 languish because none of us would trust a fully automated remediation tool... even if we wrote it!

But since it's being used, we should definitely improve it. The new Mode 4 is much more explicit about what the issue is, why it's an issue, and how it will be remediated. Lastly, the Operational Impact is spelled out in plain language and color coded so it's more obvious when a fix may negatively impact operations.

[Screenshot: Mode 4 output listing the issue, why it is an issue, the remediation, and the color-coded Operational Impact]

After Locksmith is done fixing stuff on your behalf, you'll get an indicator that it's done instead of just dropping back to the console.

We also resolved some output issues (fewer duplicates), false positives (bitwise math is weird), and cleaned up the scripts used to build the project.

Thank you for using ❤ Locksmith ❤

Improvements:

  • Improved Mode 4 output
  • Eliminated duplicate RAM
  • Improved Manager Approval checks
  • Eliminated duplicate ESC4/5 ownership findings
  • Tweaked build scripts

Known Issues:

  • In ESC4/ESC5 checks, when multiple ACEs exist on a PKI object, all ACEs are displayed instead of Effective Access.

v2023.11

12 Nov 14:53
6d948d4

November 2023: Sam Leads The Way

October 2023 was super-hectic for the Locksmith core team, so we decided to skip the October release.

That little break was so worth it because it gave @SamErde some time to finalize a new Locksmith feature: a -Scans parameter which can be used to specify exactly which misconfigurations Locksmith should search for. By default, all scan types will run, but if you want to search only for templates that match the definition of ESC1 and ESC3, try Invoke-Locksmith -Scans ESC1,ESC3!

Unsure which scan(s) you want to run? Try Invoke-Locksmith -Scans PromptMe! If you're running Windows PowerShell, or PowerShell Core with Microsoft.PowerShell.ConsoleGuiTools installed, Invoke-Locksmith -Scans PromptMe will give you a GridView window that you can use to select one or more scan types:
[Screenshot: GridView window listing the available scan types for selection]

Powering the selection window is a dictionary class containing important info about each issue such as name, summary, links, finding code, and fixing code. As Locksmith moves forward, this dictionary will be a vital piece of improving Locksmith's usability.

Improvements:

  • New command line parameter: -Scans with updated comment-based help explaining its use.
  • New dictionary containing information about all finding types identified by Locksmith
  • Light refactoring results in a much quicker startup time.
  • Added support for Editor Config so all developers are using similar VS Code setups.

Known Issues:

  • In ESC4/ESC5 checks, when multiple ACEs exist on a PKI object, all ACEs are displayed. ESC4/ESC5 checks should emulate Effective Access in regular mode and list all ACEs in Verbose mode. (Thanks to Robert for bringing this to my attention in person at Blue Team Con!) Maybe next release, Robert!

v2023.9

02 Sep 12:23
2abaab8

September 2023: Hello, ESC3! Goodbye (temporarily), TrimarcJake!

This month's Locksmith release finally introduces full ESC3 detections. Insecure Enrollment Agent templates and Client Authentication templates requiring signing by a single Enrollment Agent certificate will now be flagged. This closes the door on a pretty large hole in Locksmith's detections.

This release also marks a change in my (@TrimarcJake) role in Locksmith. I am refocusing my development time toward a new tool for finding and fixing issues in Active Directory-integrated DNS called BlueTuxedo. Until BlueTuxedo is released and gets stable, I will not be writing any new code for Locksmith.

But as you can see by this month's contributions, @techspence and @SamErde are more than capable of running the show for a while. :D

Improvements:

  • Added checks for ESC3 Condition 1 (@TrimarcJake) and Condition 2 (@techspence)
  • Sorted list output for improved readability (@SamErde)
  • Moved the AD module check above the first use of ActiveDirectory cmdlets (@SamErde)
  • Other refactoring of code to make consistent use of formatting (@SamErde)
  • Added detailed output for failed severity checks (@SamErde)
  • Improved performance of Set-AdditionalCAProperty by reducing ping count to 1 (@techspence)
  • ESC3 Condition 1 template generated by Invoke-TSS.ps1 lab build script. (@TrimarcJake)

Known Issues:

  • In ESC4/ESC5 checks, when multiple ACEs exist on a PKI object, all ACEs are displayed. ESC4/ESC5 checks should emulate Effective Access in regular mode and list all ACEs in Verbose mode. (Thanks to Robert for bringing this to my attention in person at Blue Team Con!)

Unfinished Features in the Works:

  • Better severity ratings
  • More granular command line parameters (modes were a bad idea.)

Honorary mention:

PK's PSPublishModule has been invaluable for speeding up development in Locksmith. He'll continue to get mentioned for quite some time.

v2023.08

05 Aug 11:29
8f43caa

August 2023: Build Scripts, and Modules, and Testing, Oh My!

Shortly after the 2023.07 release of Locksmith, I (@TrimarcJake) was contacted by PowerShell OG @PrzemyslawKlys (PK) about modernizing and improving the usability of Locksmith via his building and publishing tool PSPublishModule. PK split Locksmith into Public and Private functions, each in their own .ps1 file. The functions get tested, formatted, and combined into module files which can be easily published by the Locksmith team and easily installed by end-users.

Unexpectedly (not really), separating functions into individual .ps1 files makes development much smoother. Did you know scrolling a multi-hundred line script to find stuff gets confusing?

This month was mostly spent testing this new process, but we also took some time to add a few goodies including a script that will COMPLETELY AND UTTERLY DESTROY the security of an AD CS environment if you really want to test your tools. DO NOT USE IN PRODUCTION.

I hope you enjoy!

Improvements:

  • Locksmith is now a module! You can download Locksmith-v2023.08.zip, expand it, and do Import-Module .\Locksmith.psd1 or (once it's been published) install it from the PSGallery with Install-Module Locksmith. The addition of PSGallery support should make Locksmith a cinch to use. (@PrzemyslawKlys)
    Note: we have no plans to deprecate the single-file Invoke-Locksmith.ps1 version of Locksmith. I personally appreciate the simplicity of a single-file download and install, and I don't want to remove that functionality.
  • Build script! This is mostly useful for the Locksmith team, but if you want to play around with PSPublishModule or build a customized version of Invoke-Locksmith.ps1 or the Locksmith module, have a go! (@PrzemyslawKlys)
  • Lab build script! Manually recreating vulnerable templates was getting annoying, so I spent some downtime creating "Tactical Speed Square" - a small script which creates a ton of vulnerable templates/objects, disables auditing on all CAs, and enables the ESC6 flag on all CAs. DO NOT USE IN PRODUCTION. (@TrimarcJake)
  • GREATLY Reduced ESC4 and ESC5 false positives. (@TrimarcJake) This was possible because of two things:
    1. Improved enumeration of Safe Group membership. Objects/templates will no longer be marked as vulnerable if the Identity Reference is a member of the domain Administrators, Cert Publishers, Domain Admins, or Enterprise Admins groups in any domain in a multi-domain forest even if they are in nested groups.
    2. Now, if an ACE is only for Enroll/AutoEnroll extended rights, that ACE is filtered out and does not trigger ESC4/ESC5. These rights are not dangerous.
  • ESC2 Checks now include the "Any Purpose" Extended Key Usage. Previously, these were only included in the ESC1 results. (@TrimarcJake)
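The two ESC4/ESC5 reductions above (safe-group membership across the forest, and ignoring ACEs that only grant Enroll/AutoEnroll), together with the Deny-ACE filter from the v2024.3 notes, are easy to get subtly wrong, so here is an added example (not Locksmith's code) that shows one way to implement them. `Test-DangerousAce` runs offline on constructed ACEs built as real `ActiveDirectoryAccessRule` objects (Windows only, since it needs System.DirectoryServices); `Get-SafePrincipalSid` needs the ActiveDirectory module and a live forest and is not invoked in the demo. The SIDs, group name and `$DangerousRights` list are assumptions made for the example; the two extended-right GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment rights and should be checked against CN=Extended-Rights in your forest's Configuration partition.

```powershell
# Added example, not Locksmith code. Demonstrates the ESC4/ESC5 ACE reductions
# described in the release notes. Sample ACEs and SIDs below are constructed.
Add-Type -AssemblyName System.DirectoryServices

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
# (verify against CN=Extended-Rights,CN=Configuration,... in your own forest).
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Rights that let a principal rewrite a template or other PKI object (assumed list).
$DangerousRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty'

function Get-SafePrincipalSid {
    # Recursive membership of Administrators, Cert Publishers and Domain Admins in
    # every domain of the forest, plus Enterprise Admins in the root domain.
    # Requires the ActiveDirectory module; not called in the offline demo below.
    $forest = Get-ADForest
    $safe   = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($domain in $forest.Domains) {
        foreach ($group in 'Administrators', 'Cert Publishers', 'Domain Admins') {
            try {
                # Query each domain's own DC: Get-ADGroupMember cannot target a GC.
                Get-ADGroupMember -Identity $group -Server $domain -Recursive |
                    ForEach-Object { [void]$safe.Add($_.SID.Value) }
            } catch {
                # -Recursive can fail on groups holding foreign security principals.
                Write-Warning "Could not expand $group in ${domain}: $_"
            }
        }
    }
    Get-ADGroupMember -Identity 'Enterprise Admins' -Server $forest.RootDomain -Recursive |
        ForEach-Object { [void]$safe.Add($_.SID.Value) }
    return $safe
}

function Test-DangerousAce {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryAccessRule] $Ace,
        [Parameter(Mandatory)] [System.Collections.Generic.HashSet[string]] $SafeSids
    )
    # 1. Deny ACEs never grant anything; skip them (this is not Effective Access).
    if ($Ace.AccessControlType -ne 'Allow') { return $false }

    # 2. An ExtendedRight scoped to Enroll or AutoEnroll is what templates are for.
    $rights = $Ace.ActiveDirectoryRights.ToString() -split ',\s*'
    if ($rights -contains 'ExtendedRight' -and $Ace.ObjectType -in @($EnrollGuid, $AutoEnrollGuid)) {
        $rights = $rights | Where-Object { $_ -ne 'ExtendedRight' }
    }

    # 3. Whatever is left must include a dangerous right to matter.
    if (-not ($rights | Where-Object { $_ -in $DangerousRights })) { return $false }

    # 4. Safe principals may hold dangerous rights. Get-Acl returns NTAccount
    #    identities, so translate to a SID before comparing.
    $id = $Ace.IdentityReference
    if ($id -is [System.Security.Principal.NTAccount]) {
        $id = $id.Translate([System.Security.Principal.SecurityIdentifier])
    }
    return -not $SafeSids.Contains($id.Value)
}

# ---- Offline demo on constructed ACEs (a real scan would use, for example,
# ---- (Get-Acl -Path "AD:\$($template.DistinguishedName)").Access per template).
function New-SampleAce {
    param([string]$Sid, [string]$Rights, [string]$Type, [guid]$ObjectType = [guid]::Empty)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.Principal.AccessControlType]$Type,
        $ObjectType)
}

$DomainAdmins = 'S-1-5-21-1000-2000-3000-512'   # constructed domain SID, RID 512
$DomainUsers  = 'S-1-5-21-1000-2000-3000-513'
$HelpDesk     = 'S-1-5-21-1000-2000-3000-1105'  # constructed custom group

$SafeSids = [System.Collections.Generic.HashSet[string]]::new()
[void]$SafeSids.Add($DomainAdmins)

$SampleAces = @(
    New-SampleAce $DomainUsers  'ExtendedRight'               'Allow' $EnrollGuid   # enroll only: fine
    New-SampleAce $DomainAdmins 'GenericAll'                  'Allow'               # safe principal: fine
    New-SampleAce $HelpDesk     'WriteDacl'                   'Allow'               # ESC4-style finding
    New-SampleAce $HelpDesk     'GenericAll'                  'Deny'                # Deny: skipped
    New-SampleAce $DomainUsers  'ReadProperty, WriteProperty' 'Allow'               # ESC4-style finding
)

foreach ($ace in $SampleAces) {
    [PSCustomObject]@{
        Identity   = $ace.IdentityReference.Value
        Rights     = $ace.ActiveDirectoryRights
        Type       = $ace.AccessControlType
        ObjectType = $ace.ObjectType
        Flagged    = Test-DangerousAce -Ace $ace -SafeSids $SafeSids
    }
}
```

Only the Help Desk WriteDacl ACE and the Domain Users WriteProperty ACE come back flagged. Two caveats a practitioner should keep in mind: skipping Deny ACEs is a false-positive reducer, not an Effective Access calculation (a Deny that precedes a matching Allow in the DACL really does block the right, and this filter does not model that); and WriteProperty scoped to a single attribute GUID is treated as dangerous here, which is conservative, since a write to, say, msPKI-Certificate-Name-Flag alone is enough to make a template exploitable.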

Bug Fixes:

  • No more errors when attempting to enumerate Safe Groups in a multi-domain forest. (@TrimarcJake)
  • Unneeded files are no longer created when there are no issues in the environment. (@SamErde)

Known Issues:

  • None (FOR THE MOMENT)

v2023.07

01 Jul 13:00

The first official release!

The Locksmith core team (@SamErde, @techspence, @TrimarcJake) has settled on a monthly release cadence. New releases should come out during the first weekend of every month and will include any work performed during the preceding month. If you have any feature requests, please raise an Issue! At this point, we are accepting almost every request, no matter how wild!

Improvements:

  • All modes: Auditing check now uses FQDNs to contact CAs which should improve results in multi-domain forests. (RGR)
  • All modes: ESC2 check now includes "Any Purpose" EKU. (@TrimarcJake)
  • All modes: Direct members of the domain Administrators, Cert Publishers, and Domain Admins groups from the invoking domain and direct members of the Enterprise Admins group have been added to the $SafeUsers list. This should minimize false positives in ESC1, ESC2, ESC4, and ESC5 checks. (@TrimarcJake)
  • Modes 2 & 3: Technique IDs have been added to CSV output for easier reading. (@SamErde)
  • General: usability improvements. (@SamErde)

Major bugs resolved:

  • All modes: ESC8 checks now work in PowerShell 7. (@TrimarcJake)
  • Mode 4: if no issues are found, Locksmith no longer crashes when attempting to create a script to revert its changes. (@techspence)

Known Issues:

  • All modes: In multi-domain forests, red error text will flash immediately after invoking Locksmith. This is because Get-ADGroupMember doesn't allow the use of global catalog servers, and @TrimarcJake is too tired to fix it right now.
  • All modes: related to the issue above, domain Administrators, Cert Publishers, and Domain Admins from domains other than the domain where Locksmith was initially invoked are not added to the $SafeUsers list. These results are false positives.
  • All modes: Members of groups nested in domain Administrators, Cert Publishers, Domain Admins, and Enterprise Admins are not added to the $SafeUsers list.
