From 85c860b30546a84ff81f6528f94d7eced7f38a8e Mon Sep 17 00:00:00 2001
From: techspence
Date: Wed, 10 Jan 2024 20:49:35 -0800
Subject: [PATCH 01/10] Improve RSAT Installation Process #92
---
 Invoke-Locksmith.ps1 | 204 +++++++++++++++++++++++----
 Locksmith.psd1 | 8 +-
 Locksmith.psm1 | 2 +-
 Private/Install-RSATADPowerShell.ps1 | 61 ++++++++
 Private/Test-IsRSATInstalled.ps1 | 15 ++
 Public/Invoke-Locksmith.ps1 | 22 +--
 6 files changed, 260 insertions(+), 52 deletions(-)
 create mode 100644 Private/Install-RSATADPowerShell.ps1
 create mode 100644 Private/Test-IsRSATInstalled.ps1
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index eb1326b..8de5d0c 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -1,4 +1,4 @@
-param (
+param (
 [int]$Mode,
 [Parameter()]
 [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC8', 'All', 'PromptMe')]
@@ -366,10 +366,7 @@ function Find-ESC5 {
 else {
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
- if ( ($_.objectClass -ne 'pKICertificateTemplate') -and
- ($SID -notmatch $SafeOwners) -and
- ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
- ) {
+ if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
 $Issue = New-Object -TypeName pscustomobject
 $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
 $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
@@ -377,15 +374,18 @@ function Find-ESC5 {
 $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
 $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
 $Issue | Add-Member -MemberType NoteProperty -Name Issue `
- -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force
+ -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
+ $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
+ $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
 $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5'
 $Severity = Set-Severity -Issue $Issue
 $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
 $Issue
 }
- if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) {
+ elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and
+ ($SID -notmatch $SafeOwners) -and
+ ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
+ ) {
 $Issue = New-Object -TypeName pscustomobject
 $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
 $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
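Review bot: The new `elseif` condition reads `$entry.ActiveDirectoryRights.ObjectType`, but `$entry` is only bound by the `foreach ($entry in $_.nTSecurityDescriptor.Access)` loop that runs after these owner checks (visible as context in the next hunk), so here it is either `$null` or the last ACE of the previous pipeline object, and on an access rule `ObjectType` is a sibling of `ActiveDirectoryRights` rather than a member of it, so the expression is presumably `$null` either way; a `-notmatch` against `$null` is then true and the branch reduces to an owner-SID test, while the stale case makes the ESC5 result depend on the previous template. If only the owner is meant to be evaluated, drop that clause: `elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {`; if the ACE's object type matters, the test belongs inside the foreach where `$entry` is defined. The same stale `$entry.IdentityReference` and `$entry.ActiveDirectoryRights` values are also copied onto the issue object from both owner branches. Note too that the first branch now says "has Owner rights on this template" for objects whose `objectClass` is explicitly not `pKICertificateTemplate`. The enclosing Find-ESC5 body starts before and ends after this hunk.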
@@ -393,14 +393,15 @@ function Find-ESC5 {
 $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
 $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
 $Issue | Add-Member -MemberType NoteProperty -Name Issue `
- -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force
+ -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" -Force
+ $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force
+ $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force
 $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5'
 $Severity = Set-Severity -Issue $Issue
 $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
 $Issue
 }
+
 foreach ($entry in $_.nTSecurityDescriptor.Access) {
 $Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
 if ($Principal -match '^(S-1|O:)') {
@@ -430,6 +431,7 @@ function Find-ESC5 {
 }
 }
 }
+
 function Find-ESC6 {
 [CmdletBinding()]
 param(
@@ -619,6 +621,73 @@ function Get-Target {
 }
 return $Targets
 }
+function Install-RSATADPowerShell {
+ <#
+ .SYNOPSIS
+ Installs the RSAT AD PowerShell module.
+ .DESCRIPTION
+ This function checks if the current process is elevated and if it is it will prompt to install the RSAT AD PowerShell module.
+ .EXAMPLE
+ Install-RSATADPowerShell
+ #>
+ if (Test-IsElevated) {
+ $OS = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
+ # 1 - workstation, 2 - domain controller, 3 - non-dc server
+ if ($OS -gt 1) {
+ Write-Warning "The Active Directory PowerShell module is not installed."
+ Write-Host "If you continue, Locksmith will attempt to install the Active Directory PowerShell module for you.`n" -ForegroundColor Yellow
+ Write-Host "`nCOMMAND: Install-WindowsFeature -Name RSAT-AD-PowerShell`n" -ForegroundColor Cyan
+ Write-Host "Continue with this operation? [Y] Yes " -NoNewline
+ Write-Host "[N] " -ForegroundColor Yellow -NoNewline
+ Write-Host "No: " -NoNewline
+ $WarningError = ''
+ $WarningError = Read-Host
+ if ($WarningError -like 'y') {
+ try {
+ Write-Host "Beginning the ActiveDirectory PowerShell module installation, please wait.."
+ # Attempt to install ActiveDirectory PowerShell module for Windows Server OSes, works with Windows Server 2012 R2 through Windows Server 2022
+ Install-WindowsFeature -Name RSAT-AD-PowerShell
+ }
+ catch {
+ Write-Error 'Could not install ActiveDirectory PowerShell module. This module needs to be installed to run Locksmith successfully.'
+ }
+ }
+ else {
+ Write-Host "ActiveDirectory PowerShell module NOT installed. Please install to run Locksmith successfully.`n" -ForegroundColor Yellow
+ break;
+ }
+ }
+ else {
+ Write-Warning "The Active Directory PowerShell module is not installed."
+ Write-Host "If you continue, Locksmith will attempt to install the Active Directory PowerShell module for you.`n" -ForegroundColor Yellow
+ Write-Host "`nCOMMAND: Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online`n" -ForegroundColor Cyan
+ Write-Host "Continue with this operation? [Y] Yes " -NoNewline
+ Write-Host "[N] " -ForegroundColor Yellow -NoNewline
+ Write-Host "No: " -NoNewline
+ $WarningError = ''
+ $WarningError = Read-Host
+ if ($WarningError -like 'y') {
+ try {
+ Write-Host "Beginning the ActiveDirectory PowerShell module installation, please wait.."
+ # Attempt to install ActiveDirectory PowerShell module for Windows Desktop OSes
+ Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
+ }
+ catch {
+ Write-Error 'Could not install ActiveDirectory PowerShell module. This module needs to be installed to run Locksmith successfully.'
+ }
+ }
+ else {
+ Write-Host "ActiveDirectory PowerShell module NOT installed. Please install to run Locksmith successfully.`n" -ForegroundColor Yellow
+ break;
+ }
+ }
+ }
+ else {
+ Write-Warning -Message "The ActiveDirectory PowerShell module is required for Locksmith, but is not installed. Please launch an elevated PowerShell session to have this module installed for you automatically."
+ # The goal here is to exit the script without closing the PowerShell window. Need to test.
+ Return
+ }
+}
 function Invoke-Scans {
 [CmdletBinding()]
 param (
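Review bot: The `try { Install-WindowsFeature -Name RSAT-AD-PowerShell }` block will not reach its `catch` on a failed install, because cmdlet errors are non-terminating by default; the same holds for the `Add-WindowsCapability` block below it and for both copies in the Private/Install-RSATADPowerShell.ps1 hunk of this commit. Add `-ErrorAction Stop` to both install calls so the `Write-Error` path is actually reachable, e.g. `Install-WindowsFeature -Name RSAT-AD-PowerShell -ErrorAction Stop`. Separately, `break;` on the user-declined paths sits outside any loop; PowerShell propagates a stray `break` up the call stack to whatever loop or script boundary it meets, so how this exits depends on the caller, and `return` (with the caller re-checking module availability) or `throw` would make the outcome explicit. Nothing after a successful install verifies that the module is now visible to `Get-Module -ListAvailable` before control goes back to Invoke-Locksmith, so the caller cannot distinguish "installed", "declined" and "failed".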
@@ -1045,6 +1114,93 @@ function Test-IsLocalAccountSession { } } +function Test-IsMemberOfProtectedUsers { + <# + .SYNOPSIS + Check to see if a user is a member of the Protected Users group. + + .DESCRIPTION + This function checks to see if a specified user or the current user is a member of the Protected Users group in AD. + + .PARAMETER User + The user that will be checked for membership in the Protected Users group. This parameter accepts input from the pipeline. + + .EXAMPLE + This example will check if JaneDoe is a member of the Protected Users group. + + Test-IsMemberOfProtectedUsers -User JaneDoe + + .EXAMPLE + This example will check if the current user is a member of the Protected Users group. + + Test-IsMemberOfProtectedUsers + + .INPUTS + Active Directory user object, user SID, SamAccountName, etc + + .OUTPUTS + Boolean + + .NOTES + Membership in Active Directory's Protect Users group can have implications for anything that relies on NTLM authentication. + +#> + + [CmdletBinding()] + param ( + # User parameter accepts any input that is valid for Get-ADUser + [Parameter( + ValueFromPipeline = $true + )] + $User + ) + + Import-Module ActiveDirectory + + # Use the currently logged in user if none is specified + # Get the user from Active Directory + if (-not($User)) { + $CurrentUser = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name).Split('\')[-1] + $CheckUser = Get-ADUser $CurrentUser + } + else { + $CheckUser = Get-ADUser $User + } + + # Get the Protected Users group by SID instead of by its name to ensure compatibility with any locale or language. + $DomainSID = (Get-ADDomain).DomainSID.Value + $ProtectedUsersSID = "$DomainSID-525" + + # Get members of the Protected Users group for the current domain. Recuse in case groups are nested in it. 
+ $ProtectedUsers = Get-ADGroupMember -Identity $ProtectedUsersSID -Recursive | Select-Object -Unique + + # Check if the current user is in the 'Protected Users' group + if ($ProtectedUsers -contains $CheckUser) { + Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is a member of the Protected Users group." + $true + } + else { + Write-Verbose "$($CheckUser.Name) ($($CheckUser.DistinguishedName)) is not a member of the Protected Users group." + $false + } +} + +function Test-IsRSATInstalled { + <# + .SYNOPSIS + Tests if the RSAT AD PowerShell module is installed. + .DESCRIPTION + This function returns True if the RSAT AD PowerShell module is installed or False if not. + .EXAMPLE + Test-IsElevated + #> + if (-not(Get-Module -Name 'ActiveDirectory' -ListAvailable)) { + $true + } + else { + $false + } +} function Invoke-Locksmith { <# .SYNOPSIS 
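Review bot: The `.EXAMPLE` in Test-IsRSATInstalled's comment-based help names `Test-IsElevated`, a copy-paste leftover that should read `Test-IsRSATInstalled`; the same text is in the Private/Test-IsRSATInstalled.ps1 hunk of this commit. In Test-IsMemberOfProtectedUsers, `$ProtectedUsers -contains $CheckUser` compares the principal objects returned by `Get-ADGroupMember` with the `ADUser` from `Get-ADUser` by object equality, which is not an obviously reliable contract; comparing a stable identifier reads more safely, e.g. `if ($ProtectedUsers.SID -contains $CheckUser.SID) {`. `Get-ADGroupMember -Recursive` is also subject to the domain's result-size limits and to foreign-security-principal members, so a comment on that constraint, or a `try`/`catch` around the lookup that reports rather than returns `$false`, would help whoever hits it. The `.NOTES` section says "Protect Users"; the group is "Protected Users".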
@@ -1142,24 +1298,12 @@ function Invoke-Locksmith {
 Write-Host $VersionBanner -ForegroundColor Red
 
 # Check if ActiveDirectory PowerShell module is available, and attempt to install if not found
- if (-not(Get-Module -Name 'ActiveDirectory' -ListAvailable)) {
- if (Test-IsElevated) {
- $OS = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
- # 1 - workstation, 2 - domain controller, 3 - non-dc server
- if ($OS -gt 1) {
- # Attempt to install ActiveDirectory PowerShell module for Windows Server OSes, works with Windows Server 2012 R2 through Windows Server 2022
- Install-WindowsFeature -Name RSAT-AD-PowerShell
- }
- else {
- # Attempt to install ActiveDirectory PowerShell module for Windows Desktop OSes
- Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
- }
- }
- else {
- Write-Warning -Message "The ActiveDirectory PowerShell module is required for Locksmith, but is not installed. Please launch an elevated PowerShell session to have this module installed for you automatically."
- # The goal here is to exit the script without closing the PowerShell window. Need to test.
- Return
- }
+ $RSATInstalled = Test-IsRSATInstalled
+ if (-not $RSATInstalled) {
+ # Continue
+ }
+ else {
+ Install-RSATADPowerShell
 }
 
 # Exit if running in restricted admin mode without explicit credentials
diff --git a/Locksmith.psd1 b/Locksmith.psd1
index 726b94c..f56828f 100644
--- a/Locksmith.psd1
+++ b/Locksmith.psd1
@@ -1,9 +1,9 @@
-@{
+@{
 AliasesToExport = @('*')
 Author = 'Jake Hildreth'
 CmdletsToExport = @()
 CompatiblePSEditions = @('Desktop', 'Core')
- Copyright = '(c) 2022 - 2023. All rights reserved.'
+ Copyright = '(c) 2022 - 2024. All rights reserved.'
 Description = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
 FunctionsToExport = @('*')
 GUID = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
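Review bot: After `Install-RSATADPowerShell` returns, execution falls straight through to the rest of Invoke-Locksmith whether or not the module ended up installed — the helper's non-elevated path only does `Return`, and a declined or failed install leaves the module absent — so the AD cmdlets that follow will fail with a less useful error than the warning this block was written to give. Re-check availability once the install attempt is over and stop if it is still missing, e.g. `if (-not (Get-Module -Name 'ActiveDirectory' -ListAvailable)) { Write-Warning 'ActiveDirectory module is unavailable; exiting.'; return }`. The Public/Invoke-Locksmith.ps1 hunk of this commit has the same structure and needs the same guard. The enclosing Invoke-Locksmith body starts before and ends after this hunk.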
@@ -11,9 +11,9 @@
 PowerShellVersion = '5.1'
 PrivateData = @{
 PSData = @{
- Tags = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices', 'ADCS')
- ProjectUri = 'https://github.com/TrimarcJake/Locksmith'
 ExternalModuleDependencies = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
+ ProjectUri = 'https://github.com/TrimarcJake/Locksmith'
+ Tags = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices', 'ADCS')
 }
 }
 RequiredModules = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Management', 'CimCmdlets', 'Dism')
diff --git a/Locksmith.psm1 b/Locksmith.psm1
index f9b4d34..0869fc0 100644
--- a/Locksmith.psm1
+++ b/Locksmith.psm1
@@ -1,4 +1,4 @@
-# Get public and private function definition files.
+# Get public and private function definition files.
 $Public = @( Get-ChildItem -Path $PSScriptRoot\Public\*.ps1 -ErrorAction SilentlyContinue -Recurse )
 $Private = @( Get-ChildItem -Path $PSScriptRoot\Private\*.ps1 -ErrorAction SilentlyContinue -Recurse )
 $Classes = @( Get-ChildItem -Path $PSScriptRoot\Classes\*.ps1 -ErrorAction SilentlyContinue -Recurse )
diff --git a/Private/Install-RSATADPowerShell.ps1 b/Private/Install-RSATADPowerShell.ps1
new file mode 100644
index 0000000..996b03f
--- /dev/null
+++ b/Private/Install-RSATADPowerShell.ps1
@@ -0,0 +1,61 @@
+function Install-RSATADPowerShell {
+ <#
+ .SYNOPSIS
+ Installs the RSAT AD PowerShell module.
+ .DESCRIPTION
+ This function checks if the current process is elevated and if it is it will prompt to install the RSAT AD PowerShell module.
+ .EXAMPLE
+ Install-RSATADPowerShell
+ #>
+ if (Test-IsElevated) {
+ $OS = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
+ # 1 - workstation, 2 - domain controller, 3 - non-dc server
+ if ($OS -gt 1) {
+ Write-Warning "The Active Directory PowerShell module is not installed."
+ Write-Host "If you continue, Locksmith will attempt to install the Active Directory PowerShell module for you.`n" -ForegroundColor Yellow
+ Write-Host "`nCOMMAND: Install-WindowsFeature -Name RSAT-AD-PowerShell`n" -ForegroundColor Cyan
+ Write-Host "Continue with this operation? [Y] Yes " -NoNewline
+ Write-Host "[N] " -ForegroundColor Yellow -NoNewline
+ Write-Host "No: " -NoNewLine
+ $WarningError = ''
+ $WarningError = Read-Host
+ if ($WarningError -like 'y') {
+ try {
+ Write-Host "Beginning the ActiveDirectory PowerShell module installation, please wait.."
+ # Attempt to install ActiveDirectory PowerShell module for Windows Server OSes, works with Windows Server 2012 R2 through Windows Server 2022
+ Install-WindowsFeature -Name RSAT-AD-PowerShell
+ } catch {
+ Write-Error 'Could not install ActiveDirectory PowerShell module. This module needs to be installed to run Locksmith successfully.'
+ }
+ } else {
+ Write-Host "ActiveDirectory PowerShell module NOT installed. Please install to run Locksmith successfully.`n" -ForegroundColor Yellow
+ break;
+ }
+ } else {
+ Write-Warning "The Active Directory PowerShell module is not installed."
+ Write-Host "If you continue, Locksmith will attempt to install the Active Directory PowerShell module for you.`n" -ForegroundColor Yellow
+ Write-Host "`nCOMMAND: Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online`n" -ForegroundColor Cyan
+ Write-Host "Continue with this operation? [Y] Yes " -NoNewline
+ Write-Host "[N] " -ForegroundColor Yellow -NoNewline
+ Write-Host "No: " -NoNewLine
+ $WarningError = ''
+ $WarningError = Read-Host
+ if ($WarningError -like 'y') {
+ try {
+ Write-Host "Beginning the ActiveDirectory PowerShell module installation, please wait.."
+ # Attempt to install ActiveDirectory PowerShell module for Windows Desktop OSes
+ Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
+ } catch {
+ Write-Error 'Could not install ActiveDirectory PowerShell module. This module needs to be installed to run Locksmith successfully.'
+ }
+ } else {
+ Write-Host "ActiveDirectory PowerShell module NOT installed. Please install to run Locksmith successfully.`n" -ForegroundColor Yellow
+ break;
+ }
+ }
+ } else {
+ Write-Warning -Message "The ActiveDirectory PowerShell module is required for Locksmith, but is not installed. Please launch an elevated PowerShell session to have this module installed for you automatically."
+ # The goal here is to exit the script without closing the PowerShell window. Need to test.
+ Return
+ }
+}
\ No newline at end of file
diff --git a/Private/Test-IsRSATInstalled.ps1 b/Private/Test-IsRSATInstalled.ps1
new file mode 100644
index 0000000..7971f35
--- /dev/null
+++ b/Private/Test-IsRSATInstalled.ps1
@@ -0,0 +1,15 @@
+function Test-IsRSATInstalled {
+ <#
+ .SYNOPSIS
+ Tests if the RSAT AD PowerShell module is installed.
+ .DESCRIPTION
+ This function returns True if the RSAT AD PowerShell module is installed or False if not.
+ .EXAMPLE
+ Test-IsElevated
+ #>
+ if (-not(Get-Module -Name 'ActiveDirectory' -ListAvailable)) {
+ $true
+ } else {
+ $false
+ }
+}
\ No newline at end of file
diff --git a/Public/Invoke-Locksmith.ps1 b/Public/Invoke-Locksmith.ps1
index 443c9cf..967df88 100644
--- a/Public/Invoke-Locksmith.ps1
+++ b/Public/Invoke-Locksmith.ps1
@@ -95,23 +95,11 @@
 Write-Host $VersionBanner -ForegroundColor Red
 
 # Check if ActiveDirectory PowerShell module is available, and attempt to install if not found
- if (-not(Get-Module -Name 'ActiveDirectory' -ListAvailable)) {
- if (Test-IsElevated) {
- $OS = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
- # 1 - workstation, 2 - domain controller, 3 - non-dc server
- if ($OS -gt 1) {
- # Attempt to install ActiveDirectory PowerShell module for Windows Server OSes, works with Windows Server 2012 R2 through Windows Server 2022
- Install-WindowsFeature -Name RSAT-AD-PowerShell
- } else {
- # Attempt to install ActiveDirectory PowerShell module for Windows Desktop OSes
- Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
- }
- }
- else {
- Write-Warning -Message "The ActiveDirectory PowerShell module is required for Locksmith, but is not installed. Please launch an elevated PowerShell session to have this module installed for you automatically."
- # The goal here is to exit the script without closing the PowerShell window. Need to test.
- Return
- }
+ $RSATInstalled = Test-IsRSATInstalled
+ if (-not $RSATInstalled) {
+ # Continue
+ } else {
+ Install-RSATADPowerShell
 }
 
 # Exit if running in restricted admin mode without explicit credentials
From 3499ead105c923eccfbb7dcd38104b137a87cd33 Mon Sep 17 00:00:00 2001
From: techspence
Date: Sat, 13 Jan 2024 11:05:51 -0800
Subject: [PATCH 02/10] Fixed RSAT logic
---
 Invoke-Locksmith.ps1 | 4 ++--
 Private/Test-IsRSATInstalled.ps1 | 2 +-
 Public/Invoke-Locksmith.ps1 | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index 8de5d0c..14b381b 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -1194,7 +1194,7 @@ function Test-IsRSATInstalled {
 .EXAMPLE
 Test-IsElevated
 #>
- if (-not(Get-Module -Name 'ActiveDirectory' -ListAvailable)) {
+ if (Get-Module -Name 'ActiveDirectory' -ListAvailable) {
 $true
 }
 else {
@@ -1299,7 +1299,7 @@ function Invoke-Locksmith {
 
 # Check if ActiveDirectory PowerShell module is available, and attempt to install if not found
 $RSATInstalled = Test-IsRSATInstalled
- if (-not $RSATInstalled) {
+ if ($RSATInstalled) {
 # Continue
 }
 else {
diff --git a/Private/Test-IsRSATInstalled.ps1 b/Private/Test-IsRSATInstalled.ps1
index 7971f35..88ed836 100644
--- a/Private/Test-IsRSATInstalled.ps1
+++ b/Private/Test-IsRSATInstalled.ps1
@@ -7,7 +7,7 @@
 .EXAMPLE
 Test-IsElevated
 #>
- if (-not(Get-Module -Name 'ActiveDirectory' -ListAvailable)) {
+ if (Get-Module -Name 'ActiveDirectory' -ListAvailable) {
 $true
 } else {
 $false
diff --git a/Public/Invoke-Locksmith.ps1 b/Public/Invoke-Locksmith.ps1
index 967df88..83ce6f4 100644
--- a/Public/Invoke-Locksmith.ps1
+++ b/Public/Invoke-Locksmith.ps1
@@ -96,7 +96,7 @@
 
 # Check if ActiveDirectory PowerShell module is available, and attempt to install if not found
 $RSATInstalled = Test-IsRSATInstalled
- if (-not $RSATInstalled) {
+ if ($RSATInstalled) {
 # Continue
 } else {
 Install-RSATADPowerShell
From 4656046bf8755643ff2f0eb569bd558990d033fe Mon Sep 17 00:00:00 2001
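Review bot: The corrected `if ($RSATInstalled) { # Continue } else { Install-RSATADPowerShell }` in the Invoke-Locksmith.ps1 hunk keeps an empty branch whose only content is a placeholder comment, and the Public/Invoke-Locksmith.ps1 hunk has the same shape; the intent reads more directly as a single guarded call, `if (-not (Test-IsRSATInstalled)) { Install-RSATADPowerShell }`, which also removes the `$RSATInstalled` temporary. The install helper does not report whether it succeeded, so whatever form this takes, a re-check of `Get-Module -Name 'ActiveDirectory' -ListAvailable` after the call is still needed before the AD cmdlets further down run. The enclosing Invoke-Locksmith body starts before and ends after both hunks.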
From: Jake Hildreth
Date: Sun, 14 Jan 2024 09:16:58 -0500
Subject: [PATCH 03/10] Replaced Add-Member in Majority of Find- functions
---
 Invoke-Locksmith.ps1 | 284 ++++++++++++++------------------
 Private/Find-AuditingIssue.ps1 | 2 -
 Private/Find-ESC1.ps1 | 26 ++-
 Private/Find-ESC2.ps1 | 26 ++-
 Private/Find-ESC3Condition1.ps1 | 26 ++-
 Private/Find-ESC3Condition2.ps1 | 26 ++-
 Private/Find-ESC4.ps1 | 72 ++++----
 Private/Find-ESC5.ps1 | 72 ++++----
 Private/Find-ESC6.ps1 | 26 ++-
 Private/Find-ESC8.ps1 | 10 +-
 10 files changed, 252 insertions(+), 318 deletions(-)
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index 14b381b..28c881f 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -74,8 +74,6 @@ function Find-AuditingIssue {
 -Value "certutil.exe -config $($_.CAFullname) -setreg CA\AuditFilter $($_.AuditFilter); Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force
 $Issue | Add-Member -MemberType NoteProperty -Name 'Technique' -Value 'DETECT' -Force
 }
- $Severity = Set-Severity -Issue $Issue
- $Issue | Add-Member -MemberType NoteProperty -Name 'Severity' -Value $Severity
 $Issue
 }
 }
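Review bot: Removing `$Severity = Set-Severity -Issue $Issue` and the `'Severity'` NoteProperty means the objects Find-AuditingIssue emits no longer carry a severity at all, and the ESC1 through ESC4 hunks that follow in this commit drop the same two lines without computing it inside the new `[pscustomobject]` literals. Unless severity is now attached downstream, anything that filters, sorts or renders on `.Severity` will silently see `$null`; if that is intended the commit message should say so, and if not the value has to be added after the literal is built, since the hashtable cannot reference the object under construction, e.g. `$Issue | Add-Member -MemberType NoteProperty -Name Severity -Value (Set-Severity -Issue $Issue)`. The enclosing Find-AuditingIssue body starts before this hunk.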
@@ -104,21 +102,17 @@ function Find-ESC1 { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix ` - -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert ` - -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC1' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval" + Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace 
@{'msPKI-Certificate-Name-Flag' = 0}" + Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" + Technique = 'ESC1' + } $Issue } } 
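Review bot: The `Fix` and `Revert` strings carried into the ESC1 literal still write fixed values to `msPKI-Certificate-Name-Flag` (`= 0` and `= 1`), which is a bit field, so the generated fix clears every flag on the template rather than just the enrollee-supplies-subject bit and the generated revert restores `1` instead of the template's previous value; the ESC2 and both ESC3 hunks in this commit carry the same pair. If the template's current flag value is available on `$_` (it would have to be among the properties the query requests, which this hunk does not show), the commands can be derived from it: `Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = $($_.'msPKI-Certificate-Name-Flag' -band -bnot 1)}"` and `Revert = "... -Replace @{'msPKI-Certificate-Name-Flag' = $($_.'msPKI-Certificate-Name-Flag')}"`. The ESC2 finding ("can request a SubCA certificate") is paired with this same name-flag fix, which does not obviously address that condition; a comment on why, or a different remediation, would help. The enclosing Find-ESC1 body starts before and ends after this hunk.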
@@ -149,21 +143,17 @@ function Find-ESC2 { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($entry.IdentityReference) can request a SubCA certificate without Manager Approval" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix ` - -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert ` - -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC2' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($entry.IdentityReference) can request a SubCA certificate without Manager Approval" + Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" + Revert = "Get-ADObject 
`'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" + Technique = 'ESC2' + } $Issue } } 
@@ -193,21 +183,17 @@ function Find-ESC3Condition1 { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($entry.IdentityReference) can enroll in this Enrollment Agent template without Manager Approval" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix ` - -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert ` - -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC3' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($entry.IdentityReference) can enroll in this Enrollment Agent template without Manager Approval" + Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" + 
Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" + Technique = 'ESC3' + } $Issue } } 
@@ -239,21 +225,17 @@ function Find-ESC3Condition2 { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix ` - -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert ` - -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC3' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval" + Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace 
@{'msPKI-Certificate-Name-Flag' = 0}" + Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" + Technique = 'ESC3' + } $Issue } } 
@@ -282,35 +264,31 @@ function Find-ESC4 { } if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = "`$Owner = 
New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Technique = 'ESC4' + } $Issue } elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = 
'[TODO]' + Revert = '[TODO]' + Technique = 'ESC4' + } $Issue } 
@@ -327,19 +305,17 @@ function Find-ESC4 {
 ($entry.ActiveDirectoryRights -match $DangerousRights) -and
 ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes)
 ) {
- $Issue = New-Object -TypeName pscustomobject
- $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
- $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
- $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
- $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Issue `
- -Value "$($entry.IdentityReference) has $($entry.ActiveDirectoryRights) rights on this template" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; foreach ( `$ace in `$ACL.access ) { if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) { `$ACL.RemoveAccessRule(`$ace) | Out-Null ; Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL } }" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4'
- $Severity = Set-Severity -Issue $Issue
- $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
+ $Issue = [pscustomobject]@{
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ IdentityReference = $entry.IdentityReference
+ ActiveDirectoryRights = $entry.ActiveDirectoryRights
+ Issue = "$($entry.IdentityReference) has $($entry.ActiveDirectoryRights) rights on this template"
+ Fix = "`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; foreach ( `$ace in `$ACL.access ) { if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) { `$ACL.RemoveAccessRule(`$ace) | Out-Null ; Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL } }"
+ Revert = '[TODO]'
+ Technique = 'ESC4'
+ }
 $Issue
 }
 }
@@ -367,38 +343,34 @@ function Find-ESC5 { $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = 
"$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Technique = 'ESC5' + } $Issue } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) -and ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = 
$entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" + Fix = '[TODO]' + Revert = '[TODO]' + Technique = 'ESC5' + } $Issue } 
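Review bot: The first branch's new `Issue` text, `"$($_.nTSecurityDescriptor.Owner) has Owner rights on this template"`, is emitted under the condition `$_.objectClass -ne 'pKICertificateTemplate'`, i.e. only for objects that are not templates, while the elseif branch immediately below correctly says `on this object`; the wording appears copied from Find-ESC4 and will mislabel CA, OID and other PKI-container findings in the report. `Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object"` matches the condition. If Private/Find-ESC5.ps1 mirrors this branch (its hunk is outside this view), the same text fix applies there. The enclosing ForEach-Object block starts outside the hunk.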
@@ -413,19 +385,17 @@ function Find-ESC5 {
 if ( ($_.objectClass -ne 'pKICertificateTemplate') -and
 ($SID -notmatch $SafeUsers) -and
 ($entry.ActiveDirectoryRights -match $DangerousRights) ) {
- $Issue = New-Object -TypeName pscustomobject
- $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
- $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
- $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
- $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Issue `
- -Value "$($entry.IdentityReference) has $($entry.ActiveDirectoryRights) rights on this object" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; foreach ( `$ace in `$ACL.access ) { if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) { `$ACL.RemoveAccessRule(`$ace) | Out-Null ; Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL } }" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5'
- $Severity = Set-Severity -Issue $Issue
- $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
+ $Issue = [pscustomobject]@{
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ IdentityReference = $entry.IdentityReference
+ ActiveDirectoryRights = $entry.ActiveDirectoryRights
+ Issue = "$($entry.IdentityReference) has $($entry.ActiveDirectoryRights) rights on this object"
+ Fix = "`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; foreach ( `$ace in `$ACL.access ) { if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) { `$ACL.RemoveAccessRule(`$ace) | Out-Null ; Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL } }"
+ Revert = '[TODO]'
+ Technique = 'ESC5'
+ }
 $Issue
 }
 }
@@ -445,28 +415,27 @@ function Find-ESC6 { } | ForEach-Object { [string]$CAFullName = "$($_.dNSHostName)\$($_.Name)" $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force + $Issue | Add-Member -MemberType NoteProperty -Name Forest = $_.CanonicalName.split('/')[0] -Force + $Issue | Add-Member -MemberType NoteProperty -Name Name = $_.Name -Force + $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName = $_.DistinguishedName -Force if ($_.SANFlag -eq 'Yes') { - $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix ` - -Value "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert ` - -Value "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force + $Issue | Add-Member -MemberType NoteProperty -Name Issue = 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' 
-Force + $Issue | Add-Member -MemberType NoteProperty -Name Fix = "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force + $Issue | Add-Member -MemberType NoteProperty -Name Revert = "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force } else { - $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value $_.AuditFilter -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value 'N/A' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value 'N/A' -Force + $Issue | Add-Member -MemberType NoteProperty -Name Issue = $_.AuditFilter -Force + $Issue | Add-Member -MemberType NoteProperty -Name Fix = 'N/A' -Force + $Issue | Add-Member -MemberType NoteProperty -Name Revert = 'N/A' -Force } - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC6' + $Issue | Add-Member -MemberType NoteProperty -Name Technique = 'ESC6' $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue | Add-Member -MemberType NoteProperty -Name Severity = $Severity $Issue } } } + function Find-ESC8 { [CmdletBinding()] param( @@ -477,10 +446,11 @@ function Find-ESC8 { $ADCSObjects | Where-Object { $_.CAEnrollmentEndpoint } | ForEach-Object { - $Issue = [ordered] @{ + $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name DistinguishedName = $_.DistinguishedName + Technique = 'ESC8' } if ($_.CAEnrollmentEndpoint -like '^http*') { $Issue['Issue'] = 'HTTP enrollment is enabled.' 
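Review bot: The rewritten Add-Member calls in the Find-ESC6 hunk replace `-Value` with a bare `=` (`-Name Forest = $_.CanonicalName.split('/')[0] -Force`, and likewise the Name, DistinguishedName, Issue, Fix, Revert, Technique and Severity lines), which is not Add-Member syntax: the `=` is taken as a positional argument, so each property is either bound to the literal string `=` or the call fails with a parameter-binding error, and Find-ESC6 stops producing usable findings. Either restore the parameter on every line, e.g. `$Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force`, or build the object as a `[pscustomobject]@{ … }` literal the way the ESC1–ESC5 hunks in this patch do. This hunk also keeps computing Severity via Set-Severity while the other detectors in the patch no longer do, so whichever convention the rest of the patch settles on should be applied here as well.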
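Review bot: Changing `$Issue = [ordered] @{` to `$Issue = [pscustomobject]@{` in the Find-ESC8 hunk breaks the assignments that follow it, because the surrounding code still writes `$Issue['Issue'] = 'HTTP enrollment is enabled.'` (context line here) and `$Issue['Fix']` / `$Issue['Revert']` (next hunk): a PSCustomObject cannot be indexed for assignment and gains no new members that way, so those statements error out and the finding never gets its Issue/Fix/Revert text. The smallest fix is to keep the literal as `$Issue = [ordered]@{` (the new `Technique = 'ESC8'` entry and the final `[PSCustomObject]$Issue` cast in the next hunk then work as intended); alternatively declare `Issue`, `Fix` and `Revert` keys in the literal and switch the later writes to `$Issue.Issue = …`. Separately, on the visible context line `if ($_.CAEnrollmentEndpoint -like '^http*')`, `-like` is a wildcard match in which `^` is a literal character, so the HTTP branch presumably only fires for endpoints that literally start with `^http`; `-like 'http:*'` or `-match '^http:'` would express the intent.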
@@ -494,13 +464,11 @@ function Find-ESC8 {
 $Issue['Fix'] = 'TBD - Remediate by doing 1, 2, and 3'
 $Issue['Revert'] = 'TBD'
 }
- $Issue['Technique'] = 'ESC8'
- $Severity = Set-Severity -Issue $Issue
- $Issue['Severity'] = $Severity
- [PSCustomObject] $Issue
+ [PSCustomObject]$Issue
 }
 }
 }
+
 function Format-Result {
 [CmdletBinding()]
 param(
diff --git a/Private/Find-AuditingIssue.ps1 b/Private/Find-AuditingIssue.ps1
index 560f056..9e06eb6 100644
--- a/Private/Find-AuditingIssue.ps1
+++ b/Private/Find-AuditingIssue.ps1
@@ -26,8 +26,6 @@
 -Value "certutil.exe -config $($_.CAFullname) -setreg CA\AuditFilter $($_.AuditFilter); Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force
 $Issue | Add-Member -MemberType NoteProperty -Name 'Technique' -Value 'DETECT' -Force
 }
- $Severity = Set-Severity -Issue $Issue
- $Issue | Add-Member -MemberType NoteProperty -Name 'Severity' -Value $Severity
 $Issue
 }
 }
diff --git a/Private/Find-ESC1.ps1 b/Private/Find-ESC1.ps1
index f311a75..122a9fd 100644
--- a/Private/Find-ESC1.ps1
+++ b/Private/Find-ESC1.ps1
@@ -21,21 +21,17 @@
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
 if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) {
- $Issue = New-Object -TypeName pscustomobject
- $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
- $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
- $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
- $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Issue `
- -Value "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix `
- -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert `
- -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC1'
- $Severity = Set-Severity -Issue $Issue
- $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
+ $Issue = [pscustomobject]@{
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ IdentityReference = $entry.IdentityReference
+ ActiveDirectoryRights = $entry.ActiveDirectoryRights
+ Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
+ Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
+ Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Technique = 'ESC1'
+ }
 $Issue
 }
 }
diff --git a/Private/Find-ESC2.ps1 b/Private/Find-ESC2.ps1
index b23d712..884aa08 100644
--- a/Private/Find-ESC2.ps1
+++ b/Private/Find-ESC2.ps1
@@ -21,21 +21,17 @@
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
 if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) {
- $Issue = New-Object -TypeName pscustomobject
- $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
- $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
- $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
- $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Issue `
- -Value "$($entry.IdentityReference) can request a SubCA certificate without Manager Approval" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix `
- -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert `
- -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC2'
- $Severity = Set-Severity -Issue $Issue
- $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
+ $Issue = [pscustomobject]@{
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ IdentityReference = $entry.IdentityReference
+ ActiveDirectoryRights = $entry.ActiveDirectoryRights
+ Issue = "$($entry.IdentityReference) can request a SubCA certificate without Manager Approval"
+ Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
+ Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Technique = 'ESC2'
+ }
 $Issue
 }
 }
diff --git a/Private/Find-ESC3Condition1.ps1 b/Private/Find-ESC3Condition1.ps1
index 15b4b4e..3665ca5 100644
--- a/Private/Find-ESC3Condition1.ps1
+++ b/Private/Find-ESC3Condition1.ps1
@@ -20,21 +20,17 @@
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
 if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) {
- $Issue = New-Object -TypeName pscustomobject
- $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
- $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
- $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
- $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Issue `
- -Value "$($entry.IdentityReference) can enroll in this Enrollment Agent template without Manager Approval" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix `
- -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert `
- -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC3'
- $Severity = Set-Severity -Issue $Issue
- $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
+ $Issue = [pscustomobject]@{
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ IdentityReference = $entry.IdentityReference
+ ActiveDirectoryRights = $entry.ActiveDirectoryRights
+ Issue = "$($entry.IdentityReference) can enroll in this Enrollment Agent template without Manager Approval"
+ Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
+ Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Technique = 'ESC3'
+ }
 $Issue
 }
 }
diff --git a/Private/Find-ESC3Condition2.ps1 b/Private/Find-ESC3Condition2.ps1
index cf3680f..0e85e58 100644
--- a/Private/Find-ESC3Condition2.ps1
+++ b/Private/Find-ESC3Condition2.ps1
@@ -22,21 +22,17 @@
 $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
 }
 if ( ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match 'ExtendedRight') ) {
- $Issue = New-Object -TypeName pscustomobject
- $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
- $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
- $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force
- $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Issue `
- -Value "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix `
- -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert `
- -Value "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC3'
- $Severity = Set-Severity -Issue $Issue
- $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity
+ $Issue = [pscustomobject]@{
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ IdentityReference = $entry.IdentityReference
+ ActiveDirectoryRights = $entry.ActiveDirectoryRights
+ Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
+ Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
+ Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Technique = 'ESC3'
+ }
 $Issue
 }
 }
diff --git a/Private/Find-ESC4.ps1 b/Private/Find-ESC4.ps1
index bf66bfe..13e3aff 100644
--- a/Private/Find-ESC4.ps1
+++ b/Private/Find-ESC4.ps1
@@ -19,34 +19,30 @@ } if ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = "`$Owner = New-Object 
System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Technique = 'ESC4' + } $Issue } elseif ( ($_.objectClass -eq 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = '[TODO]' + 
Revert = '[TODO]' + Technique = 'ESC4' + } $Issue } 
@@ -62,19 +58,17 @@ ($entry.ActiveDirectoryRights -match $DangerousRights) -and ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($entry.IdentityReference) has $($entry.ActiveDirectoryRights) rights on this template" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; foreach ( `$ace in `$ACL.access ) { if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) { `$ACL.RemoveAccessRule(`$ace) | Out-Null ; Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL } }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC4' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($entry.IdentityReference) has $($entry.ActiveDirectoryRights) rights on this template" + Fix = "`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; foreach ( `$ace in 
`$ACL.access ) { if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) { `$ACL.RemoveAccessRule(`$ace) | Out-Null ; Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL } }" + Revert = '[TODO]' + Technique = 'ESC4' + } $Issue } } diff --git a/Private/Find-ESC5.ps1 b/Private/Find-ESC5.ps1 index 8471086..865438a 100644 --- a/Private/Find-ESC5.ps1 +++ b/Private/Find-ESC5.ps1 
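Review bot: The new `[pscustomobject]@{ ... }` literal has no `Severity` member and the `$Severity = Set-Severity -Issue $Issue` call is removed with nothing on the new side replacing it, so the ESC4 objects emitted at `$Issue` in this hunk no longer carry the severity the deleted `Add-Member` line set; the same omission is in both Private/Find-ESC5.ps1 hunks below and in the later ESC6, ESC8 and Find-AuditingIssue rewrites of this series. Any consumer that sorts or filters on `Severity` will now see an empty value, and `Set-Severity` is still defined in patch 06, so this looks accidental rather than a retired feature. Unless severity is assigned further down the pipeline, add `$Issue | Add-Member -MemberType NoteProperty -Name Severity -Value (Set-Severity -Issue $Issue)` immediately before the `$Issue` output line; if it is assigned elsewhere, a one-line comment at that output line saying so would stop the next reader from re-adding it. The enclosing Find-ESC4 function begins before this hunk.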
@@ -18,37 +18,33 @@ $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value } if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -match $UnsafeOwners) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = 
"$($_.nTSecurityDescriptor.Owner) has Owner rights on this template" + Fix = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$PreferredOwner`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Revert = "`$Owner = New-Object System.Security.Principal.SecurityIdentifier(`'$($_.nTSecurityDescriptor.Owner)`'); `$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; `$ACL.SetOwner(`$Owner); Set-ACL -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL" + Technique = 'ESC5' + } $Issue } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) -and ($entry.ActiveDirectoryRights.ObjectType -notmatch $SafeObjectTypes) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = 
$entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($_.nTSecurityDescriptor.Owner) has Owner rights on this object" + Fix = '[TODO]' + Revert = '[TODO]' + Technique = 'ESC5' + } $Issue } 
@@ -62,19 +58,17 @@ if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeUsers) -and ($entry.ActiveDirectoryRights -match $DangerousRights) ) { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force - $Issue | Add-Member -MemberType NoteProperty -Name IdentityReference -Value $entry.IdentityReference -Force - $Issue | Add-Member -MemberType NoteProperty -Name ActiveDirectoryRights -Value $entry.ActiveDirectoryRights -Force - $Issue | Add-Member -MemberType NoteProperty -Name Issue ` - -Value "$($entry.IdentityReference) has $($entry.ActiveDirectoryRights) rights on this object" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; foreach ( `$ace in `$ACL.access ) { if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) { `$ACL.RemoveAccessRule(`$ace) | Out-Null ; Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL } }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value '[TODO]' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC5' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + IdentityReference = $entry.IdentityReference + ActiveDirectoryRights = $entry.ActiveDirectoryRights + Issue = "$($entry.IdentityReference) has $($entry.ActiveDirectoryRights) rights on this object" + Fix = "`$ACL = Get-Acl -Path `'AD:$($_.DistinguishedName)`'; foreach ( `$ace in 
`$ACL.access ) { if ( (`$ace.IdentityReference.Value -like '$($Principal.Value)' ) -and ( `$ace.ActiveDirectoryRights -notmatch '^ExtendedRight$') ) { `$ACL.RemoveAccessRule(`$ace) | Out-Null ; Set-Acl -Path `'AD:$($_.DistinguishedName)`' -AclObject `$ACL } }" + Revert = '[TODO]' + Technique = 'ESC5' + } $Issue } } diff --git a/Private/Find-ESC6.ps1 b/Private/Find-ESC6.ps1 index 7b23659..b5ed2e6 100644 --- a/Private/Find-ESC6.ps1 +++ b/Private/Find-ESC6.ps1 
@@ -11,25 +11,23 @@ } | ForEach-Object { [string]$CAFullName = "$($_.dNSHostName)\$($_.Name)" $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force + $Issue | Add-Member -MemberType NoteProperty -Name Forest = $_.CanonicalName.split('/')[0] -Force + $Issue | Add-Member -MemberType NoteProperty -Name Name = $_.Name -Force + $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName = $_.DistinguishedName -Force if ($_.SANFlag -eq 'Yes') { - $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix ` - -Value "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert ` - -Value "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force + $Issue | Add-Member -MemberType NoteProperty -Name Issue = 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' 
-Force + $Issue | Add-Member -MemberType NoteProperty -Name Fix = "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force + $Issue | Add-Member -MemberType NoteProperty -Name Revert = "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force } else { - $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value $_.AuditFilter -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value 'N/A' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value 'N/A' -Force + $Issue | Add-Member -MemberType NoteProperty -Name Issue = $_.AuditFilter -Force + $Issue | Add-Member -MemberType NoteProperty -Name Fix = 'N/A' -Force + $Issue | Add-Member -MemberType NoteProperty -Name Revert = 'N/A' -Force } - $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC6' + $Issue | Add-Member -MemberType NoteProperty -Name Technique = 'ESC6' $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity -Value $Severity + $Issue | Add-Member -MemberType NoteProperty -Name Severity = $Severity $Issue } } -} \ No newline at end of file +} diff --git a/Private/Find-ESC8.ps1 b/Private/Find-ESC8.ps1 index 050b2c4..657969a 100644 --- a/Private/Find-ESC8.ps1 +++ b/Private/Find-ESC8.ps1 @@ -8,10 +8,11 @@ $ADCSObjects | Where-Object { $_.CAEnrollmentEndpoint } | ForEach-Object { - $Issue = [ordered] @{ + $Issue = [pscustomobject]@{ Forest = $_.CanonicalName.split('/')[0] Name = $_.Name DistinguishedName = $_.DistinguishedName + Technique = 'ESC8' } if ($_.CAEnrollmentEndpoint -like '^http*') { $Issue['Issue'] = 'HTTP enrollment is enabled.' 
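Review bot: Changing `$Issue = [ordered] @{` to `$Issue = [pscustomobject]@{` in the Private/Find-ESC8.ps1 hunk leaves the `$Issue['Issue'] = ...`, `$Issue['CAEnrollmentEndpoint'] = ...`, `$Issue['Fix'] = ...` assignments below it operating on a PSCustomObject, and as far as I can tell PowerShell does not support `[...]` indexing on that type (it fails with "Unable to index into an object"), so this block errors on the first enrollment endpoint it inspects instead of reporting it; patch 05 introduces the same pattern in Find-AuditingIssue, Find-ESC6 and Find-ESC8 in Invoke-Locksmith.ps1 and in the three Private copies. The least invasive fix is to keep the `[ordered]@{ ... }` hashtable and rely on the existing `[PSCustomObject]$Issue` cast at the end of the block (the patch-05 ESC6 and auditing hunks would need that cast added at their bare `$Issue` output line), or else replace each indexed assignment with the form the removed lines used, e.g. `$Issue | Add-Member -MemberType NoteProperty -Name Issue -Value 'HTTP enrollment is enabled.' -Force`. Whichever is chosen, a quick run against a single CA object would have caught this, and a Pester case that pipes one fake `CAEnrollmentEndpoint` object through the function is cheap to add. The enclosing function begins before this hunk.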
@@ -24,10 +25,7 @@
 $Issue['Fix'] = 'TBD - Remediate by doing 1, 2, and 3'
 $Issue['Revert'] = 'TBD'
 }
- $Issue['Technique'] = 'ESC8'
- $Severity = Set-Severity -Issue $Issue
- $Issue['Severity'] = $Severity
- [PSCustomObject] $Issue
+ [PSCustomObject]$Issue
 }
 }
-}
\ No newline at end of file
+}
From adf784fd52d8c1f5deb0eb39c25d1cc44ec8153a Mon Sep 17 00:00:00 2001
From: Jake Hildreth
Date: Sun, 14 Jan 2024 09:33:36 -0500
Subject: [PATCH 04/10] Ope, overselected on that last find/replace.
---
 Invoke-Locksmith.ps1 | 22 ++++++++++------------
 Private/Find-ESC6.ps1 | 22 ++++++++++------------
 2 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index 28c881f..21a6029 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -415,22 +415,20 @@ function Find-ESC6 { } | ForEach-Object { [string]$CAFullName = "$($_.dNSHostName)\$($_.Name)" $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest = $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name = $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName = $_.DistinguishedName -Force + $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force + $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force + $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force if ($_.SANFlag -eq 'Yes') { - $Issue | Add-Member -MemberType NoteProperty -Name Issue = 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix = "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert = "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force + $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' 
-Force + $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force + $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force } else { - $Issue | Add-Member -MemberType NoteProperty -Name Issue = $_.AuditFilter -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix = 'N/A' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert = 'N/A' -Force + $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value $_.AuditFilter -Force + $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value 'N/A' -Force + $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value 'N/A' -Force } - $Issue | Add-Member -MemberType NoteProperty -Name Technique = 'ESC6' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity = $Severity + $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC6' $Issue } } diff --git a/Private/Find-ESC6.ps1 b/Private/Find-ESC6.ps1 index b5ed2e6..7958fdf 100644 --- a/Private/Find-ESC6.ps1 +++ b/Private/Find-ESC6.ps1 
@@ -11,22 +11,20 @@ } | ForEach-Object { [string]$CAFullName = "$($_.dNSHostName)\$($_.Name)" $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name Forest = $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name Name = $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName = $_.DistinguishedName -Force + $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force + $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force + $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force if ($_.SANFlag -eq 'Yes') { - $Issue | Add-Member -MemberType NoteProperty -Name Issue = 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix = "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert = "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force + $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' 
-Force + $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force + $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force } else { - $Issue | Add-Member -MemberType NoteProperty -Name Issue = $_.AuditFilter -Force - $Issue | Add-Member -MemberType NoteProperty -Name Fix = 'N/A' -Force - $Issue | Add-Member -MemberType NoteProperty -Name Revert = 'N/A' -Force + $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value $_.AuditFilter -Force + $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value 'N/A' -Force + $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value 'N/A' -Force } - $Issue | Add-Member -MemberType NoteProperty -Name Technique = 'ESC6' - $Severity = Set-Severity -Issue $Issue - $Issue | Add-Member -MemberType NoteProperty -Name Severity = $Severity + $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC6' $Issue } } From 6fe0c0baa0036e1d1dadd9fbaf66f010b121e0d5 Mon Sep 17 00:00:00 2001 From: Jake Hildreth Date: Sun, 14 Jan 2024 10:11:56 -0500 Subject: [PATCH 05/10] Add-Member is almost completely --- Invoke-Locksmith.ps1 | 73 ++++++++++++++++------------------ Private/Find-AuditingIssue.ps1 | 26 ++++++------ Private/Find-ESC6.ps1 | 24 ++++++----- Private/Find-ESC8.ps1 | 22 +++++----- 4 files changed, 68 insertions(+), 77 deletions(-) diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1 index 21a6029..0df8f80 100644 --- a/Invoke-Locksmith.ps1 +++ b/Invoke-Locksmith.ps1 
@@ -56,23 +56,21 @@ function Find-AuditingIssue { ($_.objectClass -eq 'pKIEnrollmentService') -and ($_.AuditFilter -ne '127') } | ForEach-Object { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name 'Forest' -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Name' -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'DistinguishedName' -Value $_.DistinguishedName -Force + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + Technique = 'DETECT' + } if ($_.AuditFilter -match 'CA Unavailable') { - $Issue | Add-Member -MemberType NoteProperty -Name 'Issue' -Value $_.AuditFilter -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Fix' -Value 'N/A' -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Revert' -Value 'N/A' -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Technique' -Value 'DETECT' -Force + $Issue['Issue'] = $_.AuditFilter + $Issue['Fix'] = 'N/A' + $Issue['Revert'] = 'N/A' } else { - $Issue | Add-Member -MemberType NoteProperty -Name 'Issue' -Value "Auditing is not fully enabled on $($_.CAFullName). 
Current value is $($_.AuditFilter)" -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Fix' ` - -Value "certutil.exe -config `'$($_.CAFullname)`' -setreg `'CA\AuditFilter`' 127; Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Revert' ` - -Value "certutil.exe -config $($_.CAFullname) -setreg CA\AuditFilter $($_.AuditFilter); Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Technique' -Value 'DETECT' -Force + $Issue['Issue'] = "Auditing is not fully enabled on $($_.CAFullName). Current value is $($_.AuditFilter)" + $Issue['Fix'] = "certutil.exe -config `'$($_.CAFullname)`' -setreg `'CA\AuditFilter`' 127; Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" + $Issue['Revert'] = "certutil.exe -config $($_.CAFullname) -setreg CA\AuditFilter $($_.AuditFilter); Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" } $Issue } 
@@ -414,21 +412,23 @@ function Find-ESC6 {
 ($_.SANFlag -ne 'No')
 } | ForEach-Object {
 [string]$CAFullName = "$($_.dNSHostName)\$($_.Name)"
- $Issue = New-Object -TypeName pscustomobject
- $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
- $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
+ $Issue = [pscustomobject]@{
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ Technique = 'ESC6'
+ }
 if ($_.SANFlag -eq 'Yes') {
- $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force
+ $Issue['Issue'] = 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.'
+ $Issue['Fix'] = "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }"
+ $Issue['Revert'] = "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }"
 }
 else {
- $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value $_.AuditFilter -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value 'N/A' -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value 'N/A' -Force
+ $Issue['Issue'] = $_.AuditFilter
+ $Issue['Fix'] = 'N/A'
+ $Issue['Revert'] = 'N/A'
 }
- $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC6'
+
 $Issue
 }
 }
@@ -445,22 +445,17 @@ function Find-ESC8 {
 $_.CAEnrollmentEndpoint
 } | ForEach-Object {
 $Issue = [pscustomobject]@{
- Forest = $_.CanonicalName.split('/')[0]
- Name = $_.Name
- DistinguishedName = $_.DistinguishedName
- Technique = 'ESC8'
- }
- if ($_.CAEnrollmentEndpoint -like '^http*') {
- $Issue['Issue'] = 'HTTP enrollment is enabled.'
- $Issue['CAEnrollmentEndpoint'] = $_.CAEnrollmentEndpoint
- $Issue['Fix'] = 'TBD - Remediate by doing 1, 2, and 3'
- $Issue['Revert'] = 'TBD'
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ CAEnrollmentEndpoint = $_.CAEnrollmentEndpoint
+ Issue = 'HTTP enrollment is enabled.'
+ Fix = '[TODO]'
+ Revert = '[TODO]'
+ Technique = 'ESC8'
 }
- else {
+ if ($_.CAEnrollmentEndpoint -like '^https*') {
 $Issue['Issue'] = 'HTTPS enrollment is enabled.'
- $Issue['CAEnrollmentEndpoint'] = $_.CAEnrollmentEndpoint
- $Issue['Fix'] = 'TBD - Remediate by doing 1, 2, and 3'
- $Issue['Revert'] = 'TBD'
 }
 [PSCustomObject]$Issue
 }
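Review bot: In the ESC6 hunk the `$Issue['Fix']` and `$Issue['Revert']` strings interpolate the CA identifier bare as `certutil -config $CAFullname -setreg ...`, while the Find-AuditingIssue fix in this same patch wraps its `-config` argument in escaped single quotes; a CA common name containing spaces, which is common, turns the generated remediation command into one that certutil parses as several arguments, so the operator who pastes it gets an error rather than the intended registry change. Quote it here the same way the auditing fix does (backtick-apostrophe on each side of `$CAFullname`) in both strings, and in the Private/Find-ESC6.ps1 copy of this hunk below. The variable is also declared as `$CAFullName` and read as `$CAFullname`; PowerShell does not care, but one spelling keeps a later grep honest. Find-ESC6 begins before this hunk.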
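Review bot: The new guard `if ($_.CAEnrollmentEndpoint -like '^https*') {` in the ESC8 hunk can never be true, because `-like` is a wildcard comparison in which `^` is a literal character that no URL begins with; every endpoint therefore keeps the default `Issue = 'HTTP enrollment is enabled.'` from the literal, and an HTTPS-only enrollment endpoint is reported as plaintext enrollment, which is exactly the distinction ESC8 reporting needs to get right. The removed `-like '^http*'` had the same flaw, but the old else branch at least produced a second label; with the default now hard-coded the error is invisible. Use `if ($_.CAEnrollmentEndpoint -like 'https*') {` (or `-match '^https'`), and apply the same change to the identical line added in the Private/Find-ESC8.ps1 hunk of this patch. Find-ESC8 begins before this hunk.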
diff --git a/Private/Find-AuditingIssue.ps1 b/Private/Find-AuditingIssue.ps1
index 9e06eb6..c954b66 100644
--- a/Private/Find-AuditingIssue.ps1
+++ b/Private/Find-AuditingIssue.ps1
@@ -8,23 +8,21 @@ ($_.objectClass -eq 'pKIEnrollmentService') -and ($_.AuditFilter -ne '127') } | ForEach-Object { - $Issue = New-Object -TypeName pscustomobject - $Issue | Add-Member -MemberType NoteProperty -Name 'Forest' -Value $_.CanonicalName.split('/')[0] -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Name' -Value $_.Name -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'DistinguishedName' -Value $_.DistinguishedName -Force + $Issue = [pscustomobject]@{ + Forest = $_.CanonicalName.split('/')[0] + Name = $_.Name + DistinguishedName = $_.DistinguishedName + Technique = 'DETECT' + } if ($_.AuditFilter -match 'CA Unavailable') { - $Issue | Add-Member -MemberType NoteProperty -Name 'Issue' -Value $_.AuditFilter -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Fix' -Value 'N/A' -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Revert' -Value 'N/A' -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Technique' -Value 'DETECT' -Force + $Issue['Issue'] = $_.AuditFilter + $Issue['Fix'] = 'N/A' + $Issue['Revert'] = 'N/A' } else { - $Issue | Add-Member -MemberType NoteProperty -Name 'Issue' -Value "Auditing is not fully enabled on $($_.CAFullName). Current value is $($_.AuditFilter)" -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Fix' ` - -Value "certutil.exe -config `'$($_.CAFullname)`' -setreg `'CA\AuditFilter`' 127; Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Revert' ` - -Value "certutil.exe -config $($_.CAFullname) -setreg CA\AuditFilter $($_.AuditFilter); Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force - $Issue | Add-Member -MemberType NoteProperty -Name 'Technique' -Value 'DETECT' -Force + $Issue['Issue'] = "Auditing is not fully enabled on $($_.CAFullName). 
Current value is $($_.AuditFilter)" + $Issue['Fix'] = "certutil.exe -config `'$($_.CAFullname)`' -setreg `'CA\AuditFilter`' 127; Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" + $Issue['Revert'] = "certutil.exe -config $($_.CAFullname) -setreg CA\AuditFilter $($_.AuditFilter); Invoke-Command -ComputerName `'$($_.dNSHostName)`' -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" } $Issue } diff --git a/Private/Find-ESC6.ps1 b/Private/Find-ESC6.ps1 index 7958fdf..8f2f9e3 100644 --- a/Private/Find-ESC6.ps1 +++ b/Private/Find-ESC6.ps1 
@@ -10,21 +10,23 @@
 ($_.SANFlag -ne 'No')
 } | ForEach-Object {
 [string]$CAFullName = "$($_.dNSHostName)\$($_.Name)"
- $Issue = New-Object -TypeName pscustomobject
- $Issue | Add-Member -MemberType NoteProperty -Name Forest -Value $_.CanonicalName.split('/')[0] -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Name -Value $_.Name -Force
- $Issue | Add-Member -MemberType NoteProperty -Name DistinguishedName -Value $_.DistinguishedName -Force
+ $Issue = [pscustomobject]@{
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ Technique = 'ESC6'
+ }
 if ($_.SANFlag -eq 'Yes') {
- $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.' -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }" -Force
+ $Issue['Issue'] = 'EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.'
+ $Issue['Fix'] = "certutil -config $CAFullname -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }"
+ $Issue['Revert'] = "certutil -config $CAFullname -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName `"$($_.dNSHostName)`" -ScriptBlock { Get-Service -Name `'certsvc`' | Restart-Service -Force }"
 }
 else {
- $Issue | Add-Member -MemberType NoteProperty -Name Issue -Value $_.AuditFilter -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Fix -Value 'N/A' -Force
- $Issue | Add-Member -MemberType NoteProperty -Name Revert -Value 'N/A' -Force
+ $Issue['Issue'] = $_.AuditFilter
+ $Issue['Fix'] = 'N/A'
+ $Issue['Revert'] = 'N/A'
 }
- $Issue | Add-Member -MemberType NoteProperty -Name Technique -Value 'ESC6'
+
 $Issue
 }
 }
diff --git a/Private/Find-ESC8.ps1 b/Private/Find-ESC8.ps1
index 657969a..62351b2 100644
--- a/Private/Find-ESC8.ps1
+++ b/Private/Find-ESC8.ps1
@@ -9,21 +9,17 @@
 $_.CAEnrollmentEndpoint
 } | ForEach-Object {
 $Issue = [pscustomobject]@{
- Forest = $_.CanonicalName.split('/')[0]
- Name = $_.Name
- DistinguishedName = $_.DistinguishedName
- Technique = 'ESC8'
+ Forest = $_.CanonicalName.split('/')[0]
+ Name = $_.Name
+ DistinguishedName = $_.DistinguishedName
+ CAEnrollmentEndpoint = $_.CAEnrollmentEndpoint
+ Issue = 'HTTP enrollment is enabled.'
+ Fix = '[TODO]'
+ Revert = '[TODO]'
+ Technique = 'ESC8'
 }
- if ($_.CAEnrollmentEndpoint -like '^http*') {
- $Issue['Issue'] = 'HTTP enrollment is enabled.'
- $Issue['CAEnrollmentEndpoint'] = $_.CAEnrollmentEndpoint
- $Issue['Fix'] = 'TBD - Remediate by doing 1, 2, and 3'
- $Issue['Revert'] = 'TBD'
- } else {
+ if ($_.CAEnrollmentEndpoint -like '^https*') {
 $Issue['Issue'] = 'HTTPS enrollment is enabled.'
- $Issue['CAEnrollmentEndpoint'] = $_.CAEnrollmentEndpoint
- $Issue['Fix'] = 'TBD - Remediate by doing 1, 2, and 3'
- $Issue['Revert'] = 'TBD'
 }
 [PSCustomObject]$Issue
 }
From 63491e8402e17f31d0c0cfa94201e1cd59aa3ad3 Mon Sep 17 00:00:00 2001
From: Jake Hildreth
Date: Sun, 14 Jan 2024 10:14:25 -0500
Subject: [PATCH 06/10] Fresh build.
---
 Invoke-Locksmith.ps1 | 3 ++-
 Private/Set-AdditionalCAProperty.ps1 | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index 0df8f80..7bb9bea 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -895,7 +895,7 @@ function Set-AdditionalCAProperty {
 Mandatory = $true,
 ValueFromPipeline = $true)]
 [array]$ADCSObjects,
- [System.Management.Automation.PSCredential]$Credential
+ [PSCredential]$Credential
 )
 process {
 $ADCSObjects | Where-Object objectClass -Match 'pKIEnrollmentService' | ForEach-Object {
@@ -973,6 +973,7 @@ function Set-AdditionalCAProperty {
 }
 }
 }
+
 function Set-Severity {
 [CmdletBinding()]
 param(
diff --git a/Private/Set-AdditionalCAProperty.ps1 b/Private/Set-AdditionalCAProperty.ps1
index 31be674..437f3d6 100644
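Review bot: `-like '^https*'` is a wildcard comparison, and `^` is an ordinary character in a wildcard pattern, so the condition matches only endpoints that literally start with `^https`; the removed `-like '^http*'` had the same defect, and because the literal now sets `Issue = 'HTTP enrollment is enabled.'` unconditionally, every CA with a CAEnrollmentEndpoint is reported as plain-HTTP enrollment. Use `if ($_.CAEnrollmentEndpoint -like 'https*') {` (or `-match '^https'`) so HTTPS-only endpoints are labelled correctly. The trailing `[PSCustomObject]$Issue` cast is a no-op on an object that is already a PSCustomObject and can be plain `$Issue`. The enclosing function starts before this hunk.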
--- a/Private/Set-AdditionalCAProperty.ps1
+++ b/Private/Set-AdditionalCAProperty.ps1
@@ -5,7 +5,7 @@
 Mandatory = $true,
 ValueFromPipeline = $true)]
 [array]$ADCSObjects,
- [System.Management.Automation.PSCredential]$Credential
+ [PSCredential]$Credential
 )
 process {
 $ADCSObjects | Where-Object objectClass -Match 'pKIEnrollmentService' | ForEach-Object {
@@ -73,4 +73,4 @@
 Add-Member -InputObject $_ -MemberType NoteProperty -Name SANFlag -Value $SANFlag -Force
 }
 }
-}
\ No newline at end of file
+}
From 02943e56ab169d514c29f4ff0d33cfbd7e1a1e03 Mon Sep 17 00:00:00 2001
From: Jake Hildreth
Date: Sun, 14 Jan 2024 10:31:35 -0500
Subject: [PATCH 07/10] Initial commit
---
 CONTRIBUTING.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 CONTRIBUTING.md
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..08654b8
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,71 @@
+# Contributing to Locksmith
+
+First off, thanks for taking the time to contribute! ❤️
+
+All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. 🎉
+
+> And if you like the project, but just don't have time to contribute, that's fine. There are other easy ways to support the project and show your appreciation, which we would also be very happy about:
+> - Star the project
+> - Tweet about it
+> - Refer this project in your project's readme
+> - Mention the project at local meetups and tell your friends/colleagues
+
+
+## Table of Contents
+
+- [Code of Conduct](#code-of-conduct)
+- [I Have a Question](#i-have-a-question)
+- [I Want To Contribute](#i-want-to-contribute)
+- [Reporting Bugs](#reporting-bugs)
+- [Suggesting Enhancements](#suggesting-enhancements)
+- [Your First Code Contribution](#your-first-code-contribution)
+- [Improving The Documentation](#improving-the-documentation)
+- [Styleguides](#styleguides)
+- [Commit Messages](#commit-messages)
+- [Join The Project Team](#join-the-project-team)
+
+
+## Code of Conduct
+
+This project and everyone participating in it is governed by the
+[Locksmith Code of Conduct](https://github.com/TrimarcJake/Locksmithblob/master/CODE_OF_CONDUCT.md).
+By participating, you are expected to uphold this code. Please report unacceptable behavior
+to .
+
+
+## I Have a Question
+
+> If you want to ask a question, we assume that you have read the available [Documentation](https://github.com/TrimarcJake/Locksmith/blob/main/README.md).
+
+Before you ask a question, it is best to search for existing [Issues](https://github.com/TrimarcJake/Locksmith/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first.
+
+If you then still feel the need to ask a question and need clarification, we recommend the following:
+
+- Open an [Issue](https://github.com/TrimarcJake/Locksmith/issues/new).
+- Provide as much context as you can about what you're running into.
+- Provide project and platform versions (nodejs, npm, etc), depending on what seems relevant.
+
+We will then take care of the issue as soon as possible.
+
+## I Want To Contribute
+
+> ### Legal Notice
+> When contributing to this project, you must agree that you have authored 100% of the content, that you have the necessary rights to the content and that the content you contribute may be provided under the project license.
+
+### Reporting Bugs
+
+
+#### Before Submitting a Bug Report
+
+A good bug report shouldn't leave others needing to chase you up for more information. Therefore, we ask you to investigate carefully, collect information and describe the issue in detail in your report. Please complete the following steps in advance to help us fix any potential bug as fast as possible.
+
+- Make sure that you are using the latest version.
+- Determine if your bug is really a bug and not an error on your side e.g. using incompatible environment components/versions (Make sure that you have read the [documentation](https://github.com/TrimarcJake/Locksmith/blob/main/README.md). If you are looking for support, you might want to check [this section](#i-have-a-question)).
+- To see if other users have experienced (and potentially already solved) the same issue you are having, check if there is not already a bug report existing for your bug or error in the [bug tracker](https://github.com/TrimarcJake/Locksmithissues?q=label%3Abug).
+- Also make sure to search the internet (including Stack Overflow) to see if users outside of the GitHub community have discussed the issue.
+- Collect information about the bug:
+ - OS, Platform, and Version of Client Machine. (Locksmith is only supported on Windows 10+/2016+ at this time.)
+ - Single or multi-domain Forest?
+ - Powershell version (ISE/Windows Powershell/Powershell Core)
+ - Possibly your input and the output
+ - Can you reliably reproduce the issue?
From 835e9fafc3d78f829288b5ea3fd9d217379c3cad Mon Sep 17 00:00:00 2001
From: Jake Hildreth
Date: Sun, 14 Jan 2024 10:36:54 -0500
Subject: [PATCH 08/10] Added bug report and enhancement details.
---
 CONTRIBUTING.md | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 08654b8..f17fe5c 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -69,3 +69,44 @@ A good bug report shouldn't leave others needing to chase you up for more inform
 - Powershell version (ISE/Windows Powershell/Powershell Core)
 - Possibly your input and the output
 - Can you reliably reproduce the issue?
+
+#### How Do I Submit a Good Bug Report?
+
+> Never report security related issues, vulnerabilities, or bugs including sensitive information to the issue tracker or elsewhere in public. Instead sensitive bugs must be sent by email to security@dotdot.horse.
+
+
+We use GitHub issues to track bugs and errors. If you run into an issue with the project:
+
+- Open an [Issue](https://github.com/TrimarcJake/Locksmith/issues/new). (Since we can't be sure at this point whether it is a bug or not, we ask you not to talk about a bug yet and not to label the issue.)
+- Explain the behavior you would expect and the actual behavior.
+- Please provide as much context as possible and describe the *reproduction steps* that someone else can follow to recreate the issue on their own. This usually includes your code. For good bug reports you should isolate the problem and create a reduced test case.
+- Provide the information you collected in the previous section.
+
+Once it's filed:
+
+- The project team will label the issue accordingly.
+- A team member will try to reproduce the issue with your provided steps. If there are no reproduction steps or no obvious way to reproduce the issue, the team will ask you for those steps and mark the issue as `needs-repro`. Bugs with the `needs-repro` tag will not be addressed until they are reproduced.
+- If the team is able to reproduce the issue, it will be marked `needs-fix`, as well as possibly other tags (such as `critical`), and the issue will be left to be [implemented by someone](#your-first-code-contribution).
+
+### Suggesting Enhancements
+
+This section guides you through submitting an enhancement suggestion for Locksmith, **including completely new features and minor improvements to existing functionality**. Following these guidelines will help maintainers and the community to understand your suggestion and find related suggestions.
+
+
+#### Before Submitting an Enhancement
+
+- Make sure that you are using the latest version.
+- Read the [documentation](https://github.com/TrimarcJake/Locksmith/blob/main/README.md) carefully and find out if the functionality is already covered, maybe by an individual configuration.
+- Perform a [search](https://github.com/TrimarcJake/Locksmith/issues) to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one.
+- Find out whether your idea fits with the scope and aims of the project. It's up to you to make a strong case to convince the project's developers of the merits of this feature. Keep in mind that we want features that will be useful to the majority of our users and not just a small subset. If you're just targeting a minority of users, consider writing an add-on/plugin library.
+
+
+#### How Do I Submit a Good Enhancement Suggestion?
+
+Enhancement suggestions are tracked as [GitHub issues](https://github.com/TrimarcJake/Locksmith/issues).
+
+- Use a **clear and descriptive title** for the issue to identify the suggestion.
+- Provide a **step-by-step description of the suggested enhancement** in as many details as possible.
+- **Describe the current behavior** and **explain which behavior you expected to see instead** and why. At this point you can also tell which alternatives do not work for you.
+- You may want to **include screenshots and animated GIFs** which help you demonstrate the steps or point out the part which the suggestion is related to.
You can use [this tool](https://www.cockos.com/licecap/) to record GIFs on macOS and Windows, and [this tool](https://github.com/colinkeenan/silentcast) or [this tool](https://github.com/GNOME/byzanz) on Linux.
+- **Explain why this enhancement would be useful** to most Locksmith users. You may also want to point out the other projects that solved it better and which could serve as inspiration.
From 11a01d91c02caf55607d78c4ee893d31022066c8 Mon Sep 17 00:00:00 2001
From: Jake Hildreth
Date: Sun, 14 Jan 2024 10:40:27 -0500
Subject: [PATCH 09/10] Initial commit.
---
 CODE_OF_CONDUCT.md | 70 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 CODE_OF_CONDUCT.md
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..6e720a3
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,70 @@
+# Code of Conduct - Locksmith
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to make participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+advances
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, or to ban
+temporarily or permanently any contributor for other behaviors that they deem
+inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at .
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://contributor-covenant.org/), version
+[1.4](https://www.contributor-covenant.org/version/1/4/code-of-conduct/code_of_conduct.md) and
+[2.0](https://www.contributor-covenant.org/version/2/0/code_of_conduct/code_of_conduct.md),
+and was generated by [contributing-gen](https://github.com/bttger/contributing-gen).
From f1a649077730aa9d40924146d4f247305c7f6d68 Mon Sep 17 00:00:00 2001
From: Sam Erde <20478745+SamErde@users.noreply.github.com>
Date: Tue, 16 Jan 2024 02:24:14 -0500
Subject: [PATCH 10/10] Setup PSScriptAnalyzer action
---
 .github/workflows/powershell.yml | 49 ++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/powershell.yml
diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml
new file mode 100644
index 0000000..836fab5
--- /dev/null
+++ b/.github/workflows/powershell.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# https://github.com/microsoft/action-psscriptanalyzer
+# For more information on PSScriptAnalyzer in general, see
+# https://github.com/PowerShell/PSScriptAnalyzer
+
+name: PSScriptAnalyzer
+
+on:
+  push:
+    branches: [ "testing" ]
+  pull_request:
+    branches: [ "testing" ]
+  schedule:
+    - cron: '41 14 * * 4'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: PSScriptAnalyzer
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run PSScriptAnalyzer
+        uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
+        with:
+          # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
+          # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
+          path: .\
+          recurse: true
+          # Include your own basic security rules. Removing this option will run all the rules
+          includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"'
+          output: results.sarif
+
+      # Upload the SARIF file generated in the previous step
+      - name: Upload SARIF results file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: results.sarif
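Review bot: `includeRule:` on the "Run PSScriptAnalyzer" step restricts the scan to exactly the two listed rules, so despite the comment above it none of the analyzer's other rules run; the comment itself says removing the option runs all rules, so either drop `includeRule` or list the credential-handling rules explicitly (for example `PSAvoidUsingPlainTextForPassword`), which matters for a module whose functions take a `[PSCredential]` parameter. The analyzer action is pinned to a commit SHA while `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` use mutable tags; pin both to full SHAs so the step running with `security-events: write` cannot change underneath the workflow. The `push` and `pull_request` triggers fire only for the `testing` branch, so if `main` is the integration branch, as the README links in CONTRIBUTING.md suggest, code landing there is never analyzed; add it to both `branches` lists.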