Merge pull request #144 from TrimarcJake/convert-esc1-esc2-esc3-to-he…
…re-string

Updated ESC1-3 with here-string fixes and reverts too!
TrimarcJake authored Jul 29, 2024
2 parents 60c2691 + 6fd7445 commit 9713135
Showing 5 changed files with 64 additions and 16 deletions.
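--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -229,8 +229,14 @@ function Find-ESC1 {
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
-Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
-Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC1'
 }
 $Issue
@@ -294,8 +300,14 @@ function Find-ESC2 {
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can request a SubCA certificate without Manager Approval"
-Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
-Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC2'
 }
 $Issue
@@ -358,8 +370,14 @@ function Find-ESC3Condition1 {
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Enrollment Agent template without Manager Approval"
-Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
-Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC3'
 }
 $Issue
@@ -424,8 +442,14 @@ function Find-ESC3Condition2 {
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
-Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
-Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC3'
 }
 $Issue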
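Review bot: The distinguished name is spliced between single quotes in the generated Fix and Revert text without escaping, in all four hunks here and in the matching strings under Private/Find-ESC1.ps1, Find-ESC2.ps1, Find-ESC3Condition1.ps1 and Find-ESC3Condition2.ps1. A template whose DN contains an apostrophe ends the literal early, so the emitted remediation text either fails to parse or is no longer the command the operator believes they are reviewing. Because this text is meant to be run by an administrator against AD, the value should be escaped where the string is built, e.g. `$($_.DistinguishedName -replace "'", "''")`. The enclosing hashtables and function bodies start and end outside these hunks, so whether `$_` (rather than `$entry`) is always the template object at this point could not be checked.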
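--- a/Private/Find-ESC1.ps1
+++ b/Private/Find-ESC1.ps1
@@ -52,8 +52,14 @@
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
-Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
-Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC1'
 }
 $Issue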
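Review bot: Fix writes the literal 0 and Revert the literal 1 to `msPKI-Certificate-Name-Flag`, so both replace the whole bitmask instead of toggling the enrollee-supplies-subject bit (0x1). Any other name-flag bits the template carried are lost when Fix runs, and Revert does not restore the value that was there before. The generated text could read the current value into a variable first and write back `($Flag -band -bnot 1)` for Fix and `($Flag -bor 1)` for Revert. Alternatively Revert could embed the value seen at scan time, if the template object exposes it in this scope (not visible in the hunk). The same applies to the Find-ESC1 hunk in Invoke-Locksmith.ps1.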
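--- a/Private/Find-ESC2.ps1
+++ b/Private/Find-ESC2.ps1
@@ -52,8 +52,14 @@
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can request a SubCA certificate without Manager Approval"
-Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
-Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC2'
 }
 $Issue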
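Review bot: The Fix and Revert text changes `msPKI-Certificate-Name-Flag`, which does not match the Issue line above it: the finding is a SubCA certificate requested without Manager Approval, while the name flag governs enrollee-supplied subjects (the ESC1 condition). The remediation looks carried over from Find-ESC1, so an operator who applies it would probably leave the reported condition in place. Manager Approval is controlled by the pend-all-requests bit (0x2) of `msPKI-Enrollment-Flag`, so the generated command should set that bit instead, e.g. `@{'msPKI-Enrollment-Flag' = 2}` if overwriting the attribute is acceptable. The same mismatch appears in Private/Find-ESC3Condition1.ps1 and in the Find-ESC2 and Find-ESC3Condition1 hunks of Invoke-Locksmith.ps1. Find-ESC3Condition2 is worth checking too, since its Issue text is identical to ESC1's.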
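--- a/Private/Find-ESC3Condition1.ps1
+++ b/Private/Find-ESC3Condition1.ps1
@@ -51,8 +51,14 @@
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Enrollment Agent template without Manager Approval"
-Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
-Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC3'
 }
 $Issue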
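--- a/Private/Find-ESC3Condition2.ps1
+++ b/Private/Find-ESC3Condition2.ps1
@@ -53,8 +53,14 @@
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
-Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
-Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC3'
 }
 $Issue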
