From 6fd7445bb54822cc669757fa086358143fd4a931 Mon Sep 17 00:00:00 2001
From: TrimarcJake
Date: Thu, 25 Jul 2024 09:33:24 -0500
Subject: [PATCH] Updated ESC1-3 with here-string fixes and reverts too!
---
 Invoke-Locksmith.ps1 | 40 ++++++++++++++++++++++++++-------
 Private/Find-ESC1.ps1 | 10 +++++++--
 Private/Find-ESC2.ps1 | 10 +++++++--
 Private/Find-ESC3Condition1.ps1 | 10 +++++++--
 Private/Find-ESC3Condition2.ps1 | 10 +++++++--
 5 files changed, 64 insertions(+), 16 deletions(-)
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index 6adb7e0..55145cb 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -229,8 +229,14 @@ function Find-ESC1 {
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
- Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
- Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+ Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC1'
 }
 $Issue
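Review bot: Both generated snippets in Find-ESC1 overwrite the whole `msPKI-Certificate-Name-Flag` bitmask rather than the one bit the finding is about: Fix writes `0`, which also clears any subject-name bits the template relied on, and Revert writes `1`, which is the template's original value only if no other bit was set. A safer Fix reads the current value and clears bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT), e.g. `-Replace @{'msPKI-Certificate-Name-Flag' = ($Flag -band -bnot 1)}`, and Revert should write back the value recorded at scan time instead of a constant. The same Fix/Revert pair is repeated in the other seven hunks of this patch. Find-ESC1 starts and ends outside the hunk, so whether the original flag value is already available on `$_` cannot be seen from here.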
@@ -294,8 +300,14 @@ function Find-ESC2 {
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can request a SubCA certificate without Manager Approval"
- Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
- Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+ Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC2'
 }
 $Issue
@@ -358,8 +370,14 @@ function Find-ESC3Condition1 {
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Enrollment Agent template without Manager Approval"
- Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
- Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+ Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC3'
 }
 $Issue
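Review bot: In Find-ESC2 and Find-ESC3Condition1 the Issue text reports enrollment without Manager Approval, but the Fix and Revert here-strings change `msPKI-Certificate-Name-Flag`, which governs how the subject name is built, not approval. The pair looks carried over from Find-ESC1; for these findings a remediation that turns approval on would set the CT_FLAG_PEND_ALL_REQUESTS bit (0x2) of `msPKI-Enrollment-Flag` instead, e.g. `Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = ($Flag -bor 2)}`. As written, an operator who runs the suggested Fix may consider the finding closed while the template stays enrollable as reported. The Find-ESC3Condition2 hunk and the Private/Find-ESC2.ps1, Private/Find-ESC3Condition1.ps1 and Private/Find-ESC3Condition2.ps1 hunks carry the same Fix/Revert pair; both function bodies continue outside the hunks.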
@@ -424,8 +442,14 @@ function Find-ESC3Condition2 {
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
- Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
- Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+ Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC3'
 }
 $Issue
diff --git a/Private/Find-ESC1.ps1 b/Private/Find-ESC1.ps1
index cf7ec93..a6499e3 100644
--- a/Private/Find-ESC1.ps1
+++ b/Private/Find-ESC1.ps1
@@ -52,8 +52,14 @@
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
- Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
- Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+ Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC1'
 }
 $Issue
diff --git a/Private/Find-ESC2.ps1 b/Private/Find-ESC2.ps1
index 040526c..9d333a1 100644
--- a/Private/Find-ESC2.ps1
+++ b/Private/Find-ESC2.ps1
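Review bot: The distinguished name is interpolated into a single-quoted literal (`` `$Object = `'$($_.DistinguishedName)`' ``) without escaping, so a template whose DN contains an apostrophe produces a Fix/Revert script that fails to parse or does not run as the report displays it. Doubling embedded quotes when the string is built closes that: `` `$Object = '$($_.DistinguishedName -replace "'", "''")' `` (the backtick before `'` is not needed inside a double-quoted here-string). This applies to every Fix and Revert here-string in the patch; it is raised at Private/Find-ESC1.ps1 because Invoke-Locksmith.ps1 appears to hold a copy of the same functions. The enclosing function is not visible in this hunk.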
@@ -52,8 +52,14 @@
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can request a SubCA certificate without Manager Approval"
- Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
- Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+ Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC2'
 }
 $Issue
diff --git a/Private/Find-ESC3Condition1.ps1 b/Private/Find-ESC3Condition1.ps1
index ad45dcc..7da08ee 100644
--- a/Private/Find-ESC3Condition1.ps1
+++ b/Private/Find-ESC3Condition1.ps1
@@ -51,8 +51,14 @@
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Enrollment Agent template without Manager Approval"
- Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
- Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+ Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC3'
 }
 $Issue
diff --git a/Private/Find-ESC3Condition2.ps1 b/Private/Find-ESC3Condition2.ps1
index 4458e00..1ab9503 100644
--- a/Private/Find-ESC3Condition2.ps1
+++ b/Private/Find-ESC3Condition2.ps1
@@ -53,8 +53,14 @@
 IdentityReference = $entry.IdentityReference
 ActiveDirectoryRights = $entry.ActiveDirectoryRights
 Issue = "$($entry.IdentityReference) can enroll in this Client Authentication template using a SAN without Manager Approval"
- Fix = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}"
- Revert = "Get-ADObject `'$($_.DistinguishedName)`' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}"
+ Fix = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}
+"@
+ Revert = @"
+`$Object = `'$($_.DistinguishedName)`'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 1}
+"@
 Technique = 'ESC3'
 }
 $Issue