August 2023: Build Scripts, and Modules, and Testing, Oh My!

Shortly after the 2023.07 release of Locksmith, I (@TrimarcJake) was contacted by PowerShell OG @PrzemyslawKlys (PK) about modernizing and improving the usability of Locksmith via his building and publishing tool PSPublishModule.

PK split Locksmith into Public and Private functions, each in their own .ps1 file. The functions get tested, formatted, and combined into module files which can be easily published by the Locksmith team and easily installed by end-users.

Unexpectedly (not really), separating functions into individual .ps1 files makes development much smoother. Did you know scrolling a multi-hundred line script to find stuff gets confusing?

This month was mostly spent testing this new process, but we also took some time to add a few goodies including a script that will COMPLETELY AND UTTERLY DESTROY the security of an AD CS environment if you really want to test your tools. DO NOT USE IN PRODUCTION.

I hope you enjoy!

Improvements:

  • Locksmith is now a module! You can download Locksmith-v2023.08.zip, expand it, and do Import-Module .\Locksmith.psd1 or install it from the PSGallery with Install-Module -Name Locksmith. The addition of PSGallery support should make Locksmith a cinch to use. (@PrzemyslawKlys) Note: we have no plans to deprecate the single-file Invoke-Locksmith.ps1 version of Locksmith. I personally appreciate the simplicity of a single-file download and install, and I don’t want to remove that functionality.
  • Build script! This is mostly useful for the Locksmith team, but if you want to play around with PSPbulishModule or built a customized version of Invoke-Locksmith.ps1 or the Locksmith module, have a go! (@PrzemyslawKlys)
  • Lab build script! Manually recreating vulnerable templates was getting annoying, so I spent some downtime creating “Tactical Speed Square” - a small script which creates a ton of vulnerable templates/objects, disables auditing on all CAs, and enables the ESC6 flag on all CAs. DO NOT USE IN PRODUCTION. (@TrimarcJake)
  • GREATLY Reduced ESC4 and ESC5 false positives. (@TrimarcJake) This was possible because of two things:
    1. Improved enumeration of Safe Group membership. Objects/templates will no longer be marked as vulnerable if the Identity Reference is a member of the domain Administrators, Cert Publishers, Domain Admins, or Enterprise Admins groups in any domain in a multi-domain forest even if they are in nested groups.
    2. Now, if an ACE is only for Enroll/AutoEnroll extended rights, that ACE is filtered out and does not trigger ESC4/ESC5. These rights are not dangerous.
  • ESC2 Checks now include the “Any Purpose” Extended Key Usage. Previously, these were only included in the ESC1 results. (@TrimarcJake)

Bug Fixes:

  • No more errors when attempting to enumerate Safe Groups in a multi-domain forest. (@TrimarcJake)
  • Unneeded files are no longer created when there are no issues in the environment. (@SamErde)

Known Issues:

  • None (FOR THE MOMENT)

Unfinished Features in the Works:

  • ESC3 Coverage (@TrimarcJake)
  • Adding Severity Ratings to Findings (@techspence)

Contributors to this release:

  • @PrzemyslawKlys
  • @SamErde
  • @techspence
  • @TrimarcJake