This month’s Locksmith release finally introduces full ESC3 detections. Insecure Enrollment Agent templates and Client Authentication templates requiring signing by a single Enrollment Agent certificate will now be flagged. This closes the door on a pretty large hole in Locksmith’s detections.

This release also marks a change in my (@TrimarcJake) role in Locksmith. I am refocusing my development time toward a new tool for finding and fixing issues in Active Directory-integrated DNS called BlueTuxedo. Until BlueTuxedo is released and gets stable, I will not be writing any new code for Locksmith.

But as you can see by this month’s contributions, @techspence and @SamErde are more than capable of running the show for a while. :D


  • Added checks for ESC3 Condition 1 (@TrimarcJake) and Condition 2 (@techspence)
  • Sorted list output for improved readability (@SamErde)
  • Moved the AD module check above the first use of ActiveDirectory cmdlets (@SamErde)
  • Other refactoring of code to make consistent use of formatting (@SamErde)
  • Added detailed output for failed severity checks (@SamErde)
  • Improved performance of Set-AdditionalCAProperty by reducing ping count to 1 (@techspence)
  • ESC3 Condition 1 template generated by Invoke-TSS.ps1 lab build script. (@TrimarcJake)

Known Issues:

  • In ESC4/ESC5 checks, when multiple ACEs exist on a PKI object, all ACEs are displayed. ESC4/ESC5 checks should emulate Effective Access in regular mode and list all ACEs in Verbose mode. (Thanks to Robert for bringing this to my attention in person at Blue Team Con!)

Unfinished Features in the Works:

  • Better severity ratings
  • More granular command line parameters (modes were a bad idea.)

Contributors to this release:

  • @SamErde
  • @techspence
  • @TrimarcJake

Honorary mention:

  • @PrzemyslawKlys

PK’s PSPublishModule has been invaluable for speeding up development in Locksmith. He’ll continue to get mentioned for quite some time.