diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 00000000..6b0b65bd
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,15 @@
+# These are supported funding model platforms
+
+github: [jakehildreth] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: jakehildreth # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+polar: # Replace with a single Polar username
+buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
+thanks_dev: # Replace with a single thanks.dev username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
diff --git a/Docs/index.md b/Docs/index.md
index b8571c68..66824219 100644
--- a/Docs/index.md
+++ b/Docs/index.md
@@ -79,7 +79,7 @@ Invoke-Locksmith
 # Script Syntax
 .\Invoke-Locksmith.ps1
 ```
-Example Output for Mode 0:
+Example Output for Mode 0:
@@ -94,7 +94,7 @@ Invoke-Locksmith -Mode 1
 # Script Syntax
 .\Invoke-Locksmith.ps1 -Mode 1
 ```
-Example Output for Mode 1:
+Example Output for Mode 1:
@@ -109,7 +109,7 @@ Invoke-Locksmith -Mode 2
 # Script Syntax
 .\Invoke-Locksmith.ps1 -Mode 2
 ```
-Example Output for Mode 2:
+Example Output for Mode 2:
@@ -123,7 +123,7 @@ Invoke-Locksmith -Mode 3
 # Script Syntax
 .\Invoke-Locksmith.ps1 -Mode 3
 ```
-Example Output for Mode 3:
+Example Output for Mode 3:
@@ -138,7 +138,7 @@ Invoke-Locksmith -Mode 4
 # Script Syntax
 .\Invoke-Locksmith.ps1 -Mode 4
 ```
-Example Output for Mode 4:
+Example Output for Mode 4:
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index a2730ebc..783ec8c3 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
@@ -1164,7 +1164,15 @@ function Find-ESC5 {
 }
 $IssueDetail = ''
- if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
+ $DangerousOwner = $false
+ if ( ($_.objectClass -eq 'computer') -and ($SID -match '-512$') ) {
+ $DangerousOwner = $false
+ }
+ elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
+ $DangerousOwner = $true
+ }
+
+ if ($DangerousOwner) {
 switch ($_.objectClass) {
 container {
 $IssueDetail = @"
@@ -1177,7 +1185,8 @@ CA objects, new templates, new OIDs, etc. to create novel escalation paths.
 $IssueDetail = @"
 This computer is hosting a Certification Authority (CA).
-There is no reason for anyone other than AD Admins to have own CA host objects.
+There is no reason for anyone other than Enterprise Admins or Domain Admins to
+own CA host objects.
 "@
 }
 'msPKI-Cert-Template-OID' {
@@ -1197,7 +1206,7 @@ Ownership rights can be used to enable currently disabled templates.
 If this prinicpal also has control over a disabled certificate template (aka ESC4),
 they could modify the template into an ESC1 template and enable the certificate.
-This ensabled certificate could be use for privilege escalation and persistence.
+This enabled certificate could be use for privilege escalation and persistence.
 "@
 }
 }
diff --git a/Private/Find-ESC5.ps1 b/Private/Find-ESC5.ps1
index 797eef86..0640efd8 100644
--- a/Private/Find-ESC5.ps1
+++ b/Private/Find-ESC5.ps1
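Review bot: The exemption added in the new `if` branch keys on `$SID -match '-512$'`, which accepts the Domain Admins RID from any domain because only the suffix is compared; in a multi-domain forest a CA host object owned by another domain's Domain Admins group would now be silently dropped from the ESC5 results, which may or may not be intended. If only the host's own domain should be exempt, compare against the full group SID (domain SID plus `-512`) rather than the suffix. The branch body only re-assigns the `$false` default, so the two branches can collapse into one expression, e.g. `$DomainAdminOwnsCaHost = ($_.objectClass -eq 'computer') -and ($SID -match '-512$')` followed by `$DangerousOwner = (-not $DomainAdminOwnsCaHost) -and ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners)`. The new wording in the next hunk also names Enterprise Admins, which this branch does not special-case, so that presumably relies on `$SafeOwners` (defined outside the hunk) already covering RID 519 — worth confirming. The same logic is duplicated in Private/Find-ESC5.ps1 at @@ -87,7 +87,14 @@, and the enclosing `Find-ESC5` function begins and ends outside the hunk.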
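Review bot: The rewritten line `+This enabled certificate could be use for privilege escalation and persistence.` fixes one typo but leaves another; it should read `This enabled certificate could be used for privilege escalation and persistence.`. The unchanged context line two above it also misspells "principal" as `prinicpal`, and this here-string is user-facing finding text. The identical text is changed in Private/Find-ESC5.ps1 at @@ -120,7 +128,7 @@, so both copies should receive the same correction.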
@@ -87,7 +87,14 @@
 }
 $IssueDetail = ''
- if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
+ $DangerousOwner = $false
+ if ( ($_.objectClass -eq 'computer') -and ($SID -match '-512$') ) {
+ $DangerousOwner = $false
+ } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
+ $DangerousOwner = $true
+ }
+
+ if ($DangerousOwner) {
 switch ($_.objectClass) {
 container {
 $IssueDetail = @"
@@ -100,7 +107,8 @@ CA objects, new templates, new OIDs, etc. to create novel escalation paths.
 $IssueDetail = @"
 This computer is hosting a Certification Authority (CA).
-There is no reason for anyone other than AD Admins to have own CA host objects.
+There is no reason for anyone other than Enterprise Admins or Domain Admins to
+own CA host objects.
 "@
 }
 'msPKI-Cert-Template-OID' {
@@ -120,7 +128,7 @@ Ownership rights can be used to enable currently disabled templates.
 If this prinicpal also has control over a disabled certificate template (aka ESC4),
 they could modify the template into an ESC1 template and enable the certificate.
-This ensabled certificate could be use for privilege escalation and persistence.
+This enabled certificate could be use for privilege escalation and persistence.
 "@
 }
 }