Sync main to testing

.github/FUNDING.yml

@@ -0,0 +1,15 @@
+# These are supported funding model platforms
+
+github: [jakehildreth] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: jakehildreth # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+polar: # Replace with a single Polar username
+buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
+thanks_dev: # Replace with a single thanks.dev username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

Docs/index.md

@@ -79,7 +79,7 @@ Invoke-Locksmith
 # Script Syntax
 .\Invoke-Locksmith.ps1
 ```
-Example Output for Mode 0: <https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode0.md>
+Example Output for Mode 0: <https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode0.md>
 
 <a name="Mode1" id="Mode1"></a>
 
@@ -94,7 +94,7 @@ Invoke-Locksmith -Mode 1
 # Script Syntax
 .\Invoke-Locksmith.ps1 -Mode 1
 ```
-Example Output for Mode 1: <https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode1.md>
+Example Output for Mode 1: <https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode1.md>
 
 <a name="Mode2" id="Mode2"></a>
 
@@ -109,7 +109,7 @@ Invoke-Locksmith -Mode 2
 # Script Syntax
 .\Invoke-Locksmith.ps1 -Mode 2
 ```
-Example Output for Mode 2: <https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode2.md>
+Example Output for Mode 2: <https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode2.md>
 
 <a name="Mode3" id="Mode3"></a>
 
@@ -123,7 +123,7 @@ Invoke-Locksmith -Mode 3
 # Script Syntax
 .\Invoke-Locksmith.ps1 -Mode 3
 ```
-Example Output for Mode 3: <https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode3.md>
+Example Output for Mode 3: <https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode3.md>
 
 <a name="Mode4" id="Mode4"></a>
 
@@ -138,7 +138,7 @@ Invoke-Locksmith -Mode 4
 # Script Syntax
 .\Invoke-Locksmith.ps1 -Mode 4
 ```
-Example Output for Mode 4: <https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode4.md>
+Example Output for Mode 4: <https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode4.md>
 
 <a name="Scans" id="Scans"></a>
 

Invoke-Locksmith.ps1

@@ -1164,7 +1164,15 @@ function Find-ESC5 {
         }
 
         $IssueDetail = ''
-        if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
+        $DangerousOwner = $false
+        if ( ($_.objectClass -eq 'computer') -and ($SID -match '-512$') ) {
+            $DangerousOwner = $false
+        }
+        elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
+            $DangerousOwner = $true
+        }
+
+        if ($DangerousOwner) {
             switch ($_.objectClass) {
                 container {
                     $IssueDetail = @"
@@ -1177,7 +1185,8 @@ CA objects, new templates, new OIDs, etc. to create novel escalation paths.
                     $IssueDetail = @"
 This computer is hosting a Certification Authority (CA).
 
-There is no reason for anyone other than AD Admins to have own CA host objects.
+There is no reason for anyone other than Enterprise Admins or Domain Admins to
+own CA host objects.
 "@
                 }
                 'msPKI-Cert-Template-OID' {
@@ -1197,7 +1206,7 @@ Ownership rights can be used to enable currently disabled templates.
 
 If this prinicpal also has control over a disabled certificate template (aka ESC4),
 they could modify the template into an ESC1 template and enable the certificate.
-This ensabled certificate could be use for privilege escalation and persistence.
+This enabled certificate could be use for privilege escalation and persistence.
 "@
                 }
             }

Private/Find-ESC5.ps1

@@ -87,7 +87,14 @@
         }
 
         $IssueDetail = ''
-        if ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
+        $DangerousOwner = $false
+        if ( ($_.objectClass -eq 'computer') -and ($SID -match '-512$') ) {
+            $DangerousOwner = $false
+        } elseif ( ($_.objectClass -ne 'pKICertificateTemplate') -and ($SID -notmatch $SafeOwners) ) {
+            $DangerousOwner = $true
+        }
+
+        if ($DangerousOwner) {
             switch ($_.objectClass) {
                 container {
                     $IssueDetail = @"
@@ -100,7 +107,8 @@ CA objects, new templates, new OIDs, etc. to create novel escalation paths.
                     $IssueDetail = @"
 This computer is hosting a Certification Authority (CA).
 
-There is no reason for anyone other than AD Admins to have own CA host objects.
+There is no reason for anyone other than Enterprise Admins or Domain Admins to
+own CA host objects.
 "@
                 }
                 'msPKI-Cert-Template-OID' {
@@ -120,7 +128,7 @@ Ownership rights can be used to enable currently disabled templates.
 
 If this prinicpal also has control over a disabled certificate template (aka ESC4),
 they could modify the template into an ESC1 template and enable the certificate.
-This ensabled certificate could be use for privilege escalation and persistence.
+This enabled certificate could be use for privilege escalation and persistence.
 "@
                 }
             }