Skip to content

2025.9.8 - Reduced False Positives!#265

Merged
jakehildreth merged 14 commits intomainfrom
testing
Sep 11, 2025
Merged

2025.9.8 - Reduced False Positives!#265
jakehildreth merged 14 commits intomainfrom
testing

Conversation

@jakehildreth
Copy link
Owner

@jakehildreth jakehildreth commented Sep 11, 2025

This PR solves one issue:

Additionally, the PR improves the following functionality:

  • Previously, when template-based ESCs were identified along with 1+ ESC5 issues on the Certification Authority object itself, Locksmith would only raise the risk score by one point, regardless of how many principals could abuse this configuration. This release adds some granularity to this additional risk.

jakehildreth and others added 13 commits May 28, 2025 12:52
@jakehildreth
Merge pull request #254 from jakehildreth/main
ed6bfa2 
Sync testing w/Main
@jakehildreth
feat: improved risk ratings for template + ESC5 issues
601123b
@jakehildreth
chore: gardening. improved outro message, less complex dangerous rights
dbbe652
@jakehildreth
chore: fresh build
7cb25fc
@SamErde
Merge pull request #260 from jakehildreth/updates-from-semperis-demo
fa382c7 
Updates The Arose From a Demo
@jakehildreth
fix: new logic should resolve ESC1 false positives.
ae0a35c
@jakehildreth
fix: remove false negative when AllExtendedRights is granted on an ES…
1c8e193 
…C1 template
@SamErde
Merge pull request #262 from jakehildreth/fix-esc1-false-positives
0c9cd49 
fix: new logic should resolve ESC1 false positives.
@jakehildreth
fix: applied updated ESC1 detection logic to other template-based ESCs
149e0a5
@jakehildreth
Update Invoke-Locksmith.ps1
02cde02 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jakehildreth
Update Private/Find-ESC16.ps1
5a63da4 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jakehildreth
Update Private/Find-ESC13.ps1
c4dc429 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jakehildreth
Breakin' the law \m/
1f76288 
fix: applied updated ESC1 detection logic to other template-based ESCs
Copilot AI reviewed Sep 11, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses false positives in ESC vulnerability detection by refining the logic to check specific object types for Extended Rights permissions, as identified in research by @vilacham. The updated detection logic requires that Extended Rights permissions must be accompanied by specific object type GUIDs (Enroll or All) to qualify as vulnerabilities, reducing false positives across all template-based ESC checks.

  • Updated ESC detection logic to validate Extended Rights permissions against specific object type GUIDs
  • Enhanced ESC5 risk scoring to add granularity for individual principals beyond groups
  • Updated timeout values and improved code formatting consistency

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
Public/Invoke-Locksmith.ps1 Updates version number, dangerous rights pattern, timeout message formatting, and GitHub link
Private/Set-RiskRating.ps1 Adds risk scoring for individual principals in ESC5 scenarios
Private/Set-AdditionalCAProperty.ps1 Reduces timeout values and removes commented code
Private/Find-ESC*.ps1 files Implements refined Extended Rights detection logic with object type validation
Locksmith.psm1 Minor code style improvements with consistent casing
Locksmith.psd1 Updates module version to 2025.9.8
Invoke-Locksmith.ps1 Applies same detection logic updates and formatting improvements as module files

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Public/Invoke-Locksmith.ps1
# GenericAll, WriteDacl, and WriteOwner all permit full control of an AD object.
# WriteProperty may or may not permit full control depending the specific property and AD object type.
$DangerousRights = 'GenericAll|WriteDacl|WriteOwner|WriteProperty'
$DangerousRights = 'GenericAll|Write'
Copy link

Copilot AI Sep 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The regex pattern 'Write' is overly broad and will match unintended permissions like 'WriteExtendedAttributes' or 'WriteValidatedWrite'. Consider using more specific patterns like 'WriteDacl|WriteOwner|WriteProperty' to avoid false positives.

Suggested change
$DangerousRights = 'GenericAll|Write'
$DangerousRights = 'GenericAll|WriteDacl|WriteOwner|WriteProperty'

Copilot uses AI. Check for mistakes.
@jakehildreth
Update Private/Find-ESC16.ps1
3fa75b6 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jakehildreth jakehildreth merged commit 1a69d51 into main Sep 11, 2025
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jakehildreth @SamErde