Private/Find-ESC17.ps1
|
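function Find-ESC17 {
    <#
    .SYNOPSIS
        Finds AD CS (Active Directory Certificate Services) certificate templates that have the ESC17 issue.

    .DESCRIPTION
        Takes an array of AD CS objects and keeps the certificate templates that:
          - carry an EKU matching -ServerAuthEKUs,
          - let the enrollee supply the subject (msPKI-Certificate-Name-Flag bit 1),
          - do not require Manager Approval (msPKI-Enrollment-Flag bit 2 is clear), and
          - require no authorized signatures (msPKI-RA-Signature is 0 or not set).

        For every access control entry on such a template whose SID does not match -SafeUsers and that
        grants GenericAll, or an ExtendedRight on the Certificate-Enrollment right or on all extended
        rights, one custom object is emitted with the properties Forest, Name, DistinguishedName,
        IdentityReference, IdentityReferenceSID, ActiveDirectoryRights, Enabled, EnabledOn, Issue, Fix,
        Revert, and Technique.

        The Fix and Revert properties are PowerShell snippets as text. They set or clear only the
        Manager Approval bit and keep every other bit of msPKI-Enrollment-Flag as it is at the time the
        snippet runs.

    .PARAMETER ADCSObjects
        Specifies the array of ADCS objects to be processed. This parameter is mandatory.

    .PARAMETER SafeUsers
        Regular expression matched against the SID of each principal. Principals whose SID matches are
        allowed to hold enrollment rights and are not reported. This parameter is mandatory.

    .PARAMETER ServerAuthEKUs
        Regular expression of EKU OIDs that can be used for server authentication. This parameter is mandatory.

    .PARAMETER Mode
        Mandatory, but currently only referenced by commented-out remediation code in this function.

    .PARAMETER UnsafeUsers
        Passed through to Set-RiskRating together with -SafeUsers. This parameter is mandatory.

    .PARAMETER SkipRisk
        When set, Set-RiskRating is not called for the issues that are found.

    .OUTPUTS
        One custom object per matching template / access control entry pair.

    .EXAMPLE
        $Targets = Get-Target
        $ADCSObjects = Get-ADCSObject -Targets $Targets
        $SafeUsers = '-512$|-519$|-544$|-18$|-517$|-500$|-516$|-521$|-498$|-9$|-526$|-527$|S-1-5-10'
        $UnsafeUsers = '-513$|-515$'   # illustrative pattern, constructed for this example
        $ServerAuthEKUs = '1\.3\.6\.1\.5\.5\.7\.3\.1'
        $Results = Find-ESC17 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ServerAuthEKUs $ServerAuthEKUs -Mode 1 -UnsafeUsers $UnsafeUsers
        $Results
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [Microsoft.ActiveDirectory.Management.ADEntity[]]$ADCSObjects,
        [Parameter(Mandatory)]
        [string]$SafeUsers,
        [Parameter(Mandatory)]
        $ServerAuthEKUs,
        [Parameter(Mandatory)]
        [int]$Mode,
        [Parameter(Mandatory)]
        [string]$UnsafeUsers,
        [switch]$SkipRisk
    )

    $ADCSObjects | Where-Object {
        ($_.objectClass -eq 'pKICertificateTemplate') -and
        ($_.pkiExtendedKeyUsage -match $ServerAuthEKUs) -and
        ($_.'msPKI-Certificate-Name-Flag' -band 1) -and      # enrollee supplies the subject
        !($_.'msPKI-Enrollment-Flag' -band 2) -and           # Manager Approval not required
        ( ($_.'msPKI-RA-Signature' -eq 0) -or ($null -eq $_.'msPKI-RA-Signature') )
    } | ForEach-Object {
        # The DistinguishedName is directory data and ends up inside a single-quoted literal in the
        # generated Fix/Revert snippets. Escape quote characters so a template name containing one
        # cannot terminate the literal and alter the snippet an administrator later runs.
        $QuotedDN = [System.Management.Automation.Language.CodeGeneration]::EscapeSingleQuotedStringContent([string]$_.DistinguishedName)

        foreach ($entry in $_.nTSecurityDescriptor.Access) {
            $Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
            if ($Principal -match '^(S-1|O:)') {
                # Already a SID (or SDDL owner string); use it as-is.
                $SID = $Principal
            } else {
                # NOTE(review): Translate() throws for names that cannot be resolved; under the default
                # error preference $SID would then keep the previous entry's value. Confirm with callers.
                $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
            }

            # 0e10c968-... is the Certificate-Enrollment extended right; the all-zero GUID means
            # "all extended rights".
            $CanEnroll = (
                ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
                ($entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000')
            ) -or ($entry.ActiveDirectoryRights -match 'GenericAll')

            if ( ($SID -notmatch $SafeUsers) -and $CanEnroll ) {
                $Issue = [pscustomobject]@{
                    Forest                = $_.CanonicalName.split('/')[0]
                    Name                  = $_.Name
                    DistinguishedName     = $_.DistinguishedName
                    IdentityReference     = $entry.IdentityReference
                    IdentityReferenceSID  = $SID
                    ActiveDirectoryRights = $entry.ActiveDirectoryRights
                    Enabled               = $_.Enabled
                    EnabledOn             = $_.EnabledOn
                    Issue                 = @"
$($entry.IdentityReference) can provide a Subject Alternative Name (SAN) while
enrolling in this Server Authentication template, and enrollment does not require
Manager Approval.

The resultant certificate can be used by an attacker to impersonate servers and
perform Machine-in-the-Middle Attacks

More info:
  - https://trustedsec.com/blog/wsus-is-sus-ntlm-relay-attacks-in-plain-sight
  - https://blog.digitrace.de/2026/01/using-adcs-to-attack-https-enabled-wsus-clients/

"@
                    Fix                   = @"
# Enable Manager Approval (set bit 2) without clearing the template's other enrollment flags
`$Object = '$QuotedDN'
`$Flags = (Get-ADObject `$Object -Properties 'msPKI-Enrollment-Flag').'msPKI-Enrollment-Flag'
Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = (`$Flags -bor 2)}
"@
                    Revert                = @"
# Disable Manager Approval (clear bit 2) without clearing the template's other enrollment flags
`$Object = '$QuotedDN'
`$Flags = (Get-ADObject `$Object -Properties 'msPKI-Enrollment-Flag').'msPKI-Enrollment-Flag'
Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = (`$Flags -band (-bnot 2))}
"@
                    Technique             = 'ESC17'
                }

                if ($SkipRisk -eq $false) {
                    Set-RiskRating -ADCSObjects $ADCSObjects -Issue $Issue -SafeUsers $SafeUsers -UnsafeUsers $UnsafeUsers
                }

                # Remediation hook, currently disabled:
                # if ( $Mode -in @(1, 3, 4) ) {
                #     Update-ESC1Remediation -Issue $Issue
                # }

                $Issue
            }
        }
    }
}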