
Conversation

@rebelinux
Contributor

  • Improved error handling in the Get-CAHostObject and Find-ESC7 scripts by verifying the presence of CAHostDistinguishedName before retrieving AD objects.

I did not modify the Invoke-Locksmith.ps1 file because my editor automatically changes the spacing between 'if' and 'else'. I'm unsure if this is a bug or if the file does not adhere to the specified formatting option.

"powershell.codeFormatting.preset": "OTBS".

Before fix:

PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith> Invoke-Locksmith -Scans ESC7 -Verbose
    _       _____  _______ _     _ _______ _______ _____ _______ _     _
    |      |     | |       |____/  |______ |  |  |   |      |    |_____|
    |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |
        .--.                  .--.                  .--.
       /.-. '----------.     /.-. '----------.     /.-. '----------.
       \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'
        '--'                  '--'                  '--'
                                                          v<ModuleVersion>
Gathering AD CS Objects from pharmax.local...
WARNING: Unable to resolve pharmax-CAYEY-DC-01V-CA Fully Qualified Domain Name (FQDN)
Get-ADObject : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith\Private\Get-CAHostObject.ps1:47 char:30
+                 Get-ADObject $_.CAHostDistinguishedName -Properties * ...
+                              ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADObject
 
Identifying Issuing CAs with ESC7...
Exception calling "Translate" with "1" argument(s): "The trust relationship between the primary domain and the trusted domain failed.
"
At C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith\Private\Convert-IdentityReferenceToSid.ps1:33 char:9
+         $SID = ($Principal.Translate([System.Security.Principal.Secur ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SystemException
 
Exception calling "Translate" with "1" argument(s): "The trust relationship between the primary domain and the trusted domain failed.
"
At C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith\Private\Convert-IdentityReferenceToSid.ps1:33 char:9
+         $SID = ($Principal.Translate([System.Security.Principal.Secur ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SystemException

05/19/2025 14:54:52 : No ADCS issues were found.
PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith> 

After fix:

PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith> Invoke-Locksmith -Scans ESC7 -Verbose
    _       _____  _______ _     _ _______ _______ _____ _______ _     _
    |      |     | |       |____/  |______ |  |  |   |      |    |_____|
    |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |
        .--.                  .--.                  .--.
       /.-. '----------.     /.-. '----------.     /.-. '----------.
       \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'
        '--'                  '--'                  '--'
                                                          v<ModuleVersion>
Gathering AD CS Objects from pharmax.local...
WARNING: Unable to resolve pharmax-CAYEY-DC-01V-CA Fully Qualified Domain Name (FQDN)
WARNING: Get-CAHostObject: Unable to get information from pharmax-CAYEY-DC-01V-CA
Identifying Issuing CAs with ESC7...
----------------------------------------
     ESC7 - Non-standard PKI Admins     
----------------------------------------

Technique CA Name                  Risk   Issue
--------- -------                  ----   -----
ESC7      pharmax-SERVER-DC-01V-CA Medium Unexpected prinicipals (NT AUTHORITY\Authenticated Users) are granted "CA Administrator" rights on this Certification Authority.
                                          Unexpected prinicipals (NT AUTHORITY\Authenticated Users) are granted "Certificate Manager" rights on this Certification Authority.

                                          More info:
                                            - https://posts.specterops.io/certified-pre-owned-d95910965cd2



[!] You ran Locksmith in Mode 0 which only provides an high-level overview of issues
identified in the environment. For more details including:

  - DistinguishedName of impacted object(s)
  - Remediation guidance and/or code
  - Revert guidance and/or code (in case remediation breaks something!)

Run Locksmith in Mode 1!

# Module version
Invoke-Locksmith -Mode 1

# Script version
.\Invoke-Locksmith.ps1 -Mode 1

Thank you for using Locksmith <3

…hecking for CAHostDistinguishedName before retrieving AD objects.
@jakehildreth
Owner

DUDE. You're a beast. I'll look at this later tonight.

@rebelinux
Contributor Author

It also produced incorrect results in ESC16 when the CA was unavailable.

PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith> Invoke-Locksmith -Scans ESC16 -Verbose
    _       _____  _______ _     _ _______ _______ _____ _______ _     _
    |      |     | |       |____/  |______ |  |  |   |      |    |_____|
    |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |
        .--.                  .--.                  .--.
       /.-. '----------.     /.-. '----------.     /.-. '----------.      
       \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'      
        '--'                  '--'                  '--'
                                                          v<ModuleVersion>
Gathering AD CS Objects from pharmax.local...
WARNING: Unable to resolve pharmax-CAYEY-DC-01V-CA Fully Qualified Domain Name (FQDN)
Get-ADObject : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith\Private\Get-CAHostObject.ps1:47 char:30
+                 Get-ADObject $_.CAHostDistinguishedName -Properties * ...
+                              ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADObject
 
Identifying Issuing CAs with szOID_NTDS_CA_SECURITY_EXT disabled (ESC16)...
---------------------------------------------------------------
     ESC16 - szOID_NTDS_CA_SECURITY_EXT Extension Disabled     
---------------------------------------------------------------

Technique CA Name                 Risk   Issue
--------- -------                 ----   -----
ESC16     pharmax-CAYEY-DC-01V-CA Medium **CA Unavailable**


[!] You ran Locksmith in Mode 0 which only provides an high-level overview of issues
identified in the environment. For more details including:

  - DistinguishedName of impacted object(s)
  - Remediation guidance and/or code
  - Revert guidance and/or code (in case remediation breaks something!)

Run Locksmith in Mode 1!

# Module version
Invoke-Locksmith -Mode 1

# Script version
.\Invoke-Locksmith.ps1 -Mode 1

Thank you for using Locksmith <3

PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith>
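An added example, not Locksmith's own code, of the two behaviours discussed in this PR: skipping the AD lookup when CAHostDistinguishedName was never populated (instead of letting Get-ADObject fail on a null Identity), and keeping a CA that could not be inspected out of the ESC16 findings instead of reporting it as a Medium issue. The function names, the -Lookup parameter and the SecurityExtensionDisabled property are hypothetical, and the CA list is constructed so the block runs without a domain.

```powershell
function Get-CAHostObjectSafe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $ADCSObjects,
        # Hypothetical injection point: defaults to the real AD lookup,
        # the demo below passes an in-memory table instead.
        [scriptblock] $Lookup = { param($dn) Get-ADObject $dn -Properties * }
    )
    foreach ($ca in $ADCSObjects) {
        if ([string]::IsNullOrWhiteSpace($ca.CAHostDistinguishedName)) {
            # The FQDN did not resolve earlier, so no DN exists: warn and skip
            # rather than calling Get-ADObject with a null -Identity.
            Write-Warning "Get-CAHostObject: Unable to get information from $($ca.Name)"
            continue
        }
        $hostObj = & $Lookup $ca.CAHostDistinguishedName
        if ($null -eq $hostObj) {
            Write-Warning "Get-CAHostObject: No AD object found for $($ca.CAHostDistinguishedName)"
            continue
        }
        [pscustomobject]@{ CA = $ca; Host = $hostObj }
    }
}

function Find-ESC16Safe {
    param([Parameter(Mandatory)] [object[]] $ResolvedCAs)
    foreach ($entry in $ResolvedCAs) {
        # Only a CA whose host object was actually retrieved can become a finding;
        # an unavailable CA was already warned about and is not in this list.
        if ($entry.CA.SecurityExtensionDisabled) {
            [pscustomobject]@{
                Technique = 'ESC16'; 'CA Name' = $entry.CA.Name; Risk = 'Medium'
                Issue = 'szOID_NTDS_CA_SECURITY_EXT is disabled on this CA.'
            }
        }
    }
}

# Constructed sample: one CA with a resolvable host, one whose FQDN never resolved.
$sampleCAs = @(
    [pscustomobject]@{ Name = 'corp-SERVER-CA'; CAHostDistinguishedName = 'CN=SERVER,OU=Servers,DC=corp,DC=example'; SecurityExtensionDisabled = $true }
    [pscustomobject]@{ Name = 'corp-UNREACHABLE-CA'; CAHostDistinguishedName = $null; SecurityExtensionDisabled = $true }
)
# Constructed stand-in for AD: DN -> object.
$fakeAD = @{ 'CN=SERVER,OU=Servers,DC=corp,DC=example' = [pscustomobject]@{ Name = 'SERVER'; ObjectClass = 'computer' } }

$resolved = Get-CAHostObjectSafe -ADCSObjects $sampleCAs -Lookup { param($dn) $fakeAD[$dn] }
# Expected: one warning for corp-UNREACHABLE-CA and a single ESC16 row for corp-SERVER-CA.
Find-ESC16Safe -ResolvedCAs $resolved | Format-Table -AutoSize
```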

@jakehildreth
Owner

Do you mind syncing your branch with the testing branch? There were a few updates that you are missing.

@rebelinux
Contributor Author

Done!

@jakehildreth jakehildreth left a comment


Hmmmm, still not synced, but that's okay. It's only like 3 lines, so i'll do the work. Thank you for your PR!

@jakehildreth jakehildreth merged commit 7951bfb into jakehildreth:testing May 20, 2025
4 checks passed
@jakehildreth jakehildreth mentioned this pull request May 20, 2025