
Conversation

@jakehildreth
Owner

I believe this simple logic change should resolve #261.

@vilacham - if you have a moment, can you test this in your Terraform/GCP lab?


@vilacham

vilacham commented Sep 8, 2025

@jakehildreth I tested this in my lab. Good news: the fix removes the false positives when a non-Enroll Control Access GUID is present. However, it introduces false negatives by missing valid ESC1 cases where enrollment is granted via a standard ACCESS_ALLOWED_ACE with control access bit set in the access mask (rule 2 per MS-CRTD).

Minimal change: include the zeroed GUID alongside the enroll GUID by replacing the content of line 268 in Invoke-Locksmith.ps1 and line 61 in Private/Find-ESC1.ps1 (ObjectType check) with:

( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and ( ($entry.ObjectType -eq '0e10c968-78fb-11d2-90d4-00c04f79dc55') -or ($entry.ObjectType -eq '00000000-0000-0000-0000-000000000000') ) ) -or

This small check for the zeroed GUID keeps the false positives out while preventing the new false negatives, and it aligns fully with Microsoft’s documentation. I can re-run the lab tests after the change.
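The three versions of the ExtendedRight check this thread walks through (the pre-PR check as described in the PR overview, the first commit's Enroll-GUID-only check, and the merged check that also accepts the zeroed GUID), as an added example that is not Locksmith's own code; the ACE objects and the non-Enroll GUID are constructed placeholders, and the property names mirror .NET ActiveDirectoryAccessRule as the fragment above reads them.

```powershell
# Added example, not Locksmith's own code: the three versions of the ExtendedRight check
# discussed in this thread, run over constructed ACE-like objects. Property names mirror
# .NET ActiveDirectoryAccessRule (ActiveDirectoryRights, ObjectType) as Locksmith reads them.
$EnrollGuid = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment control access right
$AllGuid    = '00000000-0000-0000-0000-000000000000'   # unscoped ACE: covers every extended right

function Test-EnrollExtendedRight {
    param(
        [Parameter(Mandatory)] $Entry,
        [ValidateSet('Before', 'EnrollGuidOnly', 'Fixed')] [string] $Version = 'Fixed'
    )
    $HasExtendedRight = [bool]($Entry.ActiveDirectoryRights -match 'ExtendedRight')
    $IsEnrollGuid     = $Entry.ObjectType -eq $EnrollGuid
    $IsAllGuid        = $Entry.ObjectType -eq $AllGuid
    switch ($Version) {
        # Before the PR (per the PR overview): any ExtendedRight ACE was flagged, so a
        # non-Enroll control access right produced a false positive.
        'Before'         { return $HasExtendedRight }
        # First commit of the PR: Enroll GUID only, which misses unscoped ACEs (false negative).
        'EnrollGuidOnly' { return ($HasExtendedRight -and $IsEnrollGuid) }
        # Merged logic: Enroll GUID or the zeroed GUID (MS-CRTD rule 2).
        'Fixed'          { return ($HasExtendedRight -and ($IsEnrollGuid -or $IsAllGuid)) }
    }
}

# Constructed sample ACEs; the 'Other control GUID' value is a placeholder, not a real right.
$SampleAces = @(
    [pscustomobject]@{ Case = 'Enroll GUID';        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $EnrollGuid }
    [pscustomobject]@{ Case = 'Zeroed GUID';        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $AllGuid }
    [pscustomobject]@{ Case = 'Other control GUID'; ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ Case = 'ReadProperty only';  ActiveDirectoryRights = 'ReadProperty';  ObjectType = $AllGuid }
)

# One row per ACE, one column per version of the check.
$SampleAces | ForEach-Object {
    [pscustomobject]@{
        Case           = $_.Case
        Before         = Test-EnrollExtendedRight -Entry $_ -Version Before
        EnrollGuidOnly = Test-EnrollExtendedRight -Entry $_ -Version EnrollGuidOnly
        Fixed          = Test-EnrollExtendedRight -Entry $_ -Version Fixed
    }
} | Format-Table -AutoSize
```

In the resulting table the 'Other control GUID' row is flagged only by Before (the false positive) and the 'Zeroed GUID' row is missed only by EnrollGuidOnly (the false negative), while Fixed flags exactly the two enrollment-granting ACEs.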

@jakehildreth
Owner Author

Thank you, friend! This is fantastic feedback. I will update the logic on Find-ESC1 shortly then apply the same logic to all template issues that require Enroll rights.

@jakehildreth
Owner Author

@vilacham How's this update look?

@jakehildreth jakehildreth requested a review from Copilot September 8, 2025 10:16
Contributor

Copilot AI left a comment


Pull Request Overview

This PR fixes false positives in the ESC1 vulnerability detection by adding a more specific check for the ExtendedRight permission to only flag the certificate enrollment right (0e10c968-78fb-11d2-90d4-00c04f79dc55) or all object types (00000000-0000-0000-0000-000000000000). The change also updates the module version.

  • Enhanced ESC1 detection logic to reduce false positives by checking specific ObjectType GUIDs for ExtendedRight permissions
  • Updated module version from 2025.8.25 to 2025.9.8

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File                    Description
Private/Find-ESC1.ps1   Added ObjectType GUID validation for ExtendedRight permissions to prevent false positives
Locksmith.psd1          Updated module version number
Invoke-Locksmith.ps1    Applied same ESC1 logic fix and updated version number

Collaborator

@SamErde SamErde left a comment


Nice work, @jakehildreth and @vilacham!

@SamErde SamErde merged commit 0c9cd49 into testing Sep 8, 2025
6 checks passed
@vilacham

vilacham commented Sep 8, 2025

@jakehildreth @SamErde Tested the updated version; no ESC1 false positives or false negatives.


@jakehildreth jakehildreth deleted the fix-esc1-false-positives branch September 8, 2025 13:34