v2025.9.8

This PR solves one issue:

• False positives in ESC1 as identified by @vilacham in two articles: The Schrödinger’s ESC1 Vulnerability & The Schrödinger’s ESC1 Vulnerability: Benchmark Update. The new detection logic has been applied to all template-based ESCs.

Additionally, the PR improves the following functionality:

• Previously, when template-based ESCs were identified along with 1+ ESC5 issues on the Certification Authority object itself, Locksmith would only raise the risk score by one point, regardless of how many principals could abuse this configuration. This release adds some granularity to this additional risk.

There were also some minor wording changes. Thanks, Copilot!

What's Changed

• Patches and Lint Removal by @SamErde in #251
• Syncing testing to main by @jakehildreth in #252
• Fix anchor and TOC hyperlink by @SamErde in #253
• Sync testing w/Main by @jakehildreth in #254
• Resolve permissions issue in Deploy MkDocs.yml by @SamErde in #259
• Added description about ESC by @andrePKI in #258
• Updates The Arose From a Demo by @jakehildreth in #260
• fix: new logic should resolve ESC1 false positives. by @jakehildreth in #262
• fix: applied updated ESC1 detection logic to other template-based ESCs by @jakehildreth in #264
• 2025.9.8 - Reduced False Positives! by @jakehildreth in #265

New Contributors

• @andrePKI made their first contribution in #258
• @vilacham provided the impetus to get this release out the door.

Full Changelog: v2025.5.26...v2025.9.8

v2025.5.26

What's Changed

• Add ESC7 Checks by @jakehildreth in #246
• ESC16 detections by @jakehildreth in #247
• Enhance error handling in Get-CAHostObject and Find-ESC7 scripts by @rebelinux in #248
• Add ESC9 and Improve Risk Ratings by @jakehildreth in #249
• 2025.5.26 Release by @jakehildreth in #250

Full Changelog: v2025.4.20...v2025.5.26

v2025.4.20

What's Changed

• Update mode examples by @emmanuel-ferdman in #235
• Sync main to testing by @SamErde in #236
• Update Deploy MkDocs.yml by @SamErde in #239
• Minor update and fix pre-merge script block by @SamErde in #238
• Update Deploy MkDocs.yml by @SamErde in #242
• Unable to scan Forest with child domains by @rebelinux in #241
• Sync main to testing by @SamErde in #243
• Fix Issue #240 with updated URL by @jakehildreth in #244
• 2025.04.20 Release Build Thing by @jakehildreth in #245

New Contributors

• @emmanuel-ferdman made their first contribution in #235
• @rebelinux made their first contribution in #241

Full Changelog: v2025.2.22...v2025.4.20

v2025.2.22

What's Changed

• Lint Remover by @SamErde in #214
• Update Deploy MkDocs.yml by @SamErde in #216
• Move examples and update hyperlinks by @SamErde in #215
• Push repository workflow and linting improvements to main by @SamErde in #217
• Clean up quotation marks (#220) by @jakehildreth in #222
• Resolve #221 by @jakehildreth in #223
• New release with updated URLs by @jakehildreth in #224
• Bugfix for ESC8 Check by @brokenvhs in #227
• Domain Admins w/ Ownership of CA Host Object Is Not a Risk! by @jakehildreth in #231
• It's been a while since we did a release, so why not!? by @jakehildreth in #232
• Add Risk-related Fields to CSV Outputs by @jakehildreth in #233
• Testing to Main for Release Prep by @jakehildreth in #234

Full Changelog: v2025.1.1...v2025.2.22

v2025.1.1

New Year, New Features!

Hello, friends!

It's now 2025 which is officially the future. And in the future, your open-source AD CS auditing tools should provide risk ratings for their findings. So... that's what you're getting with this release of Locksmith!

Risk Ratings

Every identified issue includes a risk score which maps to a risk level according to the following scale:

• 0-1: Informational
• 2: Low
• 3: Medium
• 4: High
• 5+: Critical

Note: These ratings are mostly correct, but assigning risk to highly complex systems is highly complex. 🤷 Expect more tuning in the future. But if you run Locksmith with no parameters defined or -Mode 0 and you see a risk rating that doesn't make sense to you, try -Mode 1. This mode includes a full breakdown of the risk score so you can better understand it.

More Interactive

Another new addition: in Modes 1, 3, and 4 Locksmith will ask you questions whenever it discovers an ESC1. These questions will help Locksmith provide customized remediation for your specific use case.

DevOps?

Additionally, @SamErde is now the official Locksmith CI/CD wizard! His first task as wizard was to automate the creation of an MkDocs site for Locksmith. You can check it out at its temporary home, but don't get too attached to that URI as it will be moving in the future.

More Community!

Finally, we had a few new contributors in this release:

• @JimSycurity made their first contribution in #185
• @brokenvhs made their first contribution in #201

Thanks for finding and fixing stuff, folks!

Until Next Release!
@TrimarcJake (Jake Hildreth)

Full Changelog: v2024.11.11...v2025.1.1

v2024.11.11

What's Changed

• Sync branch by @TrimarcJake in #180
• Update Invoke-Scans.ps1 by @SamErde in #181

Full Changelog: v2024.11.10...v2024.11.11

v2024.11.10

What's Changed

• Catchup by @TrimarcJake in #173
• Catchup by @TrimarcJake in #174
• PS7 Versions of Detections Never PRed into testing or main. Oops. by @TrimarcJake in #175
• Added logic to prevent custom C# type from being added twice by @TrimarcJake in #176
• linkfix and add Prerequisites by @ruppde in #169
• ESC11 Detections by @TrimarcJake in #177
• ESC13 Detections and Issue Description Improvements. by @TrimarcJake in #178
• Accelerated Release Schedule in Preparation for Antisyphon Training by @TrimarcJake in #179

New Contributors

• @ruppde made their first contribution in #169

Full Changelog: v2024.10...v2024.11.10

v2024.10

What's Changed

• Correction for console display of ending message by @mrhousz in #152
• Use placeholder for version in script source by @SamErde in #154
• Update issue templates by @SamErde in #156
• Fix ESC8 False Negatives by @TrimarcJake in #155
• Update issue templates by @TrimarcJake in #157
• Code quality updates for 2024.9 by @SamErde in #159
• PSScriptAnalyzer code quality updates by @SamErde in #160
• Implement the OutputPath variable by @SamErde in #158
• Improve ESC3 Condition 2 detections by @TrimarcJake in #162
• Fixing Typos Created By @techspence by @TrimarcJake in #164
• 2024.10 Release by @TrimarcJake in #165

New Contributors

• @mrhousz made their first contribution in #152

Full Changelog: v2024.8...v2024.10

v2024.8

We're back!

Hello, friends! Locksmith is not dead, but the core team has been poking at it a little more slowly and deliberately than usual. This has resulted in a slower release cadence but a more usable and trustworthy product (hopefully.)

Additionally, more people outside of the Locksmith core team are submitting issues and PRs. Sometimes, these issues take a while to replicate and investigate, but we wouldn't have it any other way. 😄 Thanks for your submissions and contributions, folks!

Bug Fixes:

• Fixed typo in Private/Test-IsADAdmin.ps1 (submitted by @jracz18, fixed by @TrimarcJake)
• Eliminated false positives on expected rights in ESC4/5 checks (submitted by @mfgjwaterman, fixed by @TrimarcJake)
• Eliminated false negatives when used in PS7 due to Missing Microsoft.PowerShell.Security Module (submitted by @mrhousz, fixed by @SamErde)
• Eliminated false negatives when safe groups are empty (submitted and fixed by @techBrandon)
• Converted ESC1-3 checks from -eq checks to -band checks to improve identification of those issues. (found and fixed by @TrimarcJake)

Enhancements:

• Improved ESC4 remediation code to recreate Enroll/AutoEnroll ExtendedRight when needed. (suggested by @vegaeny, completed by @TrimarcJake)
• Converted all fixes to here-strings (@TrimarcJake)
• Minor grammar/formatting cleanup (@SamErde, @TrimarcJake)
• Updated criticality flowcharts (@TrimarcJake)
• Improved comments and comment-based help (@SamErde, @TrimarcJake)

v2024.3

A Little Icing but Mostly Cake

Cake: Fixing bugs, adding new functionality
Icing: Making things look better for the end user or easier to use for developers

Improvements:

• Eliminated duplicated ownership check in ESC4/5. We can and should have opinions, and the opinion is that only AD Admins should own PKS objects and templates. (Cake, @TrimarcJake)
• Filtered Deny ACEs from ESC4/5. This is not an Effective Access check, but it does cut down on false positives. (Cake, @TrimarcJake)
• Added flowcharts that explain severity for each finding. (Icing, @TrimarcJake)
• Added comment-based help to every function. (Icing, @TrimarcJake and Copilot)
• Added instructions for Scans parameter to the README. (Icing, @SamErde)

In Progress:

• Check to see if Locksmith is up to date. Provide links for latest version if not up to date. (Icing, @SamErde)
• Check to see if user running Locksmith is a member of the Protected Users group. PUG membership will impact ESC8 checks. (Cake, @SamErde)
• Check for ESC9. It was announced in August 2022, so Locksmith is late to the game. (Cake, @SamErde)

Known Issues:

• msPKI-Certificate-Name-Flag check in ESC1-3 currently uses a direct comparison (-eq) instead of a bitwise comparison (-band) which could result in false negatives.