Releases: jakehildreth/Locksmith

v2025.1.1

01 Jan 16:14
0319732

New Year, New Features!

Hello, friends!

It's now 2025 which is officially the future. And in the future, your open-source AD CS auditing tools should provide risk ratings for their findings. So... that's what you're getting with this release of Locksmith!

Risk Ratings

Every identified issue includes a risk score which maps to a risk level according to the following scale:

  • 0-1: Informational
  • 2: Low
  • 3: Medium
  • 4: High
  • 5+: Critical

Note: These ratings are mostly correct, but assigning risk to highly complex systems is highly complex. 🤷 Expect more tuning in the future. But if you run Locksmith with no parameters defined or -Mode 0 and you see a risk rating that doesn't make sense to you, try -Mode 1. This mode includes a full breakdown of the risk score so you can better understand it.

More Interactive

Another new addition: in Modes 1, 3, and 4 Locksmith will ask you questions whenever it discovers an ESC1. These questions will help Locksmith provide customized remediation for your specific use case.

DevOps?

Additionally, @SamErde is now the official Locksmith CI/CD wizard! His first task as wizard was to automate the creation of an MkDocs site for Locksmith. You can check it out at its temporary home, but don't get too attached to that URI as it will be moving in the future.

More Community!

Finally, we had a few new contributors in this release:

Thanks for finding and fixing stuff, folks!

Until Next Release!
@TrimarcJake (Jake Hildreth)

Full Changelog: v2024.11.11...v2025.1.1

v2024.11.11

13 Nov 13:37

What's Changed

  • Sync branch by @TrimarcJake in #180
  • Update Invoke-Scans.ps1 by @SamErde in #181

Full Changelog: v2024.11.10...v2024.11.11

v2024.11.10

10 Nov 15:10

What's Changed

  • Catchup by @TrimarcJake in #173
  • Catchup by @TrimarcJake in #174
  • PS7 Versions of Detections Never PRed into testing or main. Oops. by @TrimarcJake in #175
  • Added logic to prevent custom C# type from being added twice by @TrimarcJake in #176
  • linkfix and add Prerequisites by @ruppde in #169
  • ESC11 Detections by @TrimarcJake in #177
  • ESC13 Detections and Issue Description Improvements. by @TrimarcJake in #178
  • Accelerated Release Schedule in Preparation for Antisyphon Training by @TrimarcJake in #179

Full Changelog: v2024.10...v2024.11.10

v2024.10

05 Oct 11:56
252b050

What's Changed

  • Correction for console display of ending message by @mrhousz in #152
  • Use placeholder for version in script source by @SamErde in #154
  • Update issue templates by @SamErde in #156
  • Fix ESC8 False Negatives by @TrimarcJake in #155
  • Update issue templates by @TrimarcJake in #157
  • Code quality updates for 2024.9 by @SamErde in #159
  • PSScriptAnalyzer code quality updates by @SamErde in #160
  • Implement the OutputPath variable by @SamErde in #158
  • Improve ESC3 Condition 2 detections by @TrimarcJake in #162
  • Fixing Typos Created By @techspence by @TrimarcJake in #164
  • 2024.10 Release by @TrimarcJake in #165

Full Changelog: v2024.8...v2024.10

v2024.8

03 Aug 13:12
e75bc26

We're back!

Hello, friends! Locksmith is not dead, but the core team has been poking at it a little more slowly and deliberately than usual. This has resulted in a slower release cadence but a more usable and trustworthy product (hopefully.)

Additionally, more people outside of the Locksmith core team are submitting issues and PRs. Sometimes, these issues take a while to replicate and investigate, but we wouldn't have it any other way. 😄 Thanks for your submissions and contributions, folks!

Bug Fixes:

  • Fixed typo in Private/Test-IsADAdmin.ps1 (submitted by @jracz18, fixed by @TrimarcJake)
  • Eliminated false positives on expected rights in ESC4/5 checks (submitted by @mfgjwaterman, fixed by @TrimarcJake)
  • Eliminated false negatives when used in PS7 due to Missing Microsoft.PowerShell.Security Module (submitted by @mrhousz, fixed by @SamErde)
  • Eliminated false negatives when safe groups are empty (submitted and fixed by @techBrandon)
  • Converted ESC1-3 checks from -eq checks to -band checks to improve identification of those issues. (found and fixed by @TrimarcJake)

Enhancements:

  • Improved ESC4 remediation code to recreate Enroll/AutoEnroll ExtendedRight when needed. (suggested by @vegaeny, completed by @TrimarcJake)
  • Converted all fixes to here-strings (@TrimarcJake)
  • Minor grammar/formatting cleanup (@SamErde, @TrimarcJake)
  • Updated criticality flowcharts (@TrimarcJake)
  • Improved comments and comment-based help (@SamErde, @TrimarcJake)

v2024.3

03 Mar 12:35
ed5bcb7

A Little Icing but Mostly Cake

Cake: Fixing bugs, adding new functionality
Icing: Making things look better for the end user or easier to use for developers

Improvements:

  • Eliminated duplicated ownership check in ESC4/5. We can and should have opinions, and the opinion is that only AD Admins should own PKS objects and templates. (Cake, @TrimarcJake)
  • Filtered Deny ACEs from ESC4/5. This is not an Effective Access check, but it does cut down on false positives. (Cake, @TrimarcJake)
  • Added flowcharts that explain severity for each finding. (Icing, @TrimarcJake)
  • Added comment-based help to every function. (Icing, @TrimarcJake and Copilot)
  • Added instructions for Scans parameter to the README. (Icing, @SamErde)

In Progress:

  • Check to see if Locksmith is up to date. Provide links for latest version if not up to date. (Icing, @SamErde)
  • Check to see if user running Locksmith is a member of the Protected Users group. PUG membership will impact ESC8 checks. (Cake, @SamErde)
  • Check for ESC9. It was announced in August 2022, so Locksmith is late to the game. (Cake, @SamErde)

Known Issues:

  • msPKI-Certificate-Name-Flag check in ESC1-3 currently uses a direct comparison (-eq) instead of a bitwise comparison (-band) which could result in false negatives.
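
Why the direct comparison misses templates, as an added PowerShell example (not Locksmith's own code; it also illustrates the -eq to -band fix listed under v2024.8). The flag constant comes from the MS-CRTD specification; the template names and flag values are constructed sample data.

```powershell
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (MS-CRTD): the requester chooses the subject name.
$EnrolleeSuppliesSubject = 0x00000001

# Constructed sample data, not real templates. msPKI-Certificate-Name-Flag is a
# bit field, so a template usually carries several flags OR-ed together.
$templates = @(
    # Only ENROLLEE_SUPPLIES_SUBJECT is set.
    [pscustomobject]@{ Name = 'Sample-SubjectOnly';       'msPKI-Certificate-Name-Flag' = 0x00000001 }
    # ENROLLEE_SUPPLIES_SUBJECT plus ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME (0x00010000).
    [pscustomobject]@{ Name = 'Sample-SubjectAndAltName'; 'msPKI-Certificate-Name-Flag' = 0x00010001 }
    # Subject built from AD: SUBJECT_ALT_REQUIRE_UPN (0x02000000) only.
    [pscustomobject]@{ Name = 'Sample-BuiltFromAD';       'msPKI-Certificate-Name-Flag' = 0x02000000 }
)

$results = foreach ($template in $templates) {
    $flag = $template.'msPKI-Certificate-Name-Flag'
    [pscustomobject]@{
        Template  = $template.Name
        Flag      = '0x{0:X8}' -f $flag
        # Direct comparison: true only when no other bit is set.
        MatchEq   = ($flag -eq $EnrolleeSuppliesSubject)
        # Bitwise comparison: true whenever the bit is set, whatever else is set.
        MatchBand = [bool]($flag -band $EnrolleeSuppliesSubject)
    }
}

$results | Format-Table -AutoSize

# Templates that a -eq based check would report as clean although the bit is set.
$missed = $results | Where-Object { $_.MatchBand -and -not $_.MatchEq }
"Missed by -eq: $(@($missed).Template -join ', ')"
```

The second sample template is the false negative: the bit is set, but the attribute value as a whole is not equal to 1.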

v2024.1

28 Jan 12:47
27e8f36

Mode 4 Now Fixes Ownership Issues Automatically!

No long-winded notes this month. Instead, I'll just wish my wife a happy birthday! She's the best. ❤️💜💙

Improvements:

  • ESC4 and ESC5 Ownership issues can now be auto-remediated with -Mode 4. - @TrimarcJake
  • Improved RSAT installation process (if you don't have it installed yet.) - @techspence
  • Modern custom object creation (no more Add-Member means slightly faster code that's much easier to read) - @TrimarcJake
  • README now shows how to use the -Scans parameter to limit your search to just a specific issue. - @SamErde
  • We now have CONTRIBUTING and CODE_OF_CONDUCT docs. They're not quite where we want them, but soon! - @TrimarcJake
  • PSScriptAnalyzer actions run on commit now, so we can check if there's anything hinky going on. - @SamErde
  • Badges! Icons! - @SamErde

Known Issues:

  • Objects with both Allow and Deny ACEs report two issues in output (I promise I'll think about working on this one for February. :D)

v2023.12

16 Dec 12:04
c99cc02

Mode 4 in the Wild!

This month, the Locksmith team discovered people are actually using Mode 4 (auto-remediation) in the wild. To be honest, we let Mode 4 languish because none of us would trust a fully automated remediation tool... even if we wrote it!

But since it's being used, we should definitely improve it. The new Mode 4 is much more explicit about what the issue is, why it's an issue, and how it will be remediated. Lastly, the Operational Impact is spelled out in plain language and color coded so it's more obvious when a fix may negatively impact operations.

After Locksmith is done fixing stuff on your behalf, you'll get an indicator that it's done instead of just dropping back to the console.

We also resolved some output issues (fewer duplicates), false positives (bitwise math is weird), and cleaned up the scripts used to build the project.

Thank you for using ❤ Locksmith ❤

Improvements:

  • Improved Mode 4 output
  • Eliminated duplicate RAM
  • Improved Manager Approval checks
  • Eliminated duplicate ESC4/5 ownership findings
  • Tweaked build scripts

Known Issues:

  • In ESC4/ESC5 checks, when multiple ACEs exist on a PKS object, all ACEs are displayed instead of Effective Access.

v2023.11

12 Nov 14:53
6d948d4

November 2023: Sam Leads The Way

October 2023 was super-hectic for the Locksmith core team, so we decided to skip the October release.

That little break was so worth it because it gave @SamErde some time to finalize a new Locksmith feature: a -Scans parameter which can be used to specify exactly which misconfigurations Locksmith should search for. By default, all scan types will run, but if you want to search only for templates that match the definition of ESC1 and ESC3, try Invoke-Locksmith -Scans ESC1,ESC3!

Unsure which scan(s) you want to run? Try Invoke-Locksmith -Scans PromptMe! If you're running Windows PowerShell or PowerShell Core w/ Microsoft.PowerShell.ConsoleGuiTools installed, running Invoke-Locksmith -Scans PromptMe will give you a GridView window that you can use to select one or more scan types.

Powering the selection window is a dictionary class containing important info about each issue such as name, summary, links, finding code, and fixing code. As Locksmith moves forward, this dictionary will be a vital piece of improving Locksmith's usability.

Improvements:

  • New command line parameter: -Scans with updated comment-based help explaining its use.
  • New dictionary containing information about all finding types identified by Locksmith
  • Light refactoring results in a much quicker startup time.
  • Added support for Editor Config so all developers are using similar VS Code setups.

Known Issues:

  • In ESC4/ESC5 checks, when multiple ACEs exist on a PKI object, all ACEs are displayed. ESC4/ESC5 checks should emulate Effective Access in regular mode and list all ACEs in Verbose mode. (Thanks to Robert for bringing this to my attention in person at Blue Team Con!) Maybe next release, Robert!

v2023.9

02 Sep 12:23
2abaab8

September 2023: Hello, ESC3! Goodbye (temporarily), TrimarcJake!

This month's Locksmith release finally introduces full ESC3 detections. Insecure Enrollment Agent templates and Client Authentication templates requiring signing by a single Enrollment Agent certificate will now be flagged. This closes the door on a pretty large hole in Locksmith's detections.

This release also marks a change in my (@TrimarcJake) role in Locksmith. I am refocusing my development time toward a new tool for finding and fixing issues in Active Directory-integrated DNS called BlueTuxedo. Until BlueTuxedo is released and gets stable, I will not be writing any new code for Locksmith.

But as you can see by this month's contributions, @techspence and @SamErde are more than capable of running the show for a while. :D

Improvements:

  • Added checks for ESC3 Condition 1 (@TrimarcJake) and Condition 2 (@techspence)
  • Sorted list output for improved readability (@SamErde)
  • Moved the AD module check above the first use of ActiveDirectory cmdlets (@SamErde)
  • Other refactoring of code to make consistent use of formatting (@SamErde)
  • Added detailed output for failed severity checks (@SamErde)
  • Improved performance of Set-AdditionalCAProperty by reducing ping count to 1 (@techspence)
  • ESC3 Condition 1 template generated by Invoke-TSS.ps1 lab build script. (@TrimarcJake)

Known Issues:

  • In ESC4/ESC5 checks, when multiple ACEs exist on a PKI object, all ACEs are displayed. ESC4/ESC5 checks should emulate Effective Access in regular mode and list all ACEs in Verbose mode. (Thanks to Robert for bringing this to my attention in person at Blue Team Con!)

Unfinished Features in the Works:

  • Better severity ratings
  • More granular command line parameters (modes were a bad idea.)

Honorary mention:

PK's PSPublishModule has been invaluable for speeding up development in Locksmith. He'll continue to get mentioned for quite some time.