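<#
.SYNOPSIS
Prints OIDs and certificate templates that may be used in an ADCS ESC13 abuse.

.DESCRIPTION
The script will check for:
1. OIDs with non-default ownership
2. OIDs with non-default ACE
3. OIDs linked to a group
4. Certificate templates configured with OID linked to a group

Everything reported is a candidate for review: the script only reads the OID
and certificate-template objects under the Configuration NC and does not look
at enrollment permissions or whether a template is published on a CA.

.NOTES
Requires the ActiveDirectory module and read access to the Configuration NC.
#>
# Stop here if the module is missing. Without -ErrorAction Stop the script would
# continue past the missing AD cmdlets with $OIDs empty and finish with the
# misleading "No OIDs were found" message instead of the real cause.
Import-Module ActiveDirectory -ErrorAction Stop

# Locate the Public Key Services containers in the Configuration NC
$ADRootDSE = Get-ADRootDSE
$ConfigurationNC = $ADRootDSE.configurationNamingContext
$OIDContainer = "CN=OID,CN=Public Key Services,CN=Services,$ConfigurationNC"
$TemplateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigurationNC"

# Every OID object, including its security descriptor (owner + ACL) and the
# msDS-OIDToGroupLink attribute the group-link checks rely on
$OIDs = Get-ADObject -Filter * -SearchBase $OIDContainer -Properties DisplayName,Name,msPKI-Cert-Template-OID,msDS-OIDToGroupLink,nTSecurityDescriptor

# Only templates that carry at least one issuance policy (msPKI-Certificate-Policy);
# templates without one cannot reference a group-linked OID
$Templates = Get-ADObject -Filter * -SearchBase $TemplateContainer -Properties msPKI-Certificate-Policy |
    Where-Object { $_."msPKI-Certificate-Policy" } |
    Select-Object Name,msPKI-Certificate-Policy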
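if ($OIDs) {
    Write-Host "Enumerating OIDs"
    Write-Host "------------------------"
    # Iterate through each OID
    foreach ($OID in $OIDs) {
        # 3. OID linked to a group: msDS-OIDToGroupLink points at the group whose
        #    membership a certificate carrying this policy OID would convey
        if ($OID."msDS-OIDToGroupLink") {
            Write-Host "OID $($OID.Name) links to group: $($OID."msDS-OIDToGroupLink")`r`n"
            Write-Host "OID DisplayName: $($OID.DisplayName)"
            Write-Host "OID DistinguishedName: $($OID.DistinguishedName)"
            Write-Host "OID msPKI-Cert-Template-OID: $($OID."msPKI-Cert-Template-OID")"
            Write-Host "OID msDS-OIDToGroupLink: $($OID."msDS-OIDToGroupLink")"
            Write-Host "------------------------"
        }

        # 1. Non-default ownership: Enterprise Admins is treated as the expected
        #    owner; any other value (including an empty/unreadable owner) is reported.
        # NOTE(review): the owner and ACE checks below match on account names, not
        # SIDs — confirm behaviour in forests with localized built-in group names.
        if ($OID.nTSecurityDescriptor.Owner -notlike "*\Enterprise Admins") {
            Write-Host "OID $($OID.Name) has non-default owner: $($OID.nTSecurityDescriptor.Owner)`r`n"
            Write-Host "OID DisplayName: $($OID.DisplayName)"
            Write-Host "OID DistinguishedName: $($OID.DistinguishedName)"
            Write-Host "OID msPKI-Cert-Template-OID: $($OID."msPKI-Cert-Template-OID")"
            Write-Host "------------------------"
        }

        # 2. Non-default ACEs: any right for Domain Admins / Enterprise Admins /
        #    SYSTEM and GenericRead for Authenticated Users are the baseline;
        #    every other ACE is printed for review.
        foreach ($ACE in $OID.nTSecurityDescriptor.Access) {
            $Identity = $ACE.IdentityReference
            $IsAdminIdentity = ($Identity -like "*\Domain Admins") -or
                               ($Identity -like "*\Enterprise Admins") -or
                               ($Identity -like "*\SYSTEM")
            $IsDefaultRead = ($Identity -like "*\Authenticated Users") -and
                             ($ACE.ActiveDirectoryRights -eq "GenericRead")
            if ($IsAdminIdentity -or $IsDefaultRead) {
                continue
            }
            Write-Host "OID $($OID.Name) has non-default ACE:"
            # Render the ACE here so it appears inline with the surrounding
            # Write-Host lines rather than being formatted later by the pipeline
            $ACE | Format-List | Out-String | Write-Host
            Write-Host "OID DisplayName: $($OID.DisplayName)"
            Write-Host "OID DistinguishedName: $($OID.DistinguishedName)"
            Write-Host "OID msPKI-Cert-Template-OID: $($OID."msPKI-Cert-Template-OID")"
            Write-Host "------------------------"
        }
    }

    Write-Host "Enumerating certificate templates"
    Write-Host "------------------------"
    # Iterate through each template
    foreach ($Template in $Templates) {
        # 4. Every group-linked OID whose msPKI-Cert-Template-OID appears among the
        #    template's issuance policies. A template can list several policies,
        #    so each matching OID is reported on its own instead of collapsing
        #    them into one line.
        $MatchingOIDs = $OIDs | Where-Object {
            $_."msDS-OIDToGroupLink" -and
            $Template."msPKI-Certificate-Policy" -contains $_."msPKI-Cert-Template-OID"
        }
        foreach ($MatchingOID in $MatchingOIDs) {
            Write-Host "Certificate template $($Template.Name) may be used to obtain membership of $($MatchingOID."msDS-OIDToGroupLink")`r`n"
            Write-Host "Certificate template Name: $($Template.Name)"
            Write-Host "OID DisplayName: $($MatchingOID.DisplayName)"
            Write-Host "OID DistinguishedName: $($MatchingOID.DistinguishedName)"
            Write-Host "OID msPKI-Cert-Template-OID: $($MatchingOID."msPKI-Cert-Template-OID")"
            Write-Host "OID msDS-OIDToGroupLink: $($MatchingOID."msDS-OIDToGroupLink")"
            Write-Host "------------------------"
        }
    }
    Write-Host "Done"
} else {
    Write-Host "Error: No OIDs were found."
}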