Locksmith

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.

Results 25 Locksmith issues

This file has a typo: "Domain Admins" is missing the s: `([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("Domain Admin")`

bug

Hi, it seems that ESC8 identification is not accurate. In my case I can confirm web enrollment is not installed and Windows authentication for CEP and CES is set to:...

bug

We need a methodology for ranking risk. This should be in place before we surface risk ratings to the user.

enhancement
help wanted

ESC4 and ESC5 should report issues based on effective access instead of just filtering out Deny ACEs. Filtering Denys cuts down on false positives but doesn't provide a picture of...

enhancement
help wanted

msPKI-Certificate-Name-Flag check in ESC1-3 currently uses a direct comparison (`-eq`) instead of a bitwise comparison (`-band`) which could result in false negatives in situations where multiple msPKI-Certificate-Name-Flag bits are enabled.

bug

Current text colors work fine on dark terminal backgrounds but not so well on light backgrounds.

enhancement
help wanted

Hi, LockSmith Version: v2024.3 On a Windows Server 2022 PKI Infrastructure. I use the following command in an elevated PowerShell: `Invoke-Locksmith -Scans ESC4` The output is: ``` Technique Name Issue...

Hi, I'm trying this out on a pentest where I've got an admin cmd box open as DOMAIN\compromiseduser. When I run Locksmith it complains in red a lot about not...

enhancement
help wanted