
Added support for non domain joined systems #269

Open

LuemmelSec wants to merge 2 commits into jakehildreth:main from LuemmelSec:main

Conversation

@LuemmelSec


Now also runs from a non-domain-joined system via runas and supports forests. Therefore we have the -server flag where we can specify a Domain Controller or the domain name of the root domain:

```
.\Invoke-Locksmith.ps1 -server root.domain
```

Now also runs from a non-domain-joined system via runas and supports forests.
Therefore we now have the -server flag
```
.\Invoke-Locksmith.ps1 -server root.domain
```

Copilot AI left a comment


Pull request overview

This PR updates Invoke-Locksmith.ps1 to better support running Locksmith from non-domain-joined systems by introducing a -Server parameter (Domain Controller IP/FQDN) and threading it through many AD queries and risk scoring paths, with additional robustness improvements for identity translation and CA endpoint detection.

Changes:

  • Add a -Server parameter and propagate it through scan functions and AD query logic to enable non-domain-joined execution and forest-wide targeting.
  • Harden identity/SID translation and adjust several scan behaviors to better tolerate unreachable CAs / placeholder values.
  • Remove ESC17 scanning support from the script (no longer selectable/executed).


Comment thread Invoke-Locksmith.ps1
Comment on lines 9 to +15
[Parameter()]
[ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'ESC17', 'All', 'PromptMe')]
[ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'All', 'PromptMe')]
[array]$Scans = 'All',

# Domain Controller IP or FQDN. Required when running from non-domain-joined systems.
[Parameter()]
[ValidateScript({ Test-Path -Path $_ -PathType Container })]
[string]$OutputPath = $PWD
[string]$Server
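Review bot: the tail of this hunk is ambiguous as rendered, and either reading needs a fix: if `[string]$OutputPath = $PWD` is being replaced by `[string]$Server`, the `-OutputPath` parameter silently disappears from the script's interface; if it is kept and `$Server` is appended after it, it needs a trailing comma (`[string]$OutputPath = $PWD,`) or the param block will not parse. State which is intended in the PR description. Also consider moving the "Domain Controller IP or FQDN" text into the comment-based help as a `.PARAMETER Server` entry so it appears in `Get-Help`; an inline comment in the param block is invisible to users.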
Comment thread Invoke-Locksmith.ps1
Comment on lines +5891 to +5896
if ($Server) {
Invoke-Locksmith -Mode $Mode -Scans $Scans -Server $Server
}
else {
Invoke-Locksmith -Mode $Mode -Scans $Scans
}
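Review bot: the if/else duplicates the `Invoke-Locksmith` call just to make `-Server` optional, and the two branches will drift apart as parameters are added; splatting expresses the same thing once: `$params = @{ Mode = $Mode; Scans = $Scans }`, then `if ($Server) { $params.Server = $Server }`, then `Invoke-Locksmith @params`. Note also that `-OutputPath` is forwarded in neither branch; if the script still exposes that parameter (see the param block hunk above), it is dropped here.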
Comment thread Invoke-Locksmith.ps1
Comment on lines 716 to 718
The Certification Authority (CA) $($_.CAFullName) has the szOID_NTDS_CA_SECURITY_EXT security extension disabled. When
this extension is disabled, every certificate issued by this CA will be unable to reliably map a certificate to a
this extension is disabled, every certificate issued from this template will be unable to to reliably map a certificate to a
user or computer account's SID for authentication.
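Review bot: the second wording of this sentence has a doubled "to" ("unable to to reliably map") and says "issued from this template", although the sentence describes a CA-level setting (szOID_NTDS_CA_SECURITY_EXT disabled on the CA named by `$($_.CAFullName)`) that affects every certificate the CA issues regardless of template. "Issued by this CA" is the accurate form, so whichever line is the new one should keep that phrase and drop the repeated word.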
Comment thread Invoke-Locksmith.ps1
Comment on lines +5604 to +5607
$Forest.Domains | ForEach-Object {
$DomainName = $_
# From non-domain-joined systems, try multiple approaches to query each domain
$DomainDC = $null
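Review bot: check the element type of `$Forest.Domains` before using `$_` as `$DomainName`: with `Get-ADForest` the property is a collection of domain name strings, but with `[System.DirectoryServices.ActiveDirectory.Forest]` it is a DomainCollection of Domain objects, in which case `$DomainName` needs `$_.Name` to be usable in an LDAP path or as a `-Server` value. The comment "try multiple approaches" should also name the approaches and their fallback order, so a reader can tell why `$DomainDC` starts as `$null` and what happens when none of them succeeds.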
Comment thread Invoke-Locksmith.ps1
Comment on lines +10 to 11
[ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'All', 'PromptMe')]
[array]$Scans = 'All',
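Review bot: dropping 'ESC17' from the `ValidateSet` turns any existing `-Scans ESC17` invocation (including scheduled or scripted runs) into a parameter-binding error, and the PR description only mentions the `-Server` flag. The removal should be explained in the description and, if ESC17 is intentionally retired, reflected in the comment-based help and changelog; if the intent is only to stop running it by default, keeping the value in the set and excluding it from 'All' would be less disruptive.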
Comment thread Invoke-Locksmith.ps1
Comment on lines 2887 to 2890
Specifies the type of scans to perform. Multiple scan options can be provided as an array. The default value is 'All'.
The available scan options are: 'Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC8', 'ESC9', 'ESC11',
'ESC13', 'ESC15, 'EKUwu', 'ESC16', 'ESC17', 'All', 'PromptMe'.
'ESC13', 'ESC15, 'EKUwu', 'ESC16', 'All', 'PromptMe'.
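Review bot: `'ESC15,` on the surviving line is missing its closing quote, and the list omits 'ESC7' even though the parameter's `ValidateSet` includes it. Since the line is being rewritten anyway, make the help text match the `ValidateSet` exactly: 'Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'All', 'PromptMe'.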

Comment thread Invoke-Locksmith.ps1
Comment on lines 3879 to 3882
# Template and object issues rely on a principal and have complex scoring.
if ($Issue.Technique -notin @('DETECT', 'ESC6', 'ESC7', 'ESC8', 'ESC11', 'ESC17')) {
if ($Issue.Technique -notin @('DETECT', 'ESC6', 'ESC7', 'ESC8', 'ESC11', 'ESC16')) {
$RiskScoring += 'Base Score: 0'
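Review bot: swapping 'ESC17' for 'ESC16' in this exclusion list changes how ESC16 findings are scored: they now take the flat 'Base Score: 0' branch used for CA-level techniques instead of the principal-based scoring they received before, which is a behaviour change unrelated to the `-Server` work and not mentioned in the description. Since ESC16 (security extension disabled on the CA) has no principal, the move looks correct, but call it out explicitly so the scoring change is reviewed on its own merits rather than slipping in with the ESC17 removal.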

Comment thread Invoke-Locksmith.ps1
Comment on lines +4441 to +4444
while ($GroupsToProcess.Count -gt 0) {
$CurrentGroup = $GroupsToProcess[0]
$GroupsToProcess = $GroupsToProcess[1..($GroupsToProcess.Count - 1)]
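Review bot: the dequeue on the third line does not terminate when exactly one group remains: `$GroupsToProcess[1..0]` is a descending range in PowerShell, so it returns the element at index 0 again instead of an empty array, `.Count` stays at 1 and the `while` loop never exits. Guard the single-element case (`if ($GroupsToProcess.Count -gt 1) { $GroupsToProcess = @($GroupsToProcess[1..($GroupsToProcess.Count - 1)]) } else { $GroupsToProcess = @() }`), or use `[System.Collections.Generic.Queue[object]]` with `Enqueue`/`Dequeue`, which also avoids rebuilding the array on every iteration.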
