Added support for non domain joined systems #269
Open
LuemmelSec wants to merge 2 commits into
Now also runs from a non-domain-joined system via runas and supports forests. Therefore we now have the -server flag, where we can specify a Domain Controller or the domain name of the root domain:

```powershell
.\Invoke-Locksmith.ps1 -server root.domain
```
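The following is an added example, not Locksmith code and not part of this PR, showing how a single value given to -Server can be fanned out across every domain of the forest from a non-domain-joined host. It assumes the RSAT ActiveDirectory module and a PowerShell process started with credentials valid in the target forest (for example via runas /netonly); Resolve-ForestDomainControllers is a hypothetical helper name, and dc01.root.domain is a placeholder.

```powershell
# Added example, not Locksmith project code. Assumes the RSAT ActiveDirectory module is installed and
# that PowerShell was started with credentials valid in the target forest, e.g.
#   runas /netonly /user:ROOT\auditor powershell.exe
# Resolve-ForestDomainControllers is a hypothetical helper name.
Import-Module ActiveDirectory

function Resolve-ForestDomainControllers {
    [CmdletBinding()]
    param(
        # Domain Controller IP/FQDN, or the DNS name of the root domain; the AD cmdlets' -Server accepts either.
        [Parameter(Mandatory)]
        [string]$Server
    )

    # One forest query pinned to the supplied server; from here on each domain gets its own target.
    $forest = Get-ADForest -Server $Server -ErrorAction Stop

    foreach ($domainName in $forest.Domains) {
        $dcHost = $null

        # Approach 1: DC locator, which needs the non-joined host to resolve DNS for that domain.
        try {
            $dc = Get-ADDomainController -DomainName $domainName -Discover -Service ADWS -ForceDiscover -ErrorAction Stop
            $dcHost = [string]$dc.HostName
        }
        catch {
            Write-Verbose "DC locator failed for ${domainName}: $($_.Exception.Message)"
        }

        # Approach 2: hand the domain name itself to -Server and let the module resolve it.
        if (-not $dcHost) {
            try {
                $null = Get-ADDomain -Server $domainName -ErrorAction Stop
                $dcHost = $domainName
            }
            catch {
                Write-Verbose "Direct query of ${domainName} failed: $($_.Exception.Message)"
            }
        }

        # Report the failure instead of falling back to the root DC, which would scan the root
        # domain twice and the child domain not at all.
        if (-not $dcHost) {
            Write-Warning "No reachable DC for ${domainName}; it will not be scanned."
        }

        [pscustomobject]@{ Domain = $domainName; Server = $dcHost }
    }
}

# Usage: resolve once, then splat the per-domain -Server into every AD query instead of
# duplicating each call with and without -Server.
$targets = Resolve-ForestDomainControllers -Server 'dc01.root.domain'
foreach ($target in ($targets | Where-Object Server)) {
    $adArgs = @{ Server = $target.Server }
    $rootDse = Get-ADRootDSE @adArgs
    # Certificate templates and CAs live in the forest-wide Configuration partition, so one DC per
    # forest is enough for them; domain-level objects (principals, ACLs) need the per-domain target.
    '{0}: defaultNamingContext={1} via {2}' -f $target.Domain, $rootDse.defaultNamingContext, $target.Server
}
```

The splatting at the end is the pattern that avoids a separate code path for "with -Server" and "without -Server": when no server was supplied the hashtable is simply left empty and the cmdlets fall back to the joined domain.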
Pull request overview
This PR updates Invoke-Locksmith.ps1 to better support running Locksmith from non-domain-joined systems by introducing a -Server parameter (Domain Controller IP/FQDN) and threading it through many AD queries and risk scoring paths, with additional robustness improvements for identity translation and CA endpoint detection.
Changes:
- Add a -Server parameter and propagate it through scan functions and AD query logic to enable non-domain-joined execution and forest-wide targeting.
- Harden identity/SID translation and adjust several scan behaviors to better tolerate unreachable CAs / placeholder values.
- Remove ESC17 scanning support from the script (no longer selectable/executed).
Comment on lines 9 to +15
| [Parameter()] | ||
| [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'ESC17', 'All', 'PromptMe')] | ||
| [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'All', 'PromptMe')] | ||
| [array]$Scans = 'All', | ||
|
|
||
| # Domain Controller IP or FQDN. Required when running from non-domain-joined systems. | ||
| [Parameter()] | ||
| [ValidateScript({ Test-Path -Path $_ -PathType Container })] | ||
| [string]$OutputPath = $PWD | ||
| [string]$Server |
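Review bot: the comment on the new parameter says it is "Required when running from non-domain-joined systems", but `[Parameter()]` carries no `Mandatory` and no validation, and the PR description passes a domain name (`-server root.domain`) while the comment documents "Domain Controller IP or FQDN". State which forms are accepted (the AD cmdlets' `-Server` takes either a DC or a domain name) and, since the parameter cannot be made Mandatory without breaking the domain-joined case, fail early with a clear error when `$Server` is empty and the host is not domain-joined (`(Get-CimInstance Win32_ComputerSystem).PartOfDomain` is false). Dropping 'ESC17' from the `ValidateSet` also turns any existing `-Scans ESC17` invocation into a parameter-binding error; fine if intended, but it belongs in the PR description, which only mentions the `-server` flag.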
Comment on lines +5891 to +5896
| if ($Server) { | ||
| Invoke-Locksmith -Mode $Mode -Scans $Scans -Server $Server | ||
| } | ||
| else { | ||
| Invoke-Locksmith -Mode $Mode -Scans $Scans | ||
| } |
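Review bot: the `if ($Server)` / `else` pair duplicates the `Invoke-Locksmith` call and will need duplicating again for every further optional parameter. Splat instead: `$locksmithArgs = @{ Mode = $Mode; Scans = $Scans }`, `if ($Server) { $locksmithArgs.Server = $Server }`, `Invoke-Locksmith @locksmithArgs`.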
Comment on lines 716 to 718
| The Certification Authority (CA) $($_.CAFullName) has the szOID_NTDS_CA_SECURITY_EXT security extension disabled. When | ||
| this extension is disabled, every certificate issued by this CA will be unable to reliably map a certificate to a | ||
| this extension is disabled, every certificate issued from this template will be unable to to reliably map a certificate to a | ||
| user or computer account's SID for authentication. |
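Review bot: of the two variants of the middle line, "every certificate issued from this template" is wrong for this finding: the message is about the szOID_NTDS_CA_SECURITY_EXT extension being disabled on the CA `$($_.CAFullName)`, a CA-level setting that affects every certificate the CA issues regardless of template, so the kept text should read "every certificate issued by this CA". The same variant also contains a doubled "to to". Keep the CA wording and drop the duplicate word.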
Comment on lines +5604 to +5607
| $Forest.Domains | ForEach-Object { | ||
| $DomainName = $_ | ||
| # From non-domain-joined systems, try multiple approaches to query each domain | ||
| $DomainDC = $null |
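Review bot: `$DomainDC` is initialised to `$null` and the comment promises several approaches per domain, but the hunk does not show what happens when all of them fail. Make sure that case is reported with `Write-Warning` naming `$DomainName` and the domain is skipped, rather than the query falling through to the root DC given in `-Server`, which would silently scan the root domain a second time and report nothing for the child. `Get-ADDomainController -DomainName $DomainName -Discover -ForceDiscover` is the natural first approach from a non-joined host, with the caveat that the host's DNS must resolve that domain.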
Comment on lines +10 to 11
| [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'All', 'PromptMe')] | ||
| [array]$Scans = 'All', |
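Review bot: this is the second copy of the `ValidateSet` list (the script-level param block at line 9 carries the same set), and ESC17 had to be removed from both by hand. Define the allowed scan names once, e.g. a single script-scope array checked from both parameter blocks via `[ValidateScript()]`, so the two lists cannot drift apart again.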
Comment on lines 2887 to 2890
| Specifies the type of scans to perform. Multiple scan options can be provided as an array. The default value is 'All'. | ||
| The available scan options are: 'Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC8', 'ESC9', 'ESC11', | ||
| 'ESC13', 'ESC15, 'EKUwu', 'ESC16', 'ESC17', 'All', 'PromptMe'. | ||
| 'ESC13', 'ESC15, 'EKUwu', 'ESC16', 'All', 'PromptMe'. | ||
|
|
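Review bot: the edited help text keeps the pre-existing typo `'ESC15,` (missing closing quote before the comma), and the list still omits 'ESC7' even though it is in the `ValidateSet`. Fix both while touching this block: `'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'All', 'PromptMe'`, and add 'ESC7' after 'ESC6' on the preceding line.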
Comment on lines 3879 to 3882
| # Template and object issues rely on a principal and have complex scoring. | ||
| if ($Issue.Technique -notin @('DETECT', 'ESC6', 'ESC7', 'ESC8', 'ESC11', 'ESC17')) { | ||
| if ($Issue.Technique -notin @('DETECT', 'ESC6', 'ESC7', 'ESC8', 'ESC11', 'ESC16')) { | ||
| $RiskScoring += 'Base Score: 0' | ||
|
|
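Review bot: swapping 'ESC17' for 'ESC16' in this list changes how ESC16 findings are scored, which is unrelated to the non-domain-joined feature and is not mentioned in the PR description. The comment above the condition says the `-notin` branch is for principal-based template and object issues; ESC16 (CA security extension disabled) is a CA-level finding with no principal, so moving it to the CA-side list looks correct, but say so in the description and check that the CA-side scoring branch copes with an ESC16 issue object that has no principal fields.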
Comment on lines +4441 to +4444
| while ($GroupsToProcess.Count -gt 0) { | ||
| $CurrentGroup = $GroupsToProcess[0] | ||
| $GroupsToProcess = $GroupsToProcess[1..($GroupsToProcess.Count - 1)] | ||
|
|
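Review bot: the dequeue `$GroupsToProcess = $GroupsToProcess[1..($GroupsToProcess.Count - 1)]` does not terminate once a single element is left: with `Count` equal to 1 the range is `1..0`, which PowerShell evaluates as the descending sequence 1, 0, so index 0 is selected again, the array keeps its one element and `while ($GroupsToProcess.Count -gt 0)` spins forever. Use `$GroupsToProcess = @($GroupsToProcess | Select-Object -Skip 1)` or a `[System.Collections.Generic.Queue[object]]` with `Dequeue()`, and keep a visited set so circular or repeated group memberships are not re-expanded.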