Fresh Build for 2025.04.20 release

Jake Hildreth · Jake Hildreth · commit 12333bede92d · 2025-04-20T05:37:48.000-05:00
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
@@ -1,5 +1,11 @@
-﻿param (
-    [int]$Mode,
+﻿[CmdletBinding(HelpUri = 'https://jakehildreth.github.io/Locksmith/Invoke-Locksmith')]
+param (
+    # The mode to run Locksmith in. Defaults to 0.
+    [Parameter(Mandatory = $false)]
+    [ValidateSet(0, 1, 2, 3, 4)]
+    [int]$Mode = 0,
+
+    # The scans to run. Defaults to 'All'.
     [Parameter()]
     [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC8', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'All', 'PromptMe')]
     [array]$Scans = 'All'
@@ -2900,7 +2906,12 @@ function Set-AdditionalCAProperty {
                 $CAHostDistinguishedName = (Get-ADObject -Filter { (Name -eq $CAHostName) -and (objectclass -eq 'computer') } -Server $ForestGC ).DistinguishedName
                 $CAHostFQDN = (Get-ADObject -Filter { (Name -eq $CAHostName) -and (objectclass -eq 'computer') } -Properties DnsHostname -Server $ForestGC).DnsHostname
             }
-            $ping = if ($CAHostFQDN) { Test-Connection -ComputerName $CAHostFQDN -Count 1 -Quiet } else { Write-Warning "Unable to resolve $($_.Name) Fully Qualified Domain Name (FQDN)" }
+            $ping = if ($CAHostFQDN) {
+                Test-Connection -ComputerName $CAHostFQDN -Count 1 -Quiet 
+            }
+            else {
+                Write-Warning "Unable to resolve $($_.Name) Fully Qualified Domain Name (FQDN)" 
+            }
             if ($ping) {
                 try {
                     if ($Credential) {
@@ -3395,23 +3406,23 @@ function Set-RiskRating {
             switch ($Issue.objectClass) {
                 # Being able to modify Root CA Objects is very bad.
                 'certificationAuthority' {
-                    $RiskValue += 2; $RiskScoring += 'Root Certification Authority bject: +2'
+                    $RiskValue += 2; $RiskScoring += 'Root Certification Authority bject: +2' 
                 }
                 # Being able to modify Issuing CA Objects is also very bad.
                 'pKIEnrollmentService' {
-                    $RiskValue += 2; $RiskScoring += 'Issuing Certification Authority Object: +2'
+                    $RiskValue += 2; $RiskScoring += 'Issuing Certification Authority Object: +2' 
                 }
                 # Being able to modify CA Hosts? Yeah... very bad.
                 'computer' {
-                    $RiskValue += 2; $RiskScoring += 'Certification Authority Host Computer: +2'
+                    $RiskValue += 2; $RiskScoring += 'Certification Authority Host Computer: +2' 
                 }
                 # Being able to modify OIDs could result in ESC13 vulns.
                 'msPKI-Enterprise-Oid' {
-                    $RiskValue += 1; $RiskScoring += 'OID: +1'
+                    $RiskValue += 1; $RiskScoring += 'OID: +1' 
                 }
                 # Being able to modify PKS containers is bad.
                 'container' {
-                    $RiskValue += 1; $RiskScoring += 'Container: +1'
+                    $RiskValue += 1; $RiskScoring += 'Container: +1' 
                 }
             }
         }
@@ -3420,19 +3431,19 @@ function Set-RiskRating {
     # Convert Value to Name
     $RiskName = switch ($RiskValue) {
         { $_ -le 1 } {
-            'Informational'
+            'Informational' 
         }
         2 {
-            'Low'
+            'Low' 
         }
         3 {
-            'Medium'
+            'Medium' 
         }
         4 {
-            'High'
+            'High' 
         }
         { $_ -ge 5 } {
-            'Critical'
+            'Critical' 
         }
     }
 
@@ -3981,7 +3992,7 @@ Set-Acl -Path `$Path -AclObject `$ACL
 "@
             }
             4 {
-                break
+                break 
             }
             5 {
                 $Issue.Fix = @"
@@ -4144,10 +4155,10 @@ Function Write-HostColorized {
             # We precompile them for better performance with many input objects.
             [System.Text.RegularExpressions.RegexOptions] $reOpts =
             if ($CaseSensitive) {
-                'Compiled, ExplicitCapture'
+                'Compiled, ExplicitCapture' 
             }
             else {
-                'Compiled, ExplicitCapture, IgnoreCase'
+                'Compiled, ExplicitCapture, IgnoreCase' 
             }
 
             # Transform the dictionary:
@@ -4169,10 +4180,10 @@ Function Write-HostColorized {
                 }
                 $colorArgs = @{ }
                 if ($fg) {
-                    $colorArgs['ForegroundColor'] = [ConsoleColor] $fg
+                    $colorArgs['ForegroundColor'] = [ConsoleColor] $fg 
                 }
                 if ($bg) {
-                    $colorArgs['BackgroundColor'] = [ConsoleColor] $bg
+                    $colorArgs['BackgroundColor'] = [ConsoleColor] $bg 
                 }
 
                 # Consolidate the patterns into a single pattern with alternation ('|'),
@@ -4191,7 +4202,7 @@ Function Write-HostColorized {
             }
         }
         catch {
-            throw
+            throw 
         }
 
         # Construct the arguments to pass to Out-String.
@@ -4214,7 +4225,7 @@ Function Write-HostColorized {
                     foreach ($m in $entry.Key.Matches($_)) {
                         @{ Index = $m.Index; Text = $m.Value; ColorArgs = $entry.Value }
                         if ($WholeLine) {
-                            break patternLoop
+                            break patternLoop 
                         }
                     }
                 }
@@ -4390,7 +4401,7 @@ function Invoke-Locksmith {
         [System.Management.Automation.PSCredential]$Credential
     )
 
-    $Version = '2025.3.28'
+    $Version = '2025.4.20'
     $LogoPart1 = @'
     _       _____  _______ _     _ _______ _______ _____ _______ _     _
     |      |     | |       |____/  |______ |  |  |   |      |    |_____|
diff --git a/Locksmith.psd1 b/Locksmith.psd1
@@ -8,14 +8,14 @@
     FunctionsToExport    = 'Invoke-Locksmith'
     GUID                 = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
     HelpInfoURI          = 'https://raw.githubusercontent.com/jakehildreth/Locksmith/main/en-US/'
-    ModuleVersion        = '2025.3.28'
+    ModuleVersion        = '2025.4.20'
     PowerShellVersion    = '5.1'
     PrivateData          = @{
         PSData = @{
             ExternalModuleDependencies = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Management', 'Microsoft.PowerShell.Security', 'CimCmdlets', 'Dism')
             IconUri                    = 'https://raw.githubusercontent.com/jakehildreth/Locksmith/main/Images/locksmith.ico'
             ProjectUri                 = 'https://github.com/jakehildreth/Locksmith'
-            Tags                       = @('Windows', 'Locksmith', 'CA', 'PKI', 'ActiveDirectory', 'CertificateServices', 'ADCS')
+            Tags                       = @('Locksmith', 'ActiveDirectory', 'ADCS', 'CA', 'Certificate', 'CertificateAuthority', 'CertificateServices', 'PKI', 'X509', 'Windows')
         }
     }
     RequiredModules      = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Management', 'Microsoft.PowerShell.Security', 'CimCmdlets', 'Dism')

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,11 @@`
`1`		`-param (`
`2`		`- [int]$Mode,`
	`1`	`+[CmdletBinding(HelpUri = 'https://jakehildreth.github.io/Locksmith/Invoke-Locksmith')]`
	`2`	`+param (`
	`3`	`+ # The mode to run Locksmith in. Defaults to 0.`
	`4`	`+ [Parameter(Mandatory = $false)]`
	`5`	`+ [ValidateSet(0, 1, 2, 3, 4)]`
	`6`	`+ [int]$Mode = 0,`
	`7`	`+`
	`8`	`+ # The scans to run. Defaults to 'All'.`
`3`	`9`	`[Parameter()]`
`4`	`10`	`[ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC8', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'All', 'PromptMe')]`
`5`	`11`	`[array]$Scans = 'All'`
`@@ -2900,7 +2906,12 @@ function Set-AdditionalCAProperty {`
`2900`	`2906`	`$CAHostDistinguishedName = (Get-ADObject -Filter { (Name -eq $CAHostName) -and (objectclass -eq 'computer') } -Server $ForestGC ).DistinguishedName`
`2901`	`2907`	`$CAHostFQDN = (Get-ADObject -Filter { (Name -eq $CAHostName) -and (objectclass -eq 'computer') } -Properties DnsHostname -Server $ForestGC).DnsHostname`
`2902`	`2908`	`}`
`2903`		`- $ping = if ($CAHostFQDN) { Test-Connection -ComputerName $CAHostFQDN -Count 1 -Quiet } else { Write-Warning "Unable to resolve $($_.Name) Fully Qualified Domain Name (FQDN)" }`
	`2909`	`+ $ping = if ($CAHostFQDN) {`
	`2910`	`+ Test-Connection -ComputerName $CAHostFQDN -Count 1 -Quiet`
	`2911`	`+ }`
	`2912`	`+ else {`
	`2913`	`+ Write-Warning "Unable to resolve $($_.Name) Fully Qualified Domain Name (FQDN)"`
	`2914`	`+ }`
`2904`	`2915`	`if ($ping) {`
`2905`	`2916`	`try {`
`2906`	`2917`	`if ($Credential) {`
`@@ -3395,23 +3406,23 @@ function Set-RiskRating {`
`3395`	`3406`	`switch ($Issue.objectClass) {`
`3396`	`3407`	`# Being able to modify Root CA Objects is very bad.`
`3397`	`3408`	`'certificationAuthority' {`
`3398`		`- $RiskValue += 2; $RiskScoring += 'Root Certification Authority bject: +2'`
	`3409`	`+ $RiskValue += 2; $RiskScoring += 'Root Certification Authority bject: +2'`
`3399`	`3410`	`}`
`3400`	`3411`	`# Being able to modify Issuing CA Objects is also very bad.`
`3401`	`3412`	`'pKIEnrollmentService' {`
`3402`		`- $RiskValue += 2; $RiskScoring += 'Issuing Certification Authority Object: +2'`
	`3413`	`+ $RiskValue += 2; $RiskScoring += 'Issuing Certification Authority Object: +2'`
`3403`	`3414`	`}`
`3404`	`3415`	`# Being able to modify CA Hosts? Yeah... very bad.`
`3405`	`3416`	`'computer' {`
`3406`		`- $RiskValue += 2; $RiskScoring += 'Certification Authority Host Computer: +2'`
	`3417`	`+ $RiskValue += 2; $RiskScoring += 'Certification Authority Host Computer: +2'`
`3407`	`3418`	`}`
`3408`	`3419`	`# Being able to modify OIDs could result in ESC13 vulns.`
`3409`	`3420`	`'msPKI-Enterprise-Oid' {`
`3410`		`- $RiskValue += 1; $RiskScoring += 'OID: +1'`
	`3421`	`+ $RiskValue += 1; $RiskScoring += 'OID: +1'`
`3411`	`3422`	`}`
`3412`	`3423`	`# Being able to modify PKS containers is bad.`
`3413`	`3424`	`'container' {`
`3414`		`- $RiskValue += 1; $RiskScoring += 'Container: +1'`
	`3425`	`+ $RiskValue += 1; $RiskScoring += 'Container: +1'`
`3415`	`3426`	`}`
`3416`	`3427`	`}`
`3417`	`3428`	`}`
`@@ -3420,19 +3431,19 @@ function Set-RiskRating {`
`3420`	`3431`	`# Convert Value to Name`
`3421`	`3432`	`$RiskName = switch ($RiskValue) {`
`3422`	`3433`	`{ $_ -le 1 } {`
`3423`		`- 'Informational'`
	`3434`	`+ 'Informational'`
`3424`	`3435`	`}`
`3425`	`3436`	`2 {`
`3426`		`- 'Low'`
	`3437`	`+ 'Low'`
`3427`	`3438`	`}`
`3428`	`3439`	`3 {`
`3429`		`- 'Medium'`
	`3440`	`+ 'Medium'`
`3430`	`3441`	`}`
`3431`	`3442`	`4 {`
`3432`		`- 'High'`
	`3443`	`+ 'High'`
`3433`	`3444`	`}`
`3434`	`3445`	`{ $_ -ge 5 } {`
`3435`		`- 'Critical'`
	`3446`	`+ 'Critical'`
`3436`	`3447`	`}`
`3437`	`3448`	`}`
`3438`	`3449`
@@ -3981,7 +3992,7 @@ Set-Acl -Path `$Path -AclObject `$ACL
`3981`	`3992`	`"@`
`3982`	`3993`	`}`
`3983`	`3994`	`4 {`
`3984`		`- break`
	`3995`	`+ break`
`3985`	`3996`	`}`
`3986`	`3997`	`5 {`
`3987`	`3998`	`$Issue.Fix = @"`
`@@ -4144,10 +4155,10 @@ Function Write-HostColorized {`
`4144`	`4155`	`# We precompile them for better performance with many input objects.`
`4145`	`4156`	`[System.Text.RegularExpressions.RegexOptions] $reOpts =`
`4146`	`4157`	`if ($CaseSensitive) {`
`4147`		`- 'Compiled, ExplicitCapture'`
	`4158`	`+ 'Compiled, ExplicitCapture'`
`4148`	`4159`	`}`
`4149`	`4160`	`else {`
`4150`		`- 'Compiled, ExplicitCapture, IgnoreCase'`
	`4161`	`+ 'Compiled, ExplicitCapture, IgnoreCase'`
`4151`	`4162`	`}`
`4152`	`4163`
`4153`	`4164`	`# Transform the dictionary:`
`@@ -4169,10 +4180,10 @@ Function Write-HostColorized {`
`4169`	`4180`	`}`
`4170`	`4181`	`$colorArgs = @{ }`
`4171`	`4182`	`if ($fg) {`
`4172`		`- $colorArgs['ForegroundColor'] = [ConsoleColor] $fg`
	`4183`	`+ $colorArgs['ForegroundColor'] = [ConsoleColor] $fg`
`4173`	`4184`	`}`
`4174`	`4185`	`if ($bg) {`
`4175`		`- $colorArgs['BackgroundColor'] = [ConsoleColor] $bg`
	`4186`	`+ $colorArgs['BackgroundColor'] = [ConsoleColor] $bg`
`4176`	`4187`	`}`
`4177`	`4188`
`4178`	`4189`	`# Consolidate the patterns into a single pattern with alternation ('\|'),`
`@@ -4191,7 +4202,7 @@ Function Write-HostColorized {`
`4191`	`4202`	`}`
`4192`	`4203`	`}`
`4193`	`4204`	`catch {`
`4194`		`- throw`
	`4205`	`+ throw`
`4195`	`4206`	`}`
`4196`	`4207`
`4197`	`4208`	`# Construct the arguments to pass to Out-String.`
`@@ -4214,7 +4225,7 @@ Function Write-HostColorized {`
`4214`	`4225`	`foreach ($m in $entry.Key.Matches($_)) {`
`4215`	`4226`	`@{ Index = $m.Index; Text = $m.Value; ColorArgs = $entry.Value }`
`4216`	`4227`	`if ($WholeLine) {`
`4217`		`- break patternLoop`
	`4228`	`+ break patternLoop`
`4218`	`4229`	`}`
`4219`	`4230`	`}`
`4220`	`4231`	`}`
`@@ -4390,7 +4401,7 @@ function Invoke-Locksmith {`
`4390`	`4401`	`[System.Management.Automation.PSCredential]$Credential`
`4391`	`4402`	`)`
`4392`	`4403`
`4393`		`- $Version = '2025.3.28'`
	`4404`	`+ $Version = '2025.4.20'`
`4394`	`4405`	`$LogoPart1 = @'`
`4395`	`4406`	`_ _____ _______ _ _ _______ _______ _____ _______ _ _`
`4396`	`4407`	`\| \| \| \| \|____/ \|______ \| \| \| \| \| \|_____\|`