Update module metadata, add ESC17 vulnerability detection, and enhance risk assessment

- Updated copyright year in Locksmith.psd1 to 2026 and incremented module version to 2026.1.4.1411.
- Modified Format-Result.ps1 to change ESC1 description and added ESC17 vulnerability.
- Enhanced Invoke-Scans.ps1 to include ESC17 in scan options and processing logic.
- Updated Set-RiskRating.ps1 to account for ESC17 in risk scoring.
- Extended Invoke-Locksmith.ps1 to handle server authentication EKUs for ESC17.
- Implemented Find-ESC17.ps1 to identify AD CS templates with dangerous configurations related to server authentication.

Author: jakehildreth

Build/Build-Module.ps1

@@ -26,7 +26,7 @@ $CopyrightYear = if ($Calver) { $CalVer.Split('.')[0] } else { (Get-Date -Format
 Build-Module -ModuleName 'Locksmith' {
     # Usual defaults as per standard module
     $Manifest = [ordered] @{
-        ModuleVersion        = if ($Calver) { $CalVer } else { (Get-Date -Format yyyy.M.d.Hmm -AsUTC) }
+        ModuleVersion        = if ($Calver) { $CalVer } else { (Get-Date -Format yyyy.M.d.Hmm) }
         CompatiblePSEditions = @('Desktop', 'Core')
         GUID                 = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
         Author               = 'Jake Hildreth'
@@ -132,7 +132,7 @@ Build-Module -ModuleName 'Locksmith' {
 
             # The scans to run. Defaults to 'All'.
             [Parameter()]
-            [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'All', 'PromptMe')]
+            [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'ESC17', 'All', 'PromptMe')]
             [array]$Scans = 'All',
 
             [Parameter()]

Invoke-Locksmith.ps1

@@ -3,18 +3,19 @@
     Author               = 'Jake Hildreth'
     CmdletsToExport      = @()
     CompatiblePSEditions = @('Desktop', 'Core')
-    Copyright            = '(c) 2022 - 2025. All rights reserved.'
+    Copyright            = '(c) 2022 - 2026. All rights reserved.'
     Description          = 'A small tool to find and fix common misconfigurations in Active Directory Certificate Services.'
     FunctionsToExport    = 'Invoke-Locksmith'
     GUID                 = 'b1325b42-8dc4-4f17-aa1f-dcb5984ca14a'
     HelpInfoURI          = 'https://raw.githubusercontent.com/jakehildreth/Locksmith/main/en-US/'
-    ModuleVersion        = '2025.10.29.1143'
+    ModuleVersion        = '2026.1.4.1411'
     PowerShellVersion    = '5.1'
     PrivateData          = @{
         PSData = @{
             ExternalModuleDependencies = @('ActiveDirectory', 'ServerManager', 'Microsoft.PowerShell.Utility', 'Microsoft.PowerShell.LocalAccounts', 'Microsoft.PowerShell.Management', 'Microsoft.PowerShell.Security', 'CimCmdlets', 'Dism')
             IconUri                    = 'https://raw.githubusercontent.com/jakehildreth/Locksmith/main/Images/locksmith.ico'
             ProjectUri                 = 'https://github.com/jakehildreth/Locksmith'
+            RequireLicenseAcceptance   = $false
             Tags                       = @('Locksmith', 'ActiveDirectory', 'ADCS', 'CA', 'Certificate', 'CertificateAuthority', 'CertificateServices', 'PKI', 'X509', 'Windows')
         }
     }

Locksmith.psd1

@@ -0,0 +1,112 @@
+function Find-ESC17 {
+    <#
+    .SYNOPSIS
+        This script finds AD CS (Active Directory Certificate Services) objects that have the ESC1 vulnerability.
+
+    .DESCRIPTION
+        The script takes an array of ADCS objects as input and filters them based on the specified conditions.
+        For each matching object, it creates a custom object with properties representing various information about
+        the object, such as Forest, Name, DistinguishedName, IdentityReference, ActiveDirectoryRights, Issue, Fix, Revert, and Technique.
+
+    .PARAMETER ADCSObjects
+        Specifies the array of ADCS objects to be processed. This parameter is mandatory.
+
+    .PARAMETER SafeUsers
+        Specifies the list of SIDs of safe users who are allowed to have specific rights on the objects. This parameter is mandatory.
+
+    .PARAMETER ServerAuthEKUs
+        A list of EKUs that can be used for server authentication.
+
+    .OUTPUTS
+        The script outputs an array of custom objects representing the matching ADCS objects and their associated information.
+
+    .EXAMPLE
+        $Targets = Get-Target
+        $ADCSObjects = Get-ADCSObject -Targets $Targets
+        $SafeUsers = '-512$|-519$|-544$|-18$|-517$|-500$|-516$|-521$|-498$|-9$|-526$|-527$|S-1-5-10'
+        $ServerAuthEKUs = '1\.3\.6\.1\.5\.5\.7\.3\.1' 
+        $Results = Find-ESC1 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ClientAuthEKUs $ServerAuthEKUs
+        $Results
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory)]
+        [Microsoft.ActiveDirectory.Management.ADEntity[]]$ADCSObjects,
+        [Parameter(Mandatory)]
+        [string]$SafeUsers,
+        [Parameter(Mandatory)]
+        $ServerAuthEKUs,
+        [Parameter(Mandatory)]
+        [int]$Mode,
+        [Parameter(Mandatory)]
+        [string]$UnsafeUsers,
+        [switch]$SkipRisk
+    )
+    $ADCSObjects | Where-Object {
+        ($_.objectClass -eq 'pKICertificateTemplate') -and
+        ($_.pkiExtendedKeyUsage -match $ServerAuthEKUs) -and
+        ($_.'msPKI-Certificate-Name-Flag' -band 1) -and
+        !($_.'msPKI-Enrollment-Flag' -band 2) -and
+        ( ($_.'msPKI-RA-Signature' -eq 0) -or ($null -eq $_.'msPKI-RA-Signature') )
+    } | ForEach-Object {
+        foreach ($entry in $_.nTSecurityDescriptor.Access) {
+            $Principal = New-Object System.Security.Principal.NTAccount($entry.IdentityReference)
+            if ($Principal -match '^(S-1|O:)') {
+                $SID = $Principal
+            } else {
+                $SID = ($Principal.Translate([System.Security.Principal.SecurityIdentifier])).Value
+            }
+            if (
+                ($SID -notmatch $SafeUsers) -and
+                ( ( ($entry.ActiveDirectoryRights -match 'ExtendedRight') -and
+                    ( $entry.ObjectType -match '0e10c968-78fb-11d2-90d4-00c04f79dc55|00000000-0000-0000-0000-000000000000' ) ) -or
+                ($entry.ActiveDirectoryRights -match 'GenericAll') )
+            ) {
+                $Issue = [pscustomobject]@{
+                    Forest                = $_.CanonicalName.split('/')[0]
+                    Name                  = $_.Name
+                    DistinguishedName     = $_.DistinguishedName
+                    IdentityReference     = $entry.IdentityReference
+                    IdentityReferenceSID  = $SID
+                    ActiveDirectoryRights = $entry.ActiveDirectoryRights
+                    Enabled               = $_.Enabled
+                    EnabledOn             = $_.EnabledOn
+                    Issue                 = @"
+$($entry.IdentityReference) can provide a Subject Alternative Name (SAN) while
+enrolling in this Server Authentication template, and enrollment does not require
+Manager Approval.
+
+The resultant certificate can be used by an attacker to impersonate servers
+and perform Machine-in-the-Middle Attacks
+
+More info:
+  - https://trustedsec.com/blog/wsus-is-sus-ntlm-relay-attacks-in-plain-sight
+  - https://blog.digitrace.de/2026/01/using-adcs-to-attack-https-enabled-wsus-clients/
+
+"@
+                    Fix                   = @"
+# Enable Manager Approval
+`$Object = '$($_.DistinguishedName)'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 2}
+"@
+                    Revert                = @"
+# Disable Manager Approval
+`$Object = '$($_.DistinguishedName)'
+Get-ADObject `$Object | Set-ADObject -Replace @{'msPKI-Enrollment-Flag' = 0}
+"@
+                    Technique             = 'ESC17'
+                }
+
+                if ($SkipRisk -eq $false) {
+                    Set-RiskRating -ADCSObjects $ADCSObjects -Issue $Issue -SafeUsers $SafeUsers -UnsafeUsers $UnsafeUsers
+                }
+
+                # if ( $Mode -in @(1, 3, 4) ) {
+                #     Update-ESC1Remediation -Issue $Issue
+                # }
+
+                $Issue
+            }
+        }
+    }
+}

Private/Find-ESC17.ps1

@@ -32,7 +32,7 @@ function Format-Result {
 
     $IssueTable = @{
         DETECT        = 'Auditing Not Fully Enabled'
-        ESC1          = 'ESC1 - Vulnerable Certificate Template - Authentication'
+        ESC1          = 'ESC1 - Vulnerable Certificate Template - Client Authentication'
         ESC2          = 'ESC2 - Vulnerable Certificate Template - Subordinate CA/Any Purpose'
         ESC3          = 'ESC3 - Vulnerable Certificate Template - Enrollment Agent'
         ESC4          = 'ESC4 - Vulnerable Access Control - Certificate Template'
@@ -45,6 +45,7 @@ function Format-Result {
         ESC13         = 'ESC13 - Vulnerable Certificate Template - Group-Linked'
         'ESC15/EKUwu' = 'ESC15 - Vulnerable Certificate Template - Schema V1'
         ESC16         = 'ESC16 - szOID_NTDS_CA_SECURITY_EXT Extension Disabled on CA'
+        ESC17         = 'ESC17 - Vulnerable Certificate Template - Server Authentication'
     }
 
     $RiskTable = @{
@@ -73,7 +74,7 @@ function Format-Result {
                     Format-Table Technique, @{l = 'CA Name'; e = { $_.Name } }, @{l = 'Risk'; e = { $_.RiskName } }, Issue -Wrap |
                     Write-HostColorized -PatternColorMap $RiskTable -CaseSensitive
                 }
-                { $_ -in @('ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC9', 'ESC13', 'ESC15/EKUwu') } {
+                { $_ -in @('ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC9', 'ESC13', 'ESC15/EKUwu', 'ESC17') } {
                     $Issue |
                     Format-Table Technique, @{l = 'Template Name'; e = { $_.Name } }, @{l = 'Risk'; e = { $_.RiskName } }, Enabled, Issue -Wrap |
                     Write-HostColorized -PatternColorMap $RiskTable -CaseSensitive

Private/Format-Result.ps1

@@ -6,7 +6,7 @@ function Invoke-Scans {
     .PARAMETER Scans
         Specifies the type of scans to perform. Multiple scan options can be provided as an array. The default value is 'All'.
         The available scan options are: 'Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC8', 'ESC9', 'ESC11',
-            'ESC13', 'ESC15, 'EKUwu', 'ESC16', 'All', 'PromptMe'.
+            'ESC13', 'ESC15, 'EKUwu', 'ESC16', 'ESC17', 'All', 'PromptMe'.
 
     .NOTES
         - The script requires the following functions to be defined: Find-AuditingIssue, Find-ESC1, Find-ESC2, Find-ESC3C1,
@@ -37,6 +37,8 @@ function Invoke-Scans {
         [Parameter(Mandatory)]
         [string]$ClientAuthEkus,
         [Parameter(Mandatory)]
+        [string]$ServerAuthEkus,
+        [Parameter(Mandatory)]
         [string]$DangerousRights,
         [Parameter(Mandatory)]
         [string]$EnrollmentAgentEKU,
@@ -48,7 +50,7 @@ function Invoke-Scans {
         [string]$SafeUsers,
         [Parameter(Mandatory)]
         [string]$SafeOwners,
-        [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'All', 'PromptMe')]
+        [ValidateSet('Auditing', 'ESC1', 'ESC2', 'ESC3', 'ESC4', 'ESC5', 'ESC6', 'ESC7', 'ESC8', 'ESC9', 'ESC11', 'ESC13', 'ESC15', 'EKUwu', 'ESC16', 'ESC17', 'All', 'PromptMe')]
         [array]$Scans = 'All',
         [Parameter(Mandatory)]
         [string]$UnsafeUsers,
@@ -133,6 +135,10 @@ function Invoke-Scans {
             Write-Host 'Identifying Issuing CAs with szOID_NTDS_CA_SECURITY_EXT disabled (ESC16)...'
             [array]$ESC16 = Find-ESC16 -ADCSObjects $ADCSObjects -UnsafeUsers $UnsafeUsers
         }
+        ESC17 {
+            Write-Host 'Identifying AD CS templates with dangerous ESC17 configurations...'
+            [array]$ESC17 = Find-ESC17 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ServerAuthEKUs $ServerAuthEKUs -Mode $Mode -UnsafeUsers $UnsafeUsers
+        }
         All {
             Write-Host 'Identifying auditing issues...'
             [array]$AuditingIssues = Find-AuditingIssue -ADCSObjects $ADCSObjects
@@ -163,10 +169,12 @@ function Invoke-Scans {
             [array]$ESC15 = Find-ESC15 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -UnsafeUsers $UnsafeUsers
             Write-Host 'Identifying Certificate Authorities with szOID_NTDS_CA_SECURITY_EXT disabled (ESC16)...'
             [array]$ESC16 = Find-ESC16 -ADCSObjects $ADCSObjects -UnsafeUsers $UnsafeUsers
+            Write-Host 'Identifying AD CS templates with dangerous ESC17 configurations...'
+            [array]$ESC17 = Find-ESC17 -ADCSObjects $ADCSObjects -SafeUsers $SafeUsers -ServerAuthEKUs $ServerAuthEkus -Mode $Mode -UnsafeUsers $UnsafeUsers
         }
     }
 
-    [array]$AllIssues = $AuditingIssues + $ESC1 + $ESC2 + $ESC3 + $ESC4 + $ESC5 + $ESC6 + $ESC7 + $ESC8 + $ESC9 + $ESC11 + $ESC13 + $ESC15 + $ESC16
+    [array]$AllIssues = $AuditingIssues + $ESC1 + $ESC2 + $ESC3 + $ESC4 + $ESC5 + $ESC6 + $ESC7 + $ESC8 + $ESC9 + $ESC11 + $ESC13 + $ESC15 + $ESC16 + $ESC17
 
     # If these are all empty = no issues found, exit
     if ($AllIssues.Count -lt 1) {
@@ -191,5 +199,6 @@ function Invoke-Scans {
         ESC13          = $ESC13
         ESC15          = $ESC15
         ESC16          = $ESC16
+        ESC17          = $ESC17
     }
 }

Private/Invoke-Scans.ps1

@@ -55,7 +55,7 @@ function Set-RiskRating {
     $RiskScoring = @()
 
     # CA issues don't rely on a principal and have a base risk of Medium.
-    if ($Issue.Technique -in @('DETECT', 'ESC6', 'ESC7', 'ESC8', 'ESC11', 'ESC16')) {
+    if ($Issue.Technique -in @('DETECT', 'ESC6', 'ESC7', 'ESC8', 'ESC11','ESC17')) {
         $RiskValue += 3
         $RiskScoring += 'Base Score: 3'
 
@@ -104,7 +104,7 @@ function Set-RiskRating {
     }
 
     # Template and object issues rely on a principal and have complex scoring.
-    if ($Issue.Technique -notin @('DETECT', 'ESC6', 'ESC7', 'ESC8', 'ESC11', 'ESC16')) {
+    if ($Issue.Technique -notin @('DETECT', 'ESC6', 'ESC7', 'ESC8', 'ESC11','ESC17')) {
         $RiskScoring += 'Base Score: 0'
 
         # Templates are more dangerous when enabled, but objects cannot be enabled/disabled.

Private/Set-RiskRating.ps1

@@ -101,6 +101,7 @@ function Invoke-Locksmith {
             'ESC15',
             'EKUwu',
             'ESC16',
+            'ESC17',
             'All',
             'PromptMe'
         )]
@@ -155,6 +156,9 @@ function Invoke-Locksmith {
     # Extended Key Usages for client authentication. A requirement for ESC1, ESC3 Condition 2, and ESC13
     $ClientAuthEKUs = '1\.3\.6\.1\.5\.5\.7\.3\.2|1\.3\.6\.1\.5\.2\.3\.4|1\.3\.6\.1\.4\.1\.311\.20\.2\.2|2\.5\.29\.37\.0'
 
+    # Extended Key Usages for server authentication. A requirement for ESC17
+    $ServerAuthEKUs = '1\.3\.6\.1\.5\.5\.7\.3\.1'
+
     # GenericAll, WriteDacl, and WriteOwner all permit full control of an AD object.
     # WriteProperty may or may not permit full control depending the specific property and AD object type.
     $DangerousRights = 'GenericAll|Write'
@@ -264,6 +268,7 @@ function Invoke-Locksmith {
     $ScansParameters = @{
         ADCSObjects        = $ADCSObjects
         ClientAuthEkus     = $ClientAuthEKUs
+        ServerAuthEKUs     = $ServerAuthEKUs
         DangerousRights    = $DangerousRights
         EnrollmentAgentEKU = $EnrollmentAgentEKU
         Mode               = $Mode
@@ -291,6 +296,7 @@ function Invoke-Locksmith {
     $ESC13 = $Results['ESC13']
     $ESC15 = $Results['ESC15']
     $ESC16 = $Results['ESC16']
+    $ESC17 = $Results['ESC17']
 
     # If these are all empty = no issues found, exit
     if ($null -eq $Results) {
@@ -316,6 +322,7 @@ function Invoke-Locksmith {
             Format-Result -Issue $ESC13 -Mode 0
             Format-Result -Issue $ESC15 -Mode 0
             Format-Result -Issue $ESC16 -Mode 0
+            Format-Result -Issue $ESC17 -Mode 0
             Write-Host @"
 [!] You ran Locksmith in Mode 0 which only provides an high-level overview of issues
 identified in the environment. For more details including:
@@ -350,6 +357,7 @@ Invoke-Locksmith -Mode 1
             Format-Result -Issue $ESC13 -Mode 1
             Format-Result -Issue $ESC15 -Mode 1
             Format-Result -Issue $ESC16 -Mode 1
+            Format-Result -Issue $ESC17 -Mode 1
         }
         2 {
             $Output = Join-Path -Path $OutputPath -ChildPath "$FilePrefix ADCSIssues.CSV"