Enhance error handling in Get-CAHostObject and Find-ESC7 scripts

[rebelinux]

• Improved error handling in the Get-CAHostObject and Find-ESC7 scripts by verifying the presence of CAHostDistinguishedName before retrieving AD objects.

I did not modify the Invoke-Locksmith.ps1 file because my editor automatically changes the spacing between 'if' and 'else'. I'm unsure if this is a bug or if the file does not adhere to the specified formatting option.

“powershell.codeFormatting.preset": ‘OTBS’.

Before fix:

PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith> Invoke-Locksmith -Scans ESC7 -Verbose
    _       _____  _______ _     _ _______ _______ _____ _______ _     _
    |      |     | |       |____/  |______ |  |  |   |      |    |_____|
    |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |
        .--.                  .--.                  .--.
       /.-. '----------.     /.-. '----------.     /.-. '----------.
       \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'
        '--'                  '--'                  '--'
                                                          v<ModuleVersion>
Gathering AD CS Objects from pharmax.local...
WARNING: Unable to resolve pharmax-CAYEY-DC-01V-CA Fully Qualified Domain Name (FQDN)
Get-ADObject : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith\Private\Get-CAHostObject.ps1:47 char:30
+                 Get-ADObject $_.CAHostDistinguishedName -Properties * ...
+                              ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADObject
 
Identifying Issuing CAs with ESC7...
Exception calling "Translate" with "1" argument(s): "The trust relationship between the primary domain and the trusted domain failed.
"
At C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith\Private\Convert-IdentityReferenceToSid.ps1:33 char:9
+         $SID = ($Principal.Translate([System.Security.Principal.Secur ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SystemException
 
Exception calling "Translate" with "1" argument(s): "The trust relationship between the primary domain and the trusted domain failed.
"
At C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith\Private\Convert-IdentityReferenceToSid.ps1:33 char:9
+         $SID = ($Principal.Translate([System.Security.Principal.Secur ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SystemException

05/19/2025 14:54:52 : No ADCS issues were found.
PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith> 

After fix:

PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith> Invoke-Locksmith -Scans ESC7 -Verbose
    _       _____  _______ _     _ _______ _______ _____ _______ _     _
    |      |     | |       |____/  |______ |  |  |   |      |    |_____|
    |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |
        .--.                  .--.                  .--.
       /.-. '----------.     /.-. '----------.     /.-. '----------.
       \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'
        '--'                  '--'                  '--'
                                                          v<ModuleVersion>
Gathering AD CS Objects from pharmax.local...
WARNING: Unable to resolve pharmax-CAYEY-DC-01V-CA Fully Qualified Domain Name (FQDN)
WARNING: Get-CAHostObject: Unable to get information from pharmax-CAYEY-DC-01V-CA
Identifying Issuing CAs with ESC7...
----------------------------------------
     ESC7 - Non-standard PKI Admins     
----------------------------------------

Technique CA Name                  Risk   Issue
--------- -------                  ----   -----
ESC7      pharmax-SERVER-DC-01V-CA Medium Unexpected prinicipals (NT AUTHORITY\Authenticated Users) are granted "CA Administrator" rights on this Certification Authority.
                                          Unexpected prinicipals (NT AUTHORITY\Authenticated Users) are granted "Certificate Manager" rights on this Certification Authority.

                                          More info:
                                            - https://posts.specterops.io/certified-pre-owned-d95910965cd2



[!] You ran Locksmith in Mode 0 which only provides an high-level overview of issues
identified in the environment. For more details including:

  - DistinguishedName of impacted object(s)
  - Remediation guidance and/or code
  - Revert guidance and/or code (in case remediation breaks something!)

Run Locksmith in Mode 1!

# Module version
Invoke-Locksmith -Mode 1

# Script version
.\Invoke-Locksmith.ps1 -Mode 1

Thank you for using Locksmith <3

[jakehildreth]

DUDE. You're a beast. I'll look at this later tonight.

[rebelinux]

It also produced incorrect results in ESC16 when the CA was unavailable.

PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith> Invoke-Locksmith -Scans ESC16 -Verbose
    _       _____  _______ _     _ _______ _______ _____ _______ _     _
    |      |     | |       |____/  |______ |  |  |   |      |    |_____|
    |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |
        .--.                  .--.                  .--.
       /.-. '----------.     /.-. '----------.     /.-. '----------.      
       \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'      
        '--'                  '--'                  '--'
                                                          v<ModuleVersion>
Gathering AD CS Objects from pharmax.local...
WARNING: Unable to resolve pharmax-CAYEY-DC-01V-CA Fully Qualified Domain Name (FQDN)
Get-ADObject : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith\Private\Get-CAHostObject.ps1:47 char:30
+                 Get-ADObject $_.CAHostDistinguishedName -Properties * ...
+                              ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-ADObject], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADObject
 
Identifying Issuing CAs with szOID_NTDS_CA_SECURITY_EXT disabled (ESC16)...
---------------------------------------------------------------
     ESC16 - szOID_NTDS_CA_SECURITY_EXT Extension Disabled     
---------------------------------------------------------------

Technique CA Name                 Risk   Issue
--------- -------                 ----   -----
ESC16     pharmax-CAYEY-DC-01V-CA Medium **CA Unavailable**


[!] You ran Locksmith in Mode 0 which only provides an high-level overview of issues
identified in the environment. For more details including:

  - DistinguishedName of impacted object(s)
  - Remediation guidance and/or code
  - Revert guidance and/or code (in case remediation breaks something!)

Run Locksmith in Mode 1!

# Module version
Invoke-Locksmith -Mode 1

# Script version
.\Invoke-Locksmith.ps1 -Mode 1

Thank you for using Locksmith <3

PS C:\Users\blabla\Documents\WindowsPowerShell\Modules\Locksmith>

[jakehildreth]

Do you mind syncing your branch with the testing branch? There were a few updates that you are missing.

[rebelinux]

Done!

[jakehildreth]

Hmmmm, still not synced, but that's okay. It's only like 3 lines, so i'll do the work. Thank you for your PR!