False Positives in ESC4 from Incomplete Filtering
TrimarcJake opened this issue · 1 comment
TrimarcJake commented
Description: Locksmith is alerting on safe objects.
Example: CN=Machine,CN=Certificate Templates... has the following set of rights:

```
ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight
InheritanceType       : None
ObjectType            : 0e10c968-78fb-11d2-90d4-00c04f79dc55
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : MARVEL\Domain Computers
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None
```
This is safe because WriteProperty only applies to the 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Enroll) right.
Expected Result: No alert on this template.
Actual Result: Locksmith marks this as ESC4.
Proposed Solution: ESC4 check should filter out anything to do with ObjectType 0e10c968-78fb-11d2-90d4-00c04f79dc55 (Enroll) and a05b8cc2-17bc-4802-a710-e7c15ab866a2 (AutoEnroll).
Special thanks to Thomas Andresen for bringing this to my attention!
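The filter proposed above, as an added PowerShell example that is not Locksmith's own code: an object-specific ACE whose ObjectType is the Enroll or AutoEnroll GUID is skipped, while a write right over the whole template object is still flagged. The ACE objects are constructed inline to mirror the quoted Get-Acl output, and Test-Esc4Ace is a hypothetical helper name.

```powershell
# Added example, not Locksmith's code. In a live audit the ACEs would come from
# (Get-Acl "AD:\$templateDN").Access; here they are constructed inline.

# AD CS extended-right GUIDs quoted in the issue
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Rights that let a principal rewrite a template (the ESC4 concern)
$DangerousRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty'

function Test-Esc4Ace {
    # Hypothetical helper: returns $true when the ACE should be reported as ESC4
    param([Parameter(Mandatory)] $Ace)

    # Only Allow ACEs can grant anything
    if ($Ace.AccessControlType -ne 'Allow') { return $false }

    # ActiveDirectoryRights renders as "ReadProperty, WriteProperty, ..." when cast to string
    $rights    = "$($Ace.ActiveDirectoryRights)" -split ',\s*'
    $dangerous = $rights | Where-Object { $_ -in $DangerousRights }
    if (-not $dangerous) { return $false }

    # An ACE scoped to the Enroll or AutoEnroll object type only governs that
    # right; WriteProperty limited to it cannot modify the template itself.
    # The null GUID (applies to the whole object) is still flagged.
    $objectType = [guid]$Ace.ObjectType
    if ($objectType -eq $EnrollGuid -or $objectType -eq $AutoEnrollGuid) {
        return $false
    }
    return $true
}

# Constructed sample ACEs: the first is the safe one quoted in the issue, the
# second grants WriteProperty over the whole template object (a real ESC4 case).
$sampleAces = @(
    [pscustomobject]@{
        ActiveDirectoryRights = 'ReadProperty, WriteProperty, ExtendedRight'
        ObjectType            = '0e10c968-78fb-11d2-90d4-00c04f79dc55'
        AccessControlType     = 'Allow'
        IdentityReference     = 'MARVEL\Domain Computers'
    },
    [pscustomobject]@{
        ActiveDirectoryRights = 'ReadProperty, WriteProperty'
        ObjectType            = '00000000-0000-0000-0000-000000000000'
        AccessControlType     = 'Allow'
        IdentityReference     = 'MARVEL\Domain Users'   # constructed principal
    }
)

foreach ($ace in $sampleAces) {
    '{0,-25} ESC4={1}' -f $ace.IdentityReference, (Test-Esc4Ace $ace)
}
```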
TrimarcJake commented
Resolved in #56