_ _____ _______ _ _ _______ _______ _____ _______ _ _
| | | | |____/ |______ | | | | | |_____|
|_____ |_____| |_____ | \_ ______| | | | __|__ | | |
.--. .--. .--.
/.-. '----------. /.-. '----------. /.-. '----------.
\'-' .---'-''-'-' \'-' .--'--''-'-' \'-' .--'--'-''-'
'--' '--' '--'
A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
- Locksmith must be run on a domain joined system.
- The ActiveDirectory and ServerManager PowerShell modules must be installed before importing the Locksmith module.
- Administrative rights may be required for some checks and for remediation.
Open a PowerShell prompt and install Locksmith from the PowerShell Gallery:
Install-Module -Name Locksmith -Scope CurrentUser-
Download and Use the Module Without Installing It
- Download the latest module version.
- Open a PowerShell prompt to the location of the extracted file and run:
Unblock-File .\Locksmith.zip # if necessary to unblock the download Expand-Archive .\Locksmith.zip Import-Module .\Locksmith\Locksmith.psd1 Invoke-Locksmith
-
Download the Standalone Script Without Module
- Download the latest monolithic (all-in-one) script version.
- Open a PowerShell prompt to the location of the downloaded file and run:
Unblock-File .\Invoke-Locksmith.zip Expand-Archive .\Invoke-Locksmith.zip -DestinationPath .\ .\Invoke-Locksmith.ps1
There are several modes you can chose from when running Invoke-Locksmith. You can also use the Scans parameter to choose which scans you want to invoke.
Running Invoke-Locksmith.ps1 with no parameters or with -Mode 0 will scan the current Active Directory forest and output all discovered AD CS issues to the console in Table format.
# Module Syntax
Invoke-Locksmith# Script Syntax
.\Invoke-Locksmith.ps1Example Output for Mode 0: https://github.com/jakehildreth/Locksmith/blob/main//Docs/Examples/Mode0.md
This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in List format.
# Module Syntax
Invoke-Locksmith -Mode 1# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 1Example Output for Mode 1: https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode1.md
Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.
# Module Syntax
Invoke-Locksmith -Mode 2# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 2Example Output for Mode 2: https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode2.md
In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.
# Module Syntax
Invoke-Locksmith -Mode 3# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 3Example Output for Mode 3: https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode3.md
Mode 4 is the "easy button." Running Locksmith in Mode 4 will identify all misconfigurations and offer to fix each issue. If there is any possible operational impact, Locksmith will warn you.
# Module Syntax
Invoke-Locksmith -Mode 4# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 4Example Output for Mode 4: https://github.com/jakehildreth/Locksmith/blob/main/Docs/Examples/Mode4.md
Use the -Scans parameter to choose which vulnerabilities to scan for. Acceptable values include All, Auditing, ESC1, ESC2, ESC3, ESC4, ESC5, ESC6, ESC7, ESC8, ESC9, ESC11, ESC13, ESC15, EKEUwu, ESC16 or PromptMe. The PromptMe option presents an interactive list allowing you to select one or more scans.
# Run all scans
Invoke-Locksmith -Scan All# Prompt the user for a list of scans to select
Invoke-Locksmith.ps1 -Scans PromptMe# Scan for ESC1 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1# Scan for ESC1, ESC2, and ESC8 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8Thank you for using Locksmith! 💜