Private/Get-VulnerableCertificateTemplate.ps1

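function Get-VulnerableCertificateTemplate {
    <#
    .SYNOPSIS
        Shows, for each template in $Script:RiskyPublishedTemplates, which principals hold
        the Enroll extended right, and lets the operator choose the template to work with.

    .DESCRIPTION
        For every listed template the ACL of the template object is read over LDAP and
        filtered to "Allow" ACEs for the Certificate-Enrollment extended right
        (0e10c968-78fb-11d2-90d4-00c04f79dc55). An ACE whose SID resolves to Domain Users
        (RID 513), Everyone (S-1-1-0) or Authenticated Users (S-1-5-11) makes that template
        the current candidate; an ACE for Domain Computers (RID 515) is remembered so the
        returned object can flag the template as enrollable by machine accounts.
        The candidate (initially the stored "BadCA" value) is then confirmed or replaced
        interactively; a replacement is written back with Set-KeyValue.

    .OUTPUTS
        [PSCustomObject] with Name, EnrollmentCA and AlsoByDomainComputers.

    .NOTES
        Reads state defined outside this function: $Script:RiskyPublishedTemplates
        (objects with Name, EnrollmentCA and DN), $yes, $no, the $fgc* colour values,
        $chkInheritedPerm and $StartRunTime.
    #>

    ################################################################################
    #####                                                                      #####
    #####            Finding Vulnerable Certificate Templates                  #####
    #####                                                                      #####
    ################################################################################

    $CurrentFunction = Get-FunctionName
    Write-Log -Message "### Start Function $CurrentFunction ###"
    #region ####################### main code #########################

    # Candidate template; starts from the stored value and may be replaced below.
    $CAtemplate = Get-KeyValue -key "BadCA"
    # Issuing CA of the candidate; resolved when a template is picked or matched by name.
    $CAEnrollment = $null
    # Upper-cased names of templates that Domain Computers (RID 515) may enroll.
    # Kept as a list so the final lookup is an exact name match, not a substring test.
    [string[]]$computerEnrollable = @()
    # Always an array, even with a single published template, so indexing by number
    # returns a template object rather than one character of the lone Name string.
    $templates = @($Script:RiskyPublishedTemplates)

    Invoke-Output -T CodeSnippet -M "A simple LDAP query is sufficient:"

    Write-Highlight -Text (' $SearchFilter ', '= ', ' "(&(objectClass=pKICertificateTemplate)(cn=', '$PublishedTemplate', ')(msPKI-Certificate-Name-Flag=1)(msPKI-Certificate-Application-Policy=1.3.6.1.5.5.7.3.2))"')`
        -Color $fgcR, $fgcF, $fgcV, $fgcR, $fgcV, $fgcF

    Write-Highlight -Text (' $Template ', '= ', ' Get-ADObject ', '-SearchBase ', '"CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,', '$forest" ', '-LDAPFilter ', '$SearchFilter ', '-SearchScope ', 'OneLevel')`
        -Color $fgcR, $fgcF, $fgcC, $fgcS, $fgcV, $fgcR, $fgcS, $fgcR, $fgcS, $fgcF

    Write-Host ""
    Write-Log -Message " Only a simple LDAP Query is needed."

    $question = "Would you like to run this step - Y or N? Default "
    $answer = Get-Answer -question $question -defaultValue $yes

    If ($answer -eq $yes) {
        # Enumerate who holds the Enroll right on each listed template.
        Foreach ($RiskyTemplate in $templates) {
            Write-Host "`n`nIdentified vulnerable certificate template " -NoNewline
            Write-Host "$($RiskyTemplate.Name)" -ForegroundColor Yellow
            Write-Host "on Certification Authority '$($RiskyTemplate.EnrollmentCA)'."
            Write-Host "The template can be enrolled by:`n"

            $DSobject = [adsi]("LDAP://$($RiskyTemplate.DN)")
            # NOTE(review): $chkInheritedPerm is not defined in this function; if it is
            # unset the second argument coerces to $false and inherited ACEs are skipped.
            $secd = $DSobject.psbase.get_objectSecurity().getAccessRules($true, $chkInheritedPerm.checked, [System.Security.Principal.NTAccount])
            # Keep only Allow ACEs that grant the Certificate-Enrollment extended right.
            $results = $secd | Where-Object { $_.AccessControlType -eq "Allow" -and $_.ObjectType -eq "0e10c968-78fb-11d2-90d4-00c04f79dc55" -and $_.ActiveDirectoryRights -like "*ExtendedRight*" } | Select-Object IdentityReference

            foreach ($result in $results) {
                try {
                    $sid = $result.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                }
                catch {
                    # Identity cannot be translated (e.g. orphaned account); treated as unclassified.
                    $sid = "n/a"
                }
                [string]$displayText = "$($result.IdentityReference)"

                If ($sid -match '(-513|S-1-1-0|S-1-5-11)$') {
                    # Domain Users, Everyone or Authenticated Users: broadly held principal.
                    Write-Host (" - $displayText").PadRight(60, [Char]32) -NoNewline
                    Write-Host " << Bingo!" -ForegroundColor Red
                    $CAtemplate = $RiskyTemplate.Name
                    $CAEnrollment = $RiskyTemplate.EnrollmentCA
                }
                elseif ($sid -match '(-515)$') {
                    # Domain Computers: remember the template for the AlsoByDomainComputers flag.
                    Write-Host (" - $displayText").PadRight(60, [Char]32) -NoNewline
                    Write-Host " << Bingo!" -ForegroundColor Red
                    $computerEnrollable += $RiskyTemplate.Name.ToUpper()
                }
                else {
                    Write-Host " - $displayText"
                }
            }
        }
    }

    Do {
        $question = "Do you want to use CA template '$CAtemplate' - Y or N? Default "
        $prompt = Get-Answer -question $question -defaultValue $yes

        if ($prompt -ne $yes) {
            Write-Host ""
            [int]$i = 0
            Foreach ($ca in $templates) {
                Write-Host " [" -NoNewline
                Write-Host $i -ForegroundColor Yellow -NoNewline
                Write-Host "] - $($ca.Name)"
                $i++
            }
            Write-Host ""
            $max = $i - 1
            if ($max -lt 0) {
                # Nothing to choose from: keep the current candidate instead of prompting forever.
                Write-Log -Message " No published templates listed; keeping '$CAtemplate'."
                break
            }
            # Get-Random -Maximum is exclusive: +1 keeps the last index reachable and avoids
            # the Minimum/Maximum error when only one template is listed ($max -eq 0).
            $example = Get-Random -Minimum 0 -Maximum ($max + 1)
            [int]$selectedIndex = 0
            do {
                $n = Read-Host "Type in the NUMBER for your preferred CA Template, e.g. $example"
                if ([int]::TryParse($n, [ref]$selectedIndex) -and $selectedIndex -ge 0 -and $selectedIndex -le $max) {
                    $repeat = $no
                }
                else {
                    $repeat = $yes
                    Write-Host $n -NoNewline -ForegroundColor Yellow
                    Write-Host " is out of scope!"
                }
            } Until ($repeat -eq $no)

            $CAtemplate = $templates[$selectedIndex].Name
            $CAEnrollment = $templates[$selectedIndex].EnrollmentCA

            Set-KeyValue -key "BadCA" -NewValue $CAtemplate
            Write-Host ""
        }
    } Until ($prompt -eq $yes)

    # The stored candidate may have been accepted without being picked from the list;
    # resolve its issuing CA from the list when the names match.
    if (-not $CAEnrollment) {
        $known = $templates | Where-Object { $_.Name -eq $CAtemplate } | Select-Object -First 1
        if ($known) {
            $CAEnrollment = $known.EnrollmentCA
        }
    }

    # Exact name match (the list is upper-cased; -contains is case-insensitive anyway),
    # so a template named "User" is not flagged because of "USERSIGNATURE".
    [bool]$UseDomainComputers = $computerEnrollable -contains "$CAtemplate".ToUpper()

    $CA = [PSCustomObject]@{
        Name                  = $CAtemplate
        EnrollmentCA          = $CAEnrollment
        AlsoByDomainComputers = $UseDomainComputers
    }

    Write-Log -Message " >> using $CAtemplate, can be enrolled by Domain Computer - $UseDomainComputers"
    #endregion ##################### main code ############################
    # NOTE(review): $StartRunTime is not set in this function; assumed script-scoped.
    $runtime = Get-RunTime -StartRunTime $StartRunTime
    Write-Log -Message " Run Time: $runtime [h] ###"
    Write-Log -Message "### End Function $CurrentFunction ###"

    return $CA
}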