feat: ESC8 detection and dashboard overhaul#63

Merged
jakehildreth merged 2 commits into main from feature/add-esc8-detection on May 12, 2026

Conversation

@jakehildreth
Owner

Summary

Two commits covering a full ESC8 detection implementation and a major dashboard refactor.

feat(esc8): detect NTLM relay to AD CS HTTP endpoints

New functions

  • Get-WebEnrollmentEndpointStatus — probes a single URL for NTLM auth exposure and EPA posture using HttpClient; returns $null on failure
  • Set-CAWebEnrollmentEndpoints — pipeline enrichment; probes 5 paths × http + https per CA and stores results on LS2AdcsObject.WebEnrollmentEndpoints

Detection

  • ESC8 definition added to ESCDefinitions.ps1 with maintenance comment listing all 4 required wiring points for future techniques
  • ESC8 detection branch in Find-LS2VulnerableCA: HTTP always flagged; HTTPS flagged when NTLM offered or EPA not required; dedup by URL
  • ESC8 added to $caTechniques in Initialize-LS2Scan and $techniques in Invoke-Locksmith2
  • [object[]]$WebEnrollmentEndpoints property added to LS2AdcsObject

Tests

  • 28 ESC8 unit tests in Find-LS2VulnerableCA.Tests.ps1
  • 9 enrichment tests in Set-CAWebEnrollmentEndpoints.Tests.ps1
  • Integration test stub in Get-WebEnrollmentEndpointStatus.Integration.Tests.ps1 (guarded by $env:LS2_TEST_CA_HOST)
  • 75-test Locksmith2.ESCCoverage.Tests.ps1 suite enforcing all 4 wiring points for every technique in ESCDefinitions

refactor(dashboard): DRY rewrite, ESC8 wiring, logo header, footer context

Structure

  • Replaced 8 per-tab hardcoded blocks with a single $tabDefs [ordered] hashtable and one foreach render loop; ~130 lines removed
  • All tab metadata (icon, color, technique filter, subtitle, title, sort column) defined once

Layout

  • Fixed tab off-by-one: New-HTMLSection before first New-HTMLTab was counting as a tab-content slot; moved header content to New-HTMLHeader
  • Removed -Transition from New-HTMLTabStyle (caused animation-phase off-by-one)
  • Replaced text title with Locksmith2.png logo (50% width, resolves from module base or source-tree fallback)
  • Context line (Forest, User, Computer, Generated) placed under logo
  • Issue count + tab description moved to italic footer below each data table
  • Renamed Misconfigurations tab to Dangerous Configurations

Coverage

  • ESC8 added to CAs and Dangerous Configurations tabs
  • ESC3c2, ESC4o, ESC5o added where missing from technique filters

- add Get-WebEnrollmentEndpointStatus (HttpClient probe) and Set-CAWebEnrollmentEndpoints (CA pipeline enrichment) to detect HTTP/HTTPS NTLM auth exposure and EPA posture on web enrollment endpoints
- add ESC8 definition, detection branch in Find-LS2VulnerableCA, and WebEnrollmentEndpoints property on LS2AdcsObject; wire ESC8 into Initialize-LS2Scan and Invoke-Locksmith2 technique lists
- add 75-test ESCCoverage suite that enforces all four wiring points for every technique in ESCDefinitions; add maintenance comment in ESCDefinitions listing required wiring steps
- add 28 ESC8 unit tests in Find-LS2VulnerableCA.Tests.ps1, 9 enrichment tests in Set-CAWebEnrollmentEndpoints.Tests.ps1, and integration test stub guarded by LS2_TEST_CA_HOST
- fix PS5.1 CP1252 encoding issue in Test-IsUtf8.ps1 (U+2713 checkmark replaced with [+])
…ntext

- replace per-tab hardcoded filter/table/format blocks with $tabDefs [ordered]
  hashtable (single source of truth for icon, color, technique filter, subtitle,
  sort column) and a single foreach render loop; eliminates ~130 lines of
  duplication
- add ESC8 to CAs and Dangerous Configurations tabs; fix tab off-by-one caused
  by New-HTMLSection before first New-HTMLTab (moved to New-HTMLHeader); remove
  -Transition from New-HTMLTabStyle (caused animation-phase shift); rename
  Misconfigurations to Dangerous Configurations
- replace title text in New-HTMLHeader with Locksmith2.png logo (50% width,
  resolved from module base or source-tree fallback) plus inline context line
  (Forest, User, Computer, Generated); move issue count + tab description to
  below each data table as italic footer; remove context lines from tab footer
- add ESC8, ESC3c2, ESC4o, ESC5o to technique filters; ensure all CA/template/
  object techniques consistently filtered across all 8 tabs
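The ESC8 flagging rule described above (HTTP always flagged; HTTPS flagged when NTLM is offered or EPA is not required; dedup by URL) as an added example that is not part of Locksmith2 or this PR. It assumes probe results with Url, NtlmOffered and EpaRequired properties and a $null entry for a failed probe; the real object shape returned by Get-WebEnrollmentEndpointStatus is not shown on this page.

```powershell
# Added example, not Locksmith2 code: applies the ESC8 rule from the PR description
# to constructed probe results and dedups the findings by URL.
function Get-Esc8Finding {
    [CmdletBinding()]
    param(
        # Probe results; Url, NtlmOffered and EpaRequired are assumed property names.
        [Parameter(Mandatory)]
        [object[]]$Endpoint
    )
    $seen = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($e in $Endpoint) {
        if ($null -eq $e) { continue }             # the probe returns $null on failure
        $uri = [uri]$e.Url
        $reason = switch ($uri.Scheme) {
            'http'  { 'HTTP enrollment endpoint: NTLM authentication is relayable' }
            'https' {
                # Rule as stated in the PR: flag when NTLM is offered OR EPA is not required.
                if ($e.NtlmOffered)          { 'HTTPS endpoint offers NTLM' }
                elseif (-not $e.EpaRequired) { 'HTTPS endpoint does not require EPA' }
            }
        }
        if (-not $reason) { continue }
        if (-not $seen.Add($e.Url)) { continue }  # dedup by URL
        [pscustomobject]@{
            Technique = 'ESC8'
            Url       = $e.Url
            Reason    = $reason
        }
    }
}

# Constructed sample input (not real probe output); hostnames are placeholders.
$sample = @(
    [pscustomobject]@{ Url = 'http://ca01.corp.example/certsrv/';  NtlmOffered = $true;  EpaRequired = $false }
    [pscustomobject]@{ Url = 'https://ca01.corp.example/certsrv/'; NtlmOffered = $true;  EpaRequired = $true  }
    [pscustomobject]@{ Url = 'https://ca02.corp.example/certsrv/'; NtlmOffered = $false; EpaRequired = $true  }
    [pscustomobject]@{ Url = 'http://ca01.corp.example/certsrv/';  NtlmOffered = $true;  EpaRequired = $false }
    $null
)

# Expected: two findings (ca01 over HTTP, ca01 over HTTPS); ca02 passes and the
# duplicate HTTP entry and the $null probe are skipped.
Get-Esc8Finding -Endpoint $sample | Format-Table -AutoSize
```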
@jakehildreth jakehildreth merged commit 065884e into main May 12, 2026
1 check passed
@jakehildreth jakehildreth deleted the feature/add-esc8-detection branch May 12, 2026 17:02