feat(esc13): Add ESC13 (Group-Linked OID Policy) Detection#67
Merged
Conversation
- Add 5 new LS2AdcsObject properties for OID/group-link tracking (CertificatePolicy, CertTemplateOID, OIDToGroupLink, HasLinkedGroupOIDPolicy, LinkedGroupOIDPolicies)
- Implement Set-LinkedGroupOIDPolicy to cross-reference msPKI-Enterprise-Oid objects in AdcsObjectStore via OID lookup map
- Add ESC13 definition to ESCDefinitions.ps1 with Conditions, IssueTemplate, FixTemplate, and RevertTemplate
- Wire ESC13 into Find-LS2VulnerableTemplate (ValidateSet, $(LinkedGroup) expansion), Initialize-AdcsObjectStore pipeline, Initialize-LS2Scan, and Invoke-Locksmith2
- Add 22 new tests (Set-LinkedGroupOIDPolicy + ESC13 scan path); 627 total, 0 failures; build clean
Summary
Implements detection of the ESC13 attack technique — a certificate template vulnerability where an application policy OID is linked to a universal group via `msDS-OIDToGroupLink` on an `msPKI-Enterprise-Oid` AD object. An enrollee who authenticates using a certificate issued from such a template silently gains the rights of the linked group without appearing in its member list.

Reference: https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
Changes
Data Model
- `Classes/LS2AdcsObject.ps1` — 5 new properties: `CertificatePolicy`, `CertTemplateOID`, `OIDToGroupLink`, `HasLinkedGroupOIDPolicy`, `LinkedGroupOIDPolicies`

New Function
- `Private/Set/Set-LinkedGroupOIDPolicy.ps1` — builds an OID→group DN lookup map from all `msPKI-Enterprise-Oid` objects in `AdcsObjectStore`, then enriches certificate template objects with the two computed properties

Detection Wiring
- `Private/Data/ESCDefinitions.ps1` — ESC13 entry with `Conditions`, `IssueTemplate`, `FixTemplate`, `RevertTemplate`
- `Private/Initialize/Initialize-AdcsObjectStore.ps1` — `Set-LinkedGroupOIDPolicy` added to template enrichment pipeline after `Set-AuthenticationEKUExist`
- `Public/Find-LS2VulnerableTemplate.ps1` — `ESC13` added to `ValidateSet` and no-technique list; `$(LinkedGroup)` variable expansion added to standard enrollee issue branch
- `Private/Initialize/Initialize-LS2Scan.ps1` — `ESC13` added to `$templateTechniques`
- `Public/Invoke-Locksmith2.ps1` — `ESC13` added to `$techniques`

Tests
- `Tests/Private/Set/Set-LinkedGroupOIDPolicy.Tests.ps1` — 8 unit tests covering no-OID-store, unlinked OIDs, single/multiple linked groups, non-template passthrough, empty policy array
- `Tests/Public/Find-LS2VulnerableTemplate.Tests.ps1` — 7 ESC13 tests: issue returned when conditions met, correct Technique value, linked group DN in issue text, negative cases for each condition
- `Tests/Shared/TestHelpers.psm1` — default values for 5 new properties in `New-MockLS2AdcsObject`

Docs
- `README.MD` — ESC13 added to supported techniques table and `Find-LS2VulnerableTemplate` cmdlet reference

Test Results
627 tests, 0 failures. Build clean (`Locksmith2.v2026.5.131651.zip`).
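The OID-to-group cross-reference that the PR description outlines, written out as an added example. This is not Locksmith2's code and not the `Set-LinkedGroupOIDPolicy` implementation from the PR: the function name `Find-LinkedGroupOidPolicy`, its parameters, and the sample objects are constructed for illustration. The attribute names are the real AD schema attributes involved (`msPKI-Certificate-Policy` on a template, `msPKI-Cert-Template-OID` and `msDS-OIDToGroupLink` on an `msPKI-Enterprise-Oid` object), so the same logic runs unchanged over `Get-ADObject` results from the `CN=OID` and `CN=Certificate Templates` containers under `CN=Public Key Services,CN=Services,<configuration NC>`.

```powershell
# Added example (not Locksmith2 code). Cross-references template issuance policy
# OIDs against msPKI-Enterprise-Oid objects and reports templates whose policy
# OID is linked to a group via msDS-OIDToGroupLink (the ESC13 precondition).
function Find-LinkedGroupOidPolicy {
    [CmdletBinding()]
    param(
        # Template objects: need Name and 'msPKI-Certificate-Policy' (string[]).
        [Parameter(Mandatory)] [object[]] $Templates,
        # msPKI-Enterprise-Oid objects: need 'msPKI-Cert-Template-OID' and
        # 'msDS-OIDToGroupLink' (group DN, or empty when unlinked).
        [Parameter(Mandatory)] [object[]] $OidObjects
    )

    # Build the OID -> group DN map once. Only OID objects that actually carry
    # a group link matter; everything else is an ordinary issuance policy.
    $oidToGroup = @{}
    foreach ($oid in $OidObjects) {
        $link = $oid.'msDS-OIDToGroupLink'
        $value = $oid.'msPKI-Cert-Template-OID'
        if ([string]::IsNullOrEmpty($link) -or [string]::IsNullOrEmpty($value)) { continue }
        $oidToGroup[$value] = $link
    }

    foreach ($template in $Templates) {
        # @() normalises a missing attribute, a single string and an array.
        $policies = @($template.'msPKI-Certificate-Policy')
        $linked = foreach ($policy in $policies) {
            # Guard against $null entries: Hashtable.ContainsKey($null) throws.
            if ($policy -and $oidToGroup.ContainsKey($policy)) {
                [pscustomobject]@{ PolicyOID = $policy; LinkedGroup = $oidToGroup[$policy] }
            }
        }
        if ($linked) {
            [pscustomobject]@{
                Template                = $template.Name
                HasLinkedGroupOIDPolicy = $true
                LinkedGroupOIDPolicies  = @($linked)
            }
        }
    }
}

# Constructed sample input (hypothetical OIDs, DNs and template names; not from
# any real forest). In production, replace with Get-ADObject output, e.g.
#   Get-ADObject -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$configNC" `
#       -LDAPFilter '(objectClass=msPKI-Enterprise-Oid)' `
#       -Properties 'msPKI-Cert-Template-OID','msDS-OIDToGroupLink'
$sampleOids = @(
    [pscustomobject]@{
        Name                      = '12345678.ABCDEF0123456789ABCDEF0123456789'
        'msPKI-Cert-Template-OID' = '1.3.6.1.4.1.311.21.8.1.2.3.4.5.6.7.8.9'
        'msDS-OIDToGroupLink'     = 'CN=PKI-Admins,OU=Groups,DC=corp,DC=example'
    },
    [pscustomobject]@{
        Name                      = '23456789.FEDCBA9876543210FEDCBA9876543210'
        'msPKI-Cert-Template-OID' = '1.3.6.1.4.1.311.21.8.9.8.7.6.5.4.3.2.1'
        'msDS-OIDToGroupLink'     = $null      # unlinked issuance policy
    }
)
$sampleTemplates = @(
    [pscustomobject]@{ Name = 'VPNUser';   'msPKI-Certificate-Policy' = @('1.3.6.1.4.1.311.21.8.1.2.3.4.5.6.7.8.9') },
    [pscustomobject]@{ Name = 'WebServer'; 'msPKI-Certificate-Policy' = @('1.3.6.1.4.1.311.21.8.9.8.7.6.5.4.3.2.1') },
    [pscustomobject]@{ Name = 'User';      'msPKI-Certificate-Policy' = @() }
)

# Only VPNUser is reported: its policy OID resolves to the PKI-Admins link.
Find-LinkedGroupOidPolicy -Templates $sampleTemplates -OidObjects $sampleOids |
    Select-Object Template, HasLinkedGroupOIDPolicy -ExpandProperty LinkedGroupOIDPolicies
```

A linked OID on its own is only the precondition. The full ESC13 finding in the scan path also requires the template to carry an authentication EKU and to be enrollable by a standard (non-privileged) enrollee, which is why the description places `Set-LinkedGroupOIDPolicy` after `Set-AuthenticationEKUExist` in the enrichment pipeline and expands `$(LinkedGroup)` only in the standard enrollee issue branch. When triaging a hit, check the linked group's DN against the group's actual membership as well: the whole point of the technique is that the enrollee never appears in that member list.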