Skip to content

Locksmith

 _       _____  _______ _     _ _______ _______ _____ _______ _     _
 |      |     | |       |____/  |______ |  |  |   |      |    |_____|
 |_____ |_____| |_____  |    \_ ______| |  |  | __|__    |    |     |
     .--.                  .--.                  .--.
    /.-. '----------.     /.-. '----------.     /.-. '----------.
    \'-' .---'-''-'-'     \'-' .--'--''-'-'     \'-' .--'--'-''-'
     '--'                  '--'                  '--'

A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.

GitHub release GitHub top language PowerShell Gallery Platform Support GitHub contributors PRs Welcome GitHub Actions Workflow Status PowerShell Gallery Downloads

Contents

  1. Installation
  2. Run Locksmith
  3. Mode 0
  4. Mode 1
  5. Mode 2
  6. Mode 3
  7. Mode 4
  8. Scans

Installation

Prerequisites

  1. Locksmith must be run on a domain joined system.
  2. The ActiveDirectory and ServerManager PowerShell modules must be installed before importing the Locksmith module.
  3. Administrative rights may be required for some checks and for remediation.

Standard Module Installation

Open a PowerShell prompt and install Locksmith from the PowerShell Gallery:

Install-Module -Name Locksmith -Scope CurrentUser

Alternative Installation Methods

  1. Download and Use the Module Without Installing It
  2. Download the latest module version.
  3. Open a PowerShell prompt to the location of the extracted file and run: powershell Unblock-File .\Locksmith.zip # if necessary to unblock the download Expand-Archive .\Locksmith.zip Import-Module .\Locksmith\Locksmith.psd1 Invoke-Locksmith
  4. Download the Standalone Script Without Module
  5. Download the latest monolithic (all-in-one) script version: https://github.com/jakehildreth/Locksmith/releases/latest/download/Invoke-Locksmith.zip.
  6. Open a PowerShell prompt to the location of the downloaded file and run: powershell Unblock-File .\Invoke-Locksmith.zip Expand-Archive .\Invoke-Locksmith.zip -DestinationPath .\ .\Invoke-Locksmith.ps1

Run Locksmith

There are several modes you can chose from when running Invoke-Locksmith. You can also use the Scans parameter to choose which scans you want to invoke.

Mode 0: Identify Issues, Output to Console (Default)

Running Invoke-Locksmith.ps1 with no parameters or with -Mode 0 will scan the current Active Directory forest and output all discovered AD CS issues to the console in Table format.

# Module Syntax
Invoke-Locksmith

# Script Syntax
.\Invoke-Locksmith.ps1

Example Output for Mode 0: https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode0.md

Mode 1: Identify Issues and Fixes, Output to Console

This mode scans the current forest and outputs all discovered AD CS issues and possible fixes to the console in List format.

# Module Syntax
Invoke-Locksmith -Mode 1

# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 1

Example Output for Mode 1: https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode1.md

Mode 2: Identify Issues, Output to CSV

Locksmith Mode 2 scans the current forest and outputs all discovered AD CS issues to ADCSIssues.CSV in the present working directory.

# Module Syntax
Invoke-Locksmith -Mode 2

# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 2

Example Output for Mode 2: https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode2.md

Mode 3: Identify Issues and Fixes, Output to CSV

In Mode 3, Locksmith scans the current forest and outputs all discovered AD CS issues and example fixes to ADCSRemediation.CSV in the present working directory.

# Module Syntax
Invoke-Locksmith -Mode 3

# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 3

Example Output for Mode 3: https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode3.md

Mode 4: Fix All Issues

Mode 4 is the "easy button." Running Locksmith in Mode 4 will identify all misconfigurations and offer to fix each issue. If there is any possible operational impact, Locksmith will warn you.

# Module Syntax
Invoke-Locksmith -Mode 4

# Script Syntax
.\Invoke-Locksmith.ps1 -Mode 4

Example Output for Mode 4: https://github.com/jakehildreth/Locksmith/blob/main/examples/Mode4.md

Scans: Select Which Scans to Invoke

Use the -Scans parameter to choose which vulnerabilities to scan for. Acceptable values include All, Auditing, ESC1, ESC2, ESC3, ESC4, ESC5, ESC6, ESC8, ESC11, ESC13, ESC15, EKEUwu, or PromptMe. The PromptMe option presents an interactive list allowing you to select one or more scans.

# Run all scans
Invoke-Locksmith -Scan All

# Prompt the user for a list of scans to select
Invoke-Locksmith.ps1 -Scans PromptMe

# Scan for ESC1 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1

# Scan for ESC1, ESC2, and ESC8 vulnerable paths
Invoke-Locksmith.ps1 -Scans ESC1,ESC2,ESC8

Thank you for using Locksmith! 💜