# Locksmith2

An AD CS toolkit for AD Admins, Defensive Security Professionals, and Filthy Red Teamers

**Locksmith 2 is a Work In Progress**

Find and fix Active Directory Certificate Services (AD CS) security misconfigurations

## Overview
Locksmith 2 is a comprehensive PowerShell module for auditing Active Directory Certificate Services (AD CS) infrastructure. It identifies security misconfigurations across certificate templates, certification authorities, and PKI infrastructure objects based on established ESC (Escalation) techniques.
Built for AD administrators, security professionals, and penetration testers, Locksmith 2 provides:
- Automated vulnerability scanning for ESC1-ESC16 techniques
- Detailed remediation scripts for each discovered issue
- Granular cmdlets for targeted security assessments
- Comprehensive reporting with human-readable output
- Educational resources explaining each vulnerability
Locksmith 2 represents the next generation in the Locksmith line of open-source AD CS security tooling, improving upon the original with better code organization, enhanced reporting, and deeper risk analysis.
## Features
- [x] Scan certificate templates (ESC1, ESC2, ESC3, ESC4a (ACE), ESC4o (Ownership), ESC9)
- [x] Audit certification authorities (ESC6, ESC7a (CA Administrator), ESC7m (Certificate Manager), ESC11, ESC16)
- [x] Check PKI infrastructure objects (ESC5a (ACE), ESC5o (Ownership))
- [x] Generate PowerShell remediation scripts
- [ ] Generate PowerShell scripts to revert remediations
- [x] Support for non-domain-joined systems (excluding ESC6, ESC7a/m, ESC11, ESC16)
- [x] Object output
- [x] HTML/CSV/PDF/Excel output
- [ ] Interactive TUI for guided remediation
## Installation

### From PowerShell Gallery

```powershell
Install-Module -Name Locksmith2 -Scope CurrentUser -Force
```

### From Source

```powershell
git clone https://github.com/jakehildreth/Locksmith2.git
cd Locksmith2
Import-Module .\Locksmith2.psd1
```

## Quick Start

```powershell
# Interactive mode - prompts for forest and credentials
Invoke-Locksmith2

# Specify credentials
$cred = Get-Credential
Invoke-Locksmith2 -Forest 'contoso.com' -Credential $cred

# Targeted scanning for specific techniques
Find-LS2VulnerableTemplate -Technique ESC1
Find-LS2VulnerableCA -Technique ESC6

# Inspect results
$stores = Get-LS2Stores
$stores.IssueStore['ESC1']
```
## Supported ESC Techniques

| Technique | Description | Target Objects |
|-----------|-------------|----------------|
| ESC1 | Misconfigured Certificate Templates | Templates |
| ESC2 | Certificate SubCA Abuse | Templates |
| ESC3 | Enrollment Agent Restrictions | Templates |
| ESC4 | Vulnerable Access Control | Templates |
| ESC5 | Vulnerable PKI Object Access Control | Infrastructure Objects |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 Enabled | CAs |
| ESC7 | Vulnerable CA Administrator/Manager Roles | CAs |
| ESC9 | Weak Certificate Mappings | Templates |
| ESC11 | Missing RPC Encryption | CAs |
| ESC16 | Disabled CRL/AIA Security Extensions | CAs |

For detailed information on ESC techniques, see Certified Pre-Owned by SpecterOps.
## Cmdlet Reference

### Primary Functions

#### Invoke-Locksmith2

Performs a comprehensive AD CS security audit, scanning for all known ESC vulnerabilities.

```powershell
Invoke-Locksmith2 [-Forest <String>] [-Credential <PSCredential>]
                  [-SkipVersionCheck] [-SkipPowerShellCheck] [-SkipForestCheck]
```

#### Find-LS2VulnerableTemplate

Scans certificate templates for specific ESC vulnerabilities.

```powershell
Find-LS2VulnerableTemplate -Technique <String>
# Supported: ESC1, ESC2, ESC3c1, ESC3c2, ESC4a, ESC4o, ESC9
```

Returns: LS2Issue objects for programmatic use

#### Find-LS2VulnerableCA

Scans certification authorities for configuration issues and dangerous role assignments.

```powershell
Find-LS2VulnerableCA -Technique <String>
# Supported: ESC6, ESC7a, ESC7m, ESC11, ESC16
```

Returns: LS2Issue objects for programmatic use

#### Find-LS2VulnerableObject

Scans PKI infrastructure objects (containers, computer accounts) for security issues.

```powershell
Find-LS2VulnerableObject -Technique <String>
# Supported: ESC5a, ESC5o
```

Returns: LS2Issue objects for programmatic use
#### Get-LS2Stores

Returns the internal data stores populated during audits, for inspection and analysis.

```powershell
Get-LS2Stores
```

Returns:
- PrincipalStore: Resolved principals by SID
- AdcsObjectStore: AD CS objects with security properties
- DomainStore: Domain information
- IssueStore: Discovered vulnerabilities by technique
- SafePrincipals: Acceptable high-privilege SIDs
- DangerousPrincipals: Risky broad-access SIDs
- StandardOwners: Acceptable owner SIDs for AD CS objects
#### Set-LS2Forest

Sets the target forest for scanning. Useful for running multiple scans or using the Find-LS2Vulnerable* functions independently.

```powershell
Set-LS2Forest -Forest <String>
```

#### Set-LS2Credential

Sets the credentials used for AD queries. Useful for running multiple scans or using the Find-LS2Vulnerable* functions independently.

```powershell
Set-LS2Credential -Credential <PSCredential>
```
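The following is an added example, not code from the Locksmith2 project, showing how the cmdlets above combine into a targeted, non-interactive assessment: the forest and credential are set once with Set-LS2Forest / Set-LS2Credential, each Find-LS2Vulnerable* cmdlet is run for the techniques it lists as supported, and the populated stores from Get-LS2Stores are then enumerated and exported. Assumptions (not stated on this page): that `IssueStore` exposes a `.Keys` collection like a hashtable (the page only shows it being indexed as `$stores.IssueStore['ESC1']`), and that LS2Issue objects can be passed to the standard Export-Csv / Format-List cmdlets; the property names of LS2Issue are not documented here, so none are referenced. The forest name, credential prompt and output folder are placeholders.

```powershell
# Added example - not part of the Locksmith2 README or project code.
# Assumptions: IssueStore supports .Keys; LS2Issue objects work with generic
# PowerShell output cmdlets. 'contoso.com' and the output path are placeholders.

Import-Module Locksmith2

# Target forest and credentials, set once for the whole session
# (both parameters are the ones documented above).
Set-LS2Forest -Forest 'contoso.com'
Set-LS2Credential -Credential (Get-Credential -Message 'Account with read access to the Configuration partition')

# Technique lists copied from the "Supported:" lines of each cmdlet.
$templateTechniques = 'ESC1', 'ESC2', 'ESC3c1', 'ESC3c2', 'ESC4a', 'ESC4o', 'ESC9'
$caTechniques       = 'ESC6', 'ESC7a', 'ESC7m', 'ESC11', 'ESC16'
$objectTechniques   = 'ESC5a', 'ESC5o'

# Per the Features list, CA checks (ESC6, ESC7a/m, ESC11, ESC16) are not supported
# from a non-domain-joined host, so skip them there rather than fail mid-run.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
if (-not $domainJoined) {
    Write-Warning 'Host is not domain-joined; skipping CA techniques (ESC6, ESC7a/m, ESC11, ESC16).'
    $caTechniques = @()
}

$issues = @()
foreach ($t in $templateTechniques) { $issues += Find-LS2VulnerableTemplate -Technique $t }
foreach ($t in $caTechniques)       { $issues += Find-LS2VulnerableCA       -Technique $t }
foreach ($t in $objectTechniques)   { $issues += Find-LS2VulnerableObject   -Technique $t }

# Inspect the stores populated by the scans above. IssueStore is indexed by
# technique name; enumerating .Keys is the assumption noted in the lead-in.
$stores = Get-LS2Stores
foreach ($technique in ($stores.IssueStore.Keys | Sort-Object)) {
    $found = @($stores.IssueStore[$technique])
    Write-Host ('{0}: {1} issue(s)' -f $technique, $found.Count)
}

# Export everything for review; use generic cmdlets so no undocumented
# LS2Issue property names are assumed.
$outDir = Join-Path $env:TEMP 'Locksmith2-Report'   # placeholder output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$issues | Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'all-issues.csv')

# Show the shape of one issue object so the reader can see which fields exist.
$issues | Select-Object -First 1 | Format-List *
```

Because the Find-LS2Vulnerable* cmdlets return LS2Issue objects and also fill the stores, the same run can feed both a programmatic pipeline (the `$issues` array) and ad-hoc inspection of `IssueStore`, `DangerousPrincipals` and the other stores listed under Get-LS2Stores.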
## Requirements
- PowerShell: 5.1 or higher (Windows PowerShell)
- Permissions: Read access to Active Directory Configuration partition
- Network: Connectivity to domain controller LDAP/GC ports (389, 3268)
- Credentials: Domain user or computer account
## Contributing

Locksmith 2 is "Open Source, acknowledged contribution": any contribution must be discussed with the maintainers before it is submitted.
- Open an issue and discuss your proposed change
- Fork the repository
- Write some code following PowerShell best practices and existing code style
- Write clear commit messages using conventional commits
- Submit a pull request
- Request a review from @jakehildreth
## Credits
Author: Jake Hildreth (@jakehildreth)
Website: locksmith.ad | jakehildreth.com
License: MIT
## Acknowledgments
- SpecterOps for groundbreaking AD CS research (Certified Pre-Owned)
- Original Locksmith contributors and community
- Sam Erde (@SamErde) for significant code contributions
## Related Projects
- Locksmith - Original AD CS audit tool
- Certify - C# offensive AD CS toolkit
- PSPKIAudit - PowerShell PKI auditing
- Certipy - Python-based AD CS toolkit
## Disclaimer
Locksmith 2 is provided for legitimate security assessment and defensive purposes only. Users are responsible for obtaining proper authorization before running security audits. The authors are not responsible for misuse or damage caused by this tool.
## Support
- Issues: GitHub Issues
## License
MIT License w/Commons Clause - see LICENSE file for details.
Made with 💜 by Jake Hildreth
