Merge pull request #80 from BloodHoundAD/eku-props

Add constructed CertTemplate EKU properties
SpecterOps · Oct 18, 2023 · fd82e42 · fd82e42
2 parents 82a1cdf + b0d6491
commit fd82e42
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/src/CommonLib/Enums/CommonOids.cs b/src/CommonLib/Enums/CommonOids.cs
@@ -0,0 +1,13 @@
+namespace SharpHoundCommonLib.Enums
+{
+    // More can be found here: https://www.pkisolutions.com/object-identifiers-oid-in-pki/
+    public static class CommonOids
+    {
+        public static string AnyPurpose = "2.5.29.37.0";
+        public static string ClientAuthentication = "1.3.6.1.5.5.7.3.2";
+        public static string PKINITClientAuthentication = "1.3.6.1.5.2.3.4";
+        public static string SmartcardLogon = "1.3.6.1.4.1.311.20.2.2";
+        public static string CertificateRequestAgent = "1.3.6.1.4.1.311.20.2.1";
+        public static string CertificateRequestAgentPolicy = "1.3.6.1.4.1.311.20.2.1";
+    }
+}
diff --git a/src/CommonLib/Helpers.cs b/src/CommonLib/Helpers.cs
@@ -320,6 +320,13 @@ public static IRegistryKey OpenRemoteRegistry(string target)
             var key = new SHRegistryKey(RegistryHive.LocalMachine, target);
             return key;
         }
+
+        public static string[] AuthenticationOIDs = new string[] {
+            CommonOids.ClientAuthentication,
+            CommonOids.PKINITClientAuthentication,
+            CommonOids.SmartcardLogon,
+            CommonOids.AnyPurpose
+        };
     }
 
     public class ParsedGPLink

diff --git a/src/CommonLib/Processors/LDAPPropertyProcessor.cs b/src/CommonLib/Processors/LDAPPropertyProcessor.cs
@@ -518,15 +518,26 @@ public static Dictionary<string, object> ReadCertTemplateProperties(ISearchResul
                     nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_UPN));
             }
 
-            props.Add("ekus", entry.GetArrayProperty(LDAPProperties.ExtendedKeyUsage));
-            props.Add("certificateapplicationpolicy", entry.GetArrayProperty(LDAPProperties.CertificateApplicationPolicy));
+            string[] ekus = entry.GetArrayProperty(LDAPProperties.ExtendedKeyUsage);
+            props.Add("ekus", ekus);
+            string[] certificateapplicationpolicy = entry.GetArrayProperty(LDAPProperties.CertificateApplicationPolicy);
+            props.Add("certificateapplicationpolicy", certificateapplicationpolicy);
 
             if (entry.GetIntProperty(LDAPProperties.NumSignaturesRequired, out var authorizedSignatures))
                 props.Add("authorizedsignatures", authorizedSignatures);
 
             props.Add("applicationpolicies", entry.GetArrayProperty(LDAPProperties.ApplicationPolicies));
             props.Add("issuancepolicies", entry.GetArrayProperty(LDAPProperties.IssuancePolicies));
 
+
+            // Construct effectiveekus
+            string[] effectiveekus = schemaVersion == 1 & ekus.Length > 0 ? ekus : certificateapplicationpolicy;
+            props.Add("effectiveekus", effectiveekus);
+
+            // Construct authenticationenabled
+            bool authenticationenabled = effectiveekus.Intersect(Helpers.AuthenticationOIDs).Any() | effectiveekus.Length == 0;
+            props.Add("authenticationenabled", authenticationenabled);
+
             return props;
         }