add NO_SECURITY_EXTENSION flag

SpecterOps · Oct 18, 2023 · b725115 · b725115
1 parent 50ec50b
commit b725115
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/CommonLib/Enums/PKIEnrollmentFlag.cs b/src/CommonLib/Enums/PKIEnrollmentFlag.cs
@@ -2,6 +2,8 @@
 
 namespace SharpHoundCommonLib.Enums
 {
+    // from https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/ec71fd43-61c2-407b-83c9-b52272dec8a1
+    // and from certutil.exe -v -dstemplate
     [Flags]
     public enum PKIEnrollmentFlag : uint
     {
@@ -24,6 +26,7 @@ public enum PKIEnrollmentFlag : uint
         INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS = 0x00008000,
         ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT = 0x00010000,
         ISSUANCE_POLICIES_FROM_REQUEST = 0x00020000,
-        SKIP_AUTO_RENEWAL = 0x00040000
+        SKIP_AUTO_RENEWAL = 0x00040000,
+        NO_SECURITY_EXTENSION = 0x00080000
     }
 }
diff --git a/src/CommonLib/Processors/LDAPPropertyProcessor.cs b/src/CommonLib/Processors/LDAPPropertyProcessor.cs
@@ -504,6 +504,7 @@ public static Dictionary<string, object> ReadCertTemplateProperties(ISearchResul
 
                 props.Add("enrollmentflag", enrollmentFlags);
                 props.Add("requiresmanagerapproval", enrollmentFlags.HasFlag(PKIEnrollmentFlag.PEND_ALL_REQUESTS));
+                props.Add("nosecurityextension", enrollmentFlags.HasFlag(PKIEnrollmentFlag.NO_SECURITY_EXTENSION));
             }
 
             if (entry.GetIntProperty(LDAPProperties.PKINameFlag, out var nameFlagsRaw))