fix: new logic should resolve ESC1 false positives. #262
Conversation
@jakehildreth I tested this in my lab. Good news: the fix removes the false positives when a non-Enroll Control Access GUID is present. However, it introduces false negatives by missing valid ESC1 cases where enrollment is granted via a standard ACCESS_ALLOWED_ACE with control access bit set in the access mask (rule 2 per MS-CRTD). Minimal change: include the zeroed GUID alongside the enroll GUID by replacing the content of line 268 in Invoke-Locksmith.ps1 and line 61 in Private/Find-ESC1.ps1 (ObjectType check) with:
This small check for the zeroed GUID keeps the false positives out while preventing the new false negatives, and it aligns fully with Microsoft's documentation. I can re-run the lab tests after the change.

Thank you, friend! This is fantastic feedback. I will update the logic on Find-ESC1 shortly, then apply the same logic to all template issues that require Enroll rights.

@vilacham How's this update look?
Pull Request Overview
This PR fixes false positives in the ESC1 vulnerability detection by adding a more specific check for the ExtendedRight permission to only flag the certificate enrollment right (0e10c968-78fb-11d2-90d4-00c04f79dc55) or all object types (00000000-0000-0000-0000-000000000000). The change also updates the module version.
- Enhanced ESC1 detection logic to reduce false positives by checking specific ObjectType GUIDs for ExtendedRight permissions
- Updated module version from 2025.8.25 to 2025.9.8
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Private/Find-ESC1.ps1 | Added ObjectType GUID validation for ExtendedRight permissions to prevent false positives |
| Locksmith.psd1 | Updated module version number |
| Invoke-Locksmith.ps1 | Applied same ESC1 logic fix and updated version number |
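The rule the review above describes (treat an ExtendedRight ACE as an Enroll grant only when its ObjectType is the Certificate-Enrollment GUID or the zeroed GUID) can be exercised on its own. The following is an added example, not Locksmith's own code and not taken from Find-ESC1.ps1 or Invoke-Locksmith.ps1. It assumes ACEs carry the property names of System.DirectoryServices.ActiveDirectoryAccessRule (ActiveDirectoryRights, AccessControlType, ObjectType, IdentityReference), so real rules from (Get-Acl "AD:\CN=...").Access can be passed in unchanged; the sample ACL and the CORP\ principals are constructed for the example, and the GenericAll case goes slightly beyond the PR, which only discusses ExtendedRight.

```powershell
# Added example (not Locksmith's code): decide which ACEs on a certificate
# template grant the Enroll control access right, per the rule in this PR.
# Assumption: ACE objects use the ActiveDirectoryAccessRule property names.
Add-Type -AssemblyName System.DirectoryServices

$EnrollGuid            = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AllExtendedRightsGuid = [Guid]::Empty                                   # zeroed GUID = every control access right

function Test-EnrollAce {
    # Returns $true if one ACE grants Enroll on the template.
    param([Parameter(Mandatory)] $Ace)

    # Deny ACEs never grant anything (ACE ordering and inheritance are out of scope here).
    if ($Ace.AccessControlType -ne 'Allow') { return $false }

    $rights = [System.DirectoryServices.ActiveDirectoryRights]$Ace.ActiveDirectoryRights

    # GenericAll (full control) includes every extended right, so Enroll is implied.
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    if (($rights -band $genericAll) -eq $genericAll) { return $true }

    # The control access bit (ExtendedRight / ADS_RIGHT_DS_CONTROL_ACCESS) must be set ...
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    if (([int]($rights -band $extendedRight)) -eq 0) { return $false }

    # ... and the ACE must either name Enroll or name no specific right at all.
    # A non-object ACCESS_ALLOWED_ACE with the control access bit surfaces in .NET
    # with ObjectType = Guid.Empty, which is why the zeroed GUID has to be accepted:
    # checking only the Enroll GUID produces the false negatives reported above.
    return ([Guid]$Ace.ObjectType) -in @($EnrollGuid, $AllExtendedRightsGuid)
}

function Find-EnrollGrants {
    # Returns the identities holding Enroll on the template whose ACL is passed in.
    param([Parameter(Mandatory)] [object[]] $Acl)
    $Acl | Where-Object { Test-EnrollAce $_ } | Select-Object -ExpandProperty IdentityReference
}

# Constructed sample ACL for one template (hypothetical principals, not real data).
$sampleAcl = @(
    # 1. Classic Enroll grant: object ACE naming the Enroll right -> must be flagged.
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Users'; AccessControlType = 'Allow';
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '0e10c968-78fb-11d2-90d4-00c04f79dc55' }
    # 2. ACCESS_ALLOWED_ACE with the control access bit and no ObjectType -> grants every
    #    control access right including Enroll; an Enroll-GUID-only check misses this.
    [pscustomobject]@{ IdentityReference = 'CORP\Contractors'; AccessControlType = 'Allow';
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '00000000-0000-0000-0000-000000000000' }
    # 3. ExtendedRight naming a different control access right (Certificate-AutoEnrollment)
    #    -> must NOT be flagged; this is the false positive the PR removes.
    [pscustomobject]@{ IdentityReference = 'CORP\Authenticated Users'; AccessControlType = 'Allow';
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2' }
    # 4. Deny ACE on Enroll -> not a grant.
    [pscustomobject]@{ IdentityReference = 'CORP\Guests'; AccessControlType = 'Deny';
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '0e10c968-78fb-11d2-90d4-00c04f79dc55' }
    # 5. GenericAll -> implies Enroll.
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Admins'; AccessControlType = 'Allow';
                       ActiveDirectoryRights = 'GenericAll'; ObjectType = '00000000-0000-0000-0000-000000000000' }
)

Find-EnrollGrants -Acl $sampleAcl
```

Run as written, entries 1, 2 and 5 are reported and entries 3 and 4 are not. Swapping the `-in @($EnrollGuid, $AllExtendedRightsGuid)` test for `-eq $EnrollGuid` reproduces the false negative on entry 2; dropping the ObjectType test entirely reproduces the original false positive on entry 3. Against a live template, feed the output of `(Get-Acl "AD:\$templateDN").Access` and compare with what Find-ESC1 reports; a full ESC1 verdict still needs the other template conditions (enrollee-supplied subject, client-authentication EKU, no manager approval), which this example deliberately leaves out.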
SamErde
left a comment
Nice work, @jakehildreth and @vilacham!
@jakehildreth @SamErde Tested the updated version, no ESC1 false positives or false negatives.
I believe this simple logic change should resolve #261.
@vilacham - if you have a moment, can you test this in your Terraform/GCP lab?