cqrenet/elysium
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: cqrenet/elysium:v2.2.2
Branches Tags
cqrenet/elysium:main cqrenet/elysium:backup/orig-main-20251020-190110
cqrenet/elysium:v2.4.4 cqrenet/elysium:v2.4.3 cqrenet/elysium:v2.4.2 cqrenet/elysium:v2.4.1 cqrenet/elysium:v2.4.0 cqrenet/elysium:v2.3.0 cqrenet/elysium:v2.2.5 cqrenet/elysium:v2.2.4 cqrenet/elysium:v2.2.3 cqrenet/elysium:v2.2.2 cqrenet/elysium:v2.2.1 cqrenet/elysium:v2.2.0
...
compare: cqrenet/elysium:v2.2.5
Branches Tags
cqrenet/elysium:main cqrenet/elysium:backup/orig-main-20251020-190110
cqrenet/elysium:v2.4.4 cqrenet/elysium:v2.4.3 cqrenet/elysium:v2.4.2 cqrenet/elysium:v2.4.1 cqrenet/elysium:v2.4.0 cqrenet/elysium:v2.3.0 cqrenet/elysium:v2.2.5 cqrenet/elysium:v2.2.4 cqrenet/elysium:v2.2.3 cqrenet/elysium:v2.2.2 cqrenet/elysium:v2.2.1 cqrenet/elysium:v2.2.0

3 Commits
v2.2.2 ... v2.2.5

Author SHA1 Message Date
tomas.kracmar 37d1a8d971 Release v2.2.5: resolve DSInternals module path in block error 
The Zone.Identifier block detection now dynamically resolves the
actual DSInternals module installation path via Get-Module instead
of hardcoding a ProgramFiles path, so the Unblock-File command in
the error message is always correct.

All versions bumped to unified v2.2.5.
 2026-06-09 13:10:36 +02:00
tomas.kracmar 0175864e72 Release v2.2.4: permission check InheritOnly fix and DSInternals block detection 
Test-ReplicationPermissions:
- Skip InheritOnly ACEs since they do not apply to the domain root
  object itself, only to child objects.

Test-WeakADPasswords:
- Detect Windows Zone.Identifier blocks on DSInternals DLLs and
  emit a clear error with the exact Unblock-File remediation
  command instead of a vague warning.

All versions bumped to unified v2.2.4.
 2026-06-09 13:07:46 +02:00
tomas.kracmar 9496063b97 Release v2.2.3: improve replication permission detection 
Test-ReplicationPermissions now recognizes:
- GenericAll as satisfying replication rights
- Blanket ExtendedRight (empty ObjectType) ACEs

Also adds diagnostic hints distinguishing between
'missing ACE entirely' and 'ACE exists but not for you'.

All versions bumped to unified v2.2.3.
 2026-06-09 11:53:44 +02:00
11 changed files with 64 additions and 17 deletions
Expand all files Collapse all files
Bump-Version.ps1
+1 -1
View File
@@ -8,7 +8,7 @@
##################################################
## Project: Elysium ##
## File: Bump-Version.ps1 ##
## Version: 2.2.2 ##
## Version: 2.2.5 ##
## Support: support@cqre.net ##
##################################################
CHANGELOG.md
+23
View File
@@ -6,6 +6,29 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
---
## [2.2.5] — 2026-06-09
### Fixed
- The DSInternals `Zone.Identifier` block error message (added in v2.2.4) now dynamically resolves the actual DSInternals module path via `Get-Module` instead of hardcoding `$env:ProgramFiles\WindowsPowerShell\DSInternals`. The `Unblock-File` command in the error now points to the correct installation directory.
---
## [2.2.4] — 2026-06-09
### Fixed
- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now skips `InheritOnly` ACEs when evaluating replication rights. An ACE marked `InheritOnly` applies only to child objects, not the domain root itself, so it does not grant the required extended rights for DCSync on the domain object.
- `Import-CompatModule` (in `Test-WeakADPasswords.ps1`) now detects DSInternals being blocked by Windows `Zone.Identifier` (alternate data stream from internet download) and throws a clear, actionable error with the exact `Unblock-File` command to run. Previously this surfaced as an opaque non-FIPS warning.
---
## [2.2.3] — 2026-06-09
### Fixed
- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now correctly recognizes `GenericAll` and blanket `ExtendedRight` (empty ObjectType) ACEs as satisfying replication permission requirements. Previously, only exact GUID-matched ExtendedRight ACEs were detected, causing false negatives when rights were granted via broader permissions.
- Improved error diagnostics: the missing-rights message now indicates whether an ACE for the specific right exists on the domain object but is not assigned to the caller, versus no ACE existing at all.
---
## [2.2.2] — 2026-06-09
### Fixed
Elysium.Common.ps1
+24 -7
View File
@@ -1,4 +1,4 @@
$script:ElysiumVersion = '2.2.2'
$script:ElysiumVersion = '2.2.5'
function Invoke-RestartWithExecutable {
param(
@@ -374,19 +374,36 @@ function Test-ReplicationPermissions {
$missing = @()
foreach ($rightName in $requiredRights.Keys) {
$guid = $requiredRights[$rightName]
$granted = $false
$guid = $requiredRights[$rightName]
$granted = $false
$aceExistsForGuid = $false
foreach ($ace in $acl) {
if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
if ($ace.ObjectType -ne $guid) { continue }
# InheritOnly ACEs apply to child objects only — the domain root itself is not covered
if ([bool]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
$rights = $ace.ActiveDirectoryRights
$hasExtended = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
$hasGenericAll = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
# Match: exact GUID, OR ExtendedRight with empty ObjectType (all extended rights), OR GenericAll
$isMatch = $hasGenericAll `
-or ($hasExtended -and $ace.ObjectType -eq [guid]::Empty) `
-or ($hasExtended -and $ace.ObjectType -eq $guid)
if (-not $isMatch) { continue }
if ($ace.ObjectType -eq $guid) { $aceExistsForGuid = $true }
if ($callerSids.Contains($ace.IdentityReference.Value)) { $granted = $true; break }
}
if (-not $granted) { $missing += $rightName }
if (-not $granted) {
$hint = if ($aceExistsForGuid) {
' (ACE exists on the domain object but is not assigned to this account or any of its groups)'
} else {
' (no ACE found for this right on the domain object at all)'
}
$missing += $rightName + $hint
}
}
if ($missing.Count -gt 0) {
throw ("Account '{0}' is missing the following replication permissions on '{1}':`n - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f `
throw ("Account '{0}' failed replication permission check on '{1}':`n - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f `
$Credential.UserName, $DomainDN, ($missing -join "`n - "))
}
Elysium.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
##################################################
## Project: Elysium ##
## File: Elysium.ps1 ##
## Version: 2.2.2 ##
## Version: 2.2.5 ##
## Support: support@cqre.net ##
##################################################
ElysiumSettings.txt.sample
+1 -1
View File
@@ -8,7 +8,7 @@
##################################################
## Project: Elysium ##
## File: ElysiumSettings.txt ##
## Version: 2.2.2 ##
## Version: 2.2.5 ##
## Support: support@cqre.net ##
##################################################
Extract-NTHashes.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
##################################################
## Project: Elysium ##
## File: Extract-NTHashes.ps1 ##
## Version: 2.2.2 ##
## Version: 2.2.5 ##
## Support: support@cqre.net ##
##################################################
Prepare-KHDBStorage.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
##################################################
## Project: Elysium ##
## File: Prepare-KHDBStorage.ps1 ##
## Version: 2.2.2 ##
## Version: 2.2.5 ##
## Support: support@cqre.net ##
##################################################
Test-WeakADPasswords.ps1
+9 -2
View File
@@ -8,7 +8,7 @@
##################################################
## Project: Elysium ##
## File: Test-WeakADPasswords.ps1 ##
## Version: 2.2.2 ##
## Version: 2.2.5 ##
## Support: support@cqre.net ##
##################################################
@@ -352,7 +352,14 @@ function Import-CompatModule {
$nonFipsErrors = @($importErrors | Where-Object { $_.Exception.Message -notmatch 'Only FIPS certified cryptographic algorithms are enabled in \.NET' })
if ($nonFipsErrors.Count -gt 0) {
Write-Warning ("DSInternals import reported non-fatal warning(s): {0}" -f $nonFipsErrors[0].Exception.Message)
$nonFipsMsg = $nonFipsErrors[0].Exception.Message
if ($nonFipsMsg -match 'Zone\.Identifier|alternate data stream') {
$dsModule = Get-Module -Name DSInternals -ErrorAction SilentlyContinue
if (-not $dsModule) { $dsModule = Get-Module -ListAvailable -Name DSInternals -ErrorAction SilentlyContinue | Select-Object -First 1 }
$dsPath = if ($dsModule) { $dsModule.ModuleBase } else { '<DSInternals module path>' }
throw ("DSInternals native DLL is blocked by Windows (Zone.Identifier). Run the following on the target machine and retry:`n Get-ChildItem -Path '$dsPath' -Recurse | Unblock-File")
}
Write-Warning ("DSInternals import reported non-fatal warning(s): {0}" -f $nonFipsMsg)
}
Write-Verbose ("Imported module '{0}' (Core={1}, Windows={2})" -f $Name, $runningInPSCore, $onWindows)
Uninstall.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
##################################################
## Project: Elysium ##
## File: Uninstall.ps1 ##
## Version: 2.2.2 ##
## Version: 2.2.5 ##
## Support: support@cqre.net ##
##################################################
Update-KHDB.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
##################################################
## Project: Elysium ##
## File: Update-KHDB.ps1 ##
## Version: 2.2.2 ##
## Version: 2.2.5 ##
## Support: support@cqre.net ##
##################################################
Update-LithnetStore.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
##################################################
## Project: Elysium ##
## File: Update-LithnetStore.ps1 ##
## Version: 2.2.2 ##
## Version: 2.2.5 ##
## Support: support@cqre.net ##
##################################################