Add ESC15 Detections

[TrimarcJake]

Added ESC15 detections to all the places.

Also added links to Specterops, Compass, and TrustedSec write-ups of all the stuff Locksmith looks for.

[github-actions[bot]]

🦙 MegaLinter status: ⚠️ WARNING

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
⚠️ COPYPASTE	jscpd	yes		21	2.15s
⚠️ EDITORCONFIG	editorconfig-checker	19		1	0.31s
⚠️ POWERSHELL	powershell	19		16	33.14s
✅ POWERSHELL	powershell_formatter	19		0	20.43s
⚠️ REPOSITORY	checkov	yes		1	13.87s
✅ REPOSITORY	gitleaks	yes		no	0.5s
✅ REPOSITORY	git_diff	yes		no	0.01s
✅ REPOSITORY	grype	yes		no	18.07s
✅ REPOSITORY	secretlint	yes		no	0.98s
✅ REPOSITORY	trivy	yes		no	6.27s
✅ REPOSITORY	trivy-sbom	yes		no	6.27s
✅ REPOSITORY	trufflehog	yes		no	6.55s
⚠️ SPELL	cspell	20		352	10.65s

See detailed report in MegaLinter reports _Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff_

_MegaLinter is graciously provided by _

[techspence]

The code runs successfully. When I ran this in my lab it returned the following hits:

• User
• UserSignature
• ClientAuth
• EFS
• Machine
• DomainController
• IPSECIntermediateOnline
• IPSECIntermediateOffline

None of these templates are intentionally misconfigured with any of the other ESC. Furthermore, when I requested a certificate for say the User template, I do not see "Application Policies" anywhere in the cert.

Are these false positives then?

[TrimarcJake]

Are these false positives then?

Nah, any Schema V1 template can be used to create a certificate with Application Policies attached. Depending on the exact Schema V1 template abused, you could end up with a wide variety of possible issue. Thankfully it's been patched!

For those reading: best practices are to create a duplicate of an existing Schema V1 template when creating a new template. This changes the Schema version to 2 and adds more functionality!