
ReCertifying Active Directory

ReCertifying Active Directory was presented at BlackHat EU 2021 by Will Schroeder and Lee Christensen.

  • 1. ReCertifying Active Directory
    @harmj0y and @tifkin_
  • 2. TL;DR
    - Background
    - Attacks against AD CS
    - Defenses
    - Incident Response
  • 3. 1 Background ...
  • 4. Active Directory Certificate Services
    ▪ A server role
    ▪ Microsoft’s public key infrastructure (PKI) implementation
      ▫ Used by organizations for smart cards, SSL certificates, code signing, etc.
    ▪ Clients send certificate signing requests (CSRs) to a certificate authority (CA), which signs issued certificates using the private key for the CA certificate
  • 5. Certificate Enrollment
  • 6. Certificate Templates
    CAs issue certificates with “blueprint” settings defined by certificate templates (stored as AD objects)
  • 7. NTAuthCertificates
    Defines the root of domain-based certificate auth!
  • 8. Subject Alternative Names (SANs)
    ▪ Allows additional identities to be bound to a certificate beyond the Subject
    ▪ Can be dangerous when combined with certificates that allow domain authentication!
      ▫ AD maps certificates to AD user accounts using the SAN
  • 9. Aren’t Smartcards Necessary for Abuse?
    ▪ No! Rubeus and Kekeo support Kerberos authentication using certificates via PKINIT
      ▫ Schannel authentication also supports certificates (e.g., LDAPS)
    ▪ Certificate must
      ▫ Have EKUs that permit AD auth (e.g., Client Authentication)
      ▫ Be signed by a CA in NTAuthCertificates
  • 10. 2 Attacks Against AD CS ... And How to Defend
  • 11. AD CS Attack Summary
    Our “Certified Pre-Owned” whitepaper codified these attack classes against AD CS:
    THEFT*: User/machine certificate theft (5 attacks)
    PERSIST*: Active certificate enrollment (3 attacks)
    ESC*: Domain escalation (8 attacks)
    DPERSIST*: Domain persistence (3 attacks)
  • 12. Malicious Certificate Enrollments (PERSIST*)
    ▪ Users/machines can enroll in any template they have “Enroll” permissions for
    ▪ If the certificate allows for domain authentication (some defaults do) we can persist in their account context
      ▫ Doesn’t touch LSASS
      ▫ Doesn’t need elevation (for user contexts)
      ▫ Separate credential material from passwords (still valid after password resets)
  • 13. (no text on this slide)
  • 14. THEFT*/PERSIST* Defense: Overview
    ▪ Detect non-LSASS reading of DPAPI-encrypted keys
      ▫ Monitor file opens/reads of DPAPI files (SACLs*?)
        ■ (Local)AppData folders: Microsoft\[Crypto | Protect | Vault | Credentials]
    ▪ Monitor certificate auth/enrollment events
      ▫ EIDs 4886/4887, EID 4768 (more on these later)
    ▪ Monitor for Certificate Authentication events
      ▫ EID 4768 with PKINIT certificate information (more on this later)
    ▪ “Honey Credentials” in certificate form
    *https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950
  • 15. ESC1 - ENROLLEE_SUPPLIES_SUBJECT
    Requirements:
    1. Low-privileged user can enroll in the template
    2. No “Issuance Restrictions”
    3. [PKINIT] Client Authentication EKU, Smart Card Logon EKU, Any Purpose EKU, or No EKU
    4. The ENROLLEE_SUPPLIES_SUBJECT flag set on the template
      ▫ The template’s AD object has the 0x1 bit set in its msPKI-Certificate-Name-Flag bitmask
  • 16. ESC1 - Impact
    ▪ Allows an attacker to supply an arbitrary SAN when requesting a domain-auth capable certificate
    ▪ Translation: they can become anyone in the domain!
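The four ESC1 requirements on slide 15 translate directly into a template audit a defender can run before an attacker does. The Python below is an added example, not code from the talk, from PSPKIAudit or from Certify: the template records are constructed, the flag constants are the documented `msPKI-Certificate-Name-Flag` and `msPKI-Enrollment-Flag` bits, and two things are assumptions: which principals count as "low-privileged", and that "Issuance Restrictions" means CA manager approval or a non-zero `msPKI-RA-Signature`. In a live audit the same attributes are read from the `pKICertificateTemplate` objects under `CN=Certificate Templates,CN=Public Key Services,CN=Services,<configuration NC>`.

```python
from __future__ import annotations
from dataclasses import dataclass

# Bit in msPKI-Certificate-Name-Flag: the enrollee may supply the subject/SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: requests are held for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that permit domain authentication (slide 15); an empty EKU list also qualifies
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
}

# Principals this audit treats as low-privileged (assumption; extend for your domain)
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


@dataclass
class Template:
    """The subset of a pKICertificateTemplate object that ESC1 depends on."""
    name: str
    name_flag: int               # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ra_signatures: int           # msPKI-RA-Signature (authorized signatures required)
    ekus: list[str]              # pKIExtendedKeyUsage OIDs; [] means no EKU
    enroll_principals: set[str]  # principals granted Enroll in the template's ACL


def esc1_conditions(t: Template) -> list[str]:
    """Return which of the four ESC1 requirements the template meets."""
    met = []
    if t.enroll_principals & LOW_PRIV_PRINCIPALS:
        met.append("low-priv-enroll")
    # Manager approval and required authorized signatures are the issuance restrictions
    if not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS) and t.ra_signatures == 0:
        met.append("no-issuance-restrictions")
    if not t.ekus or any(oid in AUTH_EKUS for oid in t.ekus):
        met.append("auth-capable-eku")
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        met.append("enrollee-supplies-subject")
    return met


def esc1_templates(templates: list[Template]) -> list[str]:
    """Names of templates meeting all four requirements (the ones to fix first)."""
    return [t.name for t in templates if len(esc1_conditions(t)) == 4]


# Constructed sample templates: the first mirrors the stock "User" layout, the rest are
# invented to exercise one requirement each; none is taken from a real environment.
SAMPLE_TEMPLATES = [
    Template("User", 0xA6000000, 0x29, 0,
             ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
             {"Domain Users"}),
    Template("LegacyWebServer", 0x1, 0x0, 0,
             ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    Template("ApprovedSAN", 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0,
             ["1.3.6.1.5.5.7.3.2"], {"Authenticated Users"}),
    Template("CodeSigning", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.3"], {"Domain Users"}),
    Template("AdminCustomSubject", 0x1, 0x0, 0, [], {"Domain Admins"}),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(f"{t.name:20} {esc1_conditions(t)}")
    print("ESC1 templates:", esc1_templates(SAMPLE_TEMPLATES))
```

Only `LegacyWebServer` meets all four conditions; the others each fail exactly one, which is the point of reporting the partial list: a template that only lacks the low-privileged Enroll right becomes ESC1 the moment someone grants it.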
  • 17. ESC8 - NTLM Relay to HTTP Enrollment Endpoints
    ▪ AD CS web enrollment endpoints are optional roles (but commonly installed)
      ▫ All of these endpoints are vulnerable to NTLM relay!
    ▪ If there is a machine-enrollable auth template:
      ▫ Combine with printer bug or PetitPotam for coerced auth
      ▫ Translation: we take over ANY computer in the domain!
  • 18. ESC* Defense: Hardening
    ▪ Audit/harden CA settings for every CA!
      ▫ Manager/Enroll/Control rights
    ▪ Audit/harden certificate template settings
      ▫ Enroll/Control rights
    ▪ Harden AD CS HTTP enrollment endpoints
      ▫ Remove them if not needed
      ▫ Enable NTLM(-relay) protections
        ■ HTTPS + channel binding or remove NTLM authentication from IIS
        ■ Ideally, disable NTLM completely at the host level and throughout the domain :)
  • 20. ESC*/PERSIST* Defense: Monitor Certificate Requests and Auth
    ▪ Monitor cert enrollments (EIDs 4886/4887)
    ▪ Monitor for Certificate Authentication events
      ▫ EID 4768 with PKINIT certificate information
  • 21. ESC* Defense: Monitoring AD
    ▪ Audit NTAuthCertificates
      ▫ LDAP/certutil/pkiview
      ▫ SACLs + EID 4662/5136
    ▪ Monitor certificate template modifications
      ▫ EID 4899
      ▫ SACLs + EID 4662/5136 (msPKI-Certificate-Name-Flag)
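Slides 14, 20, 21 and 24 name the Security-log events worth watching (4768 with certificate information, 4886/4887, 4899, 4876/4877). The Python below is an added example of the triage logic, not code from the talk; the events are constructed dicts whose keys follow the EventData field names of the real events, and it is an assumption that your collector exposes them under those names. One caveat the example makes visible: a SAN placed in the request *attributes* shows up in 4886/4887, but a SAN carried inside the CSR itself (the ESC1 case) does not, so for that you still need the raw CSR from the CA database as slide 22 describes.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed sample events. Keys mirror the EventData field names of the real
# Security-log events (assumption: your collector surfaces them under these names).
SAMPLE_EVENTS = [
    # 4768 from a password logon: the certificate fields are empty
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "CertIssuerName": "", "CertSerialNumber": "", "CertThumbprint": ""},
    # 4768 via PKINIT: the certificate fields are populated
    {"EventID": 4768, "TargetUserName": "da-bob", "IpAddress": "10.0.0.77",
     "CertIssuerName": "corp-DC01-CA", "CertSerialNumber": "1A00000005",
     "CertThumbprint": "AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12"},
    # 4887: ordinary issuance; the template name travels in the request attributes
    {"EventID": 4887, "RequestId": "4321", "Requester": "CORP\\alice",
     "Attributes": "CertificateTemplate:User\nccm:WS01.corp.local",
     "Subject": "CN=alice,OU=Users,DC=corp,DC=local"},
    # 4887: the request attributes carry a SAN naming a different identity
    {"EventID": 4887, "RequestId": "4322", "Requester": "CORP\\alice",
     "Attributes": "CertificateTemplate:LegacyWebServer\nsan:upn=da-bob@corp.local",
     "Subject": "CN=web01.corp.local"},
    # 4899: a template was modified; 4876: a CA backup started
    {"EventID": 4899, "TemplateName": "LegacyWebServer"},
    {"EventID": 4876, "BackupType": "1"},
]


def parse_attributes(attributes: str) -> dict[str, str]:
    """Split newline-separated 'key:value' request attributes into a dict (keys lowercased)."""
    parsed = {}
    for line in attributes.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            parsed[key.strip().lower()] = value.strip()
    return parsed


def pkinit_logons(events) -> list[tuple[str, str, str]]:
    """(account, issuer, thumbprint) for every 4768 that carried certificate information."""
    return [(e["TargetUserName"], e["CertIssuerName"], e["CertThumbprint"])
            for e in events if e["EventID"] == 4768 and e.get("CertThumbprint")]


def requester_supplied_sans(events) -> list[tuple[str, str, str]]:
    """(request id, requester, san) for issued requests whose attributes included a SAN."""
    out = []
    for e in events:
        if e["EventID"] != 4887:
            continue
        attrs = parse_attributes(e["Attributes"])
        if "san" in attrs:
            out.append((e["RequestId"], e["Requester"], attrs["san"]))
    return out


def requesters_by_template(events) -> dict[str, set[str]]:
    """Who enrolled in which template, from 4886/4887 events."""
    by_template: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["EventID"] in (4886, 4887):
            template = parse_attributes(e["Attributes"]).get("certificatetemplate")
            if template:
                by_template[template].add(e["Requester"])
    return dict(by_template)


def triage(events) -> list[str]:
    """One alert line per noteworthy event, for a SIEM rule or a daily review."""
    alerts = []
    for user, issuer, thumb in pkinit_logons(events):
        alerts.append(f"4768 PKINIT logon: {user} with cert {thumb} issued by {issuer}")
    for req_id, requester, san in requester_supplied_sans(events):
        alerts.append(f"4887 request {req_id}: {requester} supplied SAN {san}")
    for e in events:
        if e["EventID"] == 4899:
            alerts.append(f"4899 template modified: {e['TemplateName']}")
        elif e["EventID"] in (4876, 4877):
            alerts.append(f"{e['EventID']} CA backup activity (possible CA key export)")
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The 4768 check keys on the certificate fields being non-empty rather than on any particular issuer, so it also catches a forged certificate chained to a stolen CA key; correlating the thumbprint against the CA's issued-certificate log is what separates the two cases (slide 26).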
  • 22. Finding Requester Info
    ▪ Collect web logs from the IIS-hosted HTTP enrollment servers
    ▪ CA database contains requester info and the raw CSR bytes
      ▫ C:\Windows\System32\CertLog\<CA NAME>.edb
      ▫ Abnormal user agents + processes
      ▫ Abnormal/missing CSR fields
  • 23. “Golden Certificates”
    ▪ If the private key for a CA’s certificate is not protected by a TPM/HSM, DPAPI is used
      ▫ CAs sign issued certificates with this key
    ▪ Attackers can steal DPAPI-protected private keys
    ▪ If the CA is in NTAuthCertificates, attackers can forge certificates as anyone in the domain!
      ▫ Can’t be revoked as the certs aren’t actually “issued”!
      ▫ Work as long as the CA cert is valid!
  • 24. “Golden Certificates” and DPERSIST* Defense
    ▪ Detect non-LSASS reading of DPAPI-encrypted keys (as previously covered)
    ▪ Monitor CA backup started/completion events (EID 4876/4877)
      ▫ Requires enabling CA audit logs
  • 25. A Novel “Golden Certificate” Defense
    ▪ Fabian Bader put out a great post* on using IssuedSerialNumbersDirectories to deny OCSP requests for UNKNOWN serial numbers
    *https://cloudbrothers.info/en/golden-certificate-ocsp/
  • 26. Hunting Ideas for Forged Certificates
    ▪ Abnormal serial numbers
      ▫ https://www.pkisolutions.com/adcs-certificate-serial-number-generation-algorithms-a-comrehensive-guide/
    ▪ Thumbprints that aren’t in the CA DB’s log of issued certs
  • 27. High Level Architecture Guidance
    ▪ Treat CAs as Tier 0 Assets!
    ▪ Hardware protect CA keys
    ▪ Internal root CAs should be offline, with subordinate CAs doing issuance
      ▫ A proper architecture is worth investing in!
  • 28. A Note on Response ...
  • 29. Do you know:
    If AD CS has issued a specific user a certificate?
    Which users/machines requested a specific template?
    If an alternate SAN was specified in a request?
  • 30. AD CS Response
    ▪ If you have AD CS and a computer/user is compromised, you need to be able to answer these questions!
      ▫ PSPKIAudit can help here
    ▪ Organizations also need to streamline the certificate revocation process
      ▫ Possible through the GUI or PSPKI
    ▪ Make plans for how to respond to a compromised subordinate/root CA
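The three questions on slide 29, plus the forged-certificate hunt on slide 26 (thumbprints the CA never logged as issued), can all be answered from one export of the CA database's issued-certificate log. The Python below is an added example, not code from the talk or from PSPKIAudit: the rows are constructed, the column names are illustrative rather than the exact columns of a `certutil -view` export, and the "alternate SAN" test is a heuristic that compares the identity named in the SAN with the requester's account name. The serial-number format check from slide 26 is CA-specific and is deliberately left out.

```python
from __future__ import annotations

# Constructed rows standing in for an export of the CA database's issued-certificate
# log (column names are illustrative; a real certutil -view export differs).
ISSUED = [
    {"RequestID": 4321, "RequesterName": "CORP\\alice", "CertificateTemplate": "User",
     "SerialNumber": "1a00000004",
     "CertificateHash": "0011223344556677889900112233445566778899",
     "SubjectAltName": "upn=alice@corp.local"},
    {"RequestID": 4322, "RequesterName": "CORP\\alice", "CertificateTemplate": "LegacyWebServer",
     "SerialNumber": "1a00000005",
     "CertificateHash": "ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12",
     "SubjectAltName": "upn=da-bob@corp.local"},
    {"RequestID": 4323, "RequesterName": "CORP\\ws01$", "CertificateTemplate": "Machine",
     "SerialNumber": "1a00000006",
     "CertificateHash": "ffeeddccbbaa99887766554433221100ffeeddcc",
     "SubjectAltName": "dns=ws01.corp.local"},
]

# Constructed certificates seen in use (e.g. taken from 4768 PKINIT events or a host's store)
OBSERVED = [
    {"SerialNumber": "1a00000005", "Thumbprint": "AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12"},
    {"SerialNumber": "7f0000000000000000000001", "Thumbprint": "DEADBEEF" * 5},
]


def _account(requester: str) -> str:
    """'CORP\\alice' -> 'alice', 'CORP\\ws01$' -> 'ws01' (for comparison with SAN values)."""
    return requester.rsplit("\\", 1)[-1].lower().rstrip("$")


def certificates_issued_to(rows, account: str) -> list[int]:
    """Request IDs of certificates AD CS issued to the given account (slide 29, question 1)."""
    return [r["RequestID"] for r in rows if _account(r["RequesterName"]) == account.lower()]


def requesters_of_template(rows, template: str) -> list[str]:
    """Accounts that requested a given template (slide 29, question 2)."""
    return sorted({r["RequesterName"] for r in rows if r["CertificateTemplate"] == template})


def alternate_san_requests(rows) -> list[int]:
    """Request IDs whose SAN names an identity other than the requester (question 3; heuristic)."""
    flagged = []
    for r in rows:
        value = r["SubjectAltName"].lower().partition("=")[2]   # drop the 'upn='/'dns=' tag
        identity = value.split("@")[0].split(".")[0]            # 'alice@corp.local' -> 'alice'
        if identity and identity != _account(r["RequesterName"]):
            flagged.append(r["RequestID"])
    return flagged


def unissued_certificates(rows, observed) -> list[str]:
    """Thumbprints in use that the CA never logged as issued: forged-certificate candidates."""
    issued_hashes = {r["CertificateHash"].lower() for r in rows}
    return [c["Thumbprint"] for c in observed if c["Thumbprint"].lower() not in issued_hashes]


if __name__ == "__main__":
    print("issued to alice:", certificates_issued_to(ISSUED, "alice"))
    print("LegacyWebServer requesters:", requesters_of_template(ISSUED, "LegacyWebServer"))
    print("alternate-SAN requests:", alternate_san_requests(ISSUED))
    print("never issued by this CA:", unissued_certificates(ISSUED, OBSERVED))
```

Request 4322 is the one to revoke first: a low-privileged requester obtained a certificate whose SAN names a different account. The second observed certificate has no matching row at all, which is exactly the golden-certificate signature on slide 26, and since it was never issued it cannot be revoked; the response there is the CA key rotation plan slide 30 asks for.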
  • 31. (no text on this slide)
  • 32. (no text on this slide)
  • 33. (no text on this slide)
  • 34. Defensive Gaps
    ▪ Few people have deep knowledge of AD CS
      ▫ “It’s the boiler in the basement”
      ▫ It’s very easy to accidentally misconfigure an AD CS deployment
      ▫ Lots of third-party products “encourage” you to configure things incorrectly
    ▪ Certificate Services event logs leave a lot to be desired
    ▪ Most of us just haven’t been paying attention to this!
  • 35. Summary
    ▪ AD CS is dangerous if not handled properly
    ▪ Attack tooling (and knowledge) is now out there!
    ▪ Defenses:
      ▫ Develop an AD CS incident response plan
      ▫ Audit relevant AD CS event logs
      ▫ Audit/triage certificate issues with PSPKIAudit
    ▪ Our whitepaper has complete details
      ▫ https://bit.ly/3xLziQ9
  • 36. Acknowledgements
    ▪ Previous work (see the paper for complete details):
      ▫ Benjamin Delpy, PKISolutions, Christoph Falta, CQURE, Keyfactor, @Elkement, Carl Sörqvist, Brad Hill
      ▫ Risk-Insight’s Similar Work/Findings:
        ■ https://www.riskinsight-wavestone.com/en/2021/06/microsoft-adcs-abusing-pki-in-active-directory-environment/
    ▪ Ceri Coburn and Charlie Clark for related Rubeus additions
    ▪ Special thanks to Mark Gamache for collaborating with us on parts of this work
  • 37. Thanks! ANY QUESTIONS?
    You can find us at: @harmj0y | @tifkin_
    [will | lee]@specterops.io
    AD CS Whitepaper: https://bit.ly/3xLziQ9