
Hi folks. Today our presentation starts with our friend here, Nikos Vourdas. He will be talking about the walking dead of AD. So without any further ado, Nikos.
>> Hello there.
>> Hello. Sorry.
>> Come on, Fox, confidence.
Okay. I haven't drunk coffee yet. Okay. Hello, BSides. How are you?
>> Give some love, guys. Give some love. It's 10:00 a.m. Let's go. Let's go.

Okay. My name is Nikos, and for the next 15 minutes we'll explore together some weird things my team and I discovered last year about Active Directory. Big disclaimer here: the opinions expressed in this presentation are my own and don't represent my current, my last, my future employer or any organization. Also, before starting the presentation, I need a favor from you. As I said, my name is Nikos. I have a big issue in my life: my mom doesn't believe that people pay to see my presentations. So I need a favor. If you feel comfortable, I want to take a picture of you to prove to my mom that people pay and come to see my presentation. If you have any issue with that, please stay out of it.
>> That's good.
>> I don't have to.
>> Yeah, man. I did it.

Another thing: as you will see, my presentations are more storytelling, so I don't put a lot of blah blah, for two reasons. The first reason is I want people to be focused on me, and the second reason is sometimes I'm a little lazy, so I will try to explain a lot of things with pictures, because I think a picture says more than words.

Who am I? My name is Nikos. I'm from Greece originally; I have lived two years in the United States. I'm a senior offensive security consultant. I have expertise in adversary simulation and emulation. I have participated in some global, TIBER-EU and DORA threat-led penetration tests in Europe and Asia. I have a few certifications also. I'm the proud author of Supernova and Commander. You can find these open source tools on my GitHub. This is my favorite number, 19. When I see this number, every time something goes very well. Today I'm a little stressed, so I put the number there to be safe. This is my safe zone. And you can find me on social media with this handle; actually, this is my handle name. Also, this is my logo. I designed this logo five years ago. I have this logo tattooed here. Okay, let me move on.

Also, this is Krianos, the co-author of this presentation and the research. He's a CEO based in Greece. He's co-founder of OffensiveX, the premier cyber red teaming and offensive security event based in Greece. He also has expertise in adversary simulation and emulation. He has a few certifications also. He found some zero-days in Zyxel network devices back in the day, and you can find him on social media with his handle.

Okay, today's agenda. As I said, this presentation is more storytelling, and I will tell you a story about what happened a year ago in California, and we'll try to guide this topic like this. I hope you enjoy this presentation. Fasten your seat belts and let's go.

California, one of the best places in the United States. If you disagree, I don't care. Okay. So, it was Sunday when I
landed in a very well-known region in California. I prepared my stuff, and on Monday I went to the office and met the client. Actually, we had to do a regression test. If you are not familiar with what a regression test is, it's a retest: we go back after some months or years and try to identify and verify whether the client has fixed the vulnerabilities that we previously reported in the real penetration test. So I had five days, to be honest. Okay. So it was a retest. In two days I finished everything; most of the findings had already been remediated. So I asked my manager what would happen with the three remaining days. It's time that the client had already allocated. So I got the green light from my manager and I asked the client what he wanted to do with the three days, and he answered with the most common request of all time: can you gain Domain Admin? Oh my God. So I said, okay, I will try my best, but the time is very limited.

So, sit down. I started to enumerate the network. I executed different tools like nmap, etc., NetExec, and when I collected the data with BloodHound and searched in BloodHound for what was going on, I observed something very weird: this. Okay, this probably doesn't seem so weird; I will explain to you later why it's weird. I found that Domain Users, which is nested in the Pre-Windows 2000 Compatible Access group (all of this is default), has GenericWrite permission over the Lazarus user. And you will come and tell me, okay bro, you came to BSides to tell me something that is very common. Okay, it's not so common, because if you can see here, the Lazarus user is a disabled object. So we have a misconfiguration on a disabled Active Directory user. Very interesting. I hadn't seen this before. As you can see on the other side, from the Windows attacking machine, it actually was disabled.

Another interesting thing about this engagement was that there was no direct path from Domain Users to Domain Admins, which means that in this presentation we search for hidden paths, not the visible, default attack paths from BloodHound. So, what do we need? As we said, we are part of Authenticated Users, and Authenticated Users is nested in the Pre-Windows 2000 Compatible Access group. This is all default; it happens all the time. Then we need to try to use this GenericWrite permission to abuse the disabled object. Pretty straightforward, I think. The problem is the target is disabled; it's not active. Before proceeding with the exploitation part, let's go back to some fundamentals. I'm sure that most of you are
already familiar. About access control theory: an access control list defines who can access an Active Directory object and what actions they can perform. An access control entry (ACE) is an individual rule within an access control list that grants or denies permissions to a specific user, group or computer. Okay, we have two types of access control list: the DACL and the SACL. Discretionary: never in my life have I been able to pronounce this; how do people in America say this? Discretionary. Okay. The discretionary access control list, the DACL, defines who can access an object and what permissions they have. However, on the other side, the system access control list defines what actions on an object should be audited and logged for security monitoring. From the terminology, you understand we will focus on the DACL and not so much on the SACL, because we have more opportunities to abuse something. This is an example of how a DACL looks behind the scenes. As you can see, the permissions page is the DACL, the blue highlighted line is an ACE, and the other tab is about the SACL.

Okay. So what we actually want to abuse: we want to use GenericWrite. Let's rephrase what GenericWrite does according to the Microsoft documentation. With GenericWrite we can read the properties and we can edit and modify the properties of an AD principal. Please keep this in mind: not protected properties. I will explain later what non-protected properties means. Also, let's see how GenericWrite looks behind the scenes. If you go to the domain controller, you will see exactly this, by enabling read and write. So easily we have a misconfiguration in Active Directory.

Okay, let's proceed with the exploitation part. I was searching for what I could do, how I could enable this disabled object. So today I present three different tools you can use in three different situations. The first one is the Microsoft Active Directory PowerShell module. If you have a Windows laptop connected via an Ethernet cable, you can use this. The ldapmodify command-line tool: if you have Linux, you also need to build your own LDAP queries; it's more difficult, not as straightforward as Windows. And of course, if you have a Cobalt Strike command and control, you can use the TrustedSec CS-Remote-OPs-BOF repository, where you can find a beacon object file named enableuser. I implemented it and also opened a pull request; they accepted the pull request. I did the same for disabling a user. So for this example I will use the first one, the Windows Microsoft Active Directory module.

I don't know if you believe in any religion, if you're Christian, but if you read the Bible, there is, in John 9 verse 11, where John says: Lazarus, come out. It's time to wake up. Okay, I will tell you something: when I was at the client and I tried this, I felt like Jesus. I said, before using the module, Lazarus, come out, bro. After six months, it's time to wake up. Because the client said this disabled object was a user who quit the company six months ago. So for six months this disabled object and this misconfiguration existed and no one noticed. So I felt like God.

So let's go to the technical part. The first command is about verifying the condition, whether the user is disabled or enabled. As you can see: disabled. And with a simple command, by using the value 1 for the enable argument, boom, the user is enabled. As we said, GenericWrite allows us to edit the properties of an Active Directory object which are not protected, and boom, we did it. Lazarus is alive again and back in the game, back from the graveyard. Very good.

The next part, okay, now that we brought Lazarus back from the graveyard, is to abuse this Active Directory object, because now it's enabled. We have GenericWrite, and GenericWrite can give us the opportunity to do Shadow Credentials or RBCD, resource-based
constrained delegation. I'm sure that you are already familiar with Shadow Credentials and resource-based constrained delegation, but let's refresh in one line each. For Shadow Credentials, we need to configure the specific attribute msDS-KeyCredentialLink by adding the value of a public key for which we already own the private key. For RBCD, resource-based constrained delegation, we need to edit and configure the value of msDS-AllowedToActOnBehalfOfOtherIdentity with the security descriptor of a node, a machine account. From this example, you understand we don't own a machine account. Someone will tell me, okay, the machine account quota is 10, you can create one. I will tell you something: it was zero. I couldn't create a machine account. So I went more straightforward with Shadow Credentials. Fun fact: we need to give a shout-out to Elad Shamir from SpecterOps, who did all the research about Shadow Credentials and created Whisker, the .NET tool. For me he is one of the best researchers that I have seen so far in the field of Active Directory. Also, for this example I used pyWhisker, a Python implementation of Whisker; shout-out to Charlie Bromberg, who created the Python implementation.

So actually what we are doing: we target the specific affected Active Directory object, the Lazarus user, and we try to add a public key to the attribute msDS-KeyCredentialLink. That's it. We create a PFX, and we can authenticate; a PFX is a way of authentication, right? What happened? Okay, so I used the PFX to extract the NT hash. I have a question for the audience. Do you know how the Certipy auth command extracts the NT hash? We use a PFX and we extract the NT hash. Do you know how it happens behind the scenes?
>> Is it in memory?
>> Sorry?
>> Anything in memory, or no?
>> Actually, no. Well, Certipy, if you go and analyze the code. What I'm doing in my free time, and that's the reason I don't have a girlfriend, okay: I'm trying all the time, and I'm doing code review of the tools, because when you do more advanced projects, like red teaming and all this stuff, if you know the code, what's actually happening behind the scenes, it's easier for someone to change the tool, to avoid detections, to remove parts. Of course, that brings up the techniques behind the scenes. Certipy uses the Kerberos user-to-user (U2U) authentication method. What's this? So we ask AD with this method, and then we go to the KDC, the Key Distribution Center service, and we give the TGT, and we say: here is the TGT. Also, from this TGT I want you to give me a service ticket, but the service ticket that you will give me, I want it encrypted with the session key of this TGT and not the target service account's secret key. So because we possess the session key, we can decrypt the service ticket and extract the NT hash from the PAC info structure, because it is embedded there. All this happens because we go with the TGT and the session key and say, okay, give me the service ticket, but I want this service ticket encrypted with my session key and not the secret key of the service account. This is all the magic, and that's the reason Certipy can extract the NT hash. I have added to this presentation all the process, which I generated with AI. One thing that I want you to take as a message from this presentation, when you go back to your home, to your apartment: please try to understand what the tools are doing. Please try to avoid just pressing commands, okay? Because when you go to an advanced project and you have the knowledge of what's happening behind the scenes, it will save your life. How many times have you participated in a project and a tool failed for some reason, and probably you don't know what's happening? If you understand what the tool is doing, of course you can avoid detections in the future, and you can understand why the tool failed.

Okay, let's go to the next. So, I compromised this user. I have the NT hash of the user. We did the lateral movement. Whoa. Be more excited, guys. So, what did the client ask? To become Domain Admin. Okay. When you compromise a new user, it's a new start in an Active Directory, or in a network generally. A new user, generally a new object, so we start the enumeration again from the beginning: BloodHound.exe, and of course we can try Certipy.
It's a low-hanging fruit. I gave it a shot and I found the template susceptible to many Active Directory Certificate Services privilege escalations. Can someone tell me, for this vulnerable certificate template, which ADCS escalations it is vulnerable to?
>> Yeah, this one. Yeah. Not only
>> that was there. There's like 15 different escalations.
>> ESC4. Yeah.
>> ESC2 and ESC3.
>> Why ESC2 and ESC3? Because first of all the Enrollment Agent is enabled, which makes it vulnerable to ESC3, and of course Any Purpose makes it vulnerable to ESC2. Okay. Of course, because I said in the beginning I'm a little lazy sometimes, I went with the most obvious one, ESC1. As you can see. But let's remind ourselves, if someone is not familiar, okay, it's not a shame, we're here to learn. Let's remind ourselves again what the ESC1 prerequisites are. Take a good picture, thank you. So first of all, the template should be enabled. Secondly, Enrollee Supplies Subject: this gives you the ability to request an alternate subject name on a certificate. Also, Requires Manager Approval should be disabled, Authorized Signatures Required should be false, and of course the Extended Key Usage should be Client Authentication. And last but not least, we need to have enrollment rights for our controlled user. Performing this, of course, we take the administrator PFX and again we use certipy auth, and that's it: we have the NT hash of the Domain Admin. Congratulations, we became Domain Admins.

Okay, so the project finished. Happy client, happy Nikos. So I left California and went straight to freezing Chicago. Have you ever been to Chicago? Okay, I'll tell you something. Chicago is one of the best cities, but it's one of the worst cities. People there are crazy. Look at me. Okay, Chicago. Chicago, the city of dreams. So I arrived in Chicago. I went out of my building, okay? I started to smoke a cigarette, and I was thinking about what happened. Fun fact: don't smoke. Smoking is a bad habit. So I started thinking about what happened. It was crazy, right? We had a
disabled object. We enabled the object and we became Domain Admin. No direct path. And unfortunately something very bad happened: something started to scratch my mind, saying, Nikos, you need to give more time to this. So I threw the cigarette on the road. Please don't tell this to the cops. And I went back to my apartment and started to organize my thoughts. Another piece of advice from this presentation: when you do research, organize your thoughts. You need to know what you want to achieve and to split your thoughts into parts. So, what do we want to achieve? We want to find new things and dig more into what's happening with this misconfiguration. How will we start? We saw in the previous example that we had GenericWrite and we compromised the disabled object. So the first thing is, I need to find other permissions, DACL permissions, which give me the ability to enable a disabled object. As you can see, this is the table. This is all that I found. If I missed something, forgive me; I'm just a human from Chicago. I said people in Chicago are crazy. And you will see something very weird in this table. You will see a column named "direct access". You will ask me, what's direct access? And I will tell you. Let's give two examples of direct access.

In the previous example, we used one command to enable the user. That doesn't mean that every time you need one command. Another example: we have Domain Users with WriteDacl over the Papagelos disabled user object. For this example we use two commands. The first one is about verifying the state; the second command is about giving full control to our controlled user, Nikos, over the target, the Papagelos disabled user object. So in this way, because we have full control, now we can enable the disabled Papagelos user object. So with WriteDacl you use two commands. Let's give another example: Domain Users has WriteOwner over the Nikos disabled user object. Don't ask me about the names; they are all the names of my friends. I expose my friends every time; it's my favorite thing, actually. This is the reason why I go to presentations. In this example we have three commands; we need three commands to enable the user. First of all, because we have WriteOwner, we can change the owner of the object, so of course we set as owner of the Nikos Katop disabled user object our controlled user, Nikos. Secondly, we use the previous command from the previous example to give full control. Now Nikos has full control over Nikos, which means, if I have full control, I can enable it again. Back in the game.

Okay, this was my first thought. We did it. What else can we search for? Can someone tell me?
>> GenericAll.
>> No, no, GenericAll needs only one command.
>> No, the permissions, I guess.
>> Okay. We found the permissions. We know which permission can enable or disable it. What's next? We have these permissions, we know what all of the permissions can do, okay, we enabled the user. So what after that? What will we take to the client? Okay, we enabled it, okay, congrats, Nikos, you compromised it. That doesn't mean all permissions give the ability to do RBCD or Shadow Credentials. As you can see from this table, only the first four can perform both. WriteAccountRestrictions can only perform RBCD. And why is that happening? Because WriteAccountRestrictions can't, by default, modify msDS-KeyCredentialLink, only msDS-AllowedToActOnBehalfOfOtherIdentity. So you can do RBCD. This is the full table. And now you know, with all of these permissions, what you can do and what you can compromise. Okay. This was my first thought: we found permissions. This was my first and second thought. We know what
we can do. What else can we do? This is Taki Tsan. Not Takan: Taki Tsan. He's a legendary rapper in Greece. Even my mom knows Taki Tsan. He's a legend. So what Taki Tsan says: Active Directory contains far more than just users. Yeah, of course, in the previous example we saw only targeting users. We don't have only users; we have other objects. So I made a table about different Active Directory objects. Actually, you can enable and disable only users, computers and service accounts. Let's see an example. We have a gMSA, SVC_PRO; it's a service account. I will try to compromise it. It's a disabled service account. Wow. What is it called? Okay. So, as you can see, we again use one command, but for the service account the command is different. It's not as straightforward. It's Enable-ADAccount. Even to verify the state of the disabled object, the command is again different. So for the service account the only difference is you use other cmdlets, for example from the PowerShell Active Directory module.

What about Active Directory certificate templates? I haven't mentioned them. Okay, I'm not crazy, even though I am from Chicago. So what's happening with Active Directory Certificate Services? I have seen many times disabled but vulnerable Active Directory certificate templates. Unfortunately, because certificate templates require publishing on the certification authority server, you can't enable them, and the reason, let's give an example. Let's assume that we have a disabled certificate template, but it's vulnerable to ESC4. ESC4 gives us the ability to change the security settings of the template and make it vulnerable to another ADCS escalation attack like ESC1 or ESC3. The problem is, if you find a disabled Active Directory certificate template vulnerable to ESC4, you can change the security settings, but you can't enable it. The only permissions and roles in on-premises Active Directory that can enable certificate templates are Domain Admins, Enterprise Admins, and CA administrators or CA local administrators. So what's the point of abusing a misconfiguration if you're already Domain Admin? We do this to gain Domain Admin privileges. So unfortunately, you can't do anything.

Okay. Do you remember, at the beginning of the presentation, I said something about protected properties? Do you remember? I want to see if you're focusing. Okay, nice. So in Active Directory there is a specific mechanism, AdminSDHolder. What does AdminSDHolder do? When you add a user to a privileged group like Domain Admins, this mechanism works in the background and sets the attribute adminCount equal to one. So our object is now privileged, and this mechanism protects the privileged object from a lot of interactions. And what happens when you disable the privileged user? This mechanism still works and you can't interact with the disabled object. Let's give an example. We have the Lazarus user. If you see, right now he's in the Domain Admins group. So this user has adminCount set, which is the attribute of AdminSDHolder. If you see from BloodHound, it says access control inheritance denied, which means it's true, which means, when you see this, by default, when you put someone in high privilege, you can't interact with or edit the permissions. So forget that. But because we are living in a world of dungeons and dragons, I will tell you something. I have seen this in my life.
I swear I have seen this. When we go inside an Active Directory object, of course we are hunting misconfigurations, IT mistakes. If someone from IT enabled access control inheritance, even if the disabled object has adminCount, you can perform all the previous actions that we said. But this is a very rare condition; I have seen this one time in my life, but you never know. Please keep your eyes open. Once an object becomes privileged, it should always be treated as privileged. Jim Sykora did all the research about AdminSDHolder. He's a security researcher for SpecterOps. Okay. Toys for girls and boys. We did the research. We saw a lot of examples.
Hello, Mom. The last part of the presentation, one of the last parts, is what we give back to the community, apart from the research and a guy from Chicago. So we created an open source tool named Lazarus Wake Up. It's a Python tool based on the Poetry framework. Actually, as I said in the beginning, with LDAP you need to build your LDAP queries and all this stuff if you use a Linux machine. So we had the idea to create this tool to be very easy and very straightforward. What you do in this tool: you can of course do recon, and you can manage the state of an Active Directory principal; for example, if it's disabled, you can make it enabled, and vice versa. As you can see, this is an example. We found that there is one disabled user, Jose, another one of my friends, and we use Lazarus Wake Up, just use the enable argument, and boom, from Linux you have enabled the user. If you try, trust me, if you try to do it with the LDAP queries that I mentioned in the beginning, it's very painful. You can find it on my GitHub. Here is my GitHub; you can use my handle name, nickvourd. I have the other tools there. Go and subscribe if you want.

Okay. What next? We made a tool. Also, as I said in the beginning, in BloodHound there is no default query for that. So guess what? We created our own queries. In this query, what we can do is search for any user, group or computer
>> which has dangerous DACL permissions over a disabled object.
>> Actually, wait, I might have... oh, sorry, this is the result of the query. Okay. So if you throw this query into BloodHound, bam, you find which objects have dangerous permissions. But we developed another one that is more useful. Think about it: you start as a low-privilege user in the internal network. On BloodHound, of course, you will right-click on this user. With this query, you can find the shortest path from your own objects to disabled users. Remember, any disabled user is a new hidden path. As you can see, we have Neris, and this is your attack path. Fun fact: I also submitted these queries to the open source library of BloodHound queries. I'm waiting for them to be accepted. If they accept them, you can find them there too.

Okay, the art of defending. When you give offensive security talks, it's very important to give tips and recommendations on how to remediate or detect all of these actions. I know that it's very cool to present how you can hack this and all this stuff, but at the end of the day we need to remember that we need to make the internet a safer place, right? So about this, what can you do? Of course, review the security tab of the candidate object, the disabled object, for inbound and outbound relationships. If you remember, in the beginning I showed a picture of the Lazarus user, how we created the GenericWrite, how it looks from the Windows server side. You can go there, to the security tab, and examine and try to identify the inbound and outbound permissions. Also, Lazarus Wake Up shows the inbound permissions.

Secondly, we want to make detections. I will tell you something. I have at home, in my local lab, a Proxmox, and I have a very popular (I will not say which) EDR. The bad thing, when I tested this against the enabled EDR: these popular EDRs don't detect the enabling or disabling of a user. And someone from the blue team will say, okay, so what? If you perform Shadow Credentials or RBCD, we catch you. Yeah, but I will tell you something: I know many popular EDR vendors by default don't have detection for RBCD and Shadow Credentials. I'm sure that Microsoft has, but other popular ones don't, and you need to implement your own rules. So for detection, again, let's organize our thoughts. What do we need first? In order to build the detection, we need to identify the event ID: when we do this action, what's happening behind the scenes in Event Viewer? As you can see, the event ID is 4722. This is how it looks from the event, and once we have this event ID, we implemented a Sigma rule. You can find it on my personal blog, on Medium, using my handle again. This rule is Sigma for a reason: you can convert it to any language you want, KQL, or to work with Elastic. I use Elastic; I have an Elastic SIEM at home. So what this does is try to detect when a low-privilege user enables or disables another disabled object. As you can see, this is the result in my lab. These are some references for this presentation, and your questions.
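The "hidden path" idea from the talk, as an added example that is not code from the talk, from Lazarus Wake Up or from BloodHound: a small BloodHound-style graph is constructed inline (node names, rights and the userAccountControl values are assumptions chosen to mirror the Lazarus story), and the same breadth-first search is run twice. Treating a disabled account as a dead end, the way a default shortest-path view effectively does, finds no route from Domain Users to Domain Admins; allowing the walk to pass through the disabled node finds it, and the code then lists the re-enable steps implied by the right that reaches that node (the talk's "direct access" column) and the userAccountControl value to write. The ldap3-style change dict is only built, never sent.

```python
"""Hidden attack paths through disabled AD principals (added example)."""
from __future__ import annotations
from collections import deque

ACCOUNTDISABLE = 0x0002  # userAccountControl bit ADS_UF_ACCOUNTDISABLE
NORMAL_ACCOUNT = 0x0200  # userAccountControl bit ADS_UF_NORMAL_ACCOUNT

# How many LDAP operations precede the userAccountControl write, per right
# that reaches the disabled object (the talk's "direct access" column).
# GenericAll/GenericWrite/WriteAccountRestrictions can write the attribute
# directly; WriteDacl must first grant itself GenericAll; WriteOwner must
# first take ownership, then grant itself GenericAll.
ENABLE_STEPS = {
    "GenericAll": ["modify userAccountControl"],
    "GenericWrite": ["modify userAccountControl"],
    "WriteAccountRestrictions": ["modify userAccountControl"],
    "WriteDacl": ["grant self GenericAll", "modify userAccountControl"],
    "WriteOwner": ["set owner", "grant self GenericAll",
                   "modify userAccountControl"],
}

# Constructed graph (assumption): name -> userAccountControl, None for
# objects that are not accounts. LAZARUS is a normal but disabled user.
NODES = {
    "DOMAIN USERS": None,
    "AUTHENTICATED USERS": None,
    "PRE-WINDOWS 2000 COMPATIBLE ACCESS": None,
    "LAZARUS": NORMAL_ACCOUNT | ACCOUNTDISABLE,
    "ESC1-TEMPLATE": None,
    "DOMAIN ADMINS": None,
}
# Constructed edges (assumption): (source, right, target)
EDGES = [
    ("DOMAIN USERS", "MemberOf", "AUTHENTICATED USERS"),
    ("AUTHENTICATED USERS", "MemberOf", "PRE-WINDOWS 2000 COMPATIBLE ACCESS"),
    ("PRE-WINDOWS 2000 COMPATIBLE ACCESS", "GenericWrite", "LAZARUS"),
    ("LAZARUS", "Enroll", "ESC1-TEMPLATE"),
    ("ESC1-TEMPLATE", "ADCSESC1", "DOMAIN ADMINS"),
]


def is_disabled(uac: int | None) -> bool:
    """True when the ACCOUNTDISABLE bit is set (non-accounts are never disabled)."""
    return uac is not None and bool(uac & ACCOUNTDISABLE)


def shortest_path(start: str, goal: str, *, through_disabled: bool):
    """BFS returning [(right_used, node), ...] or None.

    With through_disabled=False a disabled account is a dead end: you cannot
    log on as it, so nothing beyond it is reachable. That is exactly why the
    talk calls the route a hidden path."""
    adj: dict[str, list[tuple[str, str]]] = {}
    for src, right, dst in EDGES:
        adj.setdefault(src, []).append((right, dst))
    queue = deque([[("start", start)]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1][1]
        if node == goal:
            return path
        if node != start and is_disabled(NODES[node]) and not through_disabled:
            continue  # dead end: do not expand a disabled principal
        for right, nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [(right, nxt)])
    return None


def enable_plan(path):
    """For each disabled node on the path: (node, steps, new userAccountControl).

    The steps come from the right on the inbound edge; the new value is the
    current one with ACCOUNTDISABLE cleared. Raises if the right cannot
    enable the object at all."""
    plan = []
    for right, node in path[1:]:
        uac = NODES[node]
        if is_disabled(uac):
            steps = ENABLE_STEPS.get(right)
            if steps is None:
                raise ValueError(f"{right} on {node} cannot enable the object")
            plan.append((node, steps, uac & ~ACCOUNTDISABLE))
    return plan


def uac_change(new_uac: int) -> dict:
    """The 'changes' argument an ldap3 Connection.modify() call would take;
    'MODIFY_REPLACE' is the string value of ldap3.MODIFY_REPLACE. Nothing is
    sent here; this only shows the single attribute write the talk relies on."""
    return {"userAccountControl": [("MODIFY_REPLACE", [str(new_uac)])]}


if __name__ == "__main__":
    print("default view:", shortest_path("DOMAIN USERS", "DOMAIN ADMINS",
                                         through_disabled=False))
    hidden = shortest_path("DOMAIN USERS", "DOMAIN ADMINS", through_disabled=True)
    print("hidden path:", " -> ".join(n for _, n in hidden))
    for node, steps, new_uac in enable_plan(hidden):
        print(node, steps, uac_change(new_uac))
```

Swapping the right on the PRE-WINDOWS 2000 COMPATIBLE ACCESS edge for WriteDacl or WriteOwner changes only the length of the plan, which is the point of the table in the talk; replacing it with a right absent from ENABLE_STEPS makes enable_plan raise, which is the check a query author wants so that "dangerous permission over a disabled object" does not quietly include rights that cannot wake it.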
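The detection described at the end of the talk, as an added example that is not the speaker's Sigma rule: the same logic written in Python and run over a few constructed Windows Security events (the field names follow the 4722 "A user account was enabled" and 4725 "A user account was disabled" event schema; the account names, domain and timestamps are made up). An alert fires when the subject that toggled the account is not in an allowlist of principals expected to manage account state (the allowlist itself is an assumption for the example). A second function pairs an enable with a later disable of the same target, the wake-up-and-rebury pattern an attacker would use to hide the change after abusing the account.

```python
"""Detect enable/disable of AD accounts by unexpected subjects (added example)."""
from __future__ import annotations
from datetime import datetime, timedelta

ENABLED = 4722   # Security log: a user account was enabled
DISABLED = 4725  # Security log: a user account was disabled

# Assumption: principals allowed to change account state (tier-0 admins,
# IAM automation). Everything else toggling an account is worth an alert.
EXPECTED_SUBJECTS = {"administrator", "svc_iam"}

# Constructed events modelled on the EventData fields of 4722/4725/4738.
SAMPLE_EVENTS = [
    {"EventID": 4722, "SubjectUserName": "administrator", "SubjectDomainName": "CORP",
     "TargetUserName": "jose", "TargetDomainName": "CORP",
     "TimeCreated": "2024-05-06T10:02:11+00:00"},
    {"EventID": 4722, "SubjectUserName": "nikos", "SubjectDomainName": "CORP",
     "TargetUserName": "lazarus", "TargetDomainName": "CORP",
     "TimeCreated": "2024-05-06T10:15:43+00:00"},
    {"EventID": 4738, "SubjectUserName": "nikos", "SubjectDomainName": "CORP",
     "TargetUserName": "lazarus", "TargetDomainName": "CORP",
     "TimeCreated": "2024-05-06T10:16:02+00:00"},   # account changed: not in scope
    {"EventID": 4725, "SubjectUserName": "nikos", "SubjectDomainName": "CORP",
     "TargetUserName": "lazarus", "TargetDomainName": "CORP",
     "TimeCreated": "2024-05-06T11:40:09+00:00"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def suspicious_toggles(events, expected=EXPECTED_SUBJECTS):
    """One alert per 4722/4725 whose subject is not an expected administrator."""
    alerts = []
    for ev in events:
        if ev["EventID"] not in (ENABLED, DISABLED):
            continue
        if ev["SubjectUserName"].lower() in expected:
            continue
        alerts.append({
            "rule": "enable" if ev["EventID"] == ENABLED else "disable",
            "subject": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
            "target": f"{ev['TargetDomainName']}\\{ev['TargetUserName']}",
            "time": ev["TimeCreated"],
        })
    return alerts


def wake_and_rebury(events, window: timedelta = timedelta(hours=6)):
    """Pair a 4722 with a later 4725 on the same target inside `window`.

    Returns [(target, enabled_by, disabled_by), ...]: an account that was
    enabled, used, and disabled again to make the change disappear from a
    casual review of account state."""
    pairs = []
    pending: dict[str, dict] = {}
    for ev in sorted(events, key=_ts):
        target = ev["TargetUserName"].lower()
        if ev["EventID"] == ENABLED:
            pending[target] = ev
        elif ev["EventID"] == DISABLED:
            first = pending.pop(target, None)
            if first is not None and _ts(ev) - _ts(first) <= window:
                pairs.append((target, first["SubjectUserName"], ev["SubjectUserName"]))
    return pairs


if __name__ == "__main__":
    for alert in suspicious_toggles(SAMPLE_EVENTS):
        print(alert)
    print(wake_and_rebury(SAMPLE_EVENTS))
```

On the sample, the administrator enabling jose stays quiet, both of nikos's toggles of lazarus alert, and the pairing function links them because the disable follows the enable within the window. Audit Policy has to include "Audit User Account Management" on the domain controllers for 4722/4725 to exist at all; without that, no SIEM rule, Sigma or otherwise, has anything to match.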
Very good.
>> I finished five minutes early. Yeah, there you go. So no questions, nothing?
>> I guess I'm curious. So everything you showed here was based off of a misconfiguration, not an Active Directory default. Is that...
>> Yeah.
>> Okay.
>> It's everything about misconfigurations, having misconfigurations. Also, I need to tell you something else. This is the first part of this research. I'm waiting for a conference in Vegas, for the village in Vegas, to accept the second part, and probably there we will present the second part of this research, because we identified more things about the dis... Any other question? Connect with you? Sorry. Okay, you can find me on Twitter with this handle.
Give me a second.
You can use this handle on Twitter. You can find me on LinkedIn with my name, Nikos Vourdas. Okay, it's a guy speaking in a red room. That's it. And my GitHub, of course, with the same thing. You can find my GitHub. You can find everything. Just press Nick and follow the fox. Okay. Thank you very much. Have a good one.