
Let the Children Play — Leveraging ADCS for Persistence in Parent-Child Configured Forests

BSides Cape Town · 2023 · 51:40 · 181 views · Published 2023-12
About this talk
Tinus Green explores new attack vectors in Active Directory Certificate Services (ADCS) exploitation, focusing on lateral movement and cross-domain escalation in multi-domain forests. The talk demonstrates how default permission misconfigurations allow forest-wide persistence from a compromised child domain without touching the parent, and covers both offensive techniques (ESC1 exploitation, SCHANNEL authentication) and defensive detection strategies.
Original YouTube description

Let the Children play - Leveraging AD CS for persistence and profit in Parent-Child configured forests - Tinus Green

In 2021, Active Directory Certificate Services came under scrutiny because of the opportunities it provides attackers for credential theft, domain escalation, and persistence. It has become a household name for red and blue teams. This talk will cover new discoveries from two perspectives:

Lateral Movement - Noisy compromises of the Parent domain to get to other Child domains are a thing of the past
Cross-Domain Escalation - A newly discovered default permission misconfiguration allowing forest-wide persistence from any Child domain

1. Introduction
An introduction to the basic concepts of Active Directory Certificate Services will be given. Terminologies such as Kerberos, PKINIT, SCHANNEL, and CSR will be covered. Background information on AD CS exploitation up to this point will be given. Reference will be made to the initial research performed by SpecterOps [1] and some interesting new vulnerabilities, such as CVE-2022-26923 [2], that were discovered afterwards.

2. The Potency of AD CS exploitation
A refresh demonstration [Demo 1] will be performed to show how AD CS can be leveraged for privilege escalation. The demo will focus primarily on exploiting ESC1 [3] to construct a certificate that can be used to either generate a Kerberos ticket via PKINIT or authenticate to LDAP via SCHANNEL authentication. The goal of this demonstration is to show how easy it is to perform the privilege escalation attack and how the attacker OpSec around the attack path is different, since conventional username and password credentials are not used.

3. Conventional Cross-Domain Lateral Movement Techniques
Before diving into new cross-domain lateral movement techniques leveraging AD CS, a demonstration will be given on the conventional methods [Demo 2]. Conventionally, we had to rely on performing a golden ticket attack to compromise the Parent domain, which then allows full access to all Child domains. While the attack path has been proven to work, it provides several opportunities for detection that are well-known by now, which means that the chance of any of these actions being detected during a red team is significant.

4. Understanding the E in ECA
To truly understand the permissions associated with AD CS, we have to go back to the installation and configuration process of a new Enterprise CA (ECA). When configuring a new ECA using the normal configuration process, Microsoft provides you with an easily overlooked warning to tell you that this is an Enterprise Admin equivalent service, but never really explains the true impact of what this means. Some interesting things happen automatically when a new ECA is configured, but most organisations are likely unaware of the true consequences.

5. Lateral Movement through AD CS
A demonstration will be used to showcase how the automatic configuration, explained in the previous section, can be leveraged by an attacker [Demo 3]. Due to the container configuration changes that are made when a new ECA is installed, all Domain Controllers in the entire forest will automatically enrol for a new certificate and trust the ECA. Conventionally, we could not exploit this since the domain controllers do not enrol for a Kerberos certificate that supports PKINIT authentication. However, we can leverage SCHANNEL authentication as the ECA certificate is trusted, which means that it can now be used for cross-domain lateral movement without touching the Parent domain.

6. The Installation Misconfiguration
Finally, we get to the misconfiguration that occurs during the installation process of AD CS. The misconfiguration has been raised to Microsoft as a vulnerability. However, they provided their default claim: "The security boundary sits at the forest". Although true, this claim does not consider that threat actors can leverage the misconfiguration to not only perform privilege escalation from any Child domain to the Parent domain, but also deploy forest-wide persistence. Furthermore, the number of opportunities for detection is also drastically reduced, as there are fewer steps to deploy this persistence, since it can be done exclusively through LDAP on a child domain.

7. Weaponising the Misconfiguration
A demonstration of how this misconfiguration can be leveraged for privilege escalation and persistence will be shown [Demo 4].

References:
[1] https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
[2] https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
[3] https://www.thehacker.recipes/a-d/movement/ad-cs/certificate-templates

Filmed at BSides Cape Town
AV Sponsored by BITM Cyber Security
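The ESC1 check that section 2 demonstrates reduces, on the audit side, to four questions about a certificate template (who can enrol, whether manager approval or signatures are required, whether the EKU allows client authentication, and whether the enrollee supplies the SAN). The following added example, not the speaker's code or tooling, applies those checks to template attributes as they are stored in AD and shows the hardened form of a flagged template. The template records, the domain SID and the per-template enrollment SID lists are constructed; resolving the real nTSecurityDescriptor into those SID lists is assumed to have been done already.

```python
"""ESC1 template audit: the four questions from the talk's enumeration phase
(who can enrol, manager approval/signatures, client-auth EKU, enrollee-supplied
SAN) applied to certificate-template attributes as they are stored in AD.
Added example, not the speaker's tooling. The template records, the domain SID
and the per-template enrollment SID lists below are constructed; turning the
real nTSecurityDescriptor into those SID lists is assumed to be done already."""

from dataclasses import dataclass, replace

# msPKI-Certificate-Name-Flag bit: the enrollee supplies the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let the issued certificate authenticate a client (PKINIT / SCHANNEL).
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Enrollment granted to these principals means "effectively any domain user/computer".
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RID_SUFFIXES = ("-513", "-515")  # Domain Users, Domain Computers


@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int          # msPKI-Certificate-Name-Flag
    enrollment_flag: int    # msPKI-Enrollment-Flag
    ra_signatures: int      # msPKI-RA-Signature (required authorized signatures)
    ekus: tuple             # pKIExtendedKeyUsage; empty tuple = no EKU restriction
    enroll_sids: tuple      # SIDs holding the Certificate-Enrollment extended right
    published: bool = True  # listed in the Enterprise CA's certificateTemplates


def broad_enrollment(sids):
    """True if a low-privileged principal can request the template (question 1)."""
    return any(s in LOW_PRIV_SIDS or s.endswith(LOW_PRIV_RID_SUFFIXES) for s in sids)


def esc1_findings(t):
    """Return the reasons a template meets all four ESC1 conditions; [] if any fails."""
    checks = (
        ("low-privileged principals hold enrollment rights",
         broad_enrollment(t.enroll_sids)),
        ("no manager approval or authorized signature required",
         not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS) and t.ra_signatures == 0),
        ("EKU permits client authentication",
         not t.ekus or bool(CLIENT_AUTH_EKUS.intersection(t.ekus))),
        ("enrollee supplies the subject alternative name",
         bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)),
    )
    if t.published and all(ok for _, ok in checks):
        return [reason for reason, _ in checks]
    return []


def audit(templates):
    """Map each ESC1-positive template name to its findings."""
    return {t.name: r for t in templates if (r := esc1_findings(t))}


def harden(t):
    """Hardened copy: the requester no longer chooses the SAN and requests need CA
    manager approval. Either change alone already breaks the ESC1 chain."""
    return replace(
        t,
        name_flag=t.name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        enrollment_flag=t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS,
    )


# Constructed sample records; the domain identifier is made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TEMPLATES = {
    # Default-style user template: the SAN is built from the requester's own AD object.
    "User": Template("User", 0x0, 0x0, 0,
                     ("1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"),
                     (DOMAIN_SID + "-513",)),
    # The shape the talk's enumeration output flags: domain users/computers enrol,
    # enrollee supplies subject, client authentication EKU.
    "WebServerVulnerable": Template("WebServerVulnerable",
                     CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0x0, 0,
                     ("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"),
                     (DOMAIN_SID + "-513", DOMAIN_SID + "-515")),
    # Same shape, but held for manager approval: the extra human step blocks ESC1.
    "ApprovalRequired": Template("ApprovalRequired",
                     CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS, 0,
                     ("1.3.6.1.5.5.7.3.2",), ("S-1-5-11",)),
    # Enrollment restricted to Domain Admins: not reachable from a plain domain user.
    "AdminOnly": Template("AdminOnly", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0x0, 0,
                     (), (DOMAIN_SID + "-512",)),
}

if __name__ == "__main__":
    for name, reasons in audit(TEMPLATES.values()).items():
        print(f"[ESC1] {name}")
        for r in reasons:
            print(f"    - {r}")
        still = bool(esc1_findings(harden(TEMPLATES[name])))
        print(f"    hardened copy still ESC1? {still}")
```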
Transcript [en]

hello everyone I think we can um get started so hi everyone thanks for giving me the time to talk about um active directory certificate Services um let's get started so maybe a little bit about myself um I asked chat GPT to um summarize my um bio and everything but I am one of those Consultants that do many Consulting things um for cyber secur I like both red and blue teaming so I guess that makes me purple um and I really have a passion for teaching um which is why I get involved at the University of Petoria and try hackme as well um sort of like helping engineering students and helping people learn about cyber security um I also sort of as I

mentioned generated it with chat GPT and I think it's slightly narcissistic so um when I have time it's probably time to rewrite that bio again again um but before we dive into the wonderful world of adcs I think first we need to sort of cover a little bit of ground um I am a fan of leaving No Man Behind so let's get a little bit of the background um and let's cover that before we dive into the technicalities of this talk so why active directory why is active directory sort of revered by both the blue and red teamers alike and why do red teamers attempt to scale the mountain that is a and why is blue team

is trying to make this journey as perilous as possible well it's really actually simple in the sense that most organizations um last time I checked it was about 90% of the Forbes 1,000 companies make use of active directory and active directory basically controls access to everything so so as a red teamer if you can scale the mountain and you make it to that tippy top you become a domain admin then you have the ability to either directly authenticate to whatever you want to or you would have the ability to get to a position where you can compromise whatever asset you need to compromise but beware here be monsters and traps for the same reason that this is the challenge that every

red teamer wants to accomplish it's the same reason why the blue team are protecting it so fiercely so this creates a constant tug of war between your red and your blue team and usually we find that that game has quite a bit of balance to it um which is then why when we get something where a red team essentially has a Teleport scroll to get to the top it's quite big news right it's quite something that is going to upset that balance that we have for this game so what what does a typical ad structure look like in an organization well if it's built several years ago it's probably Pandora's box but that's a entirely different talk for a different

day but in active directory we talk about forests so what is going to happen is let's sort of take a look at what this Forest is going to look like we'll start with our first domain which is going to be our th. L domain in this domain we have the domain controllers and servers but let's say that our organization is so large that it's either sort of distinct regions or big subsidiaries rather than dumping everything into a single domain what we will do is we will essentially create children so we can have the za. tm. L domain as a sub or a child domain that is serving all of the South African resources we have all of our wonderful

servers and our computers are living within that Za domain and we are not restricted to just one child we can create as many children as we possibly want and each of those children is going to serve resources that is specific to that child domain and this then creates the entire THM Forest Microsoft says that the security boundary sits at the forest we'll talk about that a little bit later but we can also have other forests here as well and there are ways for us to establish trust between these various different forests as well so this is basically the structure that active directory looks like we have all of these different forests within the forest what is going to happen is that

because it is a child domain there will automatically be intrinsic trust between the child and the parent so that's a bidirectional um trust that is created there and now while there might not be direct trust between two of the children because they have both have trust with the parent there's intrinsic trust between those two child domains as well and then of course when you're configuring other trust with other Forest there's different ways that you can do it but it's either both trust each other or only one trusts the other but this is what it looks like when we are building a active directory Forest now the last bit of background to sort of cover is what is active directory

certificate services so ad knows that if you're making it in the big league you have to diversify and that's why they don't just provide you with identity and access management but they have a lot of what I call sort of subservices or special services or tack on services that they are going to give you access to um a popular one in the past is something like exchange for mail functionality or I'm going to call itm I know it has the new name of mecm but no one seems to use that so secm which is for patch and update management and adcs active directory certificate Services is similar in the sense that it is a subservice and it allows you to create

your own internal certificate Authority so while you want to have a external ca for everything that you're exposing on your parameter right to verify for your clients that there's trust you can't necessarily use a external ca for all of your internal systems so that is where adcs is coming to play it's public key infrastructure that can be used to create a internal CA um to do all of the encryption needs that you have within your organization so basically adcs is going to integrate into ad and it then allows us to create what we call a Enterprise CA so the keyword here is Enterprise and we'll talk a little bit about that because the fact is that this is a

Enterprise service and often we might not understand or really realize what it means when you are creating an Enterprise service such as exchange is an Enterprise service so what is actually meant by this word of Enterprise and for today we are going to do a little bit of a dive into that as well so then before we start our dive we're sort of just having a quick recap of the terms and then sort of the last two bits of terms that are important to talk about the first one is going to be Kerberos which is one of the big protocols that ad uses for authentication the short of it is that it allows you to get a ticket and this

ticket gives you access to the ride that is called ad and then lastly that adcs if a certificate is used for authentication there's two methods that that can happen the first one is PK in it which the short of it means that it's kobo's authentication that it's using with a certificate but there is also a different Authentication Protocol that we can use which is called s Channel um and it's most popular with something like alap s so we're authenticating to alap using a certificate it goes through S Channel authentication so with all of that covered let let's dive into it so in 2021 finally active directory certificate Services came under scrutiny um because of the opportunities that it

provides for fright actors for credential Fest and for domain and Forest privilege escalation so the thing is is that normally all of us focuses on ad rightfully so right it's the big thing um but it means that these side Services of AD don't get the same type of attention and often what happens is when a researcher starts to dive a little bit under the hood they start to see quite a bit of bad things so this happened in 2021 when the researchers from Spectre Ops looked under the her and they were fairly surprised by what they found so it is worth noting that there's a distinguishing factor between a vulnerability and a misconfiguration um so in ad we don't

normally say that it's a vulnerability it's just purely a misconfiguration someone changed the configuration to something that it shouldn't be um and while sort of the road to Hull is paved with good intentions it is almost as if 80 makes it too easy to misconfigure something I think they they need like a claxon and a lot of Red Alert alarms going off when some people click like just one text box and there you go you've added the domain users to the main admins um you would think they would sort of like realize that these things are bad and give you sufficient warning there and the same can be said to adcas to a certain degree so when you

first install it it's not vulnerable that's also a lie we'll discuss a actual vulnerability that we found with adcs but um it's worth noting that it's technically not vulnerable right from the start and then what happens is based on the configurations that users are going to do that's when it becomes vulnerable so see Microsoft needs those big warning labels I don't know if any of you can spot the warning label on that image there but if you if you look slightly close there it will say that if you want a Enterprise CA the account you're specifying there must be a Enterprise admin that's the warning that's all you get right warning you that this is a Enterprise level service

that you are installing so it's literally that only tiny note that you're getting that's telling you that you are dabbling now with Enterprise Services here and Y be dragons you need to be careful now you can go for the top option which is a standalone CA but I promise you no one will ever do that and the reason for it is if you install a standalone CA nothing trusts it like nothing at all will trust a standalone CA where if you just click the second option Enterprise CA then it means that Microsoft is dealing with all of the nice intricacies of making sure that everything in your domain trusts that CA it will do all of that configuration for

you automatically but it's an Enterprise service so what does that sort of mean for us here is what we are going to dive into it but the short answer is that when you are installing an Enterprise service that needs to happen within the parent domain right your children can have a sip of the permissions every now and then but this is for the adults right and a lot of times what can happen and we have actually seen that on client Estates is that some like this gets installed in a child domain and that is horrifically wrong um and we'll go through why that is really really bad in a minute but understand this is an

Enterprise service which means we should treat it as such so this then tells us everything that we need to know if adcs is an Enterprise service the same category as things like exchange and secm then it means that if we can compromise adcs we can take full control of the entire Forest but there's even a lot more scary details under the H as well see if 0 apologies skipped ahead there so if adcs is misconfigured then this is going to be the thing that becomes that teleport scroll normal conventional ad attacks there's quite a lot of things that you need to do to be able to compromise um systems and finally take full control of

the forest with adcs if there's one misconfigured template this is your jump directly to Enterprise admins so the main user to Enterprise admin is something that we've seen quite a lot now and we're not even talking about conventional things like Orden ticket attacks it's a one hop thing and the part that makes it the most scary for me as well is that we can literally use internal tooling for that you can use Microsoft's legitimate functionality to perform this exploit and it will work the other thing with this as well is that it has built-in persistence um certificate are impervious to credential rotation so for example if a user account is compromised the blue team the first

thing they're going to do is rotate those credentials certificates persist through those credential rotations because you're no longer using the users password for your persistence you are persisting with a certificate so as long as that certificate's valid that's how long you have persistence if you compromise a root CA that is 10 years of persistence that you have unless they rotate the root CA um which is wild to do to invalidate every single certificate in your entire organization um and what we are seeing here as well is because the attack surface is different it means that detection and response is still catching up um we don't have that same maturity in the detection that we need with our

conventional ad attacks so before we dive into adcs exploitation I want to gather around all the children for a story of back in my day um when um the young hipsters are getting EA for us it was quite a number of steps that we had to go through so what did sort of cross domain lateral movement really look like well um if you were lucky enough you would land up in one of the child domains through a social engineering attack a web drive by or maybe there's no network access control in an office but that finally gets you into one of these child domains and what you would do is you would rumage through that

child domain compromising a bunch of things being noisy um or trying not to be noisy but trying to compromise until finally you have the ability to compromise that child domain once you have compromised that child domain the next thing if you wanted to move to the other child domains would be that you would have to compromise the parent so we would use conventional attacks such as a Kerberos golden ticket attack in today's time we have things which did detections of as slightly less such as a diamond or a sapphire ticket but we have to Target a parent compromise the parent and once we have control of the parent we can bully our siblings and finally take control of

them as well and then once we have control of the parent at that point we can also look to move to other forests where there are trusts as well so to show a little demo of what this looks like I'm running this from the domain controller um you don't have to do it from the domain controller that's probably going to flag quite a bit but what we're going to do is we're going to do a Golden Ticket attack so first what we're doing is we're getting some security identifiers some information that we need to craft our golden ticket attack and one of the things that Flags a lot is you need access to the krbtgt

hash and that's the hash that's used to sign all KERO tickets so we need that hash which means that we need to dump it from one of the child domain controllers um you can see we um are running mimic cats on a domain controller which will 100% flag there are other ways of getting that information but it is a tried and tasted path which means from a detection standpoint it's also a tried and tasted way of detecting these type of attacks that are happening and you can see what we did there is using mimicat as well we generated a golden ticket and we can see that with that golden ticket now loaded into our cobos

tickets we have access to the parent um domain in this case we can then um run something like PS exact also something that will flag quite hard but um um I don't have any detection in this lab so we're going to run PS exec if I can remember how to type the command um this is a video so I did figure it out somewhere um and that's going to allow us to basically now move to that parent domain controller so we're asking for CMD to execute it's going to activate the PS exec that's going to give us a lovely additional detection there as well um with your root domain controller in the parent all of a sudden allowing

PS exec as a service um and then once we have access to that what what is interesting to see is that that Cobo ticket goes with us so um when we type for example a command like who am I it still sees us as the child administrator but remember the cobos ticket is the thing that's the golden ticket that's giving us access and this is now passing through sort of to the other child domain controllers as well allowing us to compromise them as well so what does this look like from a adcs perspective so if we don't want to go the conventional route what do we need to do if we want to perform lateral movement

through adcs well there's there's three main steps that we need to do the first step is that we need to hunt for template permissions so we need to hunt for a misconfigured template that can be used by US for privilege escalation or lateral movement um we need to look for templates where the ownership has been misconfigured so for example sometimes we don't have the ability to request a template that that we want um but we do have the ability to compromise a user that's the owner of a template and while that template might not have been misconfigured if we are now the owner of that template we can just misconfigure that template ourselves and make it

vulnerable so that's another way that we can go for it we also want to sort of like create a privilege account to authenticate so we want to make sure that we are escalating our privileges so we don't want to authenticate as our user but we want to impersonate some one of privileged access um or we can also just look to basically compromise the adcs server itself directly it is a server if there's misconfigurations around who can access it who is an administrator on that server if we can compromise the entire adcs server we can just do whatever we want there as well but we're looking for template permissions something that's wrong there once we get into the right position we

can then generate a certificate um and the three main ways of doing this is we can use the B in Windows tool so this is an attack that you can run completely with Native tooling um or what we would do is we can generate a certificate signing request and then send that for web enrollment this is a popular legitimate functionality that is used for example for Linux machines to get a certificate for them you generate a CSR you take it to the adcs website and you enroll and you get a certificate from there but we can look to abuse that as well or we can use specialized toolings such as certify to generate that certificate for us and then once we have

that certificate that is basically it we're ready to authenticate and our two options that we're going for there's PK in it which is going to be cobos authentication or S Channel authentication which allows us to authenticate to Al app on a domain controller so hunting for the certificate just to prove it you can use 100% native tooling so you can use something like sech UT which is built in on Windows to get the certificate template and while those SEC security descriptors are quite ugly and needs to be sort of decoded you can 100% decode those security descriptors and do this completely from a native perspective um fortunately things like certify makes that a lot easier it allows us to use

tooling to do that enumeration and one thing why I'm a big big big fan of certify is it allows you to get that data in a format that's supported within blood down so that now means you can take your shound data combine it with your certifi data and all of the sudden you can draw those nice little blood down graphs that tells you this user has access to this permission or this is an escalation Vector um that the following users can access so we can then draw Attack paths to get us into the position where we can use adcs now with that being said what are we looking for um there's actually quite a number of things that Spectre Ops

publish for us the first thing is misconfigure templat so according to the spect Ops white paper these are the escalation routes that they make available which is escalation 1 to three and nine is when a template itself has been misconfigured and you can use it we also hunt for misconfigured template permissions as mentioned before even if a template's not vulnerable if we can take ownership of that template we can make it vulnerable ourselves um we're also looking for misconfigured active directory so still the same type of attacks apply if active directory itself has been um misconfigured we can leverage that to get in a position where we can use adcs and often where we see

that as well is sort of a misconfigured adcs server um which allows us to compromise the server if we can compromise the server we have the opportunity to for example pull the root certificate or create other templates that might be vulnerable and we can use that for adcs attacks um adcs itself can also be misconfigured so then we can run some interesting attacks such as petite Pam where we're trying to do a relay to get a certificate via web enrollment because it does support um non-encrypted communication um and we are looking for misconfigured domain controllers as well so a very interesting one that was done by Oliver lak I hope I'm saying that right the creator of certify was that

cve that he found where if the domain controller itself was misconfigured not having the security patch you could abuse that to basically generate a certificate for any domain contract roller which is a privileged system in the environment and then use that for your future attacks now I will be focusing on just escalation one for um this demonstration because it is the simplest one so for escalation one we just have to ask ourselves a couple of questions in our enumeration phase the first part is can I request the certificate template or can I get into a position where I will have the ability to request that specific temp temp if that's a yes we're one step closer then

does that certificate template need manager approval or sort of need any digital signatures the only reason that's important is there's then another human step someone's going to review what we're doing if that's not there it doesn't mean if it's there it doesn't mean we cannot do it it just means that we need to look out for another human there um which is going to be a little bit harder so if that's not there ticket we're one step closer then does that certificate template support a authentication EK so that's extended key usage we are looking for the client authentication one because we want to use this certificate to authenticate as a client and as a privileged client like

the administrator and then lastly does it allow you to specify the subject alternative name because if it allows us to specify that rather than specifying a sand what we're going to do is we're going to specify a user principal name of a very privilege account allows us to generate a certificate for that user and then authenticate as then so quickly showing what that looks like from the Native perspective we can open Management console um as promised you can do this completely native by just loading in certificates here and what we're going to do is we are going to use the native bolting tooling to request a certificate that is going to be vulnerable so we tell it we want to

request a new certificate because this is an Enterprise CA what happens is all those policies and those wonderful things are pulled in for us we can see the one that is vulnerable there and we can see that rather than specifying the sand what it's expecting um for the first one we're just going to specify whatever we want but for the second one for the alternative name what we're going to do is specify the user principal name of the administrator so at this point we have a certificate where the user principal name is the administrator which means that we can now use this certificate for very privileged things um the one thing that's important is for us to use the

certificate in other locations the private key needs to be exportable and while that is template configuration it's client side template configuration so we can just click the button to make the private key exportable ourselves after providing the information that we need that is successful enrollment and as you can see there we have a lovely vulnerable certificate now that will allow us to authenticate as the administrator um and as we can see through its things um we can then do a export of that certificate as well so I'll stop it here um there we go so now let's look at what this looks like if we were going to do certify for example a lot easier so with this one what we are

going to do is we use certifi to First perform enumeration we give it a ad0 account it's going to perform enumeration for us save it to um Json and text file in this case we're just going to look through the text file and what we will not is we'll see that on that web server vulnerable we can see that that that is a vulnerable template and the reason for it is is we can provide the sand and rolly Supply subject we can see that there's client authentication and we can see the enrollment rights currently allows all domain users or domain computers to enroll for the certificate template and we can see that certifier also tells us

that this is a vulnerable template that it can be used for privilege escalation so basically all we're going to do at this point is we are going to run a certifi command to request that certificate and as you can see the UPN that we are specifying here is the administrator of that child domain once we get that certificate we can use it for authentication and what we will see here is that certify also then just as an added bonus gives us the hash of that specific user but we will see that our authentication works and the big important part is we get a cobos ticket here so that cobos ticket is now for the administrative user and it can be used

so wonderful now let's see what it looks like if we are going to do lateral movement across this entire Forest using something like certifi so instead of specifying that we are the user principle of administrator at za. mwr.com R.L we want to be the administrator of the parent domain well if we do that then we'll see it says PA data no support um and the reason reason for that is we'll dive into it like what's actually happening here but it's because that domain controller doesn't have a CBO certificate which allows it to support PK in it but as you will note here we can then just still do alap authentication to that parent domain controller there's some lovely commands

you can run um Oliver also clickbaits you with a nice dump command for dumping the domain and then when you try it it just says not implemented but in essence it is working at this point for us us to Target the parent domain controller but there's a step further here we don't need to Target the parent domain in this case what happens if we just get a certificate directly for the other child domain for that domain controller well that works and what you'll note here is the same issue is going to happen on that child domain controller in a different domain is that it doesn't support PK in it and the reason again is there's no cero certificate but for some

reason we can still do LDAP authentication, we can still do SCHANNEL authentication to that one, and as you'll note we are now authenticated as the administrator in the other child domain. So at this point, for some reason, we don't need to compromise the parent; we can go directly for the other child domain that we are looking for. So what is actually happening here? Well, after doing a little bit of inspection we can see that for some reason the domain controller in every single domain in the entire forest has a domain controller certificate. Why has this happened? That's default configuration from AD CS. So once you just click through those buttons of configuration, every

single one of your domain controllers is going to enroll, not for a Kerberos certificate that can be used for PKINIT, but for a domain controller certificate. And what's worse is, if you think the answer is to delete that certificate, the sad reality is, as we can see, it's properly deleted, but every single time Group Policy updates, which is 15 minutes standard on a domain controller, that little bugger is coming back. I'm still to find the actual Group Policy object that does the enrollment of that certificate, but it happens. So every 15 minutes there's a check that's happening, and if that domain controller does not have a domain

controller certificate it will be back there, and this is normal configuration from Windows. So again, while we cannot do Kerberos authentication, if we can perform LDAP authentication in any of the other domains, I hope you see how we've literally gone from domain user in a simple child domain not just to Enterprise Admin, but we can skip Enterprise Admin entirely and compromise another child domain if we choose. So now it gets worse. This sent us on a rabbit hole of trying to figure out what is actually happening here, and I hope it's clear there, but what was very interesting to see is, for this AD CS instance, we installed it in the parent

domain, we followed the configuration, we did it correctly, and for some reason when we view the containers that get created when AD CS is configured, we noticed that the administrators in the child domain had full control over those containers. Now Microsoft promises you this is an enterprise service, right, which means parent domain Enterprise Admins should be the only ones that have this permission. But for some reason, in every single one of your child domains, your child administrators have access to those containers. So if those are the containers that tell you what the configuration of AD CS is, and a child domain has full control over those containers, that will lead to some interesting privilege escalation attacks that we can

perform here. Even if the organization followed all of the rules, made sure to control all of the templates, everything of AD CS, from the parent domain, we can still do privilege escalation. It gets worse if someone decided to install AD CS directly in a child domain, because then it's not just the administrators of the child domain that have full control, but now a group that is a little bit easier to get than that Builtin Administrators group, which is the Domain Admins as well. So what is actually happening here to result in this misconfiguration, that even if you follow Microsoft's guidance that this is an enterprise service, they are giving permissions for child domains as well? Looking at the ACLs, the very

interesting thing that we noticed is that someone was a little bit lazy at Microsoft, and instead of specifying the administrators of a specific domain they specified the permission of Builtin Administrators. Now that shouldn't be an issue, but can anyone spot the difference there when we view those containers from a child domain and from a parent domain? What's happening is that Builtin Administrators is interpreted from the domain that you are viewing the permissions from. Remember, for any forest there's only one set of these containers, and it gets replicated to every domain controller in the domain, but there's only one set; it only lives in the parent domain. But for some reason the Builtin Administrators

permission, that "Builtin" word, if you are viewing the containers from a child domain, says the administrators of the child domain have full control over those containers, and when you view those same containers from the parent domain, now it's saying no no no, it's the parent administrators that have full control here. So we have a privilege escalation vector here: if we compromise the Administrators group from a child domain, because of the misinterpretation of the Builtin Administrators ACE we can privilege escalate, we can take full control of containers that should be in the parent domain. So we did just that, we weaponized it, and what we did is we created a PowerShell script. So here you

will see we are generating our own fake CA, just using OpenSSL to create the key for our CA, and once we have that public key what we are going to do is move that public key to a Windows system. On the Windows system what we are going to do is run our script and provide it with that public key. This is in the child domain, so we're providing the script our public key, and what this is going to do is it's now going to take that public key and embed it in very specific containers within the AD CS configuration. The first place we embed it is going to be an NTAuth

certificate, right, which means that this certificate is trusted for authentication. That's not the last step of this thing, and the reason for that is you also need to make your CA a trusted CA. But surprise, if they installed AD CS, there's an AD certificate authority there, and the same vulnerability is on that container, where a child domain has the ability to tamper with that object. And as you can see, our fake CA made its way all the way to the parent domain; it is now a trusted CA that we have embedded in the parent domain, essentially the entire forest, after compromising one of the children. And again, what you will see here is if we

try to do Kerberos authentication, no PKINIT support, but LDAP authentication works. So what we have done now is we have embedded our very own fake CA with a certificate that's valid for 10 years, that allows us to generate any malicious certificate that we want, and because we're in control of that CA there's no certificate revocation list; they can't revoke these certificates. And we have the ability to perform LDAP authentication to any domain within this forest. So quite an interesting one. So we reported it to Microsoft. This slide was called "the word from our sponsor", but I was not allowed to put that in; I can still mention it. And essentially the

issue that Microsoft came up with is they basically said that, well, the security boundary sits at the forest; we do not see privilege escalation from a child domain to the parent domain as real privilege escalation. I think they're just getting tired of golden ticket attacks and all of those things, but essentially what they told us is nope, the boundary sits at the forest, so there's no real privilege escalation that has happened here. But what it allows us to do now is, if they are making use of AD CS and they're doing everything correctly, if you have the ability to compromise a single child domain, at that point that is privilege escalation and persistence in one hop that allows you

to compromise the entire forest at this point, embedding your own CA in that forest, which means that they can't even revoke the malicious certificates that you have created at this point. Since we are nicer than Microsoft (sorry, it's a little bit small), in the same script that does the weaponization for you we have actually embedded a function that allows you to scan your containers to see if you're vulnerable to this type of thing. And if you are vulnerable to it, because it's really not that hard, you shouldn't be using your Builtin Administrators group for anything, especially in the parent domain, you can run the same script with another

function to basically remove the permission at this point. And as you can see we are now clean, and when we run our exploit from the child domain it's going to tell us, well, we don't have the permissions to do this. So there you'll see, when we are loading our malicious certificate we get some lovely errors there telling us permission denied; we cannot load the CA from a child domain controller anymore. So we did release the tool as well if anyone wants to play around with it. There you go, it is public, officially, from today, including the blog post that explains this issue as well. As I mentioned, the script can help you as a red team if

you want to embed persistence. We do also tell you where to remove your persistence, because once you embed this, this is forest-wide compromise for that certificate. Any client you do a red team for is going to have to have a stern conversation with you to remove that persistence once you're done. But in essence, once you compromise one child, that is essentially the entire forest falling, allowing you to embed your CA at this point. So quickly to wrap up, what does it look like from a detection perspective? I think prevention is still better than detection, and there the trick is that you really need to treat AD CS like the enterprise service that it is. If you

decided to install AD CS or configure it within a child domain, I highly recommend you move it out, and I know that's quite hard because that means you need to move that private key and that certificate and everything, but this shouldn't be something that lives in any of your child domains. If you have installed it in a child domain, if you've given any permissions for any of your templates to any of the child domain users, you have essentially made them Enterprise Admins at this point. And I know that's tough, because it means someone centrally has to manage all certificate templates for this AD that has like 12 distinct regions and child domains, but

that's what needs to happen. If you grant permissions within any of those child domains for AD CS, you have created new Enterprise Admins in your organization. So that is the best option, to prevent it. What we can do is we can also detect known tooling and indicators of compromise; we can look for things like Certify, Rubeus, Certipy. These are the tooling that would be used with AD CS compromises, but I think, as I've shown you as well, you can just use the native tooling, so detection on the tooling alone is not going to be enough. That then leads us to try to perform detection on authentication, but this is where things can get hard, because Kerberos authentication

is quite noisy in an environment; it's being used everywhere. So hopefully what we can do for those cross-domain lateral movement techniques is do a little bit more detection on LDAP itself. So what are some of the event IDs we can look for? The first one we can look for is things like altering of a certificate request extension, changes, so someone modifying templates, are they doing some bad stuff there. As I mentioned, we can look for changes in AD CS; that is one of the things that we can monitor on. We can also look for things like a certificate has been issued; depending on your organization, how often certificates are issued, that

might be a detection thing to implement. And as mentioned, one of the things that we can look at is the authentication itself. Kerberos is going to be very noisy, but we might be able to do detections on, for example, an administrator Kerberos ticket, which is a built-in account that we should not be using at this point, and then we can look for the logon event that is telling us that SCHANNEL authentication has occurred. That's another way that we can look to detect it. And then, in just closing on it, I do think that we have, as a red team currently, a teleport scroll allowing us to move not

just within a domain but essentially within an entire forest quite fast, and that the detection game for AD CS exploits definitely needs to catch up. This is the new sort of golden ticket attack that we need to look out for, and these are the things that we need to upskill our detection in and make sure that we are doing custom threat hunting for this as well. And then for those at hexcon, the "watch this space" was because we didn't do the full weaponization by the hexcon conference, but it's still here. And the reason for it is we were lucky enough to find this built-in administrator misconfiguration within AD CS, but there's a lot of other

containers there, there's a lot of other services, and it seems that Microsoft says it's acceptable that when someone uses the built-in administrator ACE there is allowed to be confusion between whether that's something within the parent domain or whether it's something within the child domain. Which means that this privilege escalation vector most likely exists in other tooling as well that is performing configuration on containers, and if that container has the Builtin Administrators ACE, you are probably in trouble: it means that a child domain now has the ability to take full control of that container. And then lastly, just a couple of acknowledgements, for the previous research by SpecterOps and Oliver Lyak, really love his Certipy tool, it

really makes your life a lot easier, and MWR for trck me for building large labs in AWS and raising the AWS bill. And then Alh4zr3d, a Twitch streamer, he was streaming my rating Capstone Challenge and that's where we found this initial thing, that you can just do lateral movement to any other child domain, and sent me on this rabbit hole for AD CS investigation. Thanks. Any questions?
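The talk describes a scan function in the speaker's released script; the following PowerShell is an added example written for this page, not that script, and it checks the same condition from a defender's side: it walks the AD CS configuration containers under Public Key Services and reports every Allow ACE granted to BUILTIN\Administrators (well-known SID S-1-5-32-544), which, as explained above, a child domain resolves to its own Administrators group. It assumes the RSAT ActiveDirectory module is installed and that the running account can read the Configuration naming context; the container names are the standard ones created when AD CS is set up.

```powershell
# Added example (not the speaker's tool): audit AD CS configuration containers for
# ACEs granted to BUILTIN\Administrators, which each domain interprets as its own
# Administrators group. Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

$configNC      = (Get-ADRootDSE).configurationNamingContext
$pkiBase       = "CN=Public Key Services,CN=Services,$configNC"
$builtinAdmins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

# The two containers shown being tampered with in the talk, plus the rest of the
# PKI tree, since the same ACE pattern may appear on any of them.
$targets = @(
    "CN=NTAuthCertificates,$pkiBase",
    "CN=Certification Authorities,$pkiBase",
    "CN=Enrollment Services,$pkiBase",
    "CN=Certificate Templates,$pkiBase",
    $pkiBase
)

$findings = foreach ($dn in $targets) {
    # The AD: PSDrive is created by the ActiveDirectory module; Get-Acl returns the
    # object's security descriptor, including inherited ACEs.
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        # Compare on SID rather than display name: "BUILTIN\Administrators" is the
        # same string in every domain, which is exactly the confusion described above.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # unresolvable principal; not the SID we are looking for
        }
        if ($sid -eq $builtinAdmins -and $ace.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Container = $dn
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    Write-Warning "BUILTIN\Administrators ACEs found on AD CS containers (resolved per domain, so child domain Administrators get these rights too):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No BUILTIN\Administrators ACEs on the audited AD CS containers."
}
```

Run it from a domain-joined host in any domain of the forest; because the Configuration partition is forest-wide, the ACEs reported are the same ones every child domain sees. A hit on NTAuthCertificates or Certification Authorities is the condition the talk warns about, and the speaker's recommendation is to remove that ACE (and to grant any needed rights to an explicit parent domain group) rather than to rely on the Builtin group, then re-run the audit to confirm the containers are clean.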

yes it's got misconfiguration schema extensions knows know tears ad

Absolutely. It's really, really a hard thing. The best AD is no AD or a fresh AD. The amount of times we've gone on assessments and you enumerate AD and you can see this dumpster fire, and then you see this new AD that was created and it looks all shiny, and then, guys, this is really good, and like no one uses it; we're still like 10 years in the development of migrating to this magical AD that is secure. So Active Directory Certificate... Active Directory itself is really, really hard to do well, and I am a little bit angered by, for example, Microsoft's responses to certain things, where it's like, this is something basic, guys, like

just remove this one permission, or just change this one thing, and the answer you get from them is like nope, not our problem, not our problem, like protect your entire forest. And if you're a small organization that's easier to do, but when you're one of these large organizations that have like 13 different regions across the world with different child domains, I mean, I'm asking you to manage AD CS from the parent domain and that's probably not even feasible, right? So there has to be a different way, but it feels like Microsoft's not always coming to the party.

Yes, that is correct. So what would happen is there's two different configurations. I hope and pray you followed the manual approach, because if you did you're not vulnerable. But if you followed Microsoft's neat little commands they tell you to run, then it's doing container replication between the two forests, and if that happens, remember, as soon as I make this change to this container it replicates to the other forest as well, which means cross-forest privilege escalation and lateral movement has just become a possibility. Any other questions?

yes

Sure. So templates are the way that AD CS allows you to grant your users the permissions to request certificates, so that's intended behaviour. There are template misconfigurations, so for example you should never have a template that allows for client authentication and allows the specifying of the subject alternative name. Microsoft even pops up a tiny little warning to say, like, hey, are you sure you want to do this, and you just click through it and there you go, you have a vulnerable template. Where the issue comes in is what is not intended behaviour but sometimes happens: it's not this one central group that manages all of the templates. A child domain, the

users, they need access to certain certificate templates, so there will be a group that's granted access over those templates, and this is the interesting part, where you're mixing conventional AD compromises with AD CS compromises. Now I don't need to get to Domain Admins, I just need to get to the group in AD that has the permissions to modify certificate templates, because even if the template's not vulnerable, I myself can just make it vulnerable. That's where your detection comes in, on has any of your templates been altered; those event IDs become quite important to monitor for, because again, if no template's vulnerable, I can just make my own vulnerable template if I have

those permissions

Yes, should every user be able to read data? Probably not, but that's how AD works. So until Microsoft decides that they can redact some of the information, this is probably the ability to read the template and the security descriptor associated with it... I think it is possible and I have seen it: you can strip out all of the view of a specific template from most users, but any of... yes.

Something that's a really irritating thing that I noticed is actually the configuration for SAN, right, the subject name, and what I figured is that in larger estates it would probably be irritating for somebody to continuously provide management responses to this, the correct one for this web server or whatever; this is probably part of the reason why you end up having certificates where it doesn't matter, you just select the SAN and then you have that, or you're given rights, and either one of those two is literally just game over.

Yeah, it's tough, and again the issue here is this is one of the most clear-cut cases where security is fighting against business use. There's other places where

it happens as well, but this is the one where I can understand why people misconfigure it, but they then need to be aware that the misconfiguration they're doing there is allowing people to be Enterprise Admins. So probably shouldn't do it, but who am I to complain if I'm holding up your business and everything like that. It's tough. Anything else?

Yes, if you 1400 this kind of lateral escalation break responsibility boundaries self you're froming messing everything.

Absolutely, and that's the trick here, is I don't think we pay enough attention when Microsoft gives that tiny warning, this is enterprise level, right. Like, I can't fault anyone for having their child domains install AD CS, but it's really

bad; you've literally promoted that child domain to a parent domain, that's what you've done.

I think there's an interesting point there, Microsoft respon secar, the implication of that is every operating country supposed to be...

Yes, that's the implication. It's not possible; I don't know any large multinational that operates like that, unless AC... Thank you. I think I'm officially out of time. Thanks everyone. [Applause]