New Role, New AD Takeover

Hello World!

It's been a while, but not without justification. I've been adjusting to a new job position, Offensive Security consulting. It's been quite a difference compared to my previous positions, but boy has it been fun. I've had some big smiles and a lot of realizations since jumping into this position.

Learning about different engagements from perimeters to targeted internals and red team operations has been a blast. Also my report writing skills are having to jump up to speed real quick because at the end of the day, a huge chunk of consulting time is spent writing and consolidating reports. To quote a fellow consultant,

We hack for free. We get paid to write reports. - Medic

I'd like to discuss a trend I have been seeing regarding Active Directory Certificate Services, and how a large amount of companies are opening themselves up wide open by using misconfigured templates. June of last year, SpecterOps published this article https://posts.specterops.io/certified-pre-owned-d95910965cd2, identifying and explaining a lot of the attack potential with ADCS. I'll easily vouch for the validity of this article. I've seen consultants go from low privilege domain user, to a full Domain and even Forest takeover in a matter of hours using misconfigured ADCS.

Sadly, it seems a lot of companies are either not aware or not taking these attack paths seriously. Many still can't seem to have a consistent patch management system in place, with things like noPac, PetitPotam, and even Zerologon still viable in some large networks.

This post will remain short, as I am still building our a lab to show case future content such as this but this is something I wanted to address that offensive and defensive teams alike should be paying A LOT of of attention to, as I have used this personally on engagements with outstanding success. Its could be the difference between getting a solid report for a consultant, or a full company takedown by a malicious threat actor, possibly without a single alert from your security tools. Read the defensive tips from Specterops in their whitepaper,  https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf.

Till next time,