home.social

#adcs — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #adcs, aggregated by home.social.

  1. Reminder: valid certificate (#Zertifikat) lifetimes are shrinking.

    🟡 15 March 2026: 200 days ☹️
    🟠 15 March 2027: 100 days 🤢
    🔴 15 March 2029: 47 days 🤮

    Our status:
    #LetsEncrypt enabled (wherever that is easily possible)
    ✅ 30-day certificates from the internal AD CS PKI for intranet services on #WindowsServer and #Linux, fully automated with #PowerShell
    ⏳ AD FS, Exchange

    heise.de/news/47-Tage-CAs-und-

    #sysadmin #admin #itsicherheit #zertifikate #tls #ssl #reminder #adcs #adfs #pki #intranet #internet

  3. Is today a #FediHire Friday? Sure looks like it!

    What I'm looking for: A senior level, individual contributor role supporting Windows, Active Directory, Certificates, PKI, Azure, and information security in a large enterprise. I like to solve weird problems and make computers run smoothly. I want to help others use technology effectively. Interested in relocating outside of the US.

    My main focus the last few years has been rebuilding and modernizing a struggling certificate environment. That includes growing the team to meet our company needs, migrating our AD-integrated private PKI stack to a certificates-as-a-service vendor, getting a handle on our web PKI consumption, and making massive improvements to our certificate life-cycle management platform. I supported and advised our CyberSec and Desktop teams as we rolled out multi-factor authentication to 50,000 employees and contractors across the US. My understanding of deep computer fundamentals, talent for quickly grasping nuances of larger systems, and calmness in a crisis have contributed to quickly resolving major technology outages regardless of root cause.

    This role hasn't been exclusively technical. A big part of my current job is building relationships with our developers to help them understand how certificates work, the responsible ways to use them, and what our relevant internal policies are. I've developed training and teaching material for junior and mid-level engineers featuring practical PKI concepts and our specific enterprise requirements. I've worked closely with fellow principal engineers and architects to design secure, resilient services. I've gotten to spend some time with upper management to both explain the immediate challenges we've had and the plans we can implement to improve our infrastructure, reducing costs and outages.

    While this position has been focused on certs and how to use them, I'm very comfortable considering a technical leadership role for Windows (server and desktop) administration and Active Directory. I also have some good experience with Azure and virtualization platforms, but they haven't been my daily focus for several years.

    My current employer is direct retail for general public consumers. I've also worked in banking/finance, manufacturing, and architecture/civil engineering firms. The common thread is I love to help people leverage technology for their goals, to help them be more effective.

    In my personal/volunteer time I've done very similar: working backstage with lights/sounds/projections so live performers can shine, and volunteering at local repair clinic events to help my neighbors with technology that isn't meeting their expectations.

    Right now I'm in Syracuse, New York (about five hours from NYC), but I'm open to relocation/migration anywhere in the world.

    PMs open if you want to talk details. Boosts/retoots appreciated.

    #Job #GetFediHired #FediHired #ITJobs #Windows #ActiveDirectory #Certificate #MSCA #MicrosoftCertificateAuthority #ADCS #PKI #WebPKI #Azure #Migration #CyberSecurity #InfoSecurity #RemoteWork

  8. 🛠️ Tool
    ===================

    Executive summary: ADTrapper is a self-contained Active Directory security analysis platform that ingests Windows authentication logs, applies a library of detection rules, and provides interactive visualizations and integration points for AD graph data. The project emphasizes detection coverage for credential-based abuse and certificate-related attacks and supports import of BloodHound/SharpHound collections for enriched analysis.

    Technical details and key features:
    • Detection ruleset: Over 54 detection rules covering brute force, password spray, privilege escalation indicators, ADCS/certificate abuse events, and suspicious account behaviors.
    • Data inputs: Primary intake is Windows authentication/event logs; optional enrichment from AD enumeration data and uploaded SharpHound/BloodHound collections to map relationships.
    • Visualization: Force-directed graphs expose account/computer relationships and authentication paths to aid investigation and threat hunting.
    • Architecture overview: Front-end built with Next.js and TypeScript, storage backed by a relational DB (migrations present), and the application distributed as a containerized package for self-hosted use.

    How it works conceptually:
    • Logs are parsed into structured events and correlated against the rule set to produce alerts and anomalies.
    • Graph data from SharpHound is merged with log-derived edges to reveal potential attack paths and privilege escalation chains.
    • ADCS-related events are analyzed to surface certificate enrollment anomalies or suspicious CA activity indicative of certificate-based attacks.

    Use cases:
    • Incident investigation focused on authentication anomalies and lateral movement paths.
    • SOC triage for credential stuffing, account takeover, and certificate abuse scenarios.
    • Enrichment of BloodHound analyses with actual authentication telemetry to validate observed paths.

    Limitations and considerations:
    • The project accepts anonymous uploads; operators should assess privacy and operational risks before using public instances.
    • Detection efficacy depends on log completeness and AD enrichment quality; absent telemetry reduces rule coverage.
    • No managed deployment guarantees are provided; platform is intended for self-hosted analysis and evaluation.

    References and signals:
    • Notable integrations: SharpHound/BloodHound, AD CS event analysis, force-directed graph visualization.

    🔹 tool #ActiveDirectory #ADCS #BloodHound #security

    🔗 Source: github.com/MHaggis/ADTrapper

  9. Huge thanks to Design Tech Solutions for publishing an article about RELIANOID! 📰 🤩

    They explore how the RELIANOID Load Balancer enhances maritime cybersecurity, helping secure connected vessels, ports, and critical infrastructure.

    Read the full article here:

    relianoid.com/about-us/reliano

  10. ESCploitation: a new attack vector against Active Directory Certificate Services

    Hi, Habr! Hot on the heels of our big article on the ESC1-ESC15 attack vectors, we, the PT Cyber Analytics team, decided to take a detailed look at the relatively new ESC16 attack vector. The ability to detect and exploit this vector was added in the May update of the Certipy software.

    habr.com/ru/companies/pt/artic

    #activedirectory #cybersecurity #пентест #certificate_authority #certificates #adcs #redteam #certipy

  12. The EU just bet €12.5M on biotech firm Oncomatryx to lead in antibody-drug conjugates (ADCs) — a new frontier in cancer therapy. A bold move in Europe's push to shape the future of precision oncology.
    🔗 biotech.industryexaminer.com/e
    #Biotech #Oncology #ADCs

  13. ESCploitation. Privilege escalation using AD CS

    Hi, Habr! This is the PT Cyber Analytics team. We work with ethical hackers on various red-team projects carried out for our customers. While the hackers search for weak spots and assorted flaws in the customers' systems, we, the analysts, perform a comprehensive analysis of the system, assess the vulnerabilities and their consequences in the context of the threat to the customer, compile a list of recommendations and measures, and present everything the hackers found and we analyzed in the form of clear reports. While working on such projects we have studied many infrastructures and accumulated knowledge about a range of current attacks, and we want to share that knowledge with experts and with anyone simply interested in information security. We would like to begin our article by discussing the attacks most frequently carried out during internal pentests. The main goal of an internal pentest is to gain control of the customer's infrastructure. Since most companies build their networks on Active Directory, that goal is usually reached by obtaining a domain administrator account (or another account with equivalent privileges). With such rights a potential attacker can do practically anything: reach any important information, encrypt data, take critical systems out of service, and so on. Obtaining such an account is therefore in most cases enough to conclude the engagement and confirm that the internal network was successfully compromised. There are many ways to get there; one of them, and quite a popular one, is attacking Active Directory Certificate Services (AD CS).

    habr.com/ru/companies/pt/artic

    #cybersecurity #certificates #activedirectory #certificate_authority #certipy #adcs #пентест #redteam

  15. If you are an Active Directory admin and have been saddled with running PKI long enough to have run into implementation issues, Uwe Gradenegger has a great, still relevant post on the limits of Active Directory Certificate Services. It is eye-opening and provides clarity on a lot of issues I've encountered understanding why ADCS is so... ADCS.
    gradenegger.eu/en/limits-of-th

    #activedirectory #pki #adcs #windows #sysadmin

  16. AD CS Web Enrollment. Relay me completely

    Lately one often hears that attacks on ADCS have become something trivial: since the informative Certified Pre-Owned article from SpecterOps came out, almost every pentester knows what ESC1 and ESC8 are and, on seeing computers in Cert Publishers, runs straight there. But beyond those attacks, Web Enrollment can chain vulnerabilities and serve as an excellent option for Initial Access. Let's look at how to use it, taking one of our infrastructure pentest projects as the example.

    habr.com/ru/companies/jetinfos

    #информационная_безопасность #пентест #activedirectory #adcs

  17. I'm 10 days into #vacation ... I have 20 days left. I think I need longer vacation as when I come back one of the things that are waiting for me is doing shit with #ADCS, setting up a new node and doing shit with templates. And I'm not in the mood at all.

    #sysadmin #windows #server #techie #pki

  18. Active Directory Certificate Services (AD CS) is Microsoft's way to establish and manage a public key infrastructure in Active Directory. It can be used to manage certificate templates, issue certificates or revoke them. And because those certificates can be used for client authentication, AD CS is a very appealing target for attackers.

    We have already looked at the escalation primitive "ESC1" before (infosec.exchange/@lutrasecurit). Today we will have a look at ESC4. Just like ESC1, an attacker can abuse this misconfiguration to escalate their privileges from a regular domain user to Domain Admin.

    This time, the misconfiguration is that a regular domain user can modify a certificate template. This means that an attacker can simply modify the template and configure it to be vulnerable to ESC1. Then, the attacker can easily exploit the ESC1 misconfiguration they added and escalate their privileges.

    The tool "Certify" can be used to identify and perform almost all AD CS attacks. In case of ESC4, an attacker only needs to change the certificate template to allow the enrollee to supply a subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT). Then, an attacker can request a certificate using the modified template and provide the username that they want to impersonate as an argument. That’s it. They can now impersonate the user and take over the entire domain.

    So how can you detect and defend against it?

    First and foremost: CA servers are Tier 0 assets. This means that they are as important as your Domain Controller and should be hardened as such. To fix the misconfiguration, you need to review the permissions for the certificate template in question. For this, open “Certificate Authority”, right-click on “Certificate Templates” and choose “Manage”. There you can view the “Security” tab within the properties and manage the permissions (see screenshot). In this case, remove the dangerous permissions of the Domain Users group (Full Control, Write).

    For detection, monitor requests (EID 4886) and issuing (EID 4887) of certificates as well as the modification of CA settings, such as certificate template modifications. And of course: Search for these types of misconfigurations to find them before the real attackers do.

    #itsecurity #adcs #esc4 #ttp #mitre #redteam #redteaming #TechTuesday
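
The permission review the post describes, as an added PowerShell check that is not part of the original post: it enumerates every certificate template in the forest's Configuration partition and reports allow-ACEs that give a low-privileged principal write-type rights over the template (the ESC4 precondition), together with whether the template already has CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set. It assumes the RSAT ActiveDirectory module, a domain-joined session, and English group names; the $lowPrivPrincipals list is a starting point, not an exhaustive one. Remediation is still done in the Certificate Templates console as the post says; the script only tells you which templates to open.

```powershell
# Added example, not code from the original post. Finds certificate templates
# writable by low-privileged principals (ESC4) and shows whether each already
# lets the enrollee supply the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT).
# Assumes: RSAT ActiveDirectory module, domain-joined session, English group names.
Import-Module ActiveDirectory

# Bit 0x1 of msPKI-Certificate-Name-Flag
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# Principals that should never hold write rights on a template (assumption: extend
# for your environment; compare SIDs instead of names in a multilingual forest).
$lowPrivPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users')

# Rights that allow rewriting the template object or its ACL outright.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Find-Esc4Template {
    # Templates live in the Configuration NC, so one query covers the whole forest.
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

    $templates = Get-ADObject -SearchBase $base -SearchScope OneLevel -Filter { objectClass -eq 'pKICertificateTemplate' } -Properties nTSecurityDescriptor, 'msPKI-Certificate-Name-Flag'

    foreach ($t in $templates) {
        $nameFlag        = [int]$t.'msPKI-Certificate-Name-Flag'
        $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

        foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }

            # IdentityReference is DOMAIN\Name (or a raw SID if unresolved); compare the name part.
            $who = $ace.IdentityReference.Value.Split('\')[-1]
            if ($lowPrivPrincipals -notcontains $who) { continue }

            [pscustomobject]@{
                Template        = $t.Name
                Principal       = $ace.IdentityReference.Value
                Rights          = $ace.ActiveDirectoryRights
                # Empty GUID = the right covers the whole object, not a single attribute.
                Scope           = if ($ace.ObjectType -eq [guid]::Empty) { 'object' } else { $ace.ObjectType }
                SuppliesSubject = $suppliesSubject
            }
        }
    }
}

Find-Esc4Template | Format-Table -AutoSize
```

Enroll and Autoenroll entries are ExtendedRight ACEs and are not flagged; a WriteProperty entry scoped to a single attribute shows that attribute's GUID in Scope so it can be judged per attribute. Also review the Owner of each template object, since the owner implicitly holds WriteDacl and can grant itself the rest.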

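The monitoring the post recommends (EID 4886, EID 4887 and template modifications), together with the parse-then-correlate model the ADTrapper tool post above describes, as an added PowerShell example that is code from neither post nor project. It runs three rules over constructed sample records whose fields mirror the message fields of the CA's Security-log events (Request ID, Requester, Attributes and Subject for 4886/4887; the template name for 4899/4900). The field layout of the sample objects, the CORP domain, the account names, the pkiadmin allow-list and the 24-hour window are assumptions.

```powershell
# Added example, not code from the original post or from ADTrapper.
# CA Security-log event IDs used: 4886 request received, 4887 request approved and
# certificate issued, 4899 template updated, 4900 template security updated.
# On a live CA the records would come from something like
#   Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4886 or EventID=4887 or EventID=4899 or EventID=4900]]"
# with the EventData parsed into the shape used below.

function Get-RequestedTemplate([string]$Attributes) {
    # Template-based requests carry "CertificateTemplate:<name>" in the request attributes.
    if ($Attributes -match 'CertificateTemplate:(\S+)') { return $Matches[1] }
    return $null
}

function Invoke-AdcsRules {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $TemplateAdmins = @('CORP\pkiadmin'),   # assumption: accounts expected to request right after a template change
        [int] $ChangeWindowHours = 24                       # assumption: how long a template change stays "hot"
    )
    $alerts  = New-Object System.Collections.Generic.List[object]
    $changed = @{}   # template name -> time of the last 4899/4900 seen

    foreach ($e in ($Events | Sort-Object Time)) {
        switch ($e.Id) {
            { $_ -in 4899, 4900 } {
                # Rule 1: any template change on the CA is worth an alert on its own.
                $changed[$e.Template] = $e.Time
                $alerts.Add([pscustomobject]@{ Rule='TemplateModified'; Time=$e.Time; RequestId=$null
                    Detail="template '$($e.Template)' changed (EID $($e.Id))" })
            }
            4886 {
                # Rule 2: a request against a recently changed template, by someone not expected to make it.
                $tpl = Get-RequestedTemplate $e.Attributes
                if ($tpl -and $changed.ContainsKey($tpl) -and
                    ($e.Time - $changed[$tpl]).TotalHours -le $ChangeWindowHours -and
                    $TemplateAdmins -notcontains $e.Requester) {
                    $alerts.Add([pscustomobject]@{ Rule='RequestAfterTemplateChange'; Time=$e.Time; RequestId=$e.RequestId
                        Detail="$($e.Requester) requested recently modified template '$tpl'" })
                }
            }
            4887 {
                # Rule 3: the issued identity does not look like the requester.
                $reasons = @()
                # Requester is DOMAIN\sAMAccountName; machine accounts end in '$'.
                $sam = $e.Requester.Split('\')[-1].TrimEnd('$')
                if ($e.Subject -match '^CN=([^,]+)') {
                    $fullCn = $Matches[1]
                    $cn     = $fullCn.Split('.')[0]   # first label of an FQDN-style machine CN
                    if ($cn -ne $sam) { $reasons += "subject CN '$fullCn' is not the requester '$sam'" }
                }
                if ($e.Attributes -match '(?i)\bSAN:') { $reasons += 'SAN passed as a request attribute' }
                if ($reasons) {
                    $alerts.Add([pscustomobject]@{ Rule='IssuedIdentityMismatch'; Time=$e.Time; RequestId=$e.RequestId
                        Detail=($reasons -join '; ') })
                }
            }
        }
    }
    return $alerts
}

# Constructed sample records (not real telemetry). Times are relative to $t0.
$t0 = Get-Date '2025-06-01T09:00:00'
$sampleEvents = @(
    [pscustomobject]@{ Id=4886; Time=$t0;                            RequestId=101;   Requester='CORP\alice'; Attributes='CertificateTemplate:User';            Subject=$null;                                 Template=$null }
    [pscustomobject]@{ Id=4887; Time=$t0.AddSeconds(2);              RequestId=101;   Requester='CORP\alice'; Attributes='CertificateTemplate:User';            Subject='CN=alice,CN=Users,DC=corp,DC=local'; Template=$null }
    [pscustomobject]@{ Id=4886; Time=$t0.AddMinutes(5);              RequestId=102;   Requester='CORP\WS01$'; Attributes='CertificateTemplate:Machine';         Subject=$null;                                 Template=$null }
    [pscustomobject]@{ Id=4887; Time=$t0.AddMinutes(5).AddSeconds(1); RequestId=102;  Requester='CORP\WS01$'; Attributes='CertificateTemplate:Machine';         Subject='CN=WS01.corp.local';                  Template=$null }
    [pscustomobject]@{ Id=4900; Time=$t0.AddHours(1);                RequestId=$null; Requester=$null;        Attributes=$null;                                 Subject=$null;                                 Template='WebServerLegacy' }
    [pscustomobject]@{ Id=4886; Time=$t0.AddHours(1).AddSeconds(30); RequestId=103;   Requester='CORP\bob';   Attributes='CertificateTemplate:WebServerLegacy'; Subject=$null;                                 Template=$null }
    [pscustomobject]@{ Id=4887; Time=$t0.AddHours(1).AddSeconds(31); RequestId=103;   Requester='CORP\bob';   Attributes='CertificateTemplate:WebServerLegacy'; Subject='CN=Administrator';                    Template=$null }
)

Invoke-AdcsRules -Events $sampleEvents | Format-Table Rule, Time, RequestId, Detail -AutoSize
```

In the sample, request 101 (alice's own user certificate) and request 102 (WS01$ enrolling for CN=WS01.corp.local) are the benign baseline and raise nothing; the 4900 for WebServerLegacy, bob's request against it 30 seconds later, and the certificate issued to CN=Administrator on bob's request are the ESC4-shaped chain the three rules are meant to surface. Two limits are worth knowing: a subject alternative name carried only in the CSR extension does not appear in the 4887 Subject or Attributes fields, so that case needs the CA database or the issued certificate itself rather than these two events; and 4899/4900 are written when the CA loads the changed template, which typically happens at the next request that references it, so the change and the request can be seconds apart.
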
  19. Active Directory Certificate Services (AD CS) is Microsoft's way to establish and manage a public key infrastructure in Active Directory. It can be used to manage certificate templates, issue certificates or revoke them. And because those certificates can be used for client authentication, AD CS is a very appealing target for attackers.

    We have already looked at the escalation primitive "ESC1" before (infosec.exchange/@lutrasecurit). Today we will have a look at ESC4. Just like ESC1, an attacker can abuse this misconfiguration to escalate their privileges from a regular domain user to Domain Admin.

    This time, the misconfiguration is that a regular domain user can modify a certificate template. This means, that an attacker can simply modify the template and configure it to be vulnerable to ESC1. Then, the attacker can easily exploit the ESC1 misconfiguration they added and escalate their privileges.

    The tool "Certify" can be used to identify and perform almost all AD CS attacks. In case of ESC4, an attacker only needs to change the certificate template to allow the enrollee to supply a subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT). Then, an attacker can request a certificate using the modified template and provide the username that they want to impersonate as an argument. That’s it. They can now impersonate the user and take over the entire domain.

    So how can you detect and defend against it?

    First and foremost: CA servers are Tier 0 assets. This means that they are as important as your Domain Controller and should be hardened as such. To fix the misconfiguration, you need to review the permissions for the certificate template in question. For this, open “Certificate Authority”, right-click on “Certificate Templates” and choose “Manage”. There you can view the “Security” tab within the properties and manage the permissions (see screenshot). In this case, remove the dangerous permissions of the Domain Users group (Full Control, Write).

    For detection, monitor requests (EID 4886) and issuing (EID 4887) of certificates as well as the modification of CA settings, such as certificate template modifications. And of course: Search for these types of misconfigurations to find them before the real attackers do.

    #itsecurity #adcs #esc4 #ttp #mitre #redteam #redteaming #TechTuesday

  23. Microsoft Incident Response (Microsoft IR) provides guidance for organizations to set up Active Directory Certificate Services (ADCS) backups and recover an ADCS platform from compromise:

    Recover ADCS from Compromise
    techcommunity.microsoft.com/t5

    #adcs #Security #Microsoft #msftadvocate

  24. Active Directory Certificate Services (AD CS) is Microsoft's way to establish and manage a public key infrastructure in Active Directory. It can be used to manage certificate templates, issue certificates or revoke them. And since those certificates can be used for client authentication, AD CS makes for a very appealing target for attackers.

    This is probably also the reason why @SpecterOps took a deep dive into attacking AD CS in 2021. During their research, @harmj0y and @tifkin_ uncovered several ways to abuse AD CS, for example, to escalate privileges. Those privilege escalation techniques are labelled with the prefix "ESC" (no, not affiliated with the music contest Germany loses every year) followed by a number.

    Today, we will have a look at ESC1, which an attacker can abuse to escalate privileges from a regular domain user to Domain Admin.

    ESC1 refers to a misconfiguration in a certificate template that can be used for client authentication. It occurs if a normal domain user is allowed to request such a certificate and can supply an arbitrary subjectAltName (SAN). What this essentially means is that a user can supply an arbitrary username in the SAN and impersonate any user.

    For more details see the whitepaper, it's great: specterops.io/wp-content/uploa

    Think of a really bad gatekeeper: He looks at your ID and checks that you belong. He turns around to grab your keys and by that time he already forgot your name. And asks you again. And of course you, as a hacker, say: "I am the head of the company". He grabs "your" keys, opens the door and is like: "Whatever, go inside. Here are the keys to all rooms".

    The tool "Certify" can be used to identify and perform almost all AD CS attacks. In case of ESC1, an attacker only needs to request a certificate using the vulnerable template and provide the username that they want to impersonate as an argument. That’s it. They can now impersonate the user and take over the entire domain.

    🔐 So: How can you fix the vulnerability and detect abuse? 🕵️

    First and foremost: CA servers are Tier 0 assets. 💎 This means that they are as important as your Domain Controller and should be hardened as such. To fix the misconfiguration you need to disable the option to supply the subject name in the request (see screenshot). For detection, monitor requests (EID 4886) and issuing (EID 4887) of certificates as well as the modification of CA settings, such as certificate template modifications (e.g. ESC4 abuse).

    #itsecurity #ttp #mitre #redteam #redteaming #TechTuesday #adcs #esc1
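    The two template conditions described in the ESC4 and ESC1 posts above, as an added audit check that is not code from the original posts, from Certify or from Locksmith: it evaluates template records shaped like the LDAP attributes of a pKICertificateTemplate object (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) plus a simplified ACL, and flags ESC1 (low-privileged enrollee may supply the subject on an authentication-capable template with no approval gate) and ESC4 (low-privileged principal can write to the template). The `Ace`/`Template` types, the sample SIDs and all template records are constructed for the example.

```python
from dataclasses import dataclass

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that let the issued certificate authenticate to the domain
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
}
ANY_PURPOSE = "2.5.29.37.0"
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}            # Domain Users, Domain Computers
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}


@dataclass(frozen=True)
class Ace:  # one simplified access-control entry on the template object
    sid: str
    rights: frozenset


@dataclass
class Template:  # subset of the pKICertificateTemplate attributes the checks need
    name: str
    name_flag: int = 0
    enrollment_flag: int = 0
    ra_signatures: int = 0            # msPKI-RA-Signature: authorized signatures required
    ekus: frozenset = frozenset()     # pKIExtendedKeyUsage; empty means any purpose
    acl: tuple = ()


def is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def allows_auth(t: Template) -> bool:
    return not t.ekus or ANY_PURPOSE in t.ekus or bool(t.ekus & AUTH_EKUS)


def low_priv_with(t: Template, rights: set) -> list:
    """SIDs of low-privileged principals holding any of the given rights."""
    return sorted(a.sid for a in t.acl if is_low_priv(a.sid) and a.rights & rights)


def check_esc1(t: Template) -> bool:
    return (
        bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        and allows_auth(t)
        and not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS  # no manager approval gate
        and t.ra_signatures == 0                               # no RA signature gate
        and bool(low_priv_with(t, {"Enroll", "GenericAll"}))
    )


def check_esc4(t: Template) -> bool:
    return bool(low_priv_with(t, WRITE_RIGHTS))


def audit(templates) -> dict:
    """Map template name -> list of findings ('ESC1', 'ESC4')."""
    return {
        t.name: [tag for tag, hit in (("ESC1", check_esc1(t)), ("ESC4", check_esc4(t))) if hit]
        for t in templates
    }


# Constructed sample records; S-1-5-21-1000-1000-1000 is a placeholder domain SID.
DOMAIN_USERS = "S-1-5-21-1000-1000-1000-513"
DOMAIN_ADMINS = "S-1-5-21-1000-1000-1000-512"
CLIENT_AUTH = frozenset({"1.3.6.1.5.5.7.3.2"})
SAMPLE_TEMPLATES = [
    # server-auth EKU only: enrollee-supplied subject is not an authentication primitive
    Template("WebServer", name_flag=1, ekus=frozenset({"1.3.6.1.5.5.7.3.1"}),
             acl=(Ace(DOMAIN_USERS, frozenset({"Enroll"})),)),
    Template("VulnUser", name_flag=1, ekus=CLIENT_AUTH,
             acl=(Ace(DOMAIN_USERS, frozenset({"Enroll"})),)),            # ESC1
    Template("Approved", name_flag=1, enrollment_flag=2, ekus=CLIENT_AUTH,
             acl=(Ace(DOMAIN_USERS, frozenset({"Enroll"})),)),            # approval gate
    Template("Editable", ekus=CLIENT_AUTH,
             acl=(Ace(DOMAIN_USERS, frozenset({"Enroll", "GenericWrite"})),)),  # ESC4
    Template("Locked", name_flag=1, ekus=CLIENT_AUTH,
             acl=(Ace(DOMAIN_ADMINS, frozenset({"Enroll", "GenericAll"})),)),  # Tier 0 only
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {findings or 'clean'}")
```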

  25. Simplified deployment with Defender for Identity

    "Microsoft Defender for Identity is an essential part of a modern security practice, helping your organization protect against, and respond to, identity-based threats. In this blog we will show you the simple steps for deploying Microsoft Defender for Identity within your environment."

    techcommunity.microsoft.com/t5

    #defenderforidentity #mdi #microsoft #microsoftsecurity #defender #adfs #domaincontroller #activedirectory #itdr #azure #adfs #adcs #deployment

  26. Microsoft Defender for Identity expands its coverage with new AD CS sensor

    Sensor that can be deployed on Active Directory Certificate Services (AD CS) servers. This new sensor builds on the existing detections for suspicious certificate usage available today and extends Defender for Identity's capabilities and coverage more comprehensively across identity environments.

    AD CS is a role in Windows Server that allows you to create and manage public key infrastructure (PKI) certificates.

    New detections:

    ➡️Domain-controller certificate issuance for a non-DC

    ➡️Suspicious disable of audit logs of AD CS

    ➡️Suspicious deletion of the certificate database

    ➡️Suspicious modifications to the AD CS settings (coming soon)

    techcommunity.microsoft.com/t5

    #defenderforidentity #xdr #mdi #azure #microsoft #micrsoftsecurity #soc #adcs #pki #windows #server #cybersecurity #microsoft365defender #cloudsecurity #identity

  27. Catch up on everything cyber with this week's edition of our SOC Goulash newsletter!:

    opalsec.substack.com/p/soc-gou

    Images which were redacted or cropped on Google Pixel devices or using the Windows Snipping Tool can be reversed and sensitive data revealed. The bug, dubbed "Acropalypse", may have been fixed but any existing images - be they bank details, nudes, or confidential company information - remain up for grabs.

    #Hacktivists launched a week-long, coordinated attack on Australian banks, hospitals, airports and more, in retaliation for an offensive submission by an Australian designer at the Melbourne Fashion Festival, of all things.

    The takedown of #BreachForums was made official last week, with the subsequent disarray demonstrating that continued law enforcement action is succeeding in capitalising on the mistrust inherent to the cyber crime ecosystem.

    A significant vulnerability in the #WooCommerce Payments plugin can let attackers take over #WordPress sites, and a PoC #exploit has been released publicly for a vulnerability in #Veeam's backup software.

    The #blueteam had a great week, with CISA releasing a tool that helps grab #Azure, #M365 and the #Defender suite telemetry to help run ad hoc investigations; #Splunk shared an awesome defensive guide to #ADCS attacks, and we've seen a bunch of great write-ups on #IcedID, #ASyncRAT, and more!

    Catch all this and much more in this week's newsletter:

    opalsec.substack.com/p/soc-gou

    #infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #acropalypse #OpAustralia #darkweb #CISA

  28. The Locksmith Active Directory (AD) Certificate Services (CS) remediation tool has been updated: github.com/TrimarcJake/Locksmi

    New features:
    - Support for Restricted Admin Mode. If RAM is detected, Locksmith will ask to be re-run using the -Credential switch.
    - If the AD Powershell module is not installed on Win 10/11, Locksmith will attempt to install it for you.
    Note: previously only available on server-class OSes.
    - New functions for checking user type and elevation status.
    - Auto-generated snippets for ownership issues (a subset of ESC4/ESC5).
    - Support for non-English Active Directory environments!

    Next planned updates:
    - Add individual CA Hosts to $SafeUsers using SIDs.
    - Perform additional environment checks before attempting to run.
    - Rename modes to something that makes sense.

    #IAM #IdentitySecurity #CertificateServices #ActiveDirectory #ActiveDirectoryCertificateServices #ADCS #PKI #Locksmith #OpenSource #DefensiveSecurity #DefensiveSecurityTooling #Pizza

  29. Happy Monday, folks! It's time to shake off the cobwebs, so strap yourselves in and get your reading glasses out - here's a wrap-up of the week's infosec news, just for you: opalsec.substack.com/p/soc-gou

    Australia's mandatory reporting laws for Critical infrastructure operators got their first win last week, with the CISC revealing 47 cyber incidents were reported in the 8 months to December last year. Congrats, but what does that actually mean?

    #GoDaddy finally twigged to a multi-year compromise of their networks, after users reported odd redirects impacting their website visitors. Turns out they'd likely been owned since at least March 2020, and appear to have failed to evict the attackers at least twice.

    Havoc is the latest C2 framework to be thrown in anger, this time against a government target and in a multi-staged delivery chain which featured several evasive measures. Seems like Sliver and Brute Ratel may soon be in good company!

    Symantec researchers have unearthed Frebniis - a stealthy IIS backdoor novel for its hooking of a legitimate feature to covertly intercept attacker tasking.

    A number of critical bugs in #Fortinet, #Apple, and #Citrix have been squashed - just make sure you know which ones, and apply those patches!

    #redteam members are in for a treat, with a new Nim-based implant to play with and the OffensivePipeline tool to help automate obfuscation.

    The #blueteam can look forward to a detailed look at attacks on #ESXi and how to mitigate it, as well as Hunt recommendations for evilginx2, and an update to Microsoft #Defender for Identity to help identify #ADCS abuse.

    As always, there are literally dozens more research articles on threat actor activity and tradecraft that I can't summarise here, so make sure you take a look at this week's issue of SOC Goulash and get yourself up to speed!

    opalsec.substack.com/p/soc-gou

    #infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #SliverC2 #BruteRatel #criticalinfrastructure

  30. Hey #fediverse

    Do you administer/secure/have access to a non-English Active Directory + AD Certificate Services environment? I made some updates to Locksmith last week to improve results in non-English ADs, but I don't have one of my own to test with.

    If you can test for me, I will buy you a beer/soda/drink of your choice!

    #Locksmith #ADCS #ActiveDirectory #CertficateServices #IAM #PKI

  33. Locksmith has been updated: github.com/TrimarcJake/Locksmi

    New features:
    - Improved on-screen explanation of what the script is doing
    - Improved output formatting
    - Confirmation now required before the AD CS environment is changed
    - If Locksmith changes your environment, a script is created to easily revert those changes.
    - Fewer false positives
    - If Active Directory module is not installed, Locksmith will attempt to install it for you.

    Next planned updates:
    - Strict Mode support
    - RDP Restricted Admin support

    #IAM #IdentitySecurity #CertificateServices #ActiveDirectory #ActiveDirectoryCertificateServices #ADCS #Locksmith #OpenSource #DefensiveSecurity #DefensiveSecurityTooling #Pizza
