#esc1 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #esc1, aggregated by home.social.
Active Directory Certificate Services (AD CS) is Microsoft's way to establish and manage a public key infrastructure in Active Directory. It can be used to manage certificate templates, issue certificates or revoke them. And since those certificates can be used for client authentication, AD CS makes for a very appealing target for attackers.
This is probably also the reason why @SpecterOps took a deep dive into attacking AD CS in 2021. During their research, @harmj0y and @tifkin_ uncovered several ways to abuse AD CS, for example, to escalate privileges. Those privilege escalation techniques are labelled with the prefix "ESC" (no, not affiliated with the music contest Germany loses every year) followed by a number.
Today, we will have a look at ESC1, which an attacker can abuse to escalate privileges from a regular domain user to Domain Admin.
ESC1 refers to a misconfiguration in a certificate template that can be used for client authentication. It occurs if a normal domain user is allowed to request such a certificate and can supply an arbitrary subjectAltName (SAN). What this essentially means is that a user can supply an arbitrary username in the SAN and impersonate any user.
For more details see the whitepaper, it's great: https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
Think of a really bad gatekeeper: He looks at your ID and checks that you belong. He turns around to grab your keys and by that time he already forgot your name. And asks you again. And of course you, as a hacker, say: "I am the head of the company". He grabs "your" keys, opens the door and is like: "Whatever, go inside. Here are the keys to all rooms".
The tool "Certify" can be used to identify and perform almost all AD CS attacks. In the case of ESC1, an attacker only needs to request a certificate using the vulnerable template and provide the username that they want to impersonate as an argument. That’s it. They can now impersonate the user and take over the entire domain.
🔐 So: How can you fix the vulnerability and detect abuse? 🕵️
First and foremost: CA servers are Tier 0 assets. 💎 This means that they are as important as your Domain Controller and should be hardened as such. To fix the misconfiguration you need to disable the option to supply the subject name in the request (see screenshot). For detection, monitor requests (EID 4886) and issuing (EID 4887) of certificates as well as the modification of CA settings, such as certificate template modifications (e.g. ESC4 abuse).
#itsecurity #ttp #mitre #redteam #redteaming #TechTuesday #adcs #esc1
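The detection idea from the post above (watch EID 4886 requests and EID 4887 issuances for a requester-supplied SAN naming a different account), as an added example that is not part of the original post. The event records are constructed for this example and assume a key/value export with the field names `EventID`, `RequestId`, `Requester` and `Attributes`; adapt the field names to your own log pipeline.

```python
import re

# Constructed sample events shaped like CA audit events 4886 (certificate
# requested) and 4887 (certificate issued). All values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4886, "RequestId": "41", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User"},
    {"EventID": 4887, "RequestId": "41", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User", "Subject": "CN=jdoe"},
    # Request 42 carries a SAN UPN for a different account: the ESC1 pattern.
    {"EventID": 4886, "RequestId": "42", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=administrator@corp.local"},
    {"EventID": 4887, "RequestId": "42", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=administrator@corp.local",
     "Subject": "CN=jdoe"},
]

# Matches "upn=<value>" inside the request attributes (case-insensitive).
SAN_UPN = re.compile(r"upn=([^,;\s]+)", re.IGNORECASE)


def requester_account(requester: str) -> str:
    """Strip the domain prefix: 'CORP\\jdoe' -> 'jdoe'."""
    return requester.rsplit("\\", 1)[-1].lower()


def san_upns(attributes: str) -> list[str]:
    """Every UPN the requester supplied in the SAN attribute, lower-cased."""
    return [m.lower() for m in SAN_UPN.findall(attributes)]


def find_san_mismatches(events):
    """Return (RequestId, requester, upn, issued) for every 4886 request
    whose supplied SAN UPN names an account other than the requester.
    'issued' is True when a matching 4887 event shows the CA issued it."""
    issued_ids = {e["RequestId"] for e in events if e["EventID"] == 4887}
    hits = []
    for e in events:
        if e["EventID"] != 4886:
            continue
        acct = requester_account(e["Requester"])
        for upn in san_upns(e.get("Attributes", "")):
            if upn.split("@", 1)[0] != acct:
                hits.append((e["RequestId"], e["Requester"], upn,
                             e["RequestId"] in issued_ids))
    return hits


if __name__ == "__main__":
    for hit in find_san_mismatches(SAMPLE_EVENTS):
        print("SAN/requester mismatch:", hit)
```

A mismatch that was also issued (EID 4887 present) is the case to escalate first, since the certificate can already be used for authentication.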