ReCertifying Active Directory Certificate Services

Presented at Black Hat Europe 2021, Nov. 10, 2021, 3:20 p.m. (40 minutes)

Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has unfortunately flown under the radar of the defensive industry. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence. We present relevant background on certificates in Active Directory, briefly overview the attacks possible, and present preventive, detective, and incident response guidance for how to secure organizations against these abuses. By presenting the most comprehensive guidance on securing AD CS, we hope to give organizations the information and tools they need to secure these complex, widely deployed, and often misunderstood systems.


Presenters:

  • Lee Christensen - Technical Architect, SpecterOps
    Lee Christensen is a technical architect at SpecterOps, where he helps research and develop offensive capabilities for use in penetration tests and red team engagements. He has an extensive background in offensive security, particularly enjoying research of Windows, Active Directory, and the components commonly found inside them. His research has resulted in several CVEs and new offensive tradecraft used throughout the industry. In addition, Lee has contributed to many open-source tools including GhostPack, BloodHound, SpoolSample, UnmanagedPowerShell, and KeeThief.
  • Will Schroeder / @harmj0y - Technical Architect, SpecterOps
    Will Schroeder is a technical architect at SpecterOps, and is an experienced operator/researcher with a focus on red teaming, Active Directory, and offensive development. He has spoken at a number of security conferences spanning from Black Hat to Troopers, and has helped develop a number of offensive projects including BloodHound, the Veil-Framework, PowerSploit, Empire, and GhostPack. He also shares the first CVE for breaking Active Directory Forest Trusts with Lee Christensen.
