Certified Pre-Owned: Abusing Active Directory Certificate Services

Presented at Black Hat USA 2021, Aug. 5, 2021, 1:30 p.m. (40 minutes)

Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has largely flown under the radar of both the offensive and defensive communities. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence.

We will present the relevant background on certificates in Active Directory, detail the abuse of AD CS through certificate theft and active malicious enrollments for user and machine persistence, discuss a set of common certificate template misconfigurations that can result in domain escalation, and explain a method for stealing a Certificate Authority's private key in order to forge new user/machine "golden" certificates.

By bringing light to the security implications of AD CS, we hope to raise awareness for both attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system.


Presenters:

  • Lee Christensen - Technical Architect, SpecterOps
    Lee Christensen is a technical architect at SpecterOps, where he helps research and develop offensive capabilities for use in penetration tests and red team engagements. He has an extensive background in offensive security, particularly enjoying research of Windows, Active Directory, and the components commonly found inside them. His research has resulted in several CVEs and new offensive tradecraft used throughout the industry. In addition, Lee has contributed to many open-source tools including GhostPack, BloodHound, SpoolSample, UnmanagedPowerShell, and KeeThief.
  • Will Schroeder / @harmj0y - Technical Architect, SpecterOps
    Will Schroeder is a technical architect at SpecterOps, and is an experienced operator/researcher with a focus on red teaming, Active Directory, and offensive development. He has spoken at a number of security conferences spanning from Black Hat to Troopers, and has helped develop a number of offensive projects including BloodHound, the Veil-Framework, PowerSploit, Empire, and GhostPack. He also shares the first CVE for breaking Active Directory Forest Trusts with Lee Christensen.