Not A Security Boundary: Breaking Forest Trusts

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 6, 2019, 4 p.m. (45 minutes).

For years, Microsoft has stated that the forest is the security boundary in Active Directory. Many organizations have built their Active Directory trust architectures with this in mind, trusting that the compromise of one forest can not be leveraged to compromise a foreign forest. However, in late 2018 we discovered that this was not the case. By combining a legacy printer protocol "feature" with several architectural flaws in Active Directory, the compromise of one forest could be leveraged to compromise a foreign forest and all resources within it. We will deep dive into the architectural components that enable this trust violation, demonstrate a fully weaponized attack with available tools, and cover the new fundamental fix for this vulnerability Microsoft is pushing out in 2019.


Presenters:

  • Lee Christensen
    Will Schroeder and Lee Christensen are offensive engineers and red teamers for SpecterOps. Will is the co-founder of various offensive projects including the Veil-Framework, Empire, GhostPack, and BloodHound. He has presented at a number of industry conferences including ShmooCon, BlackHat, DEF CON, Troopers, DerbyCon, BlueHat Israel, and more. Lee enjoys building tools to support red team and hunt operations and is the author of several offensive tools and techniques, including UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets) and KeeThief.
  • Will Schroeder / @harmj0y as Will Schroeder
    Will Schroeder and Lee Christensen are offensive engineers and red teamers for SpecterOps. Will is the co-founder of various offensive projects including the Veil-Framework, Empire, GhostPack, and BloodHound. He has presented at a number of industry conferences including ShmooCon, BlackHat, DEF CON, Troopers, DerbyCon, BlueHat Israel, and more. Lee enjoys building tools to support red team and hunt operations and is the author of several offensive tools and techniques, including UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets) and KeeThief.

Links:

Similar Presentations: