Let the Children play - Leveraging ADCS for persistence in Parent-Child configured forests

90 views

BSides Cape Town

1 day ago

Let the Children play - Leveraging AD CS for persistence and profit in Parent-Child configured forests - Tinus Green
In 2021, Active Directory Certificate Services (AD CS) came under scrutiny because of the opportunities it gives attackers for credential theft, domain escalation, and persistence, and it has since become a household name for red and blue teams. This talk covers new discoveries from two perspectives:
Lateral Movement - Noisy compromises of the Parent domain to get to other Child domains are a thing of the past
Cross-Domain Escalation - A newly discovered default permission misconfiguration allowing forest-wide persistence from any Child domain
1. Introduction
An introduction to the basic concepts of Active Directory Certificate Services will be given. Terms such as Kerberos, PKINIT, SCHANNEL, and CSR will be covered, together with background on AD CS exploitation up to this point. Reference will be made to the initial research performed by SpecterOps ("Certified Pre-Owned") [1] and to interesting vulnerabilities discovered afterwards, such as CVE-2022-26923 ("Certifried") [2].
2. The Potency of AD CS exploitation
A refresher demonstration [Demo 1] will show how AD CS can be leveraged for privilege escalation. The demo focuses on ESC1 [3]: a template that lets the enrollee supply the subject alternative name, permits client authentication, and is enrollable by low-privileged users, so a low-privileged user can request a certificate in the name of a privileged account. That certificate can then be used either to obtain a Kerberos TGT via PKINIT or to authenticate to LDAP via SCHANNEL (TLS client certificate) authentication. The goal of this demonstration is to show how easy the privilege escalation is, and how attacker OpSec around the attack path differs because no conventional username and password credentials are used.
3. Conventional Cross-Domain Lateral Movement Techniques
Before diving into new cross-domain lateral movement techniques leveraging AD CS, a demonstration of the conventional methods will be given [Demo 2]. Conventionally, we had to rely on a golden ticket attack to compromise the Parent domain (forging a Child-domain ticket whose SID history carries the Parent's Enterprise Admins SID), which then gives full access to all Child domains. While that attack path is proven to work, it offers several detection opportunities that are well-known by now, so the chance of at least one of these actions being detected during a red team is significant.
4. Understanding the E in ECA
To truly understand the permissions associated with AD CS, we have to go back to the installation and configuration process of a new Enterprise CA (ECA). When configuring a new ECA through the normal configuration process, Microsoft shows an easily overlooked warning that this is an Enterprise Admins-equivalent service, but never really explains what that means in practice. Several things happen automatically when a new ECA is configured, and most organisations are likely unaware of their true consequences.
5. Lateral Movement through AD CS
A demonstration will showcase how the automatic configuration explained in the previous section can be leveraged by an attacker [Demo 3]. Because of the container changes made in the forest-wide Configuration partition when a new ECA is installed (the CA certificate is published to the NTAuthCertificates container, a root CA's certificate to the Certification Authorities container, and an Enrollment Services object is created), all Domain Controllers in the entire forest automatically enrol for a new certificate and trust the ECA. Conventionally, we could not exploit this, since the domain controllers do not enrol for a Kerberos certificate that supports PKINIT authentication. However, we can leverage SCHANNEL authentication: the ECA certificate is trusted forest-wide, so a certificate it issues can be used for cross-domain lateral movement without touching the Parent domain.
6. The Installation Misconfiguration
Finally, we get to the misconfiguration that occurs during the AD CS installation process. It has been reported to Microsoft as a vulnerability; their standard response was: "The security boundary sits at the forest". Although true, this does not consider that threat actors can leverage the misconfiguration not only to escalate from any Child domain to the Parent domain, but also to deploy forest-wide persistence. Furthermore, the number of detection opportunities is drastically reduced, since fewer steps are needed to deploy the persistence and all of them can be performed exclusively through LDAP against a Child domain.
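A check a practitioner would want for sections 5 and 6, as an added example that is not part of the talk: a read-only enumeration, from any domain in the forest, of the objects an Enterprise CA installation writes into CN=Public Key Services in the Configuration partition, and of every write-class ACE on those containers. The talk does not name the specific default ACE it considers a misconfiguration, so this script prints all write-class grants apart from SYSTEM and Enterprise Admins and leaves the judgement to the reader; the trusted-principal list is a heuristic of this example.

```powershell
# Added example; not code from the talk. Run as any domain user on a domain-joined host in any domain
# of the forest: the Configuration naming context replicates to every domain controller, which is
# exactly why these containers matter forest-wide.
Set-StrictMode -Version Latest

$rootDse = [ADSI]'LDAP://RootDSE'
$cfgNc   = [string]$rootDse.configurationNamingContext
$pks     = "CN=Public Key Services,CN=Services,$cfgNc"

# 1. CAs whose certificates the whole forest accepts for PKINIT and SCHANNEL logon (NTAuthCertificates).
function Get-ForestNtAuthCertificates {
    $ntauth = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
    foreach ($raw in $ntauth.Properties['cACertificate']) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter }
    }
}

# 2. Enrollment Services objects: one per Enterprise CA, with the templates it publishes.
function Get-ForestEnrollmentServices {
    $es = [ADSI]"LDAP://CN=Enrollment Services,$pks"
    foreach ($ca in $es.Children) {
        [pscustomobject]@{
            CA        = [string]$ca.cn
            Host      = [string]$ca.dNSHostName
            Templates = (@($ca.certificateTemplates) -join ', ')
        }
    }
}

# 3. Write-class ACEs on the PKI containers. A principal that can write cACertificate on
#    NTAuthCertificates, or create children under Certification Authorities / Enrollment Services,
#    can introduce a CA the whole forest trusts from whichever domain that principal lives in.
$WriteRights    = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, CreateChild'
$TrustedWriters = @('NT AUTHORITY\SYSTEM')   # heuristic of this example; Enterprise Admins is matched by name below

function Get-PkiContainerWriteAces {
    $containers = @("CN=NTAuthCertificates,$pks", "CN=Certification Authorities,$pks",
                    "CN=Enrollment Services,$pks", "CN=AIA,$pks", $pks)
    foreach ($dn in $containers) {
        $de    = [ADSI]"LDAP://$dn"
        $rules = $de.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne 'Allow') { continue }
            if (([int]$r.ActiveDirectoryRights -band [int]$WriteRights) -eq 0) { continue }
            $sid = $r.IdentityReference
            # Translate per ACE so one unresolvable SID (e.g. from a removed domain) does not abort the audit.
            try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $who = $sid.Value }
            if ($who -in $TrustedWriters -or $who -like '*\Enterprise Admins') { continue }
            [pscustomobject]@{
                Container  = ($dn -split ',')[0]
                Principal  = $who
                Rights     = $r.ActiveDirectoryRights
                ObjectType = $r.ObjectType     # non-empty GUID: right is scoped to one attribute or class
                Inherited  = $r.IsInherited
            }
        }
    }
}

Get-ForestNtAuthCertificates | Format-Table -AutoSize
Get-ForestEnrollmentServices | Format-Table -AutoSize
Get-PkiContainerWriteAces   | Format-Table -AutoSize
```

Anything reported by the third function that is a Child-domain principal (a Child's Domain Admins, Cert Publishers, or a computer account) is what to compare against the talk's finding: such a grant is reachable with Child-domain privileges only and, because the target is the Configuration partition, takes effect in every domain of the forest. Running the first function periodically and diffing the thumbprints is also a cheap detection for the persistence described in section 6, since a rogue CA has to appear in NTAuthCertificates before the forest will accept its certificates for logon.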
7. Weaponising the Misconfiguration
A demonstration of how this misconfiguration can be leveraged for privilege escalation and persistence will be shown [Demo 4].
References:
[1] specterops.io/...
[2] research.ifcr....
[3] www.thehacker....
Filmed at BSides Cape Town
AV Sponsored by BITM Cyber Security

Comments: 1
@madelinegilmore4239, 9 months ago
🤷 Promo*SM