Securing against new offensive techniques abusing active directory certificate service

by | Jul 6, 2021 | Detection, Vulnerability

SpecterOps recently released an offensive security research paper that details techniques enabling an adversary to abuse insecure functionality in Active Directory Certificate Service.

SpecterOps reports that abusing the legitimate functionality of Active Directory Certificate Service will allow an adversary to forge the elements of a certificate to authenticate as any user or administrator in Active Directory. JUMPSEC has highlighted numerous changes that can be made to Active Directory Certificate Service configuration to protect the domain through a defence-in-depth approach.

We at JUMPSEC wanted to understand the defensive application of this offensive research to pre-emptively defend our clients from these techniques before exploitation is observed in the wild. To do this, we utilised our Active Directory lab and attempted to harden the service to reduce the risk of compromise and limit the ability for an attacker to cause harm.

In this article, JUMPSEC has documented the most effective and efficient methods we took to implement the broad defensive guidance in SpecterOps research. In our attempts to harden Active Directory Certificate Service, we have identified ways to harden the environment against compromise, and leverage auditing toolkits to make it easier to identify and remediate areas of exposure.

Read here for technical extracts or for the full technical guide click here

Article written by Dray Agha, Security Researcher | Any questions, comments, or criticisms please drop me a line on: Twitter, Github, or Email

Active Directory Certificate Service Defensive Guidance

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

GitHub Activity

@JumpsecLabs
JumpsecLabs pushed to main in JumpsecLabs/Guidance-Advice Jul 20, 2021
1 commit to main
@JumpsecLabs
JumpsecLabs pushed to master in JumpsecLabs/shad0w Jul 20, 2021
2 commits to master

 

Follow JUMPSECLabs

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and or activities related to the material contained within this website is solely your responsibility.

You may also like…

Running Once, Running Twice, Pwned! Windows Registry Run Keys

The Windows registry is a vast and complex topic and cannot be understood and defended in one article. One particular area of interest from a security perspective is registry run keys. In this article, we discuss who uses them, how to uncover abuse, and how to eradicate evil from them.

Can Depix deobfuscate your data?

In this post, Caleb explores Depix and its potential to recover sensitive text from reports that were redacted by the original authors.

PRINTNIGHTMARE NETWORK ANALYSIS

By Dray Agha The infosec community has been busy dissecting the PrintNightmare exploit. There are now variations of the exploit that can have various...

Share This