TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Black Hills InfoSec

Abusing Active Directory Certificate Services (Part 3)

Kassie Kimball · 2023-11-09

ATT&CK techniques detected

10 predictions
T1649 Steal or Forge Authentication Certificates · 93% · "Read more in this series: - Abusing Active Directory Certificate Services (Part 1) - Abusing Active Directory Certificate Services (Part 2) - Abusing Active Directory Certificate Services (Part 4) - Detecting ADCS Privilege Escalation. Ready to learn more? Level up yo…"

T1649 Steal or Forge Authentication Certificates · 81% · "Abusing Active Directory Certificate Services (Part 3). In Part One and Part Two of this blog series, we discussed common misconfigurations of Active Directory certificate templates. In this post, we will walk through expl…"

T1649 Steal or Forge Authentication Certificates · 77% · "as shown in the figure below. Note that the ESC8 technique does not abuse certificate template misconfigurations. Instead, this technique leverages the configuration of the Certificate Authority (CA) server. Active Directory Certificate Authorities that are vulnerable to ESC8 m…"

T1557.001 Name Resolution Poisoning and SMB Relay · 72% · "The tool successfully forced the victim to authenticate using the EfsRpcDecryptFileSrv method. As shown in the figure below, the credential material was relayed through the Certipy relay that we set up earlier, to the target endpoint http://foobar-ca.foobar.com/certsrv…"

T1649 Steal or Forge Authentication Certificates · 67% · "1.100) and request a certificate using the following enabled template. The attack path can be summarized as follows: - Coerce the victim machine (server01.foobar.com) to authenticate to an attacker-controlled host. - Relay the hash obtained from the victim to the ADCS HT…"

T1649 Steal or Forge Authentication Certificates · 66% · "'ve successfully coerced the target machine server01 and relayed the credentials to obtain a certificate on behalf of server01.foobar.com, we can use the certificate to obtain the credential hash and a Kerberos ticket of the target server01 account using the Certipy auth comma…"

T1649 Steal or Forge Authentication Certificates · 44% · "do not specify a template name, Certipy will attempt to issue a certificate using the Machine and User templates. These are default templates, but that does not mean that they will be available in your target environment or that they apply to your victim account. *Side note:* …"

T1557.001 Name Resolution Poisoning and SMB Relay · 40% · "discuss relay attacks in detail; however, BHIS has many resources for red and blue teams alike on relay attacks, which can be found in the "Resources" section towards the end of this article. ESC8: In the following example, let's imagine that we have gained a foothold in our …"

T1557.001 Name Resolution Poisoning and SMB Relay · 38% · "Coercer: https://github.com/p0dalirius/coercer - https://github.com/bats3c/adcspwn - PetitPotam: https://github.com/topotam/petitpotam In this example, we will use Coercer, a Python tool that can be used to coerce Windows machines to authenticate to y…"

T1649 Steal or Forge Authentication Certificates · 38% · "- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1 - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dfsnm/95a506a8-cae6-4c42-b19d-9c1ed122…"

Summary

Alyssa Snow: In PART ONE and PART TWO of this blog series, we discussed common misconfigurations of Active Directory certificate templates. In this post, we will walk through exploitation […]

The post Abusing Active Directory Certificate Services (Part 3) appeared first on Black Hills Information Security, Inc.