AD CS HTTP endpoint not available to abuse ESC8 with #PetitPotam? WebDAV + NTLM relay to LDAP is an option (use the forward slash trick). WebDAV abuse comes with constraints, the largest being the WebClient service does not run by default on workstations/servers. 
For local priv esc on workstations, you can start the WebClient service using a @tiraniddo trick: tiraniddo.dev/2015/03/starti…
Otherwise, a remote machine needs to have the WebClient service running. Servers do not support WebDAV by default: they must have the WebDAV Redirector role installed and the service needs to be started.
I'm curious to see what applications typically enable the WebClient role. Defenders, you can identify machines that run the WebClient service using System event 7036
Another constraint of WebDAV is that Windows will only attempt to authenticate if the host is in the local intranet. If not on a compromised machine, one method to to side-step this would be to abuse ADIDNS (see @kevin_robertson's great work here netspi.com/blog/technical…)
@kevin_robertson I cannot emphasize enough how badly organizations need to start tackling the NTLM auth problem. Microsoft will not be doing it anytime soon. NTLM auth is BAD! Work on eliminating its use as much as possible in your network, and restrict its usage where that's not possible
See docs.microsoft.com/en-us/previous… for guidance on how to audit for and ultimately restrict NTLM usage in your environment.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
