Stephan Berger, Mar 6 (14 tweets)
1/ I presented 10 #ActiveDirectory hardening measures a few weeks ago, and I will tweet my recommendations over the next ten days.

The list is neither prioritised nor complete, but it might give companies and administrators good input on improving (AD) security.

🧵 #CyberSecurity
2/ Number #1 of the Active Directory hardening measures:

#ADCS (Active Directory Certificate Services)
3/ The whitepaper "Certified Pre-Owned: Abusing Active Directory Certificate Services" by Will Schroeder and Lee Christensen showcased new attack vectors through which an attacker can gain domain administrative rights. [1]
4/ Attackers (and we as defenders!) can use the Certify tool published by @SpecterOps to find vulnerable certificate templates.

Below are parts of a vulnerable certificate template (from [2]).
5/ In the screenshot above, we see ENROLLEE_SUPPLIES_SUBJECT, which means the requester supplies the subject (and subject alternative name) of the certificate. A user requesting a certificate based on this template can therefore request one for any other account, including domain admins! 🤯
6/ Client Authentication under PkiExtendedKeyUsage means that a certificate issued from this template can also be used to authenticate to Active Directory (e.g. to obtain a Kerberos TGT via PKINIT), not just to sign or encrypt.
7/ Based on "Enrollment Rights: NT Authority\Authenticated Users", any authenticated domain user (or computer) can enroll and obtain a certificate from this template.
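The three template properties from tweets 5 to 7 are what an auditor checks for; as an added example (not code from the thread, from Certify or from the whitepaper), the check below encodes them the way they live in AD: the msPKI-Certificate-Name-Flag bitmask, the pKIExtendedKeyUsage OID list and Certificate-Enrollment ACEs on the template object. It also applies the two further ESC1 preconditions the whitepaper lists (no manager approval, no authorized signatures required), and compares the vulnerable template against a hardened copy. The attribute names, flag values, OIDs and well-known SIDs are real; the record layout, the domain SID and the template names are constructed for the example and would come from an LDAP query of the Certificate Templates container in practice.

```python
"""Flag AD certificate templates that match the ESC1 pattern (constructed records)."""
from dataclasses import dataclass, field

# msPKI-Certificate-Name-Flag bit: requester supplies the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: CA manager must approve each request.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let a certificate authenticate a principal to AD (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Extended right GUID for Certificate-Enrollment on a template object.
ENROLL_RIGHT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"

# Principals that effectively mean "every domain user or computer".
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}          # Everyone, Authenticated Users
LOW_PRIV_RID_SUFFIXES = ("-513", "-515")         # Domain Users, Domain Computers


@dataclass
class Template:
    """Subset of a pKICertificateTemplate object; field names are ours, not LDAP's."""
    name: str
    name_flag: int                 # msPKI-Certificate-Name-Flag
    enrollment_flag: int           # msPKI-Enrollment-Flag
    ra_signature: int              # msPKI-RA-Signature (authorized signatures required)
    ekus: list[str] = field(default_factory=list)   # pKIExtendedKeyUsage; empty = any
    # Allow ACEs as (trustee SID, object-type GUID); "" = full control / all rights.
    allow_aces: list[tuple[str, str]] = field(default_factory=list)


def is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or sid.endswith(LOW_PRIV_RID_SUFFIXES)


def low_priv_enrollers(t: Template) -> list[str]:
    """Broad groups holding the Enroll right (or full control) on the template."""
    return sorted({sid for sid, guid in t.allow_aces
                   if is_low_priv(sid) and guid in ("", ENROLL_RIGHT_GUID)})


def allows_client_auth(t: Template) -> bool:
    # An empty EKU list means the certificate is valid for any purpose.
    return not t.ekus or bool(AUTH_EKUS & set(t.ekus))


def esc1_findings(t: Template) -> list[str]:
    """ESC1 preconditions the template satisfies; all five must hold to be exploitable."""
    checks = {
        "ENROLLEE_SUPPLIES_SUBJECT": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "client auth EKU": allows_client_auth(t),
        "low-priv enrollment rights": bool(low_priv_enrollers(t)),
        "no manager approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures": t.ra_signature == 0,
    }
    return [name for name, hit in checks.items() if hit]


def is_esc1(t: Template) -> bool:
    return len(esc1_findings(t)) == 5


# Constructed samples. The first mirrors the template from the thread's screenshot;
# the second is the same template after hardening: the requester may no longer
# supply the subject, and manager approval is required.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # made-up domain SID
COMMON_ACES = [("S-1-5-11", ENROLL_RIGHT_GUID),         # Authenticated Users: Enroll
               (DOMAIN + "-512", "")]                   # Domain Admins: full control

VULNERABLE = Template("User-Custom", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
                      enrollment_flag=0, ra_signature=0,
                      ekus=["1.3.6.1.5.5.7.3.2"], allow_aces=COMMON_ACES)
HARDENED = Template("User-Custom-Hardened", name_flag=0,
                    enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS, ra_signature=0,
                    ekus=["1.3.6.1.5.5.7.3.2"], allow_aces=COMMON_ACES)


def audit(templates: list[Template]) -> dict[str, list[str]]:
    """Map template name -> satisfied ESC1 preconditions, for the exploitable ones only."""
    return {t.name: esc1_findings(t) for t in templates if is_esc1(t)}


if __name__ == "__main__":
    for name, hits in audit([VULNERABLE, HARDENED]).items():
        print(f"ESC1: {name}: {', '.join(hits)}")
```

Either of the two hardening changes alone breaks the chain: clearing ENROLLEE_SUPPLIES_SUBJECT stops the requester from naming a domain admin in the SAN, and manager approval puts a human between request and issuance. Removing Authenticated Users from the enrollment ACL is the third lever.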
8/ Further details and more profound descriptions can be found in [2]. 📖
9/ "Once the vulnerable certificate template has been identified, we can request a new certificate on behalf of a domain administrator using Certify." [2]
10/ "Once we have the certificate in cert.pfx, we can request a Kerberos TGT for the user for which we minted the new certificate." [2]
11/ In a nutshell - it's practically game over at this point.

More attacks against vulnerable templates and CA configurations exist than the one outlined here (ESC1 in the whitepaper's numbering; check the original whitepaper from SpecterOps), and research in this area is ongoing.
12/ In our AD assessments, we regularly find vulnerable certificates.

In discussions with customers, it becomes clear that this topic is still too little known among administrators and IT security personnel.

A circumstance that needs to be changed.
13/ As always, we cannot protect our networks 100%, but we should raise the bar as high as possible, eliminating vulnerable certificates and misconfigurations in our AD Certificate Services.
