If anyone else was having nightmares with client certificates using #workspaceOne and #ADCS for certificate enrollment:
If you have an account for your certificate enrollment, it needs permissions to the AirWatch Cloud Connector user folder as well after their latest update.
I added the SVC account we use for certificate enrollment to the administrators group of the connector box, and that resolved our client enrollment issues.
Windows Server: securing RDP connections with a certificate (ADCS) https://www.it-connect.fr/securite-windows-server-certificat-rdp-adcs/ #ActiveDirectory #WindowsServer #Sécurité #ADCS #RDP
An interesting post around #ADCS #ActiveDirectory #CertificateServices validation and concerns around it https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-nightmare-of-validating-certificate-requests/ba-p/3743769
The Locksmith Active Directory (AD) Certificate Services (CS) remediation tool has been updated: https://github.com/TrimarcJake/Locksmith
New features:
- Support for Restricted Admin Mode. If RAM is detected, Locksmith will ask to be re-run using the -Credential switch.
- If the AD Powershell module is not installed on Win 10/11, Locksmith will attempt to install it for you.
Note: previously only available on server-class OSes.
- New functions for checking user type and elevation status.
- Auto-generated snippets for ownership issues (a subset of ESC4/ESC5).
- Support for non-English Active Directory environments!
Next planned updates:
- Add individual CA Hosts to $SafeUsers using SIDs.
- Perform additional environment checks before attempting to run.
- Rename modes to something that makes sense.
#IAM #IdentitySecurity #CertificateServices #ActiveDirectory #ActiveDirectoryCertificateServices #ADCS #PKI #Locksmith #OpenSource #DefensiveSecurity #DefensiveSecurityTooling #Pizza
Happy Monday, folks! It's time to shake off the cobwebs, so strap yourselves in and get your reading glasses out - here's a wrap-up of the week's infosec news, just for you: https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4fe
Australia's mandatory reporting laws for Critical infrastructure operators got its first win last week, with the CISC revealing 47 cyber incidents were reported in the 8 months to December last year. Congrats, but what does that actually mean?
#GoDaddy finally twigged to a multi-year compromise of their networks, after users reported odd redirects impacting their website visitors. Turns out they'd likely been owned since at least March 2020, and appear to have failed to evict the attackers at least twice.
Havoc is the latest C2 framework to be thrown in anger, this time against a government target and in a multi-staged delivery chain which featured several evasive measures. Seems like Sliver and Brute Ratel may soon be in good company!
Symantec researchers have unearthed Frebniis - a stealthy IIS backdoor, novel for its hooking of a legitimate feature to covertly intercept attacker tasking.
A number of critical bugs in #Fortinet, #Apple, and #Citrix have been squashed - just make sure you know which ones, and apply those patches!
#redteam members are in for a treat, with a new Nim-based implant to play with and the OffensivePipeline tool to help automate obfuscation.
The #blueteam can look forward to a detailed look at attacks on #ESXi and how to mitigate them, as well as Hunt recommendations for evilginx2, and an update to Microsoft #Defender for Identity to help identify #ADCS abuse.
As always, there are literally dozens more research articles on threat actor activity and tradecraft that I can't summarise here, so make sure you take a look at this week's issue of SOC Goulash and get yourself up to speed!
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-4fe
#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #SliverC2 #BruteRatel #criticalinfrastructure
Hey #fediverse
Do you administer/secure/have access to a non-English Active Directory + AD Certificate Services environment? I made some updates to Locksmith last week to improve results in non-English ADs, but I don't have one of my own to test with.
If you can test for me, I will buy you a beer/soda/drink of your choice!
#Locksmith #ADCS #ActiveDirectory #CertificateServices #IAM #PKI
RT @g0h4n_0
📜ADCS module for #RustHound 🦀is out (v1.1.0)
⚙️ Collect CA and Templates for @ly4k_ BloodHound version
⚙️ Or like #Certipy collect CA and Templates for official BloodHound version
https://github.com/OPENCYBER-FR/RustHound#module-adcs-collector
#RustHound #certipy #infosec #pentest #activedirectory #adcs
CertPotato – Using #ADCS to #privesc from virtual and network service accounts to local system
#adcs #privesc #infosec #cybersecurity #redteam #pentesting
Great update on #Certifried and the various #security #vulnerabilities in #ActiveDirectoryCertificateServices #ADCS including additional vulns in #CES and #SCEP
#Certificates and Pwnage and Patches, Oh My! https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d
Locksmith has been updated: https://github.com/TrimarcJake/Locksmith
New features:
- Improved on-screen explanation of what the script is doing
- Improved output formatting
- Confirmation now required before the AD CS environment is changed
- If Locksmith changes your environment, a script is created to easily revert those changes.
- Fewer false positives
- If Active Directory module is not installed, Locksmith will attempt to install it for you.
Next planned updates:
- Strict Mode support
- RDP Restricted Admin support
#IAM #IdentitySecurity #CertificateServices #ActiveDirectory #ActiveDirectoryCertificateServices #ADCS #Locksmith #OpenSource #DefensiveSecurity #DefensiveSecurityTooling #Pizza
Hi. I'm Jake. I'm a recovering sysadmin now working in identity security. I'm a husband, dad, wannabe powerlifter, and blue teamer for life. I enjoy figuring out how stuff works by getting my hands dirty. I maintain the Locksmith AD CS remediation assistant https://github.com/TrimarcJake/Locksmith
Current areas of focus: improving internal tooling, AD CS security, Protected Users group evangelism
#introduction #activedirectory #adcs #identity #identitysecurity #iam #locksmith #certificateservices #blueteam
At Wild West Hackin' Fest this year, my coworker Jake Hildreth gave a talk in the ToolShed track where he released his new #ActiveDirectory Certificate Services tool Locksmith.
Trimarc has posted his slides along with a brief blog on his new tool: https://www.hub.trimarcsecurity.com/post/wild-west-hackin-fest-toolshed-talk-locksmith
Locksmith is PowerShell tooling that:
-Scans your AD CS environment.
-Finds vulnerable configurations & reports on them.
-(PSPKIAudit, Certify, Certipy all already do this stuff.)
-Remediates.
The remediate bit is the really important bit here, and something the other tools, built around auditing and attacking the AD CS issues and misconfigurations laid out in SpecterOps' Certified Pre-Owned, do not do.
If you want to go straight to the Locksmith code, here you go: https://github.com/TrimarcJake/Locksmith
Locksmith is under continuous development and will be improving over time.
#activedirectory #adcs #locksmith #pki
📒 Enabling ADCS Audit and Fix Bad Configs
Auditing is not enabled by default in AD CS. For some mysterious reason, Microsoft has decided to not enable AD CS auditing OOB.
To find the issue, run this command on every one of your CAs:
certutil -getreg CA\AuditFilter
To enable all auditing, do this:
certutil -setreg CA\AuditFilter 127
net stop certsvc
net start certsvc
You'll also need to enable the Certificate Service advanced auditing subcategories in a GPO linked to the OU containing your CA host objects (Figure 1). Lastly, enforce the advanced auditing subcategories! All of your previous work will be for naught if you don't enforce (Figure 2).
Fix for AD CS Templates with Bad Configs:
https://github.com/trimarcjake/adcs-snippets#fix-1-for-templates-with-bad-configs---remove-ability-to-set-a-san
#blueteam #recommendations #audit #adcs
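The two checks above (the AuditFilter registry value on each CA and the "Certification Services" advanced audit subcategory on the CA host) can be run across every enterprise CA in the forest in one pass. The PowerShell below is an added example, not code from the original post or from the Locksmith project: it discovers the CAs from the Enrollment Services container, reads each CA's AuditFilter through certutil, checks the subcategory with auditpol over remote PowerShell, and, only when -Fix is given, sets AuditFilter to 127 and restarts certsvc. It assumes the caller has CA administrator rights and can run Invoke-Command against the CA hosts; the -Fix switch and the output property names are this example's own.

```powershell
<#
Added example (not from the original post or from Locksmith): report and
optionally fix the AuditFilter on every enterprise CA in the forest.
127 (0x7f) enables all seven CA audit categories. Assumes CA administrator
rights and PowerShell remoting to the CA hosts.
#>
[CmdletBinding()]
param(
    [switch]$Fix   # assumption: only change AuditFilter and restart certsvc when given
)

# Every enterprise CA is published as a pKIEnrollmentService object in the
# configuration partition; dNSHostName is the CA host and cn is the CA name.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = [ADSISearcher]'(objectClass=pKIEnrollmentService)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

foreach ($result in $searcher.FindAll()) {
    $caHost = [string]$result.Properties['dnshostname'][0]
    $caName = [string]$result.Properties['cn'][0]
    $config = "$caHost\$caName"

    # certutil prints the DWORD as hex followed by the decimal in parentheses,
    # e.g. "AuditFilter REG_DWORD = 7f (127)". No parseable value is treated as 0
    # (no CA auditing at all).
    $regOut = (& certutil -config $config -getreg CA\AuditFilter 2>&1) -join "`n"
    $current = 0
    if ($regOut -match 'AuditFilter\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        $current = [Convert]::ToInt32($Matches[1], 16)
    }

    # The CA only writes events to the Security log when the
    # "Certification Services" advanced audit subcategory is enabled on the host.
    # auditpol /r emits CSV; "No Auditing" in the Inclusion Setting column means off.
    $auditPol = Invoke-Command -ComputerName $caHost -ScriptBlock {
        (& auditpol.exe /get /subcategory:'Certification Services' /r) -join "`n"
    }
    $subcategoryOn = ($auditPol -match 'Certification Services') -and
                     ($auditPol -notmatch 'No Auditing')

    [pscustomobject]@{
        CA                   = $config
        AuditFilter          = $current
        AllCategoriesEnabled = ($current -eq 127)
        CertSvcSubcategoryOn = $subcategoryOn
    }

    if ($Fix -and $current -ne 127) {
        & certutil -config $config -setreg CA\AuditFilter 127 | Out-Null
        # The CA reads AuditFilter at service start, so restart it remotely.
        Invoke-Command -ComputerName $caHost -ScriptBlock { Restart-Service -Name certsvc }
        Write-Host "Set AuditFilter=127 on $config and restarted certsvc"
    }
}
```

Run it without -Fix first and review the table; a CA with AuditFilter 127 but CertSvcSubcategoryOn false still produces nothing in the Security log, which is the situation the post warns about. The script only reports the subcategory state, it does not set it: that belongs in the GPO linked to the CA OU, together with the "force audit policy subcategory settings" option, so a later GPO refresh does not silently revert it.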
Abuse AD CS via dNSHostName Spoofing
This blog covers the technical details of CVE-2022-26923, the Active Directory Domain Services Elevation of Privilege Vulnerability via AD CS dNSHostName spoofing.
When you have SYSTEM on server/workstation:
https://gist.github.com/Wh04m1001/355c0f697bfaaf6546e3b698295d1aa1
*DNSHostName Spoofing combined with KrbRelayUp*
Domain user to domain admin without the requirement for adding/owning previously a computer account. Step-by-step write-up of the attack in a pure Windows environment.
https://gist.github.com/tothi/f89a37127f2233352d74eef6c748ca25
#redteam #relay #ldap #privesc #adcs #ad