SpecterOps recently released an offensive security research paper detailing techniques that enable an adversary to abuse insecure functionality in Active Directory Certificate Services (AD CS). SpecterOps reports that abusing legitimate AD CS functionality allows an adversary to forge the elements of a certificate and authenticate as any user or administrator in Active Directory.
The techniques give an attacker who already has access to the internal network a trivial means of bypassing domain controls and otherwise secure configurations to gain administrative control of the environment. This is a trivial route to full-scale domain compromise, a catastrophic event for any organisation, in which an adversary could theoretically achieve unending, unlimited persistence in the network. This would be disastrous for any victim: it grants the attacker the ability to freely conduct broader attacks against critical systems and information, and recovering from the compromise requires a full-scale rebuild of every affected domain.
In response, JUMPSEC released defensive guidance that translates this offensive research into defensive measures, so that our clients are protected from these techniques before exploitation is observed in the wild. To do this, we used our Active Directory lab to harden the service, reducing the risk of compromise and limiting an attacker's ability to cause harm.
JUMPSEC has examined SpecterOps’ research and compiled guidance to prepare the defences and harden the configuration of an environment before adversaries have the opportunity to exploit it. We are extremely grateful for the research published by SpecterOps and, as always, we are firm supporters of offensive security research and its role in improving the security baseline for organisations.