
Register for free Black Hat Webinar, September 30 at 11am PST
PLEASE JOIN US FOR THE NEXT INSTALLMENT IN THE BLACK HAT WEBINAR SERIES
Certified Pre-Owned: Abusing Active Directory Certificate Services
Thursday, September 30, 2021
11:00AM - 12:00PM PDT  //  60 MINUTES, INCLUDING Q&A
  Sponsored By:
ServiceNow
Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has largely flown under the radar of both the offensive and defensive realms. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence.

We will present the relevant background on certificates in Active Directory, detail the abuse of AD CS through certificate theft and active malicious enrollments for user and machine persistence, discuss a set of common certificate template misconfigurations that can result in domain escalation, and explain a method for stealing a Certificate Authority's private key in order to forge new user/machine "golden" certificates.

By shedding light on the security implications of AD CS, we hope to raise awareness among attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system.
 
Webcast Presenters
Lee Christensen
Lee Christensen is a technical architect at SpecterOps, where he helps research and develop offensive capabilities for use in penetration tests and red team engagements. He has an extensive background in offensive security, particularly enjoying research of Windows, Active Directory, and the components commonly found inside them. His research has resulted in several CVEs and new offensive tradecraft used throughout the industry. In addition, Lee has contributed to many open-source tools including GhostPack, BloodHound, SpoolSample, UnmanagedPowerShell, and KeeThief.
Will Schroeder
Will Schroeder is a technical architect at SpecterOps, and is an experienced operator/researcher with a focus on red teaming, Active Directory, and offensive development. He has spoken at a number of security conferences spanning from Black Hat to Troopers, and has helped develop a number of offensive projects including BloodHound, the Veil-Framework, PowerSploit, Empire, and GhostPack. He also shares the first CVE for breaking Active Directory Forest Trusts with Lee Christensen.
Karl Klaessig
Karl is ServiceNow’s Director of Product Marketing, Security Operations and has over 15 years of experience in product positioning and marketing of enterprise security platforms, including SIEM, SOAR and endpoint technologies, most recently from Product Marketing roles at RSA and McAfee, where he was responsible for the positioning of their security operations and automation platforms. When not focusing on enterprise security, he can be found hiking and kayaking with his wife Rachel and their six children, yes six – it’s not a misprint!
 
