APT
Domain Admin in only 5 minutes via Name Impersonation (CVE-2021-42278) Before patch, there was a weird behavior on the KDC. When requesting a service ticket, if the KDC wasn't able to find the user behind the TGT, it would make another lookup, but this time…
An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278
This post provides Splunk SPL queries for detecting the attacks described in Charlie’s blog, using only Windows Security Log events from a domain controller. Furthermore, this post only examines a subset of the Windows Event logging data source
https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278
#ad #pac #s4u2self #research #escalation
This post provides Splunk SPL queries for detecting the attacks described in Charlie’s blog, using only Windows Security Log events from a domain controller. Furthermore, this post only examines a subset of the Windows Event logging data source
https://www.trustedsec.com/blog/an-attack-path-mapping-approach-to-cves-2021-42287-and-2021-42278
#ad #pac #s4u2self #research #escalation
TrustedSec
An 'Attack Path' Mapping Approach to CVEs 2021-42287 and 2021-42278
Figure 1 - CVE 2021-42287 and 2021-42278 Attack Path 1 Diagram While each detection strives for high fidelity and may be able stand on its own accord,…
Domain Escalation — ShadowCoerce (MS-FSRVP)
Coercing the domain controller machine account to authenticate to a host which is under the control of a threat actor could lead to domain compromise. The most notable technique which involves coerced authentication is the PetitPotam attack which uses the Encrypting File System Remote Protocol (MS-EFSR). However, this is not the only protocol which could be utilized for domain escalation.
Research:
https://pentestlaboratories.com/2022/01/11/shadowcoerce/
PoC:
https://github.com/ShutdownRepo/ShadowCoerce
#ad #escalation #relay #redteam
Coercing the domain controller machine account to authenticate to a host which is under the control of a threat actor could lead to domain compromise. The most notable technique which involves coerced authentication is the PetitPotam attack which uses the Encrypting File System Remote Protocol (MS-EFSR). However, this is not the only protocol which could be utilized for domain escalation.
Research:
https://pentestlaboratories.com/2022/01/11/shadowcoerce/
PoC:
https://github.com/ShutdownRepo/ShadowCoerce
#ad #escalation #relay #redteam