Critical Active Directory Certificate Services vulnerability and how to mitigate it


On Friday, July 23, the world found out about the new Active Directory Certificate Services (AD CS) domain admin vulnerability. It is rated critical and can enable a malicious actor to completely take over a Windows domain that runs the AD CS service.

In essence, it is a chain vulnerability that boils down to an issue in relaying NTLM authentication (and this isn't the first time that this has happened).
Infigo IS' Security Assessment and Protection team tested how the vulnerability works and in three steps were able to take control of the domain.

The first step is provoking arbitrary NTLM authentication from the target machine with the tool PetitPotam.
The second step is relaying that authentication to the Active Directory Certificate Services web enrollment interface hosted on IIS, using Impacket.
The third step is using the tool Rubeus to fetch a Kerberos TGT (Ticket Granting Ticket) with the obtained certificate, and that is it.

If the machine in question is a domain controller, the attacker has fully compromised the domain.

How to mitigate the vulnerability?

Depending on how Active Directory Certificate Services is used, organizations can disable NTLM authentication on the IIS server. If the organization doesn't need IIS on the certificate authority, it should be removed completely.
Organizations should also use host-based firewalls to limit connectivity as much as possible, and ask themselves whether their domain controllers need to make outbound connections to port 445, and whether their workstations need to allow inbound connections on port 445.

Detection

If organizations want to check whether they were attacked, they should look for events with Event Code 4768 (TGT request) where the Certificate Information section contains data (Certificate Issuer Name, Serial Number and Thumbprint), indicating that a certificate, rather than a password, was used for the request.

For Splunk users the search in question is quite simple:
index=windows EventCode=4768 Certificate_Issuer_Name=*
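For teams that do not run Splunk, the same check can be done directly over exported Security log XML. The following is an added example (not code from Infigo IS or from this article) that parses Event ID 4768 records in the standard Windows event XML format, keeps only the requests where the certificate fields are populated, and flags machine accounts (names ending in "$"), since a domain controller's own account requesting a TGT with a certificate is the tell-tale sign of this attack. The field names CertIssuerName, CertSerialNumber and CertThumbprint are the EventData names Windows uses for the Certificate Information section; the three sample events below are constructed for the example and are not real log data.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML, as produced for example by
# Get-WinEvent ... | ForEach-Object { $_.ToXml() }
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # 1: ordinary password-based TGT request by a user, certificate fields empty
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2021-07-23T10:14:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="IpAddress">::ffff:10.0.0.21</Data>
    <Data Name="CertIssuerName"></Data>
    <Data Name="CertSerialNumber"></Data>
    <Data Name="CertThumbprint"></Data>
  </EventData>
</Event>""",
    # 2: certificate-based TGT request by the domain controller's machine account,
    #    i.e. what the relay-then-Rubeus chain described above leaves behind
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2021-07-23T10:15:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">DC01$</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="IpAddress">::ffff:10.0.0.50</Data>
    <Data Name="CertIssuerName">corp-CA01-CA</Data>
    <Data Name="CertSerialNumber">1A00000000B0</Data>
    <Data Name="CertThumbprint">0000000000000000000000000000000000000000</Data>
  </EventData>
</Event>""",
    # 3: some exporters write "-" instead of an empty element for unused fields
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2021-07-23T10:16:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">bob</Data>
    <Data Name="CertIssuerName">-</Data>
    <Data Name="CertSerialNumber">-</Data>
    <Data Name="CertThumbprint">-</Data>
  </EventData>
</Event>""",
]


def parse_security_event(xml_text):
    """Flatten one Windows event XML record into a dict of its fields."""
    root = ET.fromstring(xml_text.strip())
    event = {
        "EventID": (root.findtext("e:System/e:EventID", namespaces=EVENT_NS) or "").strip(),
        "TimeCreated": root.find("e:System/e:TimeCreated", EVENT_NS).get("SystemTime", ""),
    }
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def is_certificate_tgt_request(event):
    """True when a 4768 TGT request carries certificate information.

    Both an empty element and the "-" placeholder mean "no certificate"."""
    issuer = event.get("CertIssuerName", "")
    return event.get("EventID") == "4768" and issuer not in ("", "-")


def find_certificate_tgt_requests(xml_events):
    """Return a summary of every certificate-based TGT request in the input."""
    hits = []
    for xml_text in xml_events:
        event = parse_security_event(xml_text)
        if not is_certificate_tgt_request(event):
            continue
        account = event.get("TargetUserName", "")
        hits.append({
            "time": event["TimeCreated"],
            "account": account,
            # Machine accounts end in "$"; a DC account here deserves immediate attention.
            "machine_account": account.endswith("$"),
            "issuer": event["CertIssuerName"],
            "serial": event.get("CertSerialNumber", ""),
            "thumbprint": event.get("CertThumbprint", ""),
            "source_ip": event.get("IpAddress", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in find_certificate_tgt_requests(SAMPLE_EVENTS):
        print(hit)
```

In environments that use smart cards or Windows Hello for Business, certificate-based 4768 events are normal for user accounts, so the machine_account flag is what separates the interesting hits from routine PKINIT logons; the issuer, serial number and thumbprint identify the certificate to revoke at the CA once an incident is confirmed.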


What was the course of action for Infigo IS?

Our security team has analyzed the vulnerability and published what it does, how it does it, and how to mitigate it. There is also a Microsoft security advisory on the issue.
Our Infigo SIEM, and with it our Security Operations Center (SOC), has implemented an alert that detects this attack.

As always, we recommend that you keep an eye out for the latest security bulletins, and keep your systems up to date.

If you would like to know more about Infigo IS' products and services that will help you with your security posture, and information security in general, you can contact us at info@infigo.hr or call us at +385 1 4662 700.