Luis Rocha

If you have Active Directory Certificate Services (ADCS) in your environment, run Locksmith now! In Active Directory Security Assessments, we have found critical security issues in *most* ADCS configurations. The great thing about Locksmith is that it doesn't just highlight the security issues in your ADCS environment, but also provides the command to remediate it! If you're a pentester/red teamer, Locksmith is great for you to provide remediation recommendations to your customers. https://t.co/vvtBeeMLuR #ActiveDirectorySecurityTip

The domain Kerberos service account, KRBTGT (https://t.co/T3WOILdFs8), is an important account since it is used to sign & encrypt Kerberos tickets. The account is disabled and the password doesn't change except when moving from Windows 2000/2003 to Windows Server 2008 (or newer). This is a highly privileged account and if an attacker can gain knowledge of the account's password hash (or password), they can create forged Kerberos tickets (aka Golden Tickets: https://t.co/WMvjSOIpwm). Most AD forests have this account lingering with old passwords. The KRBTGT account stores two passwords, the current one and the previous one and checks them both to validate Kerberos tickets. This means that to ensure that the KRBTGT passwords are fully changed, the password must be changed twice. If an attacker can capture a DC backup that is as old as one of the KRBTGT account passwords (say 15 years), then they can compromise the environment even if the backup is 15 years old! We can use the "msds-keyversionnumber" attribute to determine how many times the KRBTGT password has changed. The formula n - 2 works to calculate how many times the password has changed. If this value is 2 it hasn't changed since it was originally set when the domain was created. If the value is 9, then it has changed 7 times (9 - 2 = 7). Sometimes this value is very large, like 100003. In that case we just use the last digit (3) to calculate the number of times it has changed: n - 2 = 1, so it has changed 1x. We recommend changing the password once, then waiting at least a week, and then changing the password again. When you set the password, a process on the DC actually changes the KRBTGT password to a fully random password. PowerShell code to report on the KRBTGT account for the current domain: $DomainKRBTGTAccount = Get-ADUser 'krbtgt' -Server $DomainDC -Properties DistinguishedName,'msds-keyversionnumber',Created,PasswordLastSet $DomainKRBTGTAccount | Select DistinguishedName,Created,PasswordLastSet,'msds-keyversionnumber' | Format-Table -AutoSize #ActiveDirectorySecurityTip

Some of the details in this story are just crazy. For instance: "Sophos included in its “hotfix" for the hackers' intrusions additional code that would collect more data from customers' devices. That new data collection revealed that a single Sophos device registered in February of 2020 in Chengdu showed signs of early alterations similar to the Asnarök malware. [...] The company went so far as to track down and monitor the specific devices on which the hackers were testing their intrusion techniques, surveil the hackers at work, and ultimately trace that focused, years-long exploitation effort to a single network of vulnerability researchers in Chengdu, China."