Active Directory Certificates and PKINIT are hot topics these days and our operators at Fortalice have been doing their best to stay on top of the new research and tools. My previous blog touched on PyWhisker and referenced one of its resources available on https://thehacker.recipes. While reading through the documentation there, a note near the bottom caught my eye, which stated: User objects can't edit their own msDS-KeyCredentialLink attribute while computer objects can.
On a recent red team engagement, our team was tasked with focusing on Active Directory Certificate Services (ADCS) exploitation. The objective was to identify certificate template misconfigurations and potentially achieve privilege escalation by abusing them. The concepts and attacks used were based around the work and whitepaper by Will Shroeder (@harmj0y) and Lee Christensen (@tifkin_).
Domain fronting is a generic technique based on HTTPS that allows an actor to hide the true destination of a communication from network equipment in the path. While domain fronting has been used in offensive engagements for several years now, the number of frontable cloud services continues to dwindle. Today, Fortalice is publicly adding another service to that list: Azure Front Door.