Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan

This webcast was originally published on January 9, 2025.

In this video, Kent Ickler and Jordan Drysdale discuss Attack Tactics 9: Shadow Creds for PrivEsc, focusing on a specific technique used in penetration testing services at Black Hills Information Security. They delve into the intricacies of how this local privilege escalation method exploits features in Active Directory to gain unauthorized access. The talk also covers mitigation strategies for these types of attacks, emphasizing the importance of auditing and implementing security measures to prevent exploitation.

  • The webcast focuses on the use of shadow credentials as a technique for local privilege escalation (LPE) in cybersecurity attacks.
  • The technique of using shadow credentials exploits features in Active Directory rather than vulnerabilities, making it a complex but effective method for attackers.
  • Defensive measures such as LDAP signing and channel binding are crucial to prevent abuse of shadow credentials in Active Directory environments.
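The two defenses named in the summary, and revisited by the speakers later in the talk, are both settings on the domain controller. The following PowerShell is an added example, not code from the webcast or from BHIS, that audits a DC for them. It assumes it is run locally on a DC (or wrapped in Invoke-Command), that the registry values behind the Group Policy settings "Domain controller: LDAP server signing requirements" (LDAPServerIntegrity) and "Domain controller: LDAP server channel binding token requirements" (LdapEnforceChannelBinding) are the ones to check, and, as an assumption, that a missing value means the legacy default of "not enforced".

```powershell
# Added example (not from the webcast): audit a domain controller's LDAP
# signing and channel-binding enforcement, then count recent unsigned binds.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    param([string]$Path = $NtdsParams)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # LDAPServerIntegrity: 1 = None, 2 = Require signing.
    # Assumption: an absent value is treated as the legacy default (1).
    $signing = if ($null -eq $p.LDAPServerIntegrity) { 1 } else { [int]$p.LDAPServerIntegrity }

    # LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always.
    # Assumption: an absent value is treated as the legacy default (0).
    $cbt = if ($null -eq $p.LdapEnforceChannelBinding) { 0 } else { [int]$p.LdapEnforceChannelBinding }

    [pscustomobject]@{
        SigningRequired        = ($signing -eq 2)
        ChannelBindingEnforced = ($cbt -eq 2)
        SigningValue           = $signing
        ChannelBindingValue    = $cbt
    }
}

function Get-UnsignedBindCount {
    # Event 2889 in the Directory Service log records a client that bound
    # without signing or used simple bind over cleartext. It is only written
    # when the "16 LDAP Interface Events" diagnostics level is 2 or higher;
    # event 2887 is the daily summary that is logged regardless.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    return @($events).Count
}

$state = Get-LdapHardeningState
$state | Format-List

if (-not $state.SigningRequired) {
    Write-Warning 'LDAP signing is not required: NTLM relay to LDAP (389) is not blocked by this control.'
}
if (-not $state.ChannelBindingEnforced) {
    Write-Warning 'Channel binding is not enforced: NTLM relay to LDAPS (636) is not blocked by this control.'
}
"{0} unsigned LDAP binds logged in the last 24 hours (event 2889)." -f (Get-UnsignedBindCount)
```

Run it on each DC before flipping the policy to "Require signing" / "Always": the 2889 count (or the 2887 summary) tells you which clients would break, which is the audit step the speakers recommend doing before enforcement.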

Transcript

Jason Blanchard

Hello everybody and welcome to today’s Black Hills Information Security webcast. My name is Jason Blanchard. I’m the content & community director here at Black Hills. We don’t have a traditional marketing team. We have a content and community team.

And what that means is we like to create content. We like to bring people together that also enjoy that content, give them a chance to talk to each other about that content. Which is why we have Discord. We have a lot of opportunities for you to get a chance to meet each other.

So we have Kent and Jordan here today doing Attack Tactics 9: Shadow Creds for PrivEsc.

So we have done attack tactics 1, 2, 3, 4, 5, 6, 7, 8 and now 9. I’ve been here for six years. I think we started with like four maybe when I got here six years ago.

So it’s been a long running series. We probably could do one a month if we wanted to. But right now we’re on attack tactics 9 and Kent and Jordan are going to do a deep dive in some of the attacks that we do here at Black Hills as far as our pen testing services.

Now if you ever need a pen test, Red Team, threat hunt, ANTISOC, which is continuous pen testing with your friendly apt group, then where to find us. And with that I’m going to turn it over to Kent and Jordan.

And if you need anything at all, ask in Discord. If you need anything beyond that, ask in Zoom. And we are happy that you’re here today. All right, Kent and Jordan, it’s all yours.

Kent Ickler

Thank you. Jason, you are one of the best. We appreciate everything you do, the community you’ve built and much love sir. Thank you.

Jordan Drysdale

Truly Jason, you’re great. Best. The best.

Jason Blanchard

Good lord.

Jordan Drysdale

So yeah, there have been eight of these prior and they very much are some of the methodology that we use at BHIS for some of our pen tests. Not all of them, not all of our methodologies. But today we’re going to be talking about one specific one that’s been up and coming.

In fact, if you’ve watched some of our recent webcasts, in one of them more recently we talked about a specific attack vector, and we kind of took it from the perspective of a detection and went deep dive into how the detection works.

Now we’re going to deep dive into how the actual attack works.

Kent Ickler

Yeah, the detection there is relatively complicated. We’ll get there toward the end. We’ll talk about that for a moment. So on that webcast we did share some of this methodology with you as well.

But we flew through it, right? The intention of that webcast was to demonstrate detections, talk about defenses, and why this is kind of a relatively insidious attack vector, being a feature and not a vulnerability.

So that webcast is out there too, that talks about the defenses, the detections and what all this is. But here we’re going to talk about this very specifically from an attacker perspective.

And that’s because this is a consistently effective local privesc technique. LPE, we’ll use that acronym a bunch today. This has been around for going on four years now.

And we just like to shout out all the people who have worked on this. Elad Shamir. There’s a whole bunch of people who have written the back end of this. We have some internal personnel who have made this our most commonly used technique for this.

So Gabe, shout out for just basically building and sharing this knowledge with the team, making the entire team aware of its functioning and thus pushing this over the last two years to our number one technique for local privilege escalation.

So here we go. Why this talk? What are some common attack tactics? Shadow creds is one of them. How are they being used? They’re being used to take over your systems and domains. Why the focus on local privilege escalation?

Often because your admins set up stuff and leave credential material lying around on endpoints. So if you can get an endpoint, guess what? That’s step one in moving through domains. Is Microsoft aware of these risks? Yes.

These are not vulnerabilities, these are features. And how do we detect and defend this attack? We’ll kind of wrap the webcast up there. So we’re going to do some swiping right here. You’ve met Kent before. He’s 40ish.

Ethics, disruptor, disruption, instigator, whatever. Speaks his mind very openly and clearly here at the company, which pushes us forward constantly. Trainer, just. You want to describe yourself?

That’s perfect.

Jordan Drysdale

Let’s keep going.

Kent Ickler

Swipe right, here we go. We’re looking for interns. And when we say interns, we prefer you’re in a cyber security program at a college or a university or a two year program. We need people with coding skills.

Right? This is how we kind of grow and get better. And we can share. Kent, I don’t have a whole lot of time to dev, so it’s nice to have someone.

I could say, hey, will you go help me with this little project, reviving Mininet, a 10-year-old dead project. Yeah, sure, got it. Boom. Gets hired. Me, I feel like I’m 67 most mornings when I wake up.

I still laugh when I fart, at 17, right. Like all that stuff, but I’m like somewhere in my 40s so I try to be professional. I’m not very often, but I do like to share knowledge and anyway, swipe right one more.

Again, if you are a student and are looking for things, we truly at times need an intern or two; we’ll build that intern, help grow and go from there.

But anyway, one more swipe right, you want to talk about this? Why shadow creds?

Jordan Drysdale

Why shadow creds?

Kent Ickler

So, and then the next slide is what are shadow creds?

Jordan Drysdale

So okay, so why shadow creds? We’re going to talk about an LPE, right? Local privesc or priv-esc. All right, so there’s lots of different LPEs out there.

There’s been ones that have been out forever and this is one that’s more recent because it is based off a feature, and oftentimes when there are new features that get configured, with them comes possibly the opportunity to exploit that feature for something other than it was intended.

And that’s really what shadow creds are, right? We are going to use what is an attribute in Active Directory for authentication. We’re going to misuse it, we’re going to abuse the feature to be able to do a local privilege escalation.

So a couple different ways we’re going to do that, but we’re going to focus on one way today; we’re going to show you the entire path about how to do that. This is very effective for us. One of the reasons we’re talking about it now, and we talked a little bit about it late last year, was it kind of really came into a lot of attention last year, just like two years ago it was ADCS, right?

So it’s been kind of an ongoing thing where every year we’ve got this new big exploit that becomes kind of the most common path for us to be able to get local priv and compromise domain. So from that perspective, this is one of the most common ones we were looking at last year.

This was a feature that was brought in from the Active Directory schema in 2016. So anything that’s functional level 2016 plus is going to have that. All right.

It’s relatively easy. I mean we’re going to go through some commands today. And you’re like, wow, there’s a lot of pieces to this. But the reality of it is if you take a step back, you realize we’re just abusing a feature.

So kind of take a look at it from that perspective. But we’re going to give the commands and demonstrate it here for you as well. Again, this is our number one LPE for 2024.

Kent Ickler

Yeah. And when we do demonstrate the actual attack, if you subtract all the prep work, the capturing of the GIF and the clicks is like 16 seconds. So you coerce the system, you relay it, you’ve got to start your operational with this attack.

It’s kind of scary. Like a lot of things, once you see NTLM relay dump creds for the first time, you’re like, oh my gosh, wow, that was really easy and really scary and really fast. So anyway, it is relatively easy.

But again, as Kent mentioned, there are some nuances to this attack. So you want to talk about the features please?

Jordan Drysdale

Sure. So let’s talk about shadow creds. Like that’s what we’re talking about is this LPE that’s using shadow creds. And why is it like this shadow cred? Like we think of credentials, we think it’s something typically like username password.

Right. Is a credential and we all kind of recognize that. We can then go on to say like multi factor authentication has that like third component of, of a credential. Right. You need something else. Maybe it’s a one time authentication token, something like that.

So we think of shadow credentials, we’re thinking of a credential that we don’t necessarily see. And the reason we don’t necessarily see it is because although we think of those credentials as usernames and passwords, we know in Active Directory those are stored in attributes.

But they’re relatively obvious to us. Right. Where if we take a step back and think about shadow credentials. Okay, it’s not obvious to us. Why is it not obvious to us? Well, it’s stored in a specific attribute in Active Directory called msDS-KeyCredentialLink. That’s an attribute in Active Directory, 2016-plus functional level.

Now what’s typically stored in there as part of the feature set is the necessary credential components to allow things like Azure AD SSO, passwordless authentication, FIDO2, Windows Hello, Azure AD hybrid devices for SSO again, and device-based authentication.

So it’s essentially an attribute in on-prem Active Directory where you’re able to store this additional credential mechanism, inside of your on-prem Active Directory, for things like Windows Hello.

So because of that this is a feature, remember? And how would a computer be able to manage that? Well for the computer itself to be able to manage that, it has to be able to write into that attribute.

And that’s essentially what we’re looking at here: a computer can write into its own attribute for this, and if we can control the computer and take the context of the computer, we can put anything into that attribute.

So yes, it’s supposed to be an authentication mechanism for the computer, but what if we stuff something else in there that allows us to authenticate besides that? So multiple shadow credentials can be associated with a specific AD object.

So you can’t put just one thing in msDS-KeyCredentialLink. You can, but you can also put multiple, so you can start stacking stuff into msDS-KeyCredentialLink. It’s not one credential that can be stored, it’s multiple.

So when we go through and do this attack, we do require one piece to make this work and that’s HTTP authentication for a relay. And we’re going to set up this relay as part of this demonstration, and so there are multiple components to this related to the local privesc and being able to abuse that to the point that you’re compromising an entire domain.

Again it’s a feature.

Kent Ickler

Whoops. One extra click there. So there’s a but here.

Jordan Drysdale

The privesc part, the local privesc part, the relay part. How do we do it?

Kent Ickler

So it requires a couple of services. On Windows 10 we’re going to lean on the web client service, and we need to manipulate that to start, which is possible as a low-priv user; we’ll show you how to do that. Or if you’re running Windows 11, that coercion doesn’t seem to work as well with web client, or as consistently, where instead if you can coerce EFS, the encrypting file system, to start, you can coerce that service.

Both of those support HTTP authentication when coerced, and thus we’re going to attempt coercion after coercing the services to start with user-land techniques.

Jordan Drysdale

But why do we need those services to start? We do need to think about that. Right? We talk about coercing a service to start because then later on we’re going to coerce that service into doing something else.

Kent Ickler

Yeah, that’s fair. And then we’re going to use this certificate that we now own on a computer object to request a service ticket that we can use to escalate.

Right. Is that the gist of it? Yes, pretty much, yeah. So it’s basically an insidious means of escalating privileges via features. We start some services on an endpoint, we coerce those to run using on-disk stuff, and then, establishing a tunnel, back down that tunnel.

We’re going to send some instructions to those services saying hey, authenticate back to me, thus relaying that back to ldap.

And here’s one of the defenses that we rarely see: LDAP signing and channel binding. You can stop both of these attacks against LDAP/LDAPS with those functional implementations, which is channel binding and LDAP signing.

It’s basically saying I need message integrity on authentication events that happen on my domain controllers. And these are findings we write up on a lot of tests. We have credentials, it’s something we check for, and if you don’t have it, you’re getting dinged for it, because these are features that ensure the authentication material coming back to your domain controllers is indeed valid.

So here’s our lab setup. Pretty high level. You can deploy one of these with a couple of clicks. Now what’s nice is from DoAzLab.com, you’re going to see an ARM template. That ARM template is just a click if you’re in an authenticated session and can create objects.

This is about a $3-per-day lab, or maybe four, somewhere in there. So basically this is the entirety. There’s a couple of Windows VMs you can access via RDP.

On the edge of this cloud infrastructure there’s a Linux box you can also access via ssh. On the edge of this cloud infrastructure on the interior, the Windows systems are on the same subnet and then the Linux box is on a different subnet that has routing capability to that.

So you’ve got an attack rig. You can perform this entire thing with a few clicks on the doazlab.com build. So the overview here is as mentioned, right?

We’re going to establish some tunnels now from the endpoint, we’re going to talk about why we use SSH here in just a minute. But we need a couple of SSH tunnels for tooling and then we’re going to coerce some services.

To start, we’re going to use ntlmrelayx for relay against LDAP. And then we need to relay machine auth, not user auth. We’re going to show you user auth failing because that’s kind of how we coerce one of these services to start.

PetitPotam for coercion. If you haven’t used this tool and you’re offensive, this is something you should probably look at. There’s a few other tools that have kind of followed in its footsteps.

I think Coercer is one of them. But coercion is kind of forced authentication and has become, again, it’s sort of a feature, not a vulnerability.

And while some of the functions that PetitPotam initially took advantage of were unauthenticated coercion, you can still coerce systems and machine authentication with credentials.

We’re going to use PKINITtools for ticketing. We’re going to request an S4U2 service ticket for a privileged user to perform that escalation, and then establish remote command execution, RCE, to actually perform.

Okay, so lab setup. The slide says recuerda este cuenta. Remember this account? So Theodore Nichols is the DA we are going to target.

Why are we going to do that? We need a DA to pick on later. So we’re in setup phase. We’re doing some initial recon or situational awareness, if you will. What box am I on?

Who am I? Who are the administrators of the system? And then we go look who are domain.

Jordan Drysdale

So the nopriv user, for context, doesn’t have any extra privileges; it’s just a domain user. That’s it. Lowest-priv user account in the org.

Kent Ickler

So this is step one, situational awareness. Where am I? Who am I targeting? Is it possible to escape the confines of this system? Now, again, as mentioned, not an admin on the system or the domain.

Jordan Drysdale

We have a no-priv, low-priv user that can log in to WS05.

Kent Ickler

Tunnel number one. Here’s your first couple of commands. Now, they look sort of strange, right?

Jordan Drysdale

Running from the workstation.

Kent Ickler

Yeah, running from the workstation.

Jordan Drysdale

Using native Windows SSH.

Kent Ickler

Native Windows SSH. As you see, right, we create a user on our Linux box out in the cloud somewhere. This IP should not be attacked.

It’s not ours anymore. It was released prior to this slide deck going live.

Jordan Drysdale

Somebody else owns it.

Kent Ickler

Someone else owns it. You do not have permission to go poke at 20.7.32.198 and shouldn’t. It is not ours. Just a reminder, it is illegal to hack systems.

It is a state crime in every state in the US; it is a federal crime. So that means two trips to court should you choose to attempt wiretapping. Now we create two tunnels.

The first tunnel we will use to establish a remote tunnel. This means I want on that far end at the far side of the SSH tunnel where we log in as low priv, open up 9050 and allow me to run tools back down that chain.

This does not open a local socket, this opens a remote socket. So on our SSH server running in the cloud, 9050 is now listening. A quick Google search should tell you that that is Tor; doesn’t matter.

Jordan Drysdale

So okay, for context though, doesn’t matter. Windows workstation, you’re making an SSH outbound connection from Windows to a Linux system that we own. Doesn’t have to be Linux, but in this case it is, and we’re doing that with -R 9050.

So when the connection comes in to OpenSSH on the Linux system, anyone else on that Linux system now will see port 9050 listening, which is actually a port for.

It’s actually a tunnel to the local network of the Windows workstation. Right. So we’re able to now crossfil, exfil, infil into that LAN across the Internet to an untrusted location, just with one command.

So if you’re like, hey, I want to be able to expose my internal network to some server on the Internet, there you go, we’re doing it right because SSH is installed natively in Windows 10 plus now.

Kent Ickler

So. Okay, so do you want to explain that next one? The local port forward. So we’re opening up two ports on this one.

Jordan Drysdale

Yeah. Okay, so this next command we’re going to. So we left that first tunnel running.

Kent Ickler

On the wide open, ready to go.

Jordan Drysdale

In a new window on the workstation, we’re going to open another one, PowerShell; we’re going to run another SSH command. This time we’re going to listen on the localhost, the workstation’s localhost, 127.0.0.1, right.

Localhost on port 80. So on the local workstation for 88 we’re going to listen and we’re going to push that over to port 8080 on the Linux box.

So it’s a little confusing, but keep.

Kent Ickler

Moving. So you can perform this attack. This is where you would start. Establish SSH tunnels. This is C2, this is command and control. So legitimately now we are seeing adversaries using SSH.

And I’m going to be honest, it’s one of the first techniques we’re going to try. Now as testers at BHIS, when we do assumed compromise, when we gain a foothold on an endpoint, if we can SSH out, we have established connectivity via tunneling into your environment and can run tools straight through it.

Now what’s interesting about this is it bypasses a lot of EDR because we don’t have to drop binaries on disk. We just used SSH to escape the confines and trusted binary.

I think this next one says exactly what I’m talking about right now.

Jordan Drysdale

Oh yeah, it’s on disk by default with Windows.

Kent Ickler

Why would we do anything else? Why would we drop malware?

Jordan Drysdale

We don’t have to create malicious payloads anymore to create a C2 channel when we can just use native Windows SSH. Which by the way, if you’re a customer right now thinking, oh my God, what this is here. Yeah, you should have been blocking port 22.

You should have been blocking SSH the entire time.

Kent Ickler

Protocol inspection as well. Right? You’re going to want to look at.

Jordan Drysdale

Your protocol inspection, not just 22 because I’ll just switch it to port 80.

Kent Ickler

When we say malleable port configurations, what we’re saying is we can just move SSH to any socket we want. So if you allow 443 out and that’s it, and you got. Yeah, that’s it. We can just use 443 to escape and we can proxy a lot of the tools.

We say all the tools because of all the things, but we are saying you can proxy a ton of tools back through proxy-based tools. Yes, yes, exactly.

Jordan Drysdale

Which is most of them that we use. Yeah.

Kent Ickler

And so stable, long-time connections. If we run these, and on that Linux box, I don’t even really have to hang out on the endpoint anymore.

I have all the tooling that I’m used to in Linux so I can escape.

Jordan Drysdale

You can have all the endpoint controls on those workstations you want. As soon as we’re able to facilitate that SSH outbound connection and create that tunnel, we’re not even trying to run malware on those workstations anymore.

We’re doing it across that tunnel on a system we control. So if you are allowing SSH outbound connections on any port, that becomes the mechanism for running malicious code because we don’t need to do it on the workstation anymore, we can do it anywhere else via that tunnel.

Kent Ickler

So we need coercible services. Remember we introduced these. The encrypting file system is good for Windows 11 and the web client service, WebDAV, is good for Windows 10; these two services are used and, I guess, abused by us.

If they’re not running, we coerce them to start.

Jordan Drysdale

Also, they’re features.

Kent Ickler

But why these features, Kent?

Jordan Drysdale

Well, okay, you could disable these and you would be disabling features that are components of Windows. And here’s the thing, you might not need these services at all. You may not be using these features if you’re not going to use WebDAV.

You can disable the service in Windows and it won’t automatically start by coercion. And if you’re not using EFS, the exact same thing happens. So those considerations are things that, like, Windows has lots of features.

Active Directory has lots of features. Part of hardening that is to disable the features that you do not need or use.

Kent Ickler

That’s a fact. So what we’re showing you here is that these two services are not started. I’m trying to show you in exactly the same session this entire deck was captured from.

They’re not running now.

Jordan Drysdale

Okay, so clean workstation, we went to services, we looked at these two services that we need to be able to use.

Kent Ickler

We logged into the box, they’re just not running, they’re not running.

Jordan Drysdale

Typically you’d have to be an admin to start these. Right. If you were a local admin, you could just go right click on the service and start and that’s how you could start them. But we can’t do that because we’re using our low priv account. We’re not admins, we can’t start these services.

But in Windows, notice that they show manual, they list as triggered. So if you can create a triggerable event, you can get this service to actually be started by the system.

Kent Ickler

Yeah, and two questions here that we’re going to address right now. Why not? But wouldn’t EFS usually be a good thing? And I asked Kent this question last night.

Jordan Drysdale

Yeah.

Kent Ickler

Yes, of course it is. Which is why we can start it in userland, because it’s necessary at times. Right. I want to create an encrypted file on my desktop.

You can’t. Yeah, you can, but you can’t go start the service manually. You have to trigger it.

Jordan Drysdale

Trigger it.

Jason Blanchard

Right.

Jordan Drysdale

Which you can as a low privilege user.

Kent Ickler

Yeah, exactly. And same with web client. Gabe has some really scary tricks on this one where you could put a file in a share and that starts the service automatically.

I don’t have that link handy, but I might find it after. Regardless, are there any services on modern Windows Server builds that can be used for coercion?

And I think the theory here is that. Have you tested from server desktop?

Jordan Drysdale

Huh, no, we typically haven’t because we’re always focusing on that lowest workstation point of view.

Kent Ickler

But yeah, I would hate to answer.

Jordan Drysdale

That the services are going to be.

Kent Ickler

There, but they may be. Say, yeah, I mean, of course, and be wrong. So what I have seen in testing is, let’s say we’re running on a subnet, and on that subnet we launch mitm6.

We get some hosts talking to us with IPv6. They start sending us DNS queries.

After a machine accepts our offer, basically saying a user had a browser running, the browser sent some broadcasts, we say, yes, 100%, you can have this auto proxy configuration file.

The machine will submit creds. So I have used that to get shadow credentials in AD. So it’s basically like I’m prepped and ready on this subnet to target shadow credentials on the domain.

And so in theory, if you have users browsing on remote desktop, my guess is we can still do this through attacks like WPAD and some combination of DNS poisoning.

And I will honestly, look into this. That’s just. It’s a great question that I don’t want to answer correctly.

Jordan Drysdale

But to expand on that, also mention that domain users typically have RDP access to servers. And of course the.

Kent Ickler

Well, think about like you should client your domain user.

Jordan Drysdale

Think about thin clients. That’s fair.

Kent Ickler

So if you’re publishing desktops, you’re not publishing Windows 10 desktops. Usually I’m building a server infrastructure, user profiles, and then pushing people who log into thin clients a desktop image.

Jordan Drysdale

If your domain users can log into any system by rdp, you’re doing it wrong. Domain users should not be. No, they have not.

Kent Ickler

Absolutely not.

Jordan Drysdale

Okay, but by default they are.

Kent Ickler

So here’s that triggerable event. Here’s what we’re talking about. So the first one, remember, like the EFS is good for Windows 11. This works effectively and consistently on Windows 11.

Create a file on your desktop, go to the advanced properties of that file, check the box to encrypt it, and boom. EFS is running just like that.

That’s awesome. We did that in the background. We’ve already got the tunnel established and now we have a coercible service.

Jordan Drysdale

I looked away and now the service.

Kent Ickler

Is running just like that. I mean, it is that simple. Triggered. Yeah, yeah, yeah. RoboCop is triggered and Discord is distracting a little bit.

Jordan Drysdale

Oh man. What about the other one? We had another service we wanted to start somehow. With your turn. All right, so yeah, we’re going to start ntlmrelayx, but we’re going to tell you why in a second. Aside from that though, we’re going to go into Windows, we’re going to go into our user account attributes.

And what we want to do is we want to change the little avatar picture of who we are. And when we do that we’re going to type in some path. We’re essentially looking at localhost on port 8080. Of course that’s going to get forwarded to ntlmrelayx, but we just want to put in some file in there.

So file.jpeg, the file doesn’t exist. It doesn’t matter. But because we’re spinning that \\localhost@8080\test, what that’s going to do is it’s going to coerce WebDAV to start.

Kent Ickler

Yeah, here, remember, remember this? SSH tunnel?

Jordan Drysdale

I used the wrong word.

Kent Ickler

I said coerce. Listening on localhost, so we can throw auth requests.

Jordan Drysdale

I forgot that it’s a feature. I said coerce. I actually meant trigger. We’re going to trigger the service to start.

Kent Ickler

That’s fair. We are creating a trigger through coercion.

Jordan Drysdale

We’re using the services just like they were intended, kind of. All right, so we do that. It is a feature. We do that. All of a sudden, the service starts and we keep on moving forward.

Kent Ickler

What happened in the background? What did we do? Why did we start a listener on 8080?

Jordan Drysdale

So what happened there is, of course, when we put that \\localhost@8080, the system opening the browser there is trying to go to that path to find that file in the background.

Mind you, we’ve got ntlmrelayx. That port forwarded that off to our Linux system. So ntlmrelayx on that Linux system just had some sort of activity happen where it was listening and it just got an SMB protocol connection to do something, looking for file.jpeg, which didn’t exist, but that’s okay.

But the connection got routed to that Linux system where we have ntlmrelayx running.

Kent Ickler

This is so distracting. It’s so great though, truly. And next up, so what happened there? We’re going to think this through one more time. So out on our Linux box, which you see here, we launched ntlmrelayx as listed in the slide prior.

So on the far end of our tunnels we run the ntlmrelayx command, right? We got 8080 listening, and we perform this little trigger event and we get authentication.

Except we could not modify those. Right.

Jordan Drysdale

So the Linux server got an inbound SMB connection on port 8080, which was received by ntlmrelayx.

Kent Ickler

Correct. Actually, it got an inbound HTTP request.

Jordan Drysdale

Thank you.

Kent Ickler

Right. Not SMB. What we got was user authentication. This came from user land. Right. So I’m a user. I’m performing some activity. I say, hey, Windows, can you go do this thing on my behalf?

It submits user creds, and a user on a desktop should never be able to write to key cred. Right, that’s just. It would be no longer a feature and much more in the land of vulnerabilities should users be able to update this at will.

But what we see is failed authentication, attempting to relay the user’s authentication to update the key cred. And we expected that.

Jordan Drysdale

Yep. So when we had ntlmrelayx try to do that work to stuff a credential into msDS-KeyCredentialLink, it basically said, no, you don’t have authorization to do that.

Kent Ickler

The no-priv user that submitted that authentication does not have the rights. Shoot.

Jordan Drysdale

It didn’t work.

Kent Ickler

It didn’t, but. But the service got triggered.

Jordan Drysdale

That’s good. We got somewhere.

Kent Ickler

Trust the process.

Jordan Drysdale

Trust the process.

Kent Ickler

I hadn’t heard that yet.

Jordan Drysdale

So we triggered the service to start. The web client now is running, which is excellent. That’s what we were looking for, right? Yeah.

Kent Ickler

Oh, 100%. What you can do with that, if you haven’t seen these things: those two coercion tricks are relatively straightforward, easy to use. You can start these services on any box you have access to.

In theory. Right. WebClient still runs on Windows 11. Checked this morning. Still runs on Server. Is this available on Server?

Server builds, WebClient service? Yeah, I assume so.

Jordan Drysdale

Anything with desktop components will be. Probably not Windows Core, but it might be there. I don’t know. Does anybody? Hey, listen, there’s not supposed to be a GUI on.

Yeah, there’s not supposed to be a GUI on domain controllers. Darn it.

Kent Ickler

Wow. All right, all right. So, okay, we’re going to take a deep breath here. We’re going to just recap. So we’ve established a couple of tunnels outbound from our endpoint with SSH.

Two tunnels, remember. Right. One is going to relay 8080 for us. One is the proxychains listener, 9050, which is on by default in the configuration file.

Jordan Drysdale

That’s going back into.

Kent Ickler

We’re going to shovel stuff down our tunnel. Okay. And so what we see here is we’re going to relaunch ntlmrelayx.

With this listening and running, we are going to perform coercion. And so PetitPotam, a fantastic tool used on most BHIS pen tests that are assumed compromise or red team.

Internals, where we get footholds. We’re going to attempt this on internal testing where we get a list of DCs, we do a for-i-in loop and attempt unauthenticated PetitPotam.

And then we may coerce your domain controllers to create certificates for us. Who knows? There’s all kinds of stuff we do with PetitPotam. But you’re going to see this in most BHIS pen test reports.

It’s just one of those tools that is now ubiquitous with our activities as testers.

Jordan Drysdale

So let’s try it. Let’s run those commands.

Kent Ickler

So it is demo time for sure. So watch this. It’s about 16 seconds. We’ve launched ntlmrelayx. We’re going to run PetitPotam. Wow. Holy crap. It’s already done. And we’ve got a device ID and a certificate coercion.

We’re done. Like that’s it. Once the tunnel is up and ready.

Jordan Drysdale

Good job. Webcast over. We got it.

Kent Ickler

Yeah, that’s it, right? Pretty much, kind of. But there’s some more details here. We’re going to talk about what it means. Now we’ve got a PFX file. Great. So what is the PFX file?

The PFX is a certificate file that contains some of the serialized data that came out of the key credential link. And if we go, like, look next. Now we got to go into some relatively complex Kerberos bits to understand all these things.

Jordan Drysdale

We’re going back, looking. So that previous screenshot had the demo. We’re now looking at the components of it.

Kent Ickler

Yeah, exactly. So this one, this top one, is this window here: we catch our first connection, and we’re targeting LDAP that does not have channel binding enabled.

Jordan Drysdale

What did PetitPotam do for us?

Kent Ickler

Oh, yeah, we should look at that.

Jordan Drysdale

Okay, yeah, we got to do that first.

Kent Ickler

Yeah, we’re going to look at this and I’m going to try to pause this before this thing goes again here. Right. And right.

Jordan Drysdale

Okay, so top one, until I’m really accessing.

Kent Ickler

So right here.

Jordan Drysdale

There we go.

Kent Ickler

We’re paused. Now it does some down-the-tunnel stuff. Right. We’re telling PetitPotam, if we look at that command again that we’ve got listed there, which we have in that previous slide as well.

So we’re saying, hey, PetitPotam, go talk to. Gosh darn it, I clicked. Go talk to 127.0.0.1, the target. This is actually the target.

Once we. Oh my gosh, one more time here. Hey, PetitPotam, define this 127.0.0.1@8080 file as a target on this host down the tunnel.

Since we used proxychains, authenticate using this set of credentials here, domain, enumerate all pipes. So what’s happening?

Jordan Drysdale

Outbound connection from PetitPotam across that tunnel we created to the localhost where the tunnel originated, saying, hey, I’m gonna want to make a connection to port 8080 blah on the IP address there.

192.168.2.5 is the workstation. So several components there. What we’re doing is using PetitPotam to coerce, to tell one of those.

Kent Ickler

Services to authenticate back to us over the 8080 tunnel.

Jordan Drysdale

As the computer.

Kent Ickler

As the computer, yes. And so we get a device ID. All right, all right, so what happens? ntlmrelayx catches the response and says, I have a target defined of LDAP 192-16-8824, which is the DC you see in that previous lab, the client requested a service called blah, and we enumerated pipes.

We hit the first one, it worked out fine. Sometimes you do have to enumerate all, sometimes you don’t, doesn’t really matter. But it sends the caught credentials back to the domain controller.

And what happens there is the creation of that key credential link. We’re saying, hey, now that we’ve got the computer authenticating to us, hey, computer, go create your own key cred. Give me a copy of that cert in the process.

And that’s what we get there. So then we’re going to use PKINIT to go get a TGT for the workstation. Kent, we’ve gone back and forth about Kerberos so much.

I seriously still don’t understand how Kerberos works. It’s just that there’s so much to it.

Jordan Drysdale

Okay, the point where you’re not going to get into the details of Kerberos right now, because it could be the entire hour. What we’re going to say is that we’re going to take the credential piece that we received from the computer, and we’re now going to authenticate with it to be able to get a TGT for the additional pieces of Kerberos authentication. I want to summarize it that way, not get into details of it.

One of the questions in Discord is saying, hey, do you have a diagram of all these tunnels? There’s two tunnels. We don’t have a diagram of them, but just two. One of them is essentially listening on the computer for 8080 and then exposing that on the Linux box.

The other one is port 9050, exposing the Linux box’s LAN connection back to the workstation. We will create a diagram for that, but not right now.

Kent Ickler

Yeah, 100%, and that’s it. It’s relatively straightforward if you think about it: I’m sitting on a workstation, I’ve got a Linux system, and I want two separate tunnels listening, one to shovel data intentionally back through.

So a reverse tunnel, that’s the dash R we showed earlier in the slide deck, and I can go back there; we can talk about that again. It doesn’t hurt my feelings at all. The first SSH tunnel again is a reverse listener on 9050.

So that opens a socket on the Linux system that we can shovel proxychains back through. Any TCP-based tool can be shoveled back through 9050. So that is the listener on the Linux system.

The other one is forwarding 8080 locally to 8080 remotely on localhost. Both systems: localhost 8080 to remote system localhost 8080. Two tunnels.

That’s it. As we said, it’s relatively easy and straightforward with some nuances. And again, PKINIT.

This is something a lot of organizations are picking up on. This is something Defender ATP will pick up on. This is a portion of the process where you can get early detections. Now we haven’t really talked about detections, and we’re going to get there toward.

Jordan Drysdale

The end. You should be monitoring your Kerberos. Authentication is the key component there.

Kent Ickler

Wow, look at this. Holy cow, it’s beautiful.

Jordan Drysdale

Well, thank you.

Kent Ickler

Yeah, no doubt. So describeTicket can tell us a little bit about this. Kent pointed out that you could also right-click on that PFX in Windows and say, hey, can I look at the details of this, and you’ll see the same data here.

Now when I say remember the minikerberos AS-REP key, it’s this one right here that you see right above the bottom, AA15E9 blah blah blah.

Those bits are now used and we can unpack the hash. Now we discussed this as well last night, just to make sure we were on the same page about recovering that object’s NT hash.

And really it’s because we now own the object, we can go grab the NT hash of the computer object for use later. However, we’re authenticating with a cert to do so, like a little Kerberos bit.

If my understanding is correct. Now please, if anyone can understand, if anyone can explain this better, please help me understand. My understanding is that it can deserialize a portion of the key credential to recover that NT hash.

Next up, get the S4U2 ticket. This is where we go pick on Theodore Nichols. As mentioned earlier, Ricoha esta cuenta. This means we’re going to pick on Theodore Nichols because we know he’s a domain admin, we know we can pick on him, and we’re ready to go.

So here’s where we say, I’m going to go request a service ticket, a getST S4U ticket. And as mentioned, Theodore Nichols is the DA we’re going to pick on.

We’re requesting a CIFS service ticket on behalf of that DA with the following command. And it’s again relatively nuanced. We’re saying, hey, I want a CIFS service ticket for this user, issued as a ccache file, against that object, the WS05, using that cheese move dog cert, and authenticate against the DC.

So basically.

Jordan Drysdale

Where did Cheese Move Dog come from?

Kent Ickler

That was issued by ntlmrelayx.

Jordan Drysdale

Okay, okay. So it is amazing to.

Kent Ickler

Me, anywhere you run into these eight-character files in Impacket. It has been signatured that if an eight-character random file gets dropped on Windows, antivirus goes, oh, hey, that must be some malicious tool.

Jordan Drysdale

Are you suggesting we should not make any files that are random?

Kent Ickler

Terrible, terrible signaturing. Because now we have figured out there’s a few places in Impacket where we can go encode or code specific file names to avoid these cheesy signature detections.

But that’s just life. Life is hard. EDR is relatively straightforward to bypass in most situations. Especially when you realize, after playing with Impacket secretsdump like 40 times, that an EDR product is just mapping the reg copy operation being dumped into an eight-character file as the vulnerability.

It’s just, it’s crazy.

Jordan Drysdale

All the time spent trying to bypass EDR and now we just make an SSH outbound connection.

Kent Ickler

I don’t know.

Jordan Drysdale

All right, block your SSHs.

Kent Ickler

Yeah, for sure. And protocol inspection, not just block, like, port 22. This is protocol inspection time. So next up again, WMIC. This is something that’s going to get picked up by EDR pretty consistently.

So good luck. There’s a whole bunch of various shells you can use in Impacket. There’s a whole bunch of different ways you can authenticate. It’s just we’re at the point now where we own this box and we’re authenticating with a certificate that belongs to a domain administrator.

So another break. Just taking a quick break here. I do like the term escalatory escalator.

Jordan Drysdale

Escalatory escalator.

Kent Ickler

It’s again kind of a nuanced, like, second phase of this attack chain. This is the difficult part where I’m going to show one slide again. This one, I think every single time I try to use this command I screw up some component in it and make a request.

Or, like, screw something up.

Jordan Drysdale

It takes 16 seconds after the number of tries we make to get it to work.

Kent Ickler

This is going to take me a couple tries to get right, but anyway, here we go. Authenticating without a password using the exported domain administrator ccache file.

And here we go, a quick standard Windows command: net localgroup administrators nopriv /add. Then take a look at the group.

There we are.

Jordan Drysdale

If you see a nopriv user as a domain admin or local admin, in this case a local admin, I mean, you should be monitoring those changes well.

Kent Ickler

On the way to being dead. Okay, I assure you. So go ahead, Kent, your turn. I’ll take a deep breath here.

Jordan Drysdale

That’s how you LPE with an over-privileged computer. It’s not even over-privileged, it’s just privileged. It’s the feature, the shadow credential feature. Okay, so again, remember, the computer account has the ability to shovel things into that attribute.

That attribute is used for authentication and credentials. If we can coerce and get context as the computer, we can put anything we want into that specific attribute, including some sort of other credential mechanism.

So because we control the computer at that point, we’re able to shovel things in there and authenticate as it.

Kent Ickler

So we’re going to stop right here. We’re going to talk about mitigations for a second. The most important one, I guess I’m going to say the two most important, is verifying the integrity of the authentication events that happen on your network.

Meaning for SMB, implement message integrity checks, implement signing, SMB signing. For LDAP, implement channel binding and LDAP signing and enforce it.

Jordan Drysdale

Yeah, so that’s fair, because this was all running default-ish, basically. Right, so these are configurations that were default with Windows 2019, I think it’s 2019, and Windows 10 or 11.

So default configurations. But yeah, if you go through and start hardening these protocols, remember we did authentication relays here. You can prevent that with signing.

Kent Ickler

I won’t be able to authenticate as a machine object that I am not, because I break the MIC in the packet that was authenticated to me. Right. We coerced authentication.

It was sent to me. That would be the end of that valid MIC. As soon as I forward that along, it’s broken. Unless you don’t care about message integrity.

Thus authentication. If you enforce LDAP signing and enforce channel binding, that authentication event won’t happen. And me relaying a computer object won’t happen either, at least successfully.

So this is the end of the webcast, right?

Jordan Drysdale

Yeah, but wait, there’s actually more. This was, like, kind of really complicated, and you said it took 16 seconds, but obviously it actually took us 43 minutes.

Is there a different way to go about doing this that might be faster?

Kent Ickler

Yeah, well, obviously if you have a privileged account laying around, you could just use Whisker. I mean, it’s a really straightforward tool in that this tool was purpose-built for tampering with the msDS-KeyCredentialLink attribute.

So Whisker is awesome. Like, if you have an account that can write to the key cred.

Guess what? There’s purpose-built tools for this. So we just say Whisker add target, and the key cred is updating. It is basically that simple.

So we went through a bunch of trouble to coerce and trigger and coerce some more and relay and then do some stuff at the command line.

What if you just had the privilege and could just operate at the command line as a privileged user? Here you go. Whisker add target. And why is that again? This is a feature. This is something supported by Windows.

This is normal. This is regular behavior.

Jordan Drysdale

It’s a beauty. We’re definitely abusing it. But it is a feature and we.

Kent Ickler

Yeah, we definitely abuse this. I am remiss to not say it’s a vulnerability. It is, it’s a vulnerability.

Jordan Drysdale

The way it’s configured is like ADCS with the ESC1 vulnerability, as it’s also a feature, a possibly missing vulnerable configuration.

Fair.

Kent Ickler

Is that your, is that your take on this?

Jordan Drysdale

Certainly an abused feature. Where do we go from here? All right, let’s go ahead and make sure that our credential we wanted to add in there is there, and we’ve listed it.

Kent Ickler

It.

Jordan Drysdale

It’s there.

Kent Ickler

I couldn’t be more distracted. This is one of the most distracted webcasts I’ve experienced.

Jordan Drysdale

I’m not distracted at all.

Kent Ickler

So, yeah, I mean, we can now list objects as well with Whisker. Whisker list object. We could say some other object out there. As long as the account we’re using to instantiate Whisker has read/write access to the key cred.

There it is.

Jordan Drysdale

How’d you clean it up?

Kent Ickler

The clear command, Ralph. They make it really tough.

Jordan Drysdale

Huh.

Kent Ickler

Huh. So we always include a finding called post-test cleanup. And I shouldn’t say always. We should always include a finding that says go clean up after yourself.

Jordan Drysdale

Yeah, if you have a pen test.

Kent Ickler

Do it for me.

Jordan Drysdale

And they got DA. There’s likely artifacts there that need to be cleaned up. And it’s worth asking, hey, did you guys clean up after yourselves? Is there anything we need to remove that ends up being an artifact that becomes a vulnerability because of its existence?

This isn’t necessarily one of them, but it’s courtesy to clean up after yourself. And this is a way that we’re going to clean up that msDS-KeyCredentialLink.

Kent Ickler

Kent, do you want to talk about how they can check what accounts may have the permission to modify the attribute?

Jordan Drysdale

Yes, you could.

Kent Ickler

Oh, man, this is active drag.

Jason Blanchard

Go ahead.

Kent Ickler

Give us a couple minutes. We’re a little ahead of schedule.

Jordan Drysdale

Okay, so in Active Directory, boy, you can. You could use AD Explorer to do it. You’d want to go into the schema. Actually, use AD Explorer to do it. Yep. AD Explorer. Do it. Go and turn on advanced features.

Go into the schema and look for the specific attribute inside of the schema in AD Explorer, and you will see an SDDL, which basically configures what different accounts can modify this attribute across the domain.

Of course, that SDDL will also have an ACE in it, which is.

Kent Ickler

What’s an SDDL?

Jordan Drysdale

Oh, man.

Kent Ickler

What’s next?

Jordan Drysdale

Oh, no. Security defined something language. It’s been a bit, hasn’t it? Oh, thanks for that. Someone will get it for me. If you’re wondering why we’re bringing up these acronyms, watch the other webcast about this, where we talk for an entire hour about these acronyms and how to do exactly what Jordan’s asking.

That is, to control what objects can actually change this attribute and then what objects can also audit this attribute, which is kind of the next thing we’re going to talk about here in a little bit: auditing this attribute.

Because how does any of this happen? By default in Windows, msDS-KeyCredentialLink is not audited. So if you shovel credentials into that, you will never know.

Kent Ickler

Never know. Blind, completely blind. And event ID 5136 you’re not going to see, because it’s not audited by default and you have to define that.

So if you want to clean this up with PowerShell, one of the things is a really straightforward command. Again, Set-ADObject, the identity, and then -Clear.

Right. You can clear an attribute if it’s garbage. One command. There it is. So as you see, I’m in PowerShell here.

Jordan Drysdale

The context will change. We’re doing this as a domain admin because we have to use the context of something that can change that attribute.

Kent Ickler

Yeah. Okay, so let’s take the previous question a bit further. Is it configurable and would you configure who can write to the key credential link?

Jordan Drysdale

Sure. If you’re never going to use those features, you could just delete the attribute from the schema and it would be a non-issue.

Kent Ickler

Yeah. Or you could set one account, you could set DAs to write.

Jordan Drysdale

Yeah, I mean, okay, DA shouldn’t be able to write that. Okay. DAs are domain admins, highest privilege, so yeah, they’re going to be able to.

Kent Ickler

I might argue that a DA, you would want some form of privilege.

Jordan Drysdale

Oh sure.

Kent Ickler

If it needed it. Right. You’re going to enable a schema admin to delete an attribute, remove that schema admin again, and then revisit it later.

Jordan Drysdale

I do. I am curious how much all systems would complain after this attribute is missing. But regardless. Yeah, you could also configure the attribute not to be able to be written by computer accounts, by the owner computer.

Kent Ickler

That’s fair. And we are in an attack tactics webcast. Right. Should we really be sharing defensive recommendations? Yes, of course we should.

Jordan Drysdale

We share everything, as one does.

Kent Ickler

Yes, as one does. So again, as you see in this, we’re basically saying clear out the key credential link with PowerShell, and we’re using Whisker again to go see if there is anything stored or parked there.

Then, is there good, solid advice for detecting this event? If anybody wants to go grab that GitHub page for us, it is.

Jordan Drysdale

So I will tell you we have advice on how to detect it. I don’t necessarily like how we’ve done it. We’ve essentially gone through and changed the SDDL to say that we are going to audit the attribute in a fashion that’s kind of noisy.

The reason why I don’t like how we do it, and practically speaking, I think it’s really the only good way of doing it right now, is because it’s noisy. And we are going to now audit the change of an attribute, which is a feature, which means you’re going to get an audit entry every time the feature is used, both maliciously and appropriately.

So now you’ve got these log attributes that you now need to investigate every one of them to determine whether or not the attribute was being abused. Which means you have to go through and look at who changed the attribute and give context to why it was changed.

Because the computer changed the attribute. We know that that’s who could change it. But if the feature is used appropriately, it’s also the computer that changes that attribute. So you now have to look at how the attribute was changed and what was added or removed from the attribute to determine whether or not it was valid or not.

So just looking at this attribute and saying, oh, the attribute was changed, it’s malicious. No, it’s the feature. Like, it could be fine. And right now there’s not a great way of being able to do that.

Kent Ickler

So can you tell us what this attribute? Good. We say it slightly differently. I say attribute, Kent says attribute, and I’m pretty sure it doesn’t really matter. What is this attribute GUID that is the schema something?

Jordan Drysdale

Yeah. So that is the attribute.

Kent Ickler

This is static in Windows, the attribute’s GUID.

Jordan Drysdale

That is the attribute GUID for that specific attribute in the Active Directory schema, and it is static across all domain environments.

Kent Ickler

So that audit rule is saying, hey, anytime someone, World SID, Everyone, not just.

Jordan Drysdale

Everyone is the everyone everyone, not just.

Kent Ickler

The domain Everyone, it’s everyone everyone.

Jordan Drysdale

So if you have an Anonymous, that is also part of World SID, whereas Anonymous wouldn’t be part of.

Jason Blanchard

Whoa.

Jordan Drysdale

Okay, so it is everyone everyone, not just everyone, if that makes any sense at all.

Kent Ickler

Yes. And we’re saying anytime that is tampered.

Jordan Drysdale

Yeah. Again, that’s why this is so tough, because the feature is also going to create a record here that is appropriate if you’re using it, but it’s also going to be there if you do it maliciously.

So you have to give context every time these are changed. So, yeah, it’s tough. I mean, right now there’s no way to do this without augmenting how those were changed. Essentially, when the event comes in that this attribute has been changed, you need to trigger something that’s going to go list the actual value of the key credential link to determine whether or not it’s malicious.

And it’s not easy to do that.

Kent Ickler

Don’t we? Aren’t we saying this workstation updating itself is probably fine? Or is it?

Jordan Drysdale

Well, now that we’re here, we’re going to use Sentinel and we’re going to do that with Kusto. Yeah. Yeah. So we’ve gone through the pattern of. We’ve created the event ID using the audit. Now we’re going to peel apart that event ID and find the information that was changed and determine whether or not it was.

Was actually a problem or not. And that’s what we’re doing here with Sentinel.

Kent Ickler

Now.

Jordan Drysdale

Do I like the way this is done? I’d really love it if it was an event ID that just said it’s a problem.

Kent Ickler

We. Yeah, I know. We can see that the computer object updates itself, which is how it’s supposed to work.

Jordan Drysdale

Yes.

Kent Ickler

So we don’t know if it’s malicious or not.

Jordan Drysdale

Okay. Was it the sixth line down? You should, like, roll your mouse right over it. The low-priv one.

Kent Ickler

This one. Oh, that looks weird. Huh. Huh.

Jordan Drysdale

I may have been testing there.

Kent Ickler

Yeah.

Jordan Drysdale

So.

Kent Ickler

Oh, for sure.

Jordan Drysdale

The key thing here is you have to be able to augment this event ID to be able to figure out whether or not it’s a problem, which is tough. We can definitely audit it now, but to be able to determine if the IR needs to kick off is really tough.

With this one, bear in mind that this is not audited at all by default. So, like, if you want to even know that systems are using this, you either need to look at them all the time or enable the audit of this with the SDDL and the ACE and the ACLs, though.

And SACL.

Kent Ickler

Yeah. I’m trying to think logically how I would sort this out as an admin. Whether or not this was a malicious event, I think you don’t know without the context.

Jordan Drysdale

Are you using those features in your environment?

Kent Ickler

That’s fair.

Jordan Drysdale

So that’s fair.

Kent Ickler

And that’s pretty much it. I think we have achieved. Actually, no, I’m just joking.

Jordan Drysdale

Okay. Can you go back two slides?

Kent Ickler

Yeah. One more.

Jordan Drysdale

One more.

Kent Ickler

Three.

Jordan Drysdale

Okay. There’s a question in Discord. How do you go and set that attribute to be audited? It’s that link, if this whole thing.

Kent Ickler

There’s six commands, five commands here.

Jordan Drysdale

Yeah, there’s five commands. But that link will have that information in the blog post and links to the old webcast, where you can listen to us for an hour talk about doing just that and come.

Kent Ickler

Up with some better strategies, hopefully over time.

Jordan Drysdale

But yes, that.

Kent Ickler

Do you believe this is on. Should the onus be on Microsoft here to help us understand what’s malicious and what’s not?

Jordan Drysdale

I would love to see that if the feature is going to be actively used, it triggers the audit to be turned on. Now, contrary to that, you could just have audit enabled on it by default.

And here’s my suspicion on this: they generated new features, but they didn’t update their default auditing pack. And that’s kind of where I see it.

Kent Ickler

Mhm. That’s interesting.

Jordan Drysdale

The other side of that though, of course is discussion about what default logs are, which is not a discussion.

Kent Ickler

Logged by default, or what default logs.

Jordan Drysdale

What can, what can we have?

Kent Ickler

We don’t have time.

Jordan Drysdale

We don’t have time.

Kent Ickler

All right, so here’s the gist. Basically, you’re looking at event ID 5136 and you’re looking for the modified attribute once you’ve pushed auditing onto that object.

Now that’s how you audit key credential links. So there’s some defenses, checklists. What we don’t have here is signing. Implement signing. Implement it for SMB, implement it for LDAP, and.

Move forward with your security program. Really, it is one of the most effective things you can do to keep us from moving laterally and moving around your environment as other people.

Right. Other credentials. So I think that’s it.

Jordan Drysdale

Is that it?

Jason Blanchard

Are you sure?

Kent Ickler

Like six times.

Jordan Drysdale

We’ve got some classes.

Kent Ickler

We cheated.

Jordan Drysdale

We might have. If you want to know more about this, we cover it again in a class. Hey, that’s us.

Jason Blanchard

Yeah.

Jordan Drysdale

Yes it is.

Kent Ickler

We see each other once in a while. We’re coming out to Baltimore out here.

Jason Blanchard

Are you coming out to Baltimore?

Jordan Drysdale

Yeah, in a while.

Kent Ickler

I think it’s in May.

Jason Blanchard

Okay, well, it’ll be great.

Kent Ickler

Looking forward to it.

Jason Blanchard

Yeah, it’d be great to have you nearby.

Kent Ickler

We will 100% hang out.

Jordan Drysdale

Yeah.

Jason Blanchard

So you had so many false endings that you have no idea. Like us in the background.

Kent Ickler

We’re like, it’s only 1:30 guys.

Jordan Drysdale

We still have slides left. Are you talking? No, we don’t.

Kent Ickler

You had the slide deck in PDF. You could have scrolled. I saw. We were cheating. We were doing other things. We were doing.

Jason Blanchard

We were doing Hackett.

Jordan Drysdale

Yeah.

Jason Blanchard

Speaking of which, if you’ve not checked in for Hackett, now’s the time to check in for Hackett. If you don’t know what Hackett is: if you come to a Black Hills Infosec webcast or an anti-cast or the News on Mondays, please come to the News on Mondays.

We love the News on Mondays. And so if you engage in Discord live during the webcast, or during the anti-cast or during the news, then we give you credit for being here. And then once you hit 10, we send you a reward in the mail, including if you live anywhere in the world.

Deb has figured out how to send your reward anywhere in the world. Now, it might take three to four months to get to you. And every once in a while, the package has been ripped open and the contents have been taken from the inside.

And we’ll do it again.

Kent Ickler

It’s so frustrating when I get it. Like, I got it. Oh, wait, it’s empty. I’m like, oh, anyway, but we’ll send it again, like he said. Yeah. There’s one other question I want to address real quick.

And somebody asked if we renamed our class, and yes, we did. With John’s blessing. Basically going from Attack to Tech Defend, where we were colliding directly with Tim Medin and his crew’s Offense for Defense class, to BHIS’s Assumed Compromise class.

So basically, we’re taking our pivot methodology as testers, that Kent and I do on a daily basis, and we turned that into our class. So what you can do and see now is BHIS’s assumed compromise methodology with us.

Haircut fish is killing it. What the heck?

Jason Blanchard

Haircut fish?

Jordan Drysdale

Is that Simon and Garfunkel?

Kent Ickler

It is.

Jason Blanchard

It was. There will be. There’s not currently Hackett check-ins for Fireside Fridays. The Active Countermeasures team has not figured out how they want to do that yet.

And so at this time, there’s no Hackett check-in for Fireside Fridays, but you can attend Fireside Fridays. We’ll drop the link here in Discord and get that over to you. Kent, Jordan.

This is our first webcast back since we took a break. It’s 2025. I’m going to ask you two questions to wrap up today, and then any questions that you want to address.

So first question is this. What are you excited for in 2025? Kent, you first.

Jordan Drysdale

Oh, awesome. So BHIS has always done a lot of cool stuff, and this year, I can tell we’re gonna do a lot more cool stuff. And I’m excited for it. I am here for it. It’s gonna be awesome.

Kent Ickler

Yeah, no doubt about that. I’m just gonna carry right along. I think one of the things I heard in a chat the other day was 2025 is the year of clarity and mostly clarity and communication.

So we’re trying to work better as a company. Being a disparate workforce is a challenge. Right. So, like, I might be working with Ben in Chicago and Adam in Philadelphia, and we don’t really know what each other are doing on the same test.

So, while I can read and collaborate in the test with them, I think we’re really working hard to make sure our internal communications are solid now. Even better, we have implemented some new policy changes for our testers that should really facilitate better communication with our customers in the outside world.

Yeah. And that, that is the difference right there, is that our customers know what we’re doing all the time. We’re loose in their networks. They should definitely have open communication channels with us. We’re trying to do better.

Jordan Drysdale

In discord. Someone said they’re looking forward to 2025 as the year that NTLM dies. Well, I would say that, but it’s another 20 years out. That’s just how it is. We’ll be seeing NTLM in 20 years, guaranteed.

Jason Blanchard

All right, last question, for Jordan first, then Kent, is: we are not great at marketing as a company. We’re not.

Kent Ickler

It’s.

Jason Blanchard

I don’t have any marketing background. No one on our team. I asked, on Monday, I was like, anyone here actually been through a marketing class? And it was like, no. Hands up.

Kent Ickler

Yeah. So Ken, sorry, our intern actually is the one with the most marketing experience right now.

Jason Blanchard

That is true.

Kent Ickler

She’s actually in school to do marketing.

Jason Blanchard

So, Jordan, if you were going to tell people to hire Black Hills for 2025, how would you put it?

Kent Ickler

Well, that’s an interesting question. That’s not where I thought you were going with that. I’m going to go with: if you were going to hire a pen test firm that provides some of the best value on earth, shares everything we know, consistently, continuously, and will help you understand what we’re doing on your networks.

And we’ll make sure that when we leave, you understand what we did, why we did it, how to detect us, and how to prepare yourself for your next pen test with any firm you choose. I think we’re going to blow your doors off.

Like, truly, I don’t think there’s a better firm out there as far as, like, hands-on delivering quality in an offensive approach and defensive tactics.

Jordan Drysdale

That’s interesting. I think once our customers are with us, they seem to stick with us. I actually just had a customer recently. I was doing a pivot test and they said, wow, you caught something our previous vendor didn’t.

I’m like, thanks. Like, this is our typical mechanism. The answer I give them is like, great, you’re going to know how to do it too. At the end of the engagement, you’re getting a report that shows you exactly how to do it.

So, yeah, it’s a fact.

Jason Blanchard

Well, I appreciate that. And, for your final thoughts, Jordan, first, what are your final thoughts for today? If you could sum up everything in one last thing, what would it be? Jordan?

Kent Ickler

This is a relatively insidious Windows feature, shadow credentials, that we are using consistently to take over endpoints, which is the first step in domain compromise.

You need to detect this, whether we know how to tell you what’s malicious and what’s not in the event structure. You really need to think about how to defend against it, moving toward signing, validating where your authentication stuff is coming from.

And we can help you with that. We can help you by showing you.

Jordan Drysdale

I would say managing, engineering, securing Active Directory sometimes means doing those exact same things for features. Normally we think about security vulnerabilities, but you should do the exact same thing for features, because many of them have components that can be abused.

Jason Blanchard

All right, all right. And to wrap up things today, thank you to everyone that joined us for pre-show banter. We always get on about 30 minutes before our webcast begins just to talk about nothing that really...

No, no consequence of any kind. So thank you. If you enjoyed today, please come back next week. Next week we have one on GRC, where actually GRC people can use their influence in a way that is not just about checkboxes and makes real change.

So come back next week for Kelly and C.J. And if this was your first time here, we hope you come back. If this was your 50th time here, well, we know, we saw it through Hackett. And so we appreciate you coming back time and time again.

And so, lastly, happy 2025. It feels like one hell of a year so far as far as the way the world is.

But we’ll be here every single week, hanging out together, sharing knowledge together, and being together because we’re better together. And with that, we’ll see you all next time.

Jordan Drysdale

All right?

Jason Blanchard

All right, Ryan. Kill it. Kill it, Ryan.

Kent Ickler

Just do it. Do it.

Jason Blanchard

Yeah, Ryan, you don’t have to kill things. Kill it.
