Attacker exploits vulnerability in Active Directory Certificate Services to take control of domain


This post was made possible through the contributions of Joseph Spero and Thanassis Diogos.


In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled to enable automated workstation provisioning.


With access to the internal network, the attacker performed reconnaissance and identified a server running Active Directory Certificate Services responsible for Certificate Authority Web Enrollment and the Certificate Enrollment Web Service. Active Directory Certificate Services (AD CS) is a service within Microsoft Windows that enables organizations to issue digital certificates to authenticate users, workstations, and servers, digitally sign messages, or encrypt data. Once the attacker identified the AD CS server, they exploited CVE-2022-26923, which enabled the attacker to elevate their privileges to domain administrator. CVE-2022-26923 was patched by Microsoft in update KB5014754; however, due to the configuration of the Key Distribution Center, the exploit was not blocked and was only logged as a warning.


With domain administrator privileges, the attacker attempted to execute a DCSync attack, which extracts credentials from a domain controller (DC) by impersonating a domain controller and retrieving password data via domain replication. The DCSync attack was detected and blocked by the client’s security tooling, and shortly after, X-Force executed containment measures to elimin ..
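The two defender-side signals in this incident are (1) the KDC configuration that decides whether a certificate with no strong account mapping is rejected or merely logged, and (2) the replication-rights access that a DCSync request generates on the domain controller. The following is an added example, not code from the original post or from X-Force: it interprets the StrongCertificateBindingEnforcement value that KB5014754 introduced under HKLM\SYSTEM\CurrentControlSet\Services\Kdc (0 = Disabled, 1 = Compatibility, 2 = Full Enforcement), and triages constructed, exporter-style event records for the Compatibility-mode KDC warnings (System log event IDs 39, 40, 41) and for Event 4662 entries carrying the DS-Replication-Get-Changes extended-right GUIDs from a non-DC account. The dict field names (`EventID`, `Provider`, `Account`, `SubjectUserName`, `Properties`) are this example's own assumption about how events were exported, and the sample records are constructed.

```python
"""Triage helpers for the KDC certificate-mapping and DCSync signals (added example).

Assumptions: events are plain dicts exported from the Windows event log; the
field names below belong to this example, not to the Windows event schema.
"""
from typing import Dict, Iterable, List, Set, Tuple

# StrongCertificateBindingEnforcement values added by KB5014754
# (HKLM\SYSTEM\CurrentControlSet\Services\Kdc). Only mode 2 rejects
# certificates that lack a strong mapping; mode 1 logs a warning and allows them.
ENFORCEMENT_MODES: Dict[int, str] = {0: "Disabled", 1: "Compatibility", 2: "Full Enforcement"}

# KDC warnings written to the System log under Compatibility mode.
KDC_PROVIDER = "Microsoft-Windows-Kerberos-Key-Distribution-Center"
KDC_WEAK_MAPPING_EVENTS: Dict[int, str] = {
    39: "certificate valid but not strongly mapped to the account",
    40: "certificate predates the account it maps to",
    41: "certificate SID does not match the mapped account",
}

# Extended-right GUIDs that Event 4662 records when directory replication is
# requested; a DCSync request asks for exactly these rights.
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def kdc_enforcement_status(value: int) -> Tuple[str, bool]:
    """Return (mode name, True if the KDC blocks weakly mapped certificates)."""
    return ENFORCEMENT_MODES.get(value, "Unknown"), value == 2


def find_weak_cert_mappings(events: Iterable[dict]) -> List[dict]:
    """Collect KDC events showing a certificate that was allowed without a strong mapping."""
    hits = []
    for e in events:
        if e.get("Provider") == KDC_PROVIDER and e.get("EventID") in KDC_WEAK_MAPPING_EVENTS:
            hits.append({
                "event_id": e["EventID"],
                "account": e.get("Account", "?"),
                "reason": KDC_WEAK_MAPPING_EVENTS[e["EventID"]],
            })
    return hits


def find_dcsync_candidates(events: Iterable[dict], dc_accounts: Set[str]) -> List[dict]:
    """Flag 4662 events requesting replication rights from an account that is not a known DC."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        rights = sorted(
            REPLICATION_RIGHTS[g.strip("{}").lower()]
            for g in e.get("Properties", [])
            if g.strip("{}").lower() in REPLICATION_RIGHTS
        )
        subject = e.get("SubjectUserName", "").upper()
        if rights and subject not in {a.upper() for a in dc_accounts}:
            hits.append({"subject": subject, "rights": rights})
    return hits


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 39, "Provider": KDC_PROVIDER, "Account": "DC01$"},
    {"EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing", "SubjectUserName": "itmgmt-svc"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"EventID": 4662, "SubjectUserName": "itmgmt-svc",
     "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
]
KNOWN_DCS = {"DC01$", "DC02$"}

if __name__ == "__main__":
    print(kdc_enforcement_status(1))
    print(find_weak_cert_mappings(SAMPLE_EVENTS))
    print(find_dcsync_candidates(SAMPLE_EVENTS, KNOWN_DCS))
```

The DC allow-list matters: domain controllers replicate with each other legitimately and generate the same 4662 rights, so the useful alert is replication access from any other principal. The registry check is the cheap hygiene step: a KDC still in Compatibility mode after KB5014754 produces exactly the situation the post describes, a warning rather than a rejection.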
