certsync Research
Summary
A new technique has been discovered for remotely dumping passwords from a Domain Controller without needing to use the commonly abused API for the Directory Replication Service (DRSUAPI).
Abuse of DRSUAPI is a well-known attack; by removing the need for this mechanism, the certsync tool is able to dump password hashes in a new way.
There is no privilege escalation within this tool or technique and therefore an attacker needs to already be in a position with Certificate Admin or Domain Admin rights. When the tool is run successfully every NTLM password hash in AD can be dumped to a text file.
This is another example of an attack technique that relies on abusing the older and less secure NTLM authentication mechanism.
Attack Flow
The tool uses the following steps:
Technical Details
Run Certsync
Once set up, certsync only needs to be supplied with credentials and to have network access to the victim/test environment.
As can be seen above, we need to supply the following on the command line for this to work:
We then get, by default, an output of the NTLM hashes for all users. However, the -ldap-filter flag can be used to restrict which accounts we retrieve password hashes for. In the example below we only target the Domain Admin users; this makes the tool slightly stealthier, but not by much.
Current Detections
This is not a stealthy technique and produces a significant amount of log artifacts on your Domain Controllers. For an environment with 88 user accounts our detections generated 98 alerts across 11 distinct detections. Below are the detections that were triggered.
Detection Example for Command Line Logging
Below is an example alarm that was triggered as part of our testing; it shows that the SYSTEM account is actually responsible for the certificate key backup on the CA, not the initially compromised user.
Logs
The two most important log types for this detection are command line logging and Kerberos auditing.
4769 A Kerberos service ticket was requested
Used to detect the various Kerberos tickets an attacker attempts to request once they have the certificate.
4768 A Kerberos authentication ticket (TGT) was requested
Used to detect the TGT requests an attacker makes once they have the certificate.
4688 New Process Created
This can be used to see the abnormal Command Prompt being spawned from services.exe. It can also be used to detect the backup of the certificates.
Logs from Attacking IP
Below we can see a snapshot of the logs coming from our attacking IP address of 10.1.1.60. There is a huge volume of Kerberos-related log entries, generated for numerous accounts in our environment.
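As an added illustration of the two signals described in the Logs section above (not part of the original research or of the certsync project), the Python below runs simple detection logic over constructed sample events: a burst of 4768/4769 ticket requests for many distinct accounts from a single source address, and a 4688 in which services.exe running as SYSTEM spawns a command prompt. The event field names and the sample accounts are assumptions, not a real Security log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ATTACKER_IP = "10.1.1.60"  # the attacking host from the article's test environment

# Constructed sample events; the field names are assumptions, not a real Security log export.
EVENTS = [
    # burst of TGT (4768) and service ticket (4769) requests for many accounts from one IP
    {"id": eid, "time": f"2023-06-01T10:00:{2 * i + k:02d}", "ip": ATTACKER_IP, "account": acct}
    for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "svc_backup"])
    for k, eid in enumerate((4768, 4769))
] + [
    # a single ticket request from a normal workstation: should not alert
    {"id": 4768, "time": "2023-06-01T10:00:03", "ip": "10.1.1.25", "account": "frank"},
    # on the CA: services.exe running as SYSTEM spawns a command prompt (the key backup step)
    {"id": 4688, "time": "2023-06-01T10:00:05", "ip": "", "account": "SYSTEM",
     "parent": r"C:\Windows\System32\services.exe", "process": r"C:\Windows\System32\cmd.exe"},
    # a shell spawned from explorer.exe is ordinary user activity: should not alert
    {"id": 4688, "time": "2023-06-01T10:00:06", "ip": "", "account": "frank",
     "parent": r"C:\Windows\explorer.exe", "process": r"C:\Windows\System32\cmd.exe"},
]


def kerberos_account_spray(events, window_seconds=60, min_accounts=5):
    """Map source IP -> set of accounts for each IP that requested Kerberos tickets
    (4768/4769) for at least min_accounts distinct accounts within one sliding window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["id"] in (4768, 4769):
            per_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["account"]))
    window, hits = timedelta(seconds=window_seconds), {}
    for ip, reqs in per_ip.items():
        reqs.sort()  # chronological, so every t in reqs[i:] is >= t0
        for i, (t0, _) in enumerate(reqs):
            accounts = {a for t, a in reqs[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                hits[ip] = accounts
                break
    return hits


def services_spawning_shell(events):
    """Return 4688 events where services.exe is the parent of a command interpreter."""
    shells = {"cmd.exe", "powershell.exe"}
    return [e for e in events if e["id"] == 4688
            and e.get("parent", "").lower().endswith("services.exe")
            and e.get("process", "").lower().rsplit("\\", 1)[-1] in shells]
```

On the sample data, kerberos_account_spray(EVENTS) flags only 10.1.1.60 (six accounts in one window) and services_spawning_shell(EVENTS) returns only the SYSTEM 4688 from the CA; the workstation request and the explorer.exe shell stay quiet.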
Other Detections
Defender for Identity
A product that is being more commonly deployed is Microsoft Defender for Identity. It is installed on all Domain Controllers within an environment. From there it can assist with detecting various AD abuses and, when correlated with other logs and alarms, can be a powerful detection engine.
Below are the specific Defender for Identity alerts that triggered when the certsync tool was run.
Detection Quality
The majority of the detections for this technique are directly related to the TTP and behaviors inherent in its use. Therefore, an attacker using this will have a difficult time in hiding their true behavior.
The bolded detections are the new ones created as part of this research. The non-bolded are part of the standard Seamless Intelligence ruleset.
References
Attack Tool
https://github.com/zblurx/certsync
UnPAC the hash
https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash
DRSUAPI
https://blogs.manageengine.com/it-security/2020/09/29/advanced-active-directory-attacks-simulating-domain-controller-behavior.html
What Is the Kerberos PAC?
https://blog.netwrix.com/2023/01/10/what-is-the-kerberos-pac/
Great breakdown and explanation of that new technique Tristan