Podcast audio-only versions of weekly webcasts from Antisyphon Training
So, as we mentioned, we're here to talk about the changes that have happened over the last couple of years and that are gonna be happening for the next several years to Active Directory. If you are familiar with Active Directory, you will know that really there was this long period of time where nothing really happened. Right? Lots of changes occurred from 2000 all the way to 2016, and then, like, nothing for nine years, and suddenly something began to change. We're gonna kinda go over all of that.
Eric Kuehn: So if you're not familiar with Active Directory, let's say you have an internal environment and you have more than five Windows computers. You probably have Active Directory running in the background, and it manages your identities, how you log in, what you have permissions to see, etcetera. So it's really the backbone of every Windows environment if it's on-prem. Things are beginning to move out to the cloud. You have Entra and Azure. Absolutely.
Eric Kuehn: And we have hybrid-joined devices. We have devices that are only joined to Entra, all of those things. But really, Active Directory is still here. It's gonna be around for a long time, until every company can move all of their internal applications to use some cloud-based authentication, whether that's Entra, Okta, whatever it might be. So myself, my name is Eric Kuehn.
Eric Kuehn: As I told Zach earlier, I answer to anything close to Keene, Koon, whatever. I've had the name for a long time, and I know no one guesses that it's actually Keene. I'm one of the two principal security consultants at Secure Ideas, which means I not only get to attack things and be a pen tester, but I also help manage the other consultants here at Secure Ideas. Secure Ideas is headquartered out of Jacksonville, Florida. I'm based out of Charlotte, North Carolina, though.
Eric Kuehn: Myself and a few other people are here, kind of the second-biggest office. And I've been with Secure Ideas for nine years, which I cannot believe. It's gone by so fast. It's been a really fun time. Looking forward to having more years here.
Eric Kuehn: I do have over twenty-five years of experience with managing, implementing, and securing Active Directory, and also attacking Active Directory. I've been very lucky to be able to work with it since pretty much its release. I've worked on very small infrastructures and on environments that are huge, the biggest being over 250 domain controllers across the globe, 300-plus thousand users, and, you know, more servers.
Eric Kuehn: Groups were close to a million. GPOs out my ears. A huge environment. We like to think it was the biggest and most complex. It probably was up there, but it all depends on how you measure it, like total number of domains or objects. Take your pick.
Eric Kuehn: Beyond Active Directory, I am very familiar with Windows systems and applications, just general system architecture. I do penetration testing, security consulting in general, and training like this. I go to conferences, love giving workshops, etcetera. I'm also IANS faculty. If you're not familiar with IANS, it's talking to subject matter experts about something that you're interested in doing.
Eric Kuehn: It's another form of consulting. Kinda, yeah. It's really about talking to experts in the industry to see what might be the best thing, not necessarily just what you've read or seen. And on top of that, I'm a MITRE ATT&CK framework contributor. I love MITRE as a way of talking about attacks and tactics and things that were used, not necessarily like, hey, we're gonna do this specific attack scenario, but really talk about what was done.
Eric Kuehn: Give, once again, that common language for people to understand, since every pen testing company tends to call their findings something slightly different. It gives a good uniform method of seeing what it is. Other interesting facts: I'm a movie enthusiast.
Eric Kuehn: I was actually a film and audio major in college. Decided that I didn't wanna be a starving artist in New York or LA, because those were the only options when I was going to school. Really wanted to settle down and have a family with the woman who'd become my wife. So I left that, got a job in a computer lab because of a friend of mine, and it just really took off from there. I do love playing games: board games, computer games, online games, role-playing games.
Eric Kuehn: Take your pick. I really enjoy it. I still don't have as much time as I would like to play games. I'm a father of four, but three of them are now at college. The last one's going off to college.
Eric Kuehn: And if you have kids going to college, you will find out that the year ahead of time and the year of college turn into a never-ending journey of visiting different universities at different times. So I've been traveling a lot and have been very busy. Looking forward to sitting down and playing more games with my friends and wife and everybody else. So, looking forward to it. Yeah.
Eric Kuehn: Lots of road trips. You know? Also, Secure Ideas, to level it out. You may not be familiar with the name Secure Ideas, but you probably have heard our motto, Professionally Evil. We like to think that way when we're attacking our clients, right, when we're under contract.
Eric Kuehn: We want to be an attacker just like they are, acting just in a professional manner. Right? Only when we're actually hired to do so. So let's talk about why we're really here. Once again, we're talking about changes and the recent change timeline.
Eric Kuehn: And I put "recent" in quotes just because we're talking about going back to 2022. This is really when the big series of events started happening. And really, the catalyst was SpecterOps releasing the method to abuse certificates to gain access, right, and do privilege escalation, pivoting, etcetera. And there were some other things found within Kerberos and Netlogon that were not the most secure. So Microsoft threw in some fixes in late 2022, the October, November time frame.
Eric Kuehn: They released a bunch of hotfixes to correct the Kerberos and Netlogon issues. And, unfortunately, that broke a whole bunch of stuff. I mean, it changed how certificates, Kerberos tickets were read, the information that needed to be there, how it's processed, and it really just broke authentication all over the place, especially if you weren't in a Windows-centric environment. So they decided, let's kinda roll this back in a way, and they moved to this phased approach that was scheduled to go over years. So we move forward into 2023, and we had some changes to attributes and who could write to them and what was happening, so that some certificate exploits wouldn't work.
Eric Kuehn: And then more things started happening with Netlogon and RPC, with PAC signatures, so that it would be addressed and used. But, really, things weren't fully enforced, so we still had the good old days of how we could use tools. It was kind of in this hybrid environment. Then in 2024, we actually had some hardening going on within Active Directory. Right?
Eric Kuehn: There was a change to how the PAC was set up. Kerberos tickets were used again. Microsoft announced that NTLM was officially deprecated. You know, NTLM, the old legacy challenge-and-response protocol that has all sorts of security vulnerabilities, and really just kinda had issues.
Eric Kuehn: Still has issues to this day. We also had Extended Protection for Authentication released on some things, and then Server 2025 was released. And I see this idea of, you know, is this a fan? I wouldn't say necessarily that this is a fan. It's just kind of the perspective of how things have changed.
Eric Kuehn: As I said, yes, there are still problems. Don't get me wrong. Lots of things with bad passwords and other issues that people put in, but there are actual security changes being placed into Active Directory to cover issues. Right? So we're kinda in this better state than we were.
Eric Kuehn: It doesn't mean it's perfect, but definitely better. 2025 hit, and that's where all of the enforcements really came into play. Things like certificate authorities need to be fully registered for them to be used for authentication. We need to have strongly mapped certificates for it to work. And once again, now you need to have the restructured PAC, which means some of the older tools don't necessarily work as well as you would want.
Eric Kuehn: When we think about this year and going forward, right, what's changing? Well, number one, Microsoft announced recently, very early this year, late last year, that they're getting rid of RC4. Right? RC4 is for Kerberos tickets; RC4 is not a very secure encryption method. It's pretty easy to break.
Eric Kuehn: It's being deprecated and phased out. Once again, it's not just being turned off, because Microsoft has learned that if we just turn it off, things are gonna break. So it's being slowly phased out. In theory, in the second half of 2026, we're gonna start seeing more things happen with NTLM to really start that process of getting it out of our environment. Microsoft, you know, announced late last year this idea of Kerberos forwarding, which is an interesting idea.
Eric Kuehn: So if you have some systems out there that can't necessarily reach a domain controller, a more secure method of getting that connectivity back to a domain controller. And also getting rid of the local methods of authentication that still rely on NTLM and moving to a KDC and Kerberos methodology. Some things are going to happen to really change some core Windows components so that they always negotiate Kerberos first, which I find hilarious, because that is the default way everything was supposed to be working since, like, Windows 2000. But we still had all those systems that were more than willing to do NTLM first. I think RDP to this day still wants to hit NTLM rather than Kerberos when you're doing that initial challenge.
Eric Kuehn: So all of those wonderful things. We're gonna start getting rid of NTLM altogether, and then, you know, the default Kerberos encryption for service tickets is gonna be shifted to AES SHA1 or better in the near future. Right? AES will become the primary method. Then in the next major release, so we'll say Windows 2027 in theory, NTLM is gonna be disabled by default.
Eric Kuehn: People will have to turn it back on. Yeah. Absolutely. If you have a question, please ask. I'm taking a look at Discord every once in a while, jumping back and forth.
Eric Kuehn: So please ask, and I will get to it quickly. So let me see. Yeah. The whole idea of NTLM. I mean, honestly, when is it gonna be removed? That's a great question.
Eric Kuehn: Microsoft is gonna say they wanna get rid of it as quick as they can. But as everybody is pointing out in Discord, and it is very true, just because Microsoft wants to get rid of it doesn't mean that everybody actually understands how Kerberos works, everything that you need to have in your environment to actually make it work, applications developed to use it, etcetera. There's probably gonna be NTLM around for a while. You know, I'm gonna guess there's a minimum of four years before we have the idea of Microsoft wanting to get rid of it, but we're probably looking at 10 or longer. I mean, there's so many things that are NTLM-specific just because we keep falling back to it.
Eric Kuehn: You know, you're supposed to start with Kerberos, and if anything breaks for any reason, like you don't have a service principal name for your application, or it's pointed to the wrong account, or I just can't resolve it, or it happened to go away, or it's not working properly, any number of things, not formatted properly, you drop to NTLM for free behind the scenes, Windows being nice and helpful for you. So yep, and I know that, yeah, Kerberos is definitely very difficult to set up. Yeah. It's not easy, all the things. So, yes, we all know there's a risk.
Eric Kuehn: Microsoft has agreed there's a risk, and they're not just gonna say we're gonna keep NTLM. They've announced that they're getting rid of it, and they're actively working towards that goal, which is the big change. Alright? And that's one of those things that, you know, is starting to hit us right now and something that we as pen testers and blue teamers and everybody else need to be aware of. This idea of NTLM going away did start with the release of Server 2025.
Eric Kuehn: Actually, Server 2025 released a whole bunch of different things on it. And the question comes up, what's the PAC? I'm gonna get to that in a little bit more when we talk about Kerberos tickets, but we're gonna start with NTLM here. What's happened is with Server 2025, and unfortunately, with Server 2025 only. So to get all of these benefits, you need to upgrade some systems.
Eric Kuehn: You know, that is a downside here, to get some of this auditing and other things. But with Server 2025, it doesn't understand the full authentication mechanism with NTLMv1. It can still be used for some things, like if you're doing certain types of authentication for a remote access server, etcetera. It still allows the cryptography, but it doesn't really understand the full authentication method anymore. So to start prepping us for the removal of NTLM, Microsoft has introduced some new auditing that is on Server 2025.
Eric Kuehn: It's more detailed than anything that we've ever had before. It's not only why did this occur, like why was it selected over Kerberos? Why did you drop to NTLM if you're supposed to be? Because I thought I had this application configured to use Kerberos. Who actually requested it?
Eric Kuehn: The process that was actually doing it, where it came from, the name, IP address, all of this information. Alright? It's in a different location altogether. It's not sitting underneath the security event log, which is both good and bad. Good in the sense that it's isolated to its own environment, bad in the sense that we have to look somewhere else.
Eric Kuehn: It's also not turned on by default. You have to turn it on, even with Server 2025. Right? You have to go configure this; probably a GPO is the best place. Configure it to be turned on for your domain controllers, and then, to get the best benefit, you really wanna turn it on on your 2025 servers as well.
Eric Kuehn: Gonna show you what this logging looks like later. But the important thing is, if you use NTLM authentication, or you use a lot of tools that pen testers rely on that are doing some interesting NTLM things behind the scenes, you will be detected very quickly if your clients are auditing. And if you are a blue teamer, this is something that you should be turning on so you can start getting this view into your environment. I mean, honestly, these days, there should be nothing that drops to NTLMv1. This should be the safest thing to turn off.
Eric Kuehn: I know it still happens on occasion, but NTLMv2 has been around since NT 4. Alright? So it is now, somebody help me out, it is at least 28 years old, if not older. Okay?
Eric Kuehn: So, yeah, these event logs are definitely in 2025. I think you can get them on Server 2019 and 2016 if you turn on the event logging. But for your domain controllers, honestly, I would recommend that people should upgrade. I know somebody out there is gonna say, oh, what about BadSuccessor and those attacks that came out when 2025 was released? Hotfixes have gone into place to correct part of that.
Eric Kuehn: But honestly, BadSuccessor, like a lot of other Active Directory attacks, is based upon the entire idea of somebody having permissions to create something that maybe you don't want them to. Okay? So looking forward, I would be urging people to upgrade their domain controllers. There shouldn't be anything else other than problems with NTLMv1. So if you are using NTLMv1 out there, you know, not the best option for you.
Eric Kuehn: So, still has some stability issues. Fair enough. At least two open tickets with Microsoft. That's horrible. I'm sorry to hear that.
Eric Kuehn: So yep. The negotiated flags will show you. Yes. So especially in the new event logs that you can get, it will definitely have more details, and we'll show you some of that. Yep.
Eric Kuehn: Yeah. Don't do an in-place upgrade for a domain controller in general, as Horst is saying there. I would not recommend doing an in-place upgrade. Really, it's better to build a new server, promote it, demote your other domain controllers. Kinda build in place.
Eric Kuehn: Don't do in-place upgrades. Definitely a better option for you. You can't disable NTLMv1 because three major business applications still need it. What do you do? Somebody said quit.
Eric Kuehn: I don't know if that's the best method for you. You know, it really is a hard play. I don't know if I have a good answer for you. It would be the classic idea of let's firewall this off, and it all begins to fall apart with Active Directory and authentication. Yeah.
Eric Kuehn: I would definitely be seeing if there's any way to move them. So there was a question about the RC4 deprecation and Kerberos. So that's gonna be across the board. Right? But it's only for service tickets.
Eric Kuehn: Right? Very important. As it stands right now, when people are logging in, to take a step back, there are two types of Kerberos tickets. And this kinda leads actually into the next part, the PAC signatures. There's two types of Kerberos tickets.
Eric Kuehn: There is your identity, which is the ticket-granting ticket, the TGT. That has been AES for quite a while. Alright? Service tickets can run the gamut, but quite often, they're gonna come down as RC4 unless you have enforced things. Right?
Eric Kuehn: So what's happening is that change is going to force service tickets to be AES-encrypted, which means for us as pen testers, one of our favorite attacks out there is Kerberoasting, which is we're gonna act like a normal Windows client and request a service ticket. A service ticket is what is presented to an application to prove that you are who you say you are. I like to think of it as a passport. Okay? You go to another country.
Eric Kuehn: You go up to customs. You give them your passport. They look at the picture. They look at you. They don't necessarily reach out to any true authoritative source, but they say this passport came from the US.
Eric Kuehn: I trust the US, or your country, and therefore I believe that you are who you say you are, and I'm gonna let you in. Same thing for a service ticket. That's gonna be changed. That is normal behavior. Kerberoasting is just going out and requesting service tickets for applications that use Kerberos and just taking them offline and cracking them instead of actually sending them to the application.
Eric Kuehn: So this whole AES encryption part is going to make it harder to brute force tickets. But if people still go out there and are using bad passwords for their service accounts, you know, eight characters or less, known passwords, known breaches, known individual words, words following a standard setup, like a capital letter and then six or seven letters and then a number and an exclamation point, we're still gonna crack them in no time at all. It's just gonna be a little bit longer. Right? So it will help some, right, but not everything.
Eric Kuehn: So let me see as I kinda go back through Discord here. The idea of moving an application to another domain is one way that you could absolutely solve that issue of NTLMv1, other than you're talking about a huge migration. That's a lot of work. So let me see. What else?
Eric Kuehn: So when we talk about the PAC, because we covered this before, this was a big issue and caused all sorts of problems, probably initially, when things began enforcement. What happened is there was one format for the PAC and then a new one. The PAC itself is extra information added to a Kerberos ticket. Kerberos itself, the default method, is prove your identity. This is Eric.
Eric Kuehn: That's all it does. And then the application is supposed to have more information about you to know if you're supposed to be doing something. Alright? The PAC includes a whole bunch of other pieces of information, like groups you're a member of, and, you know, who actually gave the Kerberos ticket, the domain it came from, and all these other things.
Eric Kuehn: The PAC changed, and tools like Mimikatz and other things didn't immediately work. And honestly, I'll be honest right now, I have trouble even with the newest version of Mimikatz getting it to do the new PAC. Rubeus has become my new friend for generic tools. Right? Or build your own to do that type of authentication.
Eric Kuehn: But to top it off, beyond the tools, we have this idea that a lot of the documentation out there with the tools says that when you build your Kerberos ticket using a tool, build a golden ticket, which is just you're forging a new TGT for yourself instead of requesting a real one. A lot of the documentation out there is still saying use this method right here, pass this hash. Your old NTLM hash still works, will work forever. Right? Probably work forever.
Eric Kuehn: However, since 2008, there have been these other methods down here, AES. Right? All the tools will let you specify those hashes instead when you're messing with Kerberos, and that's what we should be using. Okay? Yeah.
Eric Kuehn: Exactly. As Roswell said. Right? You need to really start moving to AES for any tool that's building a ticket or doing Kerberos authentication based off of a hash. Use NTLM instead of AES.
Eric Kuehn: You will have a better chance of remaining undetected. Although, once again, a lot of these tools are doing some interesting things behind the scenes that I will show. I'm not familiar with DC LimeWire, so I can't answer that one. Yep. So we should be adapting tools out there.
Eric Kuehn: And once again, Rubeus, Impacket, a lot of those are already capable of doing it. They just don't reference it necessarily off the bat. Right? And so we just need to start using the new one. LimeWire.
Eric Kuehn: I apologize. Not thinking about it that way. Malware delivery. I was completely lost. So going back to certificates then.
Eric Kuehn: This is another thing. Huge attack method, still very popular to this day. And it used to be similar to all of the documentation for tools that's out there that says use this older hash method, the old NTLM version instead of the new AES; a lot of these didn't include the extra attributes that you need to add when requesting a ticket. Alright? It's well known now that when you use Certify or Certipy or anything like that, you need to add the SID.
Eric Kuehn: That's the idea of the strong mapping. Microsoft said we aren't just gonna accept a certificate that says it belongs to the domain admin. It needs to actually have some other pieces of information to prove that fact. The SID is how that is mapped at this point. So when you request a Kerberos ticket, or sorry, a certificate, you need to include the SID of who you're trying to become when you request a certificate, not just here's the name.
Eric Kuehn: The protections that Microsoft has put in place for abusing certificate-based authentication, the default set, were out there to prevent us from manipulating information in the AD to fool the certificate authority into believing we are somebody else. Right? You can't write to certain attributes anymore that would let you just say, yes, I am this person.
Eric Kuehn: That doesn't change the fact that many organizations have very insecure certificate templates out there that allow you to go and state without a doubt that I am this other person. And as long as you include the SID of that other person along with your request, you get to be that person. Right? And we'll kinda show this in a little bit. I do like to point out that while Certify is a great tool out there, Certipy is a great tool that's out there, you don't need to use them if you have a Windows device.
Eric Kuehn: You could do the exact same behavior to request a certificate by using the inherent Windows tools. You just have to add a URL attribute in them, and I give it down below there on the screen, to make that certificate request, as long as there is a template that is vulnerable to you specifying an alternate name. If you're familiar with Certify or you've heard of it, it's called ESC1. Right? Microsoft has also put in some other protections, if an organization has put them in place, to prevent things like relaying NTLM and requesting certificates through the browser portion of the certificate authority.
Eric Kuehn: All of these can be put in place. They just may or may not actually be implemented yet. If they are using Server 2025 as a certificate authority, it should be in place. They may just need to change it from expected to required. It's not expected.
Eric Kuehn: I can't remember the default term, but change it over to being enforced. So I've been told that the next version is Server 2028, and there's gonna be a whole bunch of other security enhancements. I'm looking forward to seeing how that all is going to change. I'm waiting to see all of the different things that they announce instead of it just being in preview. Right?
Eric Kuehn: I know there's a whole bunch of things in preview right now. I wanna see what is getting officially released. I'm looking forward to that. Let me see. What else can we find here as I go through it?
Eric Kuehn: So, as NTLM is being phased out completely in future Windows, how can blue teams audit current dependencies through the operational logs? Yep. That's exactly one of those things that I was gonna show. Right? All of that information is in the operational logs right now if we've turned on that auditing.
Eric Kuehn: And it will show you on a domain controller where the request came from, why it dropped, and other things. The clients will give you even more information. So that is out there and something that we should definitely be enabling. So I like to highlight this one, and somebody brought it up as something to look for. These are non-security events.
Eric Kuehn: So, events that aren't in the security event log, that people may or may not be looking for right now. Okay? These are out there in case something is requested in an old way that should no longer work, where somebody requests a certificate with the old PAC signature. It's gonna fail. Right?
Eric Kuehn: An instant event is created, not just, hey, authentication failed, but another one that shows up in the system event log that says, hey, this is why it failed, because the signature was wrong. Similarly, if somebody requests a certificate without the appropriate information, right, where they are trying to exploit that whole ESC1, where I specify another name, an event will be created in the system event log under Security-Kerberos or KDCSVC. Right?
Eric Kuehn: There are events that are created in the system event log that are definitely worth capturing as indicators of something going wrong. And, unfortunately, not a way to bypass if you use a tool improperly. On top of that, I don't know why organizations aren't auditing certificate servers fully. It might be because you have to go in and actually configure it in a couple of places. But once you do this, you will actually see the certificate requests, and you can see when people begin to request things that are not as you expect.
Eric Kuehn: Right? Really, this is a huge visibility gap if you are not auditing it. It does take turning on a subcategory on your CA, through the local security policy or, preferred, via GPO, where you turn on audit certificate services under object access. And then you have to go into the CA properties and say, hey, log when you issue, or when somebody requests and gets a certificate issued.
Eric Kuehn: Couple of steps. But then you get new events. Easily begin to show all sorts of other information. So, Kerberos enhancements. I mentioned things that are going to be occurring very, very soon.
Eric Kuehn: Started already. Right? But in July, the default encryption type for service tickets will be AES. I already mentioned that this is going to help protect service tickets and protect service accounts, as long as the passwords are strong. Okay?
Eric Kuehn: Attackers will have to hope that a service account has a weak password. But honestly, right now, if you have a very, very strong password, 25 characters, etcetera, you are pretty well protected, but this is going to make it even harder. Right? Quite often, we see wonderful things like someone installed SQL, and they said, yes, I wanna make it Kerberos-enabled, but they don't actually specify another account, and it goes to their user account, their admin account, which is even better, because that's probably going to be a weak password, something that we can move to very quickly.
Eric Kuehn: Alright? RC4 can still be used, but only if it's explicitly added to the account that you need that service ticket for. So this is gonna make things much harder. Right? This is going to create new events that are already available in the system event log.
Eric Kuehn: There are events 200 through 209. You don't necessarily need to forward all of those on, but there are some things that will give you more information about older encryption, who's requesting, etcetera. But once again, in the system event log. Yes, and people are mentioning, yep, how many events are created and all of these going. That is a big problem with Active Directory, especially if you're doing Audit Kerberos Authentication. That is a whole load of events that you have there.
Eric Kuehn: Alright? This has been redone for 2019, 2016, 2025. The events have been changed if you are doing logon events or the Audit Kerberos Authentication events. These events, 4768, 4769, when a Kerberos ticket is issued, now include information about what type of encryption was requested. So you can start filtering, like somebody asked, and you can start seeing who's using the old RC4.
Eric Kuehn: Right? What's going on? And see what's happening. This, as I said, will absolutely enhance the security. Right?
Eric Kuehn: It doesn't remove a bunch of the other vulnerabilities that exist out there. You know, you could still do pass-the-hash with NTLM. All of those are still available. It's just helping protect those Kerberos-enabled applications. Make it harder for us to brute force those passwords.
Eric Kuehn: But once again, just brute forcing. It will not save an organization if they're using weak passwords. So just a quick summary before I try and show some of these things in the demo and we see how life goes. From this point forward, NTLM authentication may be a risky endeavor for you. Probably not yet.
Eric Kuehn:Okay? You're still gonna be able to use NTLM for a while. It's still gonna be hidden in a lot of cases unless you are using NTLM v one, or you're using a tool that might be using NTLM v one behind the scenes. My favorite is NetExec. It's funny.
Eric Kuehn:If you use NetExec and you specify Kerberos authentication, it does an NTLM v one anonymous lookup before it does a Kerberos authentication. So, like, really easy to target or see if that is happening in an environment where they know they aren't using n two m p one. We're gonna stop seeing all of that RC four encrypted Kerberos tickets for service accounts. Gonna be a little bit harder to decrypt Kerberos thing, but not necessarily. We need to start in any tool that allows you to pass a hash instead of a password.
Eric Kuehn:We need to start moving to the AES hash. Stop using the old one. Move to AES. Start looking more like other things. Detections are going to be put in place.
Eric Kuehn:Right? Start using the new methodology. Certificate services as escalation still works, still available to everybody, but it might be detected if you aren't specifying pieces of information. Right? And other tools may not work as well as they used to.
Eric Kuehn:Like I said, I mentioned NetExec, a whole bunch of other things out there are going to be going on and and probably gonna start working and and leaving fingerprints and trails that we aren't expecting. For the blue teamers, we need to, you know, start looking in other event logs if we can, right, for for key indicators of problems. And then on top of that, if you haven't turned it on, right, enable that NTLM auditing, turn that on, make it better. The Kerberos enhancements are gonna apply to all versions. Right?
Eric Kuehn:It's going to occur and be backported. Right? So more, everything right now can use the newer, I shouldn't say everything. Windows systems should all be able to use the newer encryption. Right?
Eric Kuehn:The AES for service tickets. It's legacy applications that might have a problem and still require that older RC4. So before I get into questions, everybody work with me and let's hope that these demos kinda work properly here. I had mentioned in the pre-show banter that I'm horrible at typing when I'm trying to do a demo, so forgive me. I copied and pasted things.
Eric Kuehn:But I'm on a Windows 2025 domain controller. And I have turned on that new operational event log. Right? So I've enabled it. As we can see, I'm gonna get NTLM logs that are sitting underneath not the security event log, way up here, but under this buried one, way down here under an NTLM operational log.
Eric Kuehn:And it should be empty, maybe there's some things happening in the background. Nope. It's empty. Over here, I have my Kali box. I've just SSHed into my Kali box that's sitting on the same network.
Eric Kuehn:And let's just, we'll do NetExec first. So I'm just gonna do a quick NetExec. If you're not familiar, NetExec is a great tool for seeing all sorts of things en masse through an environment. I love the tool for speed. Not trying to knock it at all.
Eric Kuehn:It is a wonderful tool. And I connected to in this case, I connected to my domain controller that is IP one. And we see, hey, there's this wonderful thing that says NTLM was used to authenticate to this device. So this is what you would see on a Windows client or a Windows server. It said where it came from, the IP address, other pieces of information.
Eric Kuehn:And honestly, it said, hey, you know, we dropped to NTLMv1 in this case, which is even more interesting. So if I connect to, let's say, another server in my environment, which is the certificate authority. There we go. Same thing. You used a password, and it is a different event.
Eric Kuehn:Let me make this a little bit bigger for folks maybe. And we could say, hey, this was actually forwarded on. And I don't know if people can see this very well because the Windows event log is very small. Right? It said it was forward on, and it said the person was trying to reach this, right, this thing on this device.
Eric Kuehn:So I was actually trying to connect to the CA, but we dropped to NTLM, and they were trying to access the file system. If we go forward and now we use Kerberos because we're like, oh, we don't want to use NTLM. I already have the Kerberos ticket sitting here in the ccache file, but I'm gonna tell NetExec to use this. Alright. So in this case, I didn't use a password.
Eric Kuehn:I used my Kerberos ticket. I requested a TGT, an identity. Do a quick refresh. And here is that anonymous. Right?
Eric Kuehn:NTLMv1. So even though I said use Kerberos, right, it definitely still made that NTLMv1 call. So something to be aware of. Very easy to detect certain tools that are working in the same way. Certificates, we're gonna see the same general type of behavior.
Eric Kuehn:So if you're not familiar with this, the certificate exploit, I have a CA here. I'm gonna use Certipy in this case. I'm gonna ask it to go find a vulnerable certificate. You don't need to use Certipy. You can use other tools just as well.
Eric Kuehn:This is just a classic one, and the most common I would say out there for pen testers. It gave me the results and it said, hey, there's this template out here, new user one, that says anybody can enroll in it and we can specify we wanna be somebody else. That's pretty neat. I wanna go here and I wanna say operationally, let's just review and see how this one came in. Lo and behold, yet again, we dropped to NTLMv2 to make this request.
Eric Kuehn:Let's actually request the ticket. I've already done my recon. Right? It was easy. I have a user account to do this.
Eric Kuehn:I know what the SID of the administrator account is, and all I'm going to do is specify, hey, I want to use this SID. This I want to be administrator. Even the certificate is being requested by me, just a regular user. I'm going to specify I'm the administrator, and here's the SID of the administrator account. It was very nice.
Eric Kuehn:It created the certificate for me. Certipy has this other wonderful thing that says let me authenticate as that person. I can't believe I forgot to copy this one, I have to type it out and I'm gonna fail horribly. Oh, no. I have it up there.
Eric Kuehn:Perfect. It was just in the wrong place. So I'm gonna log in with this. Certipy by default is nice. It lets you connect.
Eric Kuehn:And it gave me the old hash, the NT hash for this person. And once again, if we go through, we'll see that some of these still came through, including this one, right, as an NTLM request even though it was a Kerberos request in the end. Right? So they are doing an anonymous v1 check before they do something. So that's a couple of the tools really fast.
Eric Kuehn:Just showing how even though we think we're using Kerberos, we're dropping to NTLMv1 for certain parts of the authentication process. We have to be careful with these tools. I'm a huge proponent of using Windows systems, oops, as a method to go forward and do this. Right? Why even worry about potentially using a tool that is doing a request in a strange way?
Eric Kuehn:Let me make sure I'm on the right box here. That's the domain controller. Is it not coming up? Yay. Live demos.
Eric Kuehn:Give me a second here. Let me see why I can't get that other screen to come up. Alright. Well, let's do it in a different way. Since I can't get my server online, I'll just kinda, yeah, request this.
Eric Kuehn:I did it again. This is why everybody loves demos, just to see people having issues with them. I know it. What I wanna show here is all of these requests by default. I have not turned on the auditing.
Eric Kuehn:Absolutely created an event. Right? However, it's that this was issued. It was done in the certificate authority log location, but we didn't see it anywhere else. Right?
Eric Kuehn:If we look at the security policy, it's not there. It's hard to get it out of this information. Let me see. So what we can do is turn this on. So I'm just gonna say I want to enable it.
Eric Kuehn:Close that so it actually works. Manage my CA. Right there. And in theory, if I run the request again, we should see the information appear. Hey.
Eric Kuehn:Look at my life. So I'm gonna just request that certificate again. Yep. Replace that guy. Alright.
Eric Kuehn:I will be able to show that in a minute. Perfect. If we go through and we look at the CA now, in theory, there should be a new event here for there it is. The certificate being issued. Right?
Eric Kuehn:So once again, we can see that, hey, user one requested it, but when he said he's somebody else, he actually said that he's this other person. So auditing really much better than it used to be if you turn it on. Alright. Let's see if it comes back up. So this is the last thing I wanted to show.
Eric Kuehn:I'm a proponent of using Windows systems. Please come back. Hey. Alright. It's back.
Eric Kuehn:Why use Certipy? As somebody has mentioned, Certipy and other things are going to be detected. Right? Probably gonna be detected by EDRs. Maybe they're keying off of that NTLMv1.
Eric Kuehn:But why not just go through, if you can log on to a Windows box and you have a user account, and just request a certificate the way that Microsoft is expecting you to. So, hey. We're gonna use the Active Directory enrollment policy. That's what we're using with Certipy. Here is this wonderful vulnerable cert that we found before, new user.
Eric Kuehn:Let us give some information. Like I said, the one thing we have to give is the URL to make it work, just like sort of, and because I don't wanna have to try and copy that out, I thought I had it. Here we go. This is the tag. It's the exact thing that every request that's being made needs for the strong mapping.
Eric Kuehn:It is literally a tag, Microsoft, a date, and then the SID of the person you wanna become. The other thing that we can do that makes this one better than Certipy, beyond the fact that I'm using Windows tools, is I can specify a subject fully here. We can specify with Certipy as well, but most people don't. If I pick the full DN and I put it in here, alright. I got all of this from Active Directory, easy to get it by using Get-ADUser, and I want to enroll.
Eric Kuehn:There's the ticket. Issue to administrator, right? If we look at the domain controller, I hope, watch it prove me wrong, there was no NTLM authentication, That's just the CA. Alright. It did do it but a little bit.
Eric Kuehn:But more importantly, when we look at the CA, even though it still says it was issued to me, the certificate looks a little bit different. Right? It has the the other information that it's looking for, like the subject. Of course, it's not doing it now. There goes my demo, guys.
Eric Kuehn:Not working the way it does when I do it on my own. So it does give that the extra information was here. It still says that lab user one gave it, but the certificate it looks more like a real certificate. Might bypass things a little bit better than the old way. So anyways, with all of that, with my demos failing with live because you know what I'm gonna say?
Eric Kuehn:It's because I was expecting, you know, 1,300 people. That's why it failed. We have all of these things. Yeah. No.
Eric Kuehn:It's a skill issue. Absolutely. I'm having problems today.
Jennifer Shannon:You can sacrifice potatoes
Eric Kuehn:to Yeah. I didn't I didn't set to get a potato out there. I didn't do fried chicken, any of those things. Yep. So regardless, any other questions, we need to be prepared.
Eric Kuehn:Things are changing. More things are coming down the line. Right? We are gonna if we're gonna continue to attack active directory like we will always want to because it's the keys to the kingdom, we are gonna have to keep adapting. I am a huge proponent of using Windows systems.
Eric Kuehn:If you don't know PowerShell, learn PowerShell. Use Windows to attack Windows instead of relying on some of these other other tools. It's definitely going to help you stay undetected a little bit better. Learn PowerShell. It's gonna help you out.
Jennifer Shannon:I can second that, learn PowerShell, by the way. As somebody with a very heavily Linux background. I'm much more of a Linux person than I am a Windows person, and I still do recommend learning PowerShell because it has helped me a lot. And I had to learn PowerShell anyways from malware. So I do have, learn PowerShell like it's ever.
Eric Kuehn:Yeah. Well, changes. I will admit. PowerShell is is painful. It for a lot of reasons.
Eric Kuehn:Yeah. Length? Yeah. It's very verbose. I have to type, like, 8,000 characters when I'd rather do less than sometimes.
Eric Kuehn:There is the idea of PowerHell. Yes. And then the problem of which commandlets do I actually need and all of those other things. There are a few core ones I'd recommend you know. You know?
Eric Kuehn:Some Windows based Windows ones and then Active Directory definitely, but there's some other ones.
Jennifer Shannon:I live and die by two teams.
Eric Kuehn:Oh, yeah. And that is another great point. Thank you. I didn't even mention that. At this point, you can install PowerShell on Linux.
Eric Kuehn:Right? You know, definitely do that. There's no reason not to use pwsh on your Kali box at times.
Jennifer Shannon:I mean, there's a lot of
Eric Kuehn:Alright. Sure. There's lots of reasons not to do it at times, but you know what? Using it at times will work well for you as well.
Jennifer Shannon:I do have I did save some questions.
Eric Kuehn:Oh, thank you. I was trying to get back and forth, but I was not
Jennifer Shannon:doing I know. I I tried to get some of the questions. So somebody said, how do you go about telling an organization, specifically health care, how do you go about basically telling them to turn off NTLM? Because it's a tough conversation, and a lot of the people said that trying to really highlight the associated risk and the exposure with it is a good way to kinda stress it to them. But do you have anything that you would like to add?
Eric Kuehn:No. I I I think that's actually true. It it explain the exposure. They're not gonna necessarily use using security doesn't always work well with management. Right?
Jennifer Shannon:Mhmm.
Eric Kuehn:There there can absolutely be a way of we are using this old system that's talking in in a way that doesn't work well, that is holding all of our PHI information. Right? It is easy for an attacker to break this and gain access to all of our PHI information. That would make sure it, you know, actually is heard. If you can give some money, monetary value to that, it would help you even more.
Eric Kuehn:But, yes, risk yeah. Compliance, saying it's a compliance issue would be better. Although, I don't I I don't think even with the current version of of HIPAA says that you you can't use NTLM. I could be wrong on that, but I don't think it's that specific. So yep.
Jennifer Shannon:And they did have a bunch of really good questions, so I don't know if we'll have time to get through all of them, but I'll go ahead and read some of those out. As we phase out NTLM and RC4, what architectural considerations should be made for legacy applications that still rely on those protocols? For instance, can we design hybrid authentication bridges to minimize disruption during the transition?
Eric Kuehn:So, yes. So even though the default is gonna be AES for a while, you still have the option on the specific service accounts that are running it to specify it can use RC4. I don't know if that's necessarily the best way for you to stay long term. It will work. It should continue to work.
Eric Kuehn:You just want to, you know, definitely do what you can to to change that. It begins by tracking and seeing what those applications are, and then you can have a better idea of what the actual impact is gonna be and how hard it will be to move.
Jennifer Shannon:I do. I think that I I have an idea of what this answer is gonna be, and it's unfortunately going to be that it depends on your organization. But the next question from them is, looking ahead to the complete removal of NTLM from Windows, what foundational architectural shift should organizations prioritize now, such as moving to Kerberos first designs or integrating with Azure AD for hybrid scenarios?
Eric Kuehn:Oh. Yeah. So I don't wanna take the security consultant depends, but it does. Microsoft is investing, has invested, continues to invest a lot of money into Entra and Azure and those offerings. More and more offerings are coming out there first and then maybe somehow tying back into on prem.
Eric Kuehn:If you want to continue to, you know, stay in the Microsoft landscape, I would be saying it is definitely worth looking at what it takes to move applications to, you know, authenticate against Entra instead of an on prem. But it is a very different authentication mechanism. It does not work any way similarly. Right? So it that that could be a huge shift.
Eric Kuehn:So, will disabling anonymous logins nerf Certipy? So I don't have anonymous logins actually set, right, by default. So I don't think that is going to nerf it. It's just doing a quick request. Oh, somebody's asking about the AD Protected Users group. My favorite hidden security feature.
Eric Kuehn:And I know, Zach, I'm running really late. I'll keep this super fast. You're good. So, that AD Protected Users group, if you aren't using it, is another thing that you should be putting in place for your administrative accounts that do default Windows things. They aren't logging in to applications.
Eric Kuehn:If you put those users in that group, they cannot use NTLM anymore. It will not work. It counts as a bad password login attempt, which is why they can't log in to apps. As I said before, people don't know how to set up apps properly in Kerberos, and they're defaulting to NTLM, and you get problems. It also limits Kerberos ticket lifetime.
Eric Kuehn:It doesn't let them use older authentication mechanisms. It does all sorts of things that really help protect those accounts. Please, please, please use those. Delegations? Yep.
Eric Kuehn:Absolutely. T shirt. Stops that too. Yep. Sorry.
Eric Kuehn:Go ahead, Zach.
Zach Hill:Where can everybody get a Secure Ideas T shirt?
Eric Kuehn:Oh, that's a great question. I don't I I know we have more.
Jennifer Shannon:I think we mostly just have oh, wait. Hold on. There is I know we have the web store that I'll have to go find, but then as far as, like, the actual, like, swag
Eric Kuehn:Oh, yeah. We actually we have those too.
Jennifer Shannon:I think we only have, like, extra larges left.
Eric Kuehn:So We could take a look at that. Polos are definitely should be available in the store. You know?
Jennifer Shannon:Yeah. Let me go find the store real quick and see if I can post it. I know I do not remember the links because I will say I got some of the hoodies from the store that they like, hi. My name is domain admin. Yeah.
Jennifer Shannon:Love that hoodie. They are so comfortable.
Eric Kuehn:Yep. And I was gonna, one last super fast thing. I know people mentioned Purple Knight and, oh, I can't remember the other one right now. The tools to help you audit, those are great tools to do like a vuln scan of your AD environment and give you, PingCastle. Thank you, Tyler.
Eric Kuehn:Great tools to get a quick snapshot of your environment. Definitely recommend it. BloodHound is another tool, but works slightly differently. PingCastle and Purple Knight are like, I would just say a vuln scan of AD for common AD issues, but treat it like a vuln scan. It doesn't mean it's really a problem.
Zach Hill:Awesome. Love it. Thank you, sir. Thank you for coming on, sharing your knowledge with us. We definitely appreciate that.
Zach Hill:And Jennifer, thank you for being here as well. While you were presenting, we were able to get your class up for registration. So if anybody is interested in learning more with Eric, please consider taking his Red Team Fundamentals for Active Directory class coming up in March. I put the link into the Discord chat. I will add it over to our Zoom chat as well.
Zach Hill:And I did add the slides, to the Zoom, application as well. So if you guys wanna access the slides, they should be there. And if you're on the Discord, all the slides should be in the slides resources section. And if you'd also like to compete in this week's CTF, we put the link for that in this, resources section as well, but I'll drop a link in the main area. And, Jennifer, we have your class that is up for registration now as well.
Zach Hill:So if you all wanna learn more evil API with Jennifer, definitely check out her class coming up April 14, I believe it is. Yep. April 14. And last thing I got is our SOC summit coming up March 25. If you all wanna come and hang out with us for a full day of talks related to blue team, incident response, and security operation centers, then definitely check out the SOC Summit.
Zach Hill:I'll be there. I'm super excited for it and we'll have a lot of great talks. Jennifer and Eric, do you all have anything you would like to share with us before we depart for the day?
Eric Kuehn:I don't think I have anything other than once again, thank you for listening to me. Hopefully, didn't ramble too much. Always enjoy the the opportunity to be here.
Zach Hill:I appreciate you being here, and no rambling. It was fantastic. There's a lot of knowledge, and everybody loved it. So thank you, sir. Jennifer, what's up?
Jennifer Shannon:Oh, I was just saying that I saw that the the link to the professional label store was posted, so I commented on it. So that way, people would know. That is the legitimate link. That is where I have heard I least I hope it is because I bought stuff from there. Awesome.
Zach Hill:Y'all can check out the secure ideas merch from that link. And if y'all have any questions, please feel free to reach out, or we'll see you all next week where oh, goodness. I don't have next week's coming up. Let's see. I but I know I can look and see what is coming up if I go to poweredbybhas.com.
Zach Hill:Let me grab the link for that. If you go to poweredbybhs.com, it'll take you to our security stadium, which will show you all of the fun things that we're gonna be doing coming up. So next week, it looks like we have red teaming AI, OWASP LLM Top 10 with Brian and Derek. That should be a fun, Awesome, very fun episode for sure.
Zach Hill:Oh, and it looks like Friday, have a threat hunting webcast with active countermeasures with FON. So that should be a good one as well. So anytime you guys wanted to see what we have going on powered by bhs.com, we'll take you to our stadium, and you can sign up for all the fun events. Hopefully, we see you at the next one. Until then, take care everybody, and have a great week.
Zach Hill:Thank you again to Eric and Jennifer and Secure Ideas. See y'all later. Bye bye.
Jennifer Shannon:Bye.
Zach Hill:Kill the fire, Megan.