Adversary Village

Jonas Bülow Knudsen

Technical Account Manager at SpecterOps

Jonas is a passionate Active Directory security professional. At Improsec, Jonas got experience as an AD hardening consultant helping organizations remediate their vulnerabilities and misconfiguration in and around Active Directory. This work included Windows OS hardening, clean-up in AD, and the AD tier model implementation. Additionally, he worked in incident response for a period, again focusing on AD. In Spring 2021, Jonas published a FOSS tool called ImproHound, which is a tool to identify the attack paths in breaking AD tiering, using BloodHound: ImproHound was presented at DEF CON 29 Adversary Village: Jonas recently joined the BloodHound Enterprise team at SpecterOps as Technical Account Manager to help organizations identify and remediate attack paths in Active Directory and Azure.

Talk: Don’t be trusted: Active Directory trust attacks
Adversary Tradecraft Technical Talk

Not understanding Active Directory domain- and forest trusts can be a big risk. We often have to stress, to quote from Microsoft: “the forest (not the domain) is the security boundary in an Active Directory implementation”. This means that any compromised child domain could result in a compromised root domain. But why is it so? We guessed the answer must be because of the attack/technique known as Access Token Manipulation: SID-History Injection, which enable a Domain Admin of a child domain to escalate to Enterprise Admin and gain full control of the forest. The attack can be mitigated by enabling SID filtering on the trust relationship, but it is not enabled by default for intra-forest domain trusts. SID Filtering is however enabled for inter-forest trusts by default, as Microsoft explains: “SID filtering helps prevent malicious users with administrative credentials in a trusted forest from taking control of a trusting forest”.

What is interesting is that SID filtering can be enabled on intra-forest domain trust as well and in theory prevent the SID-History injection technique. This posed the question – could SID filtering make the domain a security boundary? Our talk will take the audience through our research on this question. We will demonstrate typical trust attacks, how they can be mitigated, and present our SID filtering research including new techniques we discovered that make intra-forest SID filtering obsolete. Finally, we will explain and demonstrate a trust attack technique for moving from a TRUSTING domain to a TRUSTED domain (opposite direction of other trust attacks) which works even over one-way forest trusts (thereby breaking both Microsoft’s “forest is security boundary” statement and the “Red Forest”/ESAE design). Deep knowledge of Kerberos authentication is not necessary as the attacks are of low complexity, but a basic understanding of the protocol is an advantage. Attacks will be demonstrated using living-off-the-land tools and FOSS tools like Mimikatz and Rubeus. The talk is a summary of our work published in the “SID filter as security boundary between domains?” blog post series where part 1 explains Kerberos authentication between domains: