Security Advisor at Improsec
Martin Sohn Christensen ,Martin is a security consultant at Improsec, a pragmatic security consulting firm in Denmark. With a background in Windows IT operations, he has pivoted to security in mainly Windows and Active Directory where he performs offence, analysis, and assessments. Although new to the industry, both his security passion and knowledge is strong because of a desire to understand concepts, technologies, and problems to their core. He enjoys researching, brain sharing, and solving hard problems in a team.
Not understanding Active Directory domain- and forest trusts can be a big risk. We often have to stress, to quote from Microsoft: “the forest (not the domain) is the security boundary in an Active Directory implementation”. This means that any compromised child domain could result in a compromised root domain. But why is it so? We guessed the answer must be because of the attack/technique known as Access Token Manipulation: SID-History Injection, which enable a Domain Admin of a child domain to escalate to Enterprise Admin and gain full control of the forest. The attack can be mitigated by enabling SID filtering on the trust relationship, but it is not enabled by default for intra-forest domain trusts. SID Filtering is however enabled for inter-forest trusts by default, as Microsoft explains: “SID filtering helps prevent malicious users with administrative credentials in a trusted forest from taking control of a trusting forest”.
What is interesting is that SID filtering can be enabled on intra-forest domain trust as well and in theory prevent the SID-History injection technique. This posed the question – could SID filtering make the domain a security boundary? Our talk will take the audience through our research on this question. We will demonstrate typical trust attacks, how they can be mitigated, and present our SID filtering research including new techniques we discovered that make intra-forest SID filtering obsolete. Finally, we will explain and demonstrate a trust attack technique for moving from a TRUSTING domain to a TRUSTED domain (opposite direction of other trust attacks) which works even over one-way forest trusts (thereby breaking both Microsoft’s “forest is security boundary” statement and the “Red Forest”/ESAE design). Deep knowledge of Kerberos authentication is not necessary as the attacks are of low complexity, but a basic understanding of the protocol is an advantage. Attacks will be demonstrated using living-off-the-land tools and FOSS tools like Mimikatz and Rubeus. The talk is a summary of our work published in the “SID filter as security boundary between domains?” blog post series where part 1 explains Kerberos authentication between domains: https://improsec.com/tech-blog/o83i79jgzk65bbwn1fwib1ela0rl2d
