Cyberattack on Lee Enterprises Causes Disruptions at Dozens of Newspapers
Dozens of local newspapers owned by media company Lee Enterprises experienced disruptions as a result of a cyberattack.
SecurityWeek – Read More
SystemBC RAT Now Targets Linux, Spreading Ransomware and Infostealers
SystemBC RAT now targets Linux, enabling ransomware gangs like Ryuk & Conti to spread, evade detection, and maintain encrypted C2 traffic for stealthy cyberattacks.
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More
Intel Patched 374 Vulnerabilities in 2024
Intel says roughly 100 of the 374 vulnerabilities it patched last year were firmware and hardware security defects.
SecurityWeek – Read More
Gcore DDoS Radar Reveals 56% YoY Increase in DDoS Attacks
Gcore’s latest DDoS Radar report analyzes attack data from Q3–Q4 2024, revealing a 56% YoY rise in the total number of DDoS attacks with the largest attack peaking at a record 2 Tbps. The financial services sector saw the most dramatic increase, with a 117% rise in attacks, while gaming remained the most-targeted industry. This period’s findings emphasize the need for robust, adaptive DDoS
The Hacker News – Read More
Progress Software Patches High-Severity LoadMaster Flaws Affecting Multiple Versions
Progress Software has addressed multiple high-severity security flaws in its LoadMaster software that could be exploited by malicious actors to execute arbitrary system commands or download any file from the system.
Kemp LoadMaster is a high-performance application delivery controller (ADC) and load balancer that provides availability, scalability, performance, and security for business-critical
The Hacker News – Read More
US Cyber Agency Puts Election Security Staffers Who Worked With the States on Leave
Staffers at the nation’s cybersecurity agency whose job is to ensure the security of US elections have been placed on administrative leave.
SecurityWeek – Read More
Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks
Threat actors have been observed leveraging the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025.
NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim’s host, allowing them to monitor the device’s screen in real-time, control the keyboard and mouse, upload and download
The Hacker News – Read More
OpenAI Finds No Evidence of Breach After Hacker Offers to Sell 20 Million Credentials
A hacker recently offered to sell 20 million OpenAI credentials, but the data likely comes from information stealers, not the AI firm’s systems.
SecurityWeek – Read More
Protecting Your Software Supply Chain: Assessing the Risks Before Deployment
Imagine you’re considering a new car for your family. Before making a purchase, you evaluate its safety ratings, fuel efficiency, and reliability. You might even take it for a test drive to ensure it meets your needs. The same approach should be applied to software and hardware products before integrating them into an organization’s environment. Just as you wouldn’t buy a car without knowing its
The Hacker News – Read More
Stealthy AD CS Reconnaissance
Ever since Will Schroeder and Lee Christensen from SpecterOps released their seminal Active Directory Certificate Services (AD CS) research, it has been a popular avenue for Windows domain privilege escalation, used by security professionals and threat actors alike.
Such attack paths usually begin with the enumeration of published certificate templates by means of LDAP queries to a domain controller (or COM / RPC requests to a certificate authority). However, in mature environments LDAP traffic is monitored, both on the client side (API hooking, ETW) and on the server side (query logging, SACL-based audit policies), for known tool behavior and malicious activity. To evade these detections, attackers use selective queries, obfuscate their requests, leverage native utilities and have developed new enumeration techniques with corresponding tooling based on alternative protocols (ADWS).
Wouldn’t it be convenient to use another – less monitored – data source to learn the same information?
Registry Certificate Template Cache
This is what Cedric Van Bockhaven and Max Grim from Outflank presented in their talk The Registry Rundown at Troopers. They discovered that the local registry contains a certificate template cache.
AD CS is a gift that keeps on giving (ESC13, ESC14, ESC15) with new misconfigurations being discovered on a regular basis. It therefore seemed natural to plug this new data source into an existing analysis framework to reuse its capabilities and structured data output.
Extend Existing Tooling
This idea was realized by introducing a new certipy command to parse TrustedSec’s reg_query BOF output as well as the text-based Windows registry (.reg) file format.
Using the reg_query BOF
Assuming you have code execution as a low privileged user on a domain-joined Windows machine, collect the cached certificate template metadata from the local registry using:
One missing piece of information is whether the certificate template is actually published to a certificate authority. This still has to be queried via LDAP:
Passing the returned comma separated list of published template names, the previously captured registry query output and a set of SIDs, belonging to owned principals, allows familiar analysis using certipy:
Using regedit.exe
If you instead have interactive access to a compromised client and want to use the native regedit.exe utility to live off the land and better blend into the target environment, you can File > Export the relevant registry branch to a .reg file. Changing the -format to reg allows parsing of this too:
What’s next?
Of course, being aware of available certificate templates is only the first step. Obtaining a valid certificate while avoiding possible honeypots, detections based on suspicious ticket options during PKINIT, or Kerberos traffic from an unusual process is left as an exercise for the sophisticated attacker.
As for detection, the same mechanism (a custom SACL on the relevant registry keys) as for detecting local SCCM reconnaissance can be employed.
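As an added example (not code from the Compass Security post or the Outflank talk), the following PowerShell configures such an audit SACL on the local template cache key and then pulls the resulting object-access events; it assumes the enrollment client keeps the cache under HKLM\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache and must run elevated.

```powershell
# Added defensive example, not code from the blog post.
# Assumption: the enrollment client's certificate template cache lives under this key.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache'

# Audit successful read access (QueryValues, EnumerateSubKeys, ...) by any principal,
# inherited by the per-template subkeys. Writing a SACL needs SeSecurityPrivilege.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# The SACL only produces events once the "Registry" object-access subcategory is enabled.
auditpol /set /subcategory:"Registry" /success:enable

# Review 4663 (object access) events for the cache key. Each event names the accessing
# process and account, so the host's legitimate readers (e.g. the autoenrollment task)
# can be baselined and any other process reading the cache alerted on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    Where-Object { $_.Message -like '*CertificateTemplateCache*' } |
    ForEach-Object {
        $proc = if ($_.Message -match 'Process Name:\s+(.+)') { $Matches[1].Trim() } else { '?' }
        $user = if ($_.Message -match 'Account Name:\s+(.+)') { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $user; Process = $proc }
    } |
    Format-Table -AutoSize
```

Expect a steady trickle of events from the enrollment components themselves; the value of the rule lies in the process and account fields, which let reg.exe, regedit.exe or an unexpected binary reading the cache stand out against that baseline.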
Happy red teaming.
Compass Security Blog – Read More