FalconFriday — Certified Pre-Owned — 0xFF12

Post-Image

FalconFriday — Certified Pre-Owned — 0xFF12

On June 17th Will and Lee over at SpecterOps have published their impressive and detailed research into Microsoft Active Directory Certificate Server (AD CS)(mis)configurations in a blog and whitepaper.

If you have not read the blog and whitepaper and you run an AD CS in your environment I strongly encourage you to spend some time understanding the possible issues you might have.

To a certain extent, not all of their mitigation suggestions might be an option for your organization to (immediately) implement. Do keep in mind that mitigating is always preferred over detecting and responding.

One great thing about the white paper is that they have also extensively documented detective guidance, providing all kinds op detection opportunities. To support you on the detection side, we have developed a set of rules to at least have some tripwires in place that alert you of potential abuse.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-certified-pre-owned-0xff12-40f00a35e51a

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday