FalconFriday — Detecting UnPACing and shadowed credentials — 0xFF1E

When playing around with Certipy and Rubeus in a recent project, I fell down a rabbit hole. Going through the attacks implemented in Certipy, I wanted to build as many solid detections as possible — essentially revisiting our earlier work on ADCS abuse detection. The rabbit hole started when I began looking into the KDC options[1], what they mean and how these tools use them.

I managed to squeeze out quite a few high-fidelity detections, two of which I want to share today.

This is a cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/falconfriday-detecting-unpacing-and-shadowed-credentials-0xff1e-2246934247ce