diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/General.tsx index b00ca9b1b..02c61e356 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/General.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/General.tsx @@ -15,29 +15,12 @@ // SPDX-License-Identifier: Apache-2.0 import { FC } from 'react'; -import { groupSpecialFormat } from '../utils'; +import { useHelpTextStyles, groupSpecialFormat } from '../utils'; import { EdgeInfoProps } from '../index'; import { Typography } from '@mui/material'; -import { makeStyles } from '@mui/styles'; - -const useStyles = makeStyles((theme) => ({ - containsCodeEl: { - '& code': { - backgroundColor: 'darkgrey', - padding: '2px .5ch', - fontWeight: 'normal', - fontSize: '.875em', - borderRadius: '3px', - display: 'inline', - - overflowWrap: 'break-word', - whiteSpace: 'pre-wrap', - }, - }, -})); const General: FC = ({ sourceName, sourceType, targetName }) => { - const classes = useStyles(); + const classes = useHelpTextStyles(); return ( {groupSpecialFormat(sourceType, sourceName)} has the privileges to perform the ADCS ESC10 Scenario A attack diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/LinuxAbuse.tsx index e7987bc68..b86b3aa9d 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/LinuxAbuse.tsx 
@@ -16,26 +16,10 @@ import { FC } from 'react'; import { Box, Link, List, ListItem, Typography } from '@mui/material'; -import { makeStyles } from '@mui/styles'; - -const useStyles = makeStyles((theme) => ({ - containsCodeEl: { - '& code': { - backgroundColor: 'darkgrey', - padding: '2px .5ch', - fontWeight: 'normal', - fontSize: '.875em', - borderRadius: '3px', - display: 'inline', - - overflowWrap: 'break-word', - whiteSpace: 'pre-wrap', - }, - }, -})); +import { useHelpTextStyles } from '../utils'; const LinuxAbuse: FC = () => { - const classes = useStyles(); + const classes = useHelpTextStyles(); const step1 = ( <> diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/WindowsAbuse.tsx index fc0652d1e..dd9909443 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC10a/WindowsAbuse.tsx @@ -15,27 +15,11 @@ // SPDX-License-Identifier: Apache-2.0 import { FC } from 'react'; -import makeStyles from '@mui/styles/makeStyles'; import { Typography, Link, List, ListItem, Box } from '@mui/material'; - -const useStyles = makeStyles((theme) => ({ - containsCodeEl: { - '& code': { - backgroundColor: 'darkgrey', - padding: '2px .5ch', - fontWeight: 'normal', - fontSize: '.875em', - borderRadius: '3px', - display: 'inline', - - overflowWrap: 'break-word', - whiteSpace: 'pre-wrap', - }, - }, -})); +import { useHelpTextStyles } from '../utils'; const WindowsAbuse: FC = () => { - const classes = useStyles(); + const classes = useHelpTextStyles(); const step1 = ( <> diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/General.tsx index a53caf54b..6d1b25bb9 100644 
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/General.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/General.tsx @@ -15,29 +15,12 @@ // SPDX-License-Identifier: Apache-2.0 import { FC } from 'react'; -import { groupSpecialFormat } from '../utils'; +import { useHelpTextStyles, groupSpecialFormat } from '../utils'; import { EdgeInfoProps } from '../index'; import { Typography } from '@mui/material'; -import { makeStyles } from '@mui/styles'; - -const useStyles = makeStyles((theme) => ({ - containsCodeEl: { - '& code': { - backgroundColor: 'darkgrey', - padding: '2px .5ch', - fontWeight: 'normal', - fontSize: '.875em', - borderRadius: '3px', - display: 'inline', - - overflowWrap: 'break-word', - whiteSpace: 'pre-wrap', - }, - }, -})); const General: FC = ({ sourceName, sourceType, targetName }) => { - const classes = useStyles(); + const classes = useHelpTextStyles(); return ( <> diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/LinuxAbuse.tsx index dbea805e6..f990bed66 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/LinuxAbuse.tsx @@ -16,26 +16,10 @@ import { FC } from 'react'; import { Box, Link, List, ListItem, Typography } from '@mui/material'; -import { makeStyles } from '@mui/styles'; - -const useStyles = makeStyles((theme) => ({ - containsCodeEl: { - '& code': { - backgroundColor: 'darkgrey', - padding: '2px .5ch', - fontWeight: 'normal', - fontSize: '.875em', - borderRadius: '3px', - display: 'inline', - - overflowWrap: 'break-word', - whiteSpace: 'pre-wrap', - }, - }, -})); +import { useHelpTextStyles } from '../utils'; const LinuxAbuse: FC = () => { - const classes = useStyles(); + const classes = useHelpTextStyles(); const step1 = ( <> 
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/WindowsAbuse.tsx index 43bfac392..844173b1f 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9a/WindowsAbuse.tsx @@ -15,27 +15,11 @@ // SPDX-License-Identifier: Apache-2.0 import { FC } from 'react'; -import makeStyles from '@mui/styles/makeStyles'; import { Typography, Link, List, ListItem, Box } from '@mui/material'; - -const useStyles = makeStyles((theme) => ({ - containsCodeEl: { - '& code': { - backgroundColor: 'darkgrey', - padding: '2px .5ch', - fontWeight: 'normal', - fontSize: '.875em', - borderRadius: '3px', - display: 'inline', - - overflowWrap: 'break-word', - whiteSpace: 'pre-wrap', - }, - }, -})); +import { useHelpTextStyles } from '../utils'; const WindowsAbuse: FC = () => { - const classes = useStyles(); + const classes = useHelpTextStyles(); const step1 = ( <> diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/ADCSESC9b.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/ADCSESC9b.tsx new file mode 100644 index 000000000..724cfe762 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/ADCSESC9b.tsx 
@@ -0,0 +1,31 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import General from './General';
+import WindowsAbuse from './WindowsAbuse';
+import LinuxAbuse from './LinuxAbuse';
+import Opsec from './Opsec';
+import References from './References';
+
+const ADCSESC9b = {
+ general: General,
+ windowsAbuse: WindowsAbuse,
+ linuxAbuse: LinuxAbuse,
+ opsec: Opsec,
+ references: References,
+};
+
+export default ADCSESC9b;
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/General.tsx
new file mode 100644
index 000000000..6ca89a668
--- /dev/null
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/General.tsx
@@ -0,0 +1,59 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { FC } from 'react'; +import { useHelpTextStyles, groupSpecialFormat } from '../utils'; +import { EdgeInfoProps } from '../index'; +import { Typography } from '@mui/material'; + +const General: FC = ({ sourceName, sourceType, targetName }) => { + const classes = useHelpTextStyles(); + return ( + <> + + {groupSpecialFormat(sourceType, sourceName)} has the privileges to perform the ADCS ESC9 Scenario B + attack against the target domain. +
+
+ The principal has control over a victim computer with permission to enroll on one or more certificate + templates, configured to: 1) enable certificate authentication, 2) require the dNSHostName +  of the enrollee included in the Subject Alternative Name (SAN), and 3) not have the security + extension enabled. The victim computer also has enrollment permission for an enterprise CA with the + necessary templates published. This enterprise CA is trusted for NT authentication in the forest, and + chains up to a root CA for the forest. There is an affected Domain Controller (DC) configured to allow + weak certificate binding enforcement. This setup lets the principal impersonate any AD forest computer + without their credentials. +
+
+ The attacker principal can abuse their control over the victim computer to modify the victim computer's{' '} + dNSHostName attribute to match the dNSHostName of a targeted computer. The + attacker principal will then abuse their control over the victim computer to obtain the credentials of + the victim computer, or a session as the victim computer, and enroll a certificate as the victim in one + of the affected certificate templates. The dNSHostName of the victim will be included in + the issued certificate under SAN DNS name. As the certificate template does not have the security + extension, the issued certificate will NOT include the SID of the victim computer. DCs with strong + certificate binding configuration will require a SID to be present in a certificate used for Kerberos + authentication, but the affected DCs with weak certificate binding configuration will not. The affected + DCs will split the SAN DNS name into a computer name and a domain name, confirm that the domain name is + correct, and use the computer name appended a $ to identify principals with a matching{' '} + sAMAccountName. At last, the DC issues a Kerberos TGT as the targeted computer to the + attacker, which means the attacker now has a session as the targeted computer. +
+ + ); +}; + +export default General; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/LinuxAbuse.tsx new file mode 100644 index 000000000..fa5a0e84e --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/LinuxAbuse.tsx @@ -0,0 +1,156 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { FC } from 'react'; +import { Link, Typography } from '@mui/material'; +import { useHelpTextStyles } from '../utils'; + +const LinuxAbuse: FC = () => { + const classes = useHelpTextStyles(); + const step1 = ( + <> + + Step 1: Set dNSHostName of victim computer to targeted computer's{' '} + dNSHostName. +
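Review bot: The General text in ADCSESC9b/General.tsx refers to "the security extension" and "weak certificate binding enforcement" without naming the settings, so a defender reading the edge cannot tell what to check or fix. I would name the template flag on first mention, e.g. `not have the security extension enabled (CT_FLAG_NO_SECURITY_EXTENSION set in msPKI-Enrollment-Flag)`, and tie the DC condition to the `StrongCertificateBindingEnforcement` registry value. Two wording fixes in the last paragraph: `use the computer name appended a $` should read `use the computer name with a $ appended`, and `At last, the DC issues` reads better as `Finally, the DC issues`.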
+
+ Set the dNSHostName of the victim computer using Certipy: +
+ + { + 'certipy account update -username ATTACKER@CORP.LOCAL -password PWD -user VICTIM -dns TARGET.CORP.LOCAL' + } + + + ); + + const step2 = ( + <> + + Step 2: Check if mail attribute of victim must be set and set it if required. +
+
+ If the certificate template is of schema version 2 or above and its attribute{' '} + msPKI-CertificateNameFlag contains the flag SUBJECT_REQUIRE_EMAIL and/or + SUBJECT_ALT_REQUIRE_EMAIL then the victim principal must have their mail attribute set for + the certificate enrollment. The CertTemplate BloodHound node will have "Subject Require Email"{' '} + or "Subject Alternative Name Require Email" set to true if any of the flags are present. +
+
+ If the certificate template is of schema version 1 or does not have any of the email flags, then + continue to Step 3. +
+
+ If any of the two flags are present, you will need the victim's mail attribute to be set. The value of + the attribute will be included in the issues certificate but it is not used to identify the target + computer why it can be set to any arbitrary string. +
+
+ Check if the victim has the mail attribute set using ldapsearch: +
+ {`ldapsearch -x -D "ATTACKER-DN" -w 'PWD' -h DOMAIN-DNS-NAME -b "VICTIM-DN" mail`} + + If the victim has the mail attribute set, continue to Step 3. +
+
+ If the victim does not have the mail attribute set, set it to a dummy mail using ldapmodify: +
+ + {`echo -e "dn: VICTIM-DN\nchangetype: modify\nreplace: mail\nmail: test@mail.com" | ldapmodify -x -D "ATTACKER-DN" -w 'PWD' -h DOMAIN-DNS-NAME`} + + + ); + + const step3 = ( + + Step 3: Obtain a session as victim. +
+
+ There are several options for this step. You can obtain a session as SYSTEM on the host, which allows you to + interact with AD as the computer account, by abusing control over the computer AD object (see{' '} + + GenericAll edge documentation + + ) +
+ ); + + const step4 = ( + <> + + Step 4: Enroll certificate as victim. +
+
+ Use Certipy as the victim computer to request enrollment in the affected template, specifying the + affected EnterpriseCA: +
+ + {'certipy req -u VICTIM@CORP.LOCAL -p PWD -ca CA-NAME -target SERVER -template TEMPLATE'} + + + The issued certificate will be saved to disk with the name of the targeted computer. + + + ); + + const step5 = ( + <> + + Step 5 (Optional): Set dNSHostName of victim to the previous value. +
+
+ To avoid DNS issues in the environment, set the dNSHostName of the victim computer back to + its previous value using Certipy: +
+ + { + 'certipy account update -username ATTACKER@CORP.LOCAL -password PWD -user VICTIM -dns VICTIM.CORP.LOCAL' + } + + + ); + + const step6 = ( + <> + + Step 6: Perform Kerberos authentication as targeted computer against affected DC using + certificate. +
+
+ Request a ticket granting ticket (TGT) from the domain, specifying the certificate created in Step 4 and + the IP of an affected DC: +
+ {'certipy auth -pfx TARGET.pfx -dc-ip IP'} + + ); + + return ( + <> + An attacker may perform this attack in the following steps: + {step1} + {step2} + {step3} + {step4} + {step5} + {step6} + + ); +}; + +export default LinuxAbuse; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/Opsec.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/Opsec.tsx new file mode 100644 index 000000000..cc73a72e2 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/Opsec.tsx @@ -0,0 +1,31 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { FC } from 'react'; +import { Typography } from '@mui/material'; + +const Opsec: FC = () => { + return ( + + When the affected certificate authority issues the certificate to the attacker, it will retain a local copy + of that certificate in its issued certificates store. Defenders may analyze those issued certificates to + identify illegitimately issued certificates and identify the computer that requested the certificate, as + well as the target identity the attacker is attempting to impersonate. + + ); +}; + +export default Opsec; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/References.tsx new file mode 100644 index 000000000..1ac6d3fe1 --- /dev/null 
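Review bot: In `step2` of ADCSESC9b/LinuxAbuse.tsx the sentence ending `included in the issues certificate but it is not used to identify the target computer why it can be set to any arbitrary string` has a typo and does not parse; the same sentence is copied into `step2` of ADCSESC9b/WindowsAbuse.tsx. Suggested wording: `included in the issued certificate, but it is not used to identify the target computer, so it can be set to any arbitrary string.` `step3` here also ends with `)` and no closing period, whereas the Windows version ends with `).`. The two `step2` explanations are almost identical, so moving the shared paragraphs into one fragment would stop them drifting apart.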
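Review bot: The Opsec text in ADCSESC9b/Opsec.tsx mentions only the CA's issued-certificates store, but the steps described in this same change leave other traces a defender can use. I would add a sentence such as `Changing the victim computer's dNSHostName is a directory modification that DCs can log (for example events 5136 or 4742), certificate requests and issuance can be logged on the CA (events 4886 and 4887), and the certificate-based TGT request is recorded as event 4768 on the DC.` Whether those events are actually produced depends on the audit policy, the SACLs and the CA auditing settings, so the text should say so. A temporary `dNSHostName` that duplicates another computer's value, followed by a revert, is worth calling out as the distinguishing signal.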
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/References.tsx @@ -0,0 +1,75 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import React, { FC } from 'react'; +import { Link, Box } from '@mui/material'; + +const References: FC = () => { + const references = [ + { + label: 'Certipy 4.0', + link: 'https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7', + }, + { + label: 'Certified Pre-Owned', + link: 'https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf', + }, + { + label: 'Certipy', + link: 'https://github.com/ly4k/Certipy', + }, + { + label: 'GhostPack Certipy', + link: 'https://github.com/GhostPack/Certify', + }, + { + label: 'GhostPack Rubeus', + link: 'https://github.com/GhostPack/Rubeus', + }, + { + label: 'Set-DomainObject', + link: 'https://powersploit.readthedocs.io/en/latest/Recon/Set-DomainObject', + }, + { + label: 'CertUtil.exe', + link: 'https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil', + }, + { + label: 'LDAPSearch', + link: 'https://linux.die.net/man/1/ldapsearch', + }, + { + label: 'LDAPModify', + link: 'https://linux.die.net/man/1/ldapmodify', + }, + ]; + return ( + + {references.map((reference) => { + return ( + + + {reference.label} + +
+
+ ); + })} +
+ ); +}; + +export default References; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/WindowsAbuse.tsx new file mode 100644 index 000000000..35305c6e9 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC9b/WindowsAbuse.tsx @@ -0,0 +1,164 @@ +// Copyright 2024 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { FC } from 'react'; +import { Typography, Link } from '@mui/material'; +import { useHelpTextStyles } from '../utils'; + +const WindowsAbuse: FC = () => { + const classes = useHelpTextStyles(); + const step1 = ( + <> + + Step 1: Set dNSHostName of victim computer to targeted computer's{' '} + dNSHostName. +
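Review bot: The entry `label: 'GhostPack Certipy'` in the `references` array links to `https://github.com/GhostPack/Certify`, so the label names the wrong tool; it should be `label: 'GhostPack Certify',`. The array also lists `CertUtil.exe`, `LDAPSearch` and `LDAPModify` after the tool repositories without any grouping, and a short comment separating research, tooling and vendor documentation would make the list easier to maintain. The JSX inside the `map` callback is not fully visible in this view, so I cannot confirm that each rendered element carries a stable `key`; worth checking.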
+
+ Set the dNSHostName of the victim computer using PowerView: +
+ + {"Set-DomainObject -Identity VICTIM -Set @{'dnshostname'='target.corp.local'}"} + + + ); + + const step2 = ( + <> + + Step 2: Check if mail attribute of victim must be set and set it if required. +
+
+ If the certificate template is of schema version 2 or above and its attribute{' '} + msPKI-CertificateNameFlag contains the flag SUBJECT_REQUIRE_EMAIL and/or{' '} + SUBJECT_ALT_REQUIRE_EMAIL then the victim principal must have their mail{' '} + attribute set for the certificate enrollment. The CertTemplate BloodHound node will have{' '} + "Subject Require Email" or "Subject Alternative Name Require Email" set to true if any + of the flags are present. + "Subject Alternative Name Require Email" set to true if any of the flags are present. +
+
+ If the certificate template is of schema version 1 or does not have any of the email flags, then + continue to Step 3. +
+
+ If any of the two flags are present, you will need the victim's mail attribute to be set. The value of + the attribute will be included in the issues certificate but it is not used to identify the target + computer why it can be set to any arbitrary string. +
+
+ Check if the victim has the mail attribute set using PowerView: +
+ {'Get-DomainObject -Identity VICTIM -Properties mail'} + + If the victim has the mail attribute set, continue to Step 3. +
+
+ If the victim does not have the mail attribute set, set it to a dummy mail using PowerView: +
+ + {"Set-DomainObject -Identity VICTIM -Set @{'mail'='dummy@mail.com'}"} + + + ); + + const step3 = ( + + Step 3: Obtain a session as victim. +
+
+ There are several options for this step. You can obtain a session as SYSTEM on the host, which allows you to + interact with AD as the computer account, by abusing control over the computer AD object (see{' '} + + GenericAll edge documentation + + ). +
+ ); + + const step4 = ( + <> + + Step 4: Enroll certificate as victim. +
+
+ Use Certify as the victim computer to request enrollment in the affected template, specifying the + affected EnterpriseCA: +
+ + {'Certify.exe request /ca:SERVERCA-NAME /template:TEMPLATE /machine'} + + + Save the certificate as cert.pem and the private key as cert.key. + + + ); + + const step5 = ( + <> + + Step 5: Convert the emitted certificate to PFX format: + + {'certutil.exe -MergePFX .cert.pem .cert.pfx'} + + ); + const step6 = ( + <> + + Step 6 (Optional): Set dNSHostName of victim to the previous value. +
+
+ To avoid DNS issues in the environment, set the dNSHostName of the victim computer back to + its previous value using PowerView: +
+ + {"Set-DomainObject -Identity VICTIM -Set @{'dnshostname'='victim.corp.local'}"} + + + ); + const step7 = ( + <> + + Step 7: Perform Kerberos authentication as targeted computer against affected DC using + certificate. +
+
+ Use Rubeus to request a ticket granting ticket (TGT) from an affected DC, specifying the target identity + to impersonate and the PFX-formatted certificate created in Step 5: +
+ + {'Rubeus.exe asktgt /certificate:cert.pfx /user:TARGET$ /domain:DOMAIN /dc:DOMAIN_CONTROLLER'} + + + ); + + return ( + <> + An attacker may perform this attack in the following steps. + {step1} + {step2} + {step3} + {step4} + {step5} + {step6} + {step7} + + ); +}; + +export default WindowsAbuse; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx index d3927d287..03d497150 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx @@ -112,6 +112,7 @@ import ADCSESC1 from './ADCSESC1/ADCSESC1'; import ADCSESC6a from './ADCSESC6a/ADCSESC6a'; import ADCSESC6b from './ADCSESC6b/ADCSESC6b'; import ADCSESC9a from './ADCSESC9a/ADCSESC9a'; +import ADCSESC9b from './ADCSESC9b/ADCSESC9b'; import ADCSESC10a from './ADCSESC10a/ADCSESC10a'; export type EdgeInfoProps = { @@ -218,6 +219,7 @@ const EdgeInfoComponents = { ADCSESC6a: ADCSESC6a, ADCSESC6b: ADCSESC6b, ADCSESC9a: ADCSESC9a, + ADCSESC9b: ADCSESC9b, ADCSESC10a: ADCSESC10a, ManageCA: ManageCA, ManageCertificates: ManageCertificates, diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/utils.ts b/packages/javascript/bh-shared-ui/src/components/HelpTexts/utils.ts index 0ad6a85cb..7a6caf3ab 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/utils.ts +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/utils.ts @@ -14,6 +14,8 @@ // // SPDX-License-Identifier: Apache-2.0 +import { makeStyles } from "@mui/styles"; + export const groupSpecialFormat = (sourceType: string | undefined, sourceName: string | undefined) => { if (!sourceType || !sourceName) return 'This entity has'; if (sourceType === 'Group') { 
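Review bot: `step2` of ADCSESC9b/WindowsAbuse.tsx contains a leftover line: after `"Subject Require Email" or "Subject Alternative Name Require Email" set to true if any of the flags are present.` the fragment `"Subject Alternative Name Require Email" set to true if any of the flags are present.` is repeated on the next added line and will render twice. Drop the second line so the paragraph ends once. The introductory sentence here ends with a period (`in the following steps.`) while the Linux variant ends with a colon; pick one.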
@@ -41,3 +43,20 @@ export const typeFormat = (type: string | undefined): string => {
 return type.toLowerCase();
 }
 };
+
+
+export const useHelpTextStyles = makeStyles((theme) => ({
+ containsCodeEl: {
+ '& code': {
+ backgroundColor: 'darkgrey',
+ padding: '2px .5ch',
+ fontWeight: 'normal',
+ fontSize: '.875em',
+ borderRadius: '3px',
+ display: 'inline',
+
+ overflowWrap: 'break-word',
+ whiteSpace: 'pre-wrap',
+ },
+ },
+}));
\ No newline at end of file
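Review bot: The new `useHelpTextStyles` hook in utils.ts declares a `theme` parameter that the style object never reads, and `backgroundColor: 'darkgrey'` is hard-coded, so the code chips ignore the active theme. Either drop the parameter, `export const useHelpTextStyles = makeStyles(() => ({`, or derive the colour from `theme` so the hook earns it. The hook is now shared by every help text, so it should carry a short doc comment saying that `containsCodeEl` styles nested `code` elements inline. Smaller style points: the import added in the first hunk of this file uses double quotes where the rest of the diff uses single quotes, and the file now ends without a trailing newline.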