By Sherri Davidoff   /   Oct 31st, 2024

SAINTCON 2024: LMG Security’s Highlights and Insights on Active Directory Security

As the cybersecurity industry continues to evolve, smaller conferences like SAINTCON 2024 are gaining traction as invaluable opportunities for both seasoned professionals and newcomers to deepen their skills, build networks, and collaborate with a diverse range of experts. This year, our team at LMG Security had the pleasure of conducting two talks and hosting a booth at SAINTCON 2024, connecting with IT leaders, offensive security professionals, and those just stepping into the field.

I recently interviewed Matt Durrin, LMG’s Director of Training and Research, to gather his insights from SAINTCON 2024. Matt, alongside Tom Pohl, our Penetration Testing Team Lead, delivered a talk that offered attendees a firsthand look into the tactics, techniques, and procedures that real-world hackers use to exploit Active Directory Certificate Services (ADCS). Here’s a recap of our experience, along with some of the key lessons we shared at SAINTCON 2024.

The Unique Vibe of SAINTCON 2024

Unlike larger conferences like RSA and Black Hat, SAINTCON 2024 has a more intimate feel, offering participants a unique blend of technical rigor and networking opportunities. “One of the best parts of SAINTCON 2024 is the range of experience levels present,” Matt remarked. “We saw everything from college students eager to learn the ropes to industry veterans with 20+ years of experience.” This diversity fosters a collaborative environment where people can exchange ideas, ask questions freely, and learn from one another’s experiences.

Beyond the technical sessions, SAINTCON 2024 featured interactive, skill-building games. One of the most popular was the “attack towers,” where attendees could use their conference badges to participate in collaborative cybersecurity challenges. According to Matt, this kind of hands-on activity brings a “fun, community-focused” element to the event, and even provided him the opportunity to brush up on his soldering skills while chatting with other attendees.

A Deep Dive into Active Directory Certificate Services: Matt and Tom’s Presentation

Our primary presentation at SAINTCON 2024 focused on how cybercriminals exploit misconfigured Active Directory Certificate Services to gain full control of a network. This is a method our penetration testing team frequently encounters in real-world environments, and it’s increasingly used by ransomware groups aiming for complete network takeovers.

Matt and Tom began by walking the audience through a typical hacker’s journey, from initial entry to full domain compromise:

  1. Initial Access: The demonstration started with an attacker identifying and exploiting a vulnerability on the network’s perimeter, giving them a limited foothold within the organization’s systems.
  2. User Enumeration and Password Spraying: Using this initial access, the attacker was able to enumerate user accounts on the domain controller, thanks to a common misconfiguration that allowed usernames to be queried without authentication. With this list, they conducted a password-spraying attack, leveraging weak or commonly used passwords to compromise a low-level account.
  3. Targeting the Certificate Authority: With basic access secured, the attacker moved to the ADCS server, scanning for improperly configured certificates. “Defenders try to lock us out by resetting passwords, [but] it doesn’t actually stop us at all. We’ve had this happen. They actually have to revoke the certificate in order to be able to stop us from doing that,” Tom explained, underscoring the persistent nature of certificate-based attacks. In this instance, web enrollment was enabled, allowing the attacker to request certificates impersonating higher-privilege accounts.
  4. Privilege Escalation with PetitPotam: The attacker then used tools like Certipy and PetitPotam to relay authentication requests and acquire a domain administrator’s access level. This effectively gave them full control over the network and allowed them to extract all user password hashes, which could be cracked offline.

“This path from limited access to full domain compromise is exactly what real-world attackers are doing,” Matt emphasized. “The misconfiguration in ADCS that we showcased at SAINTCON 2024 is a prevalent issue and one that’s hard for many organizations to mitigate due to dependencies on legacy systems.”

Lessons for IT and Security Teams from SAINTCON 2024

Matt and Tom’s presentation at SAINTCON 2024 wasn’t just about illustrating a vulnerability but also about sharing actionable steps for prevention. Some key takeaways included:

  • Review and Update Certificate Configurations: IT teams should regularly audit ADCS configurations to ensure that features like web enrollment are disabled unless absolutely necessary. Default settings are often insecure and should be revisited frequently.
  • Implement Strong Password Policies: While password spraying remains a low-tech attack, it’s incredibly effective against weak or reused passwords. Organizations should enforce complex passwords and encourage regular updates to prevent easy account compromises.
  • Use Advanced Monitoring and Detection: Tools like Certipy are widely available to penetration testers and hackers alike. IT teams should leverage similar tools to identify and remediate certificate misconfigurations before attackers can exploit them.
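To make the "monitoring and detection" takeaway concrete, here is an added example (our own illustration, not code from the SAINTCON talk or from LMG Security) that runs two detections over constructed sample records matching the attack chain above: a password-spray detector that flags a single source failing logons against many distinct accounts within a short window, and a certificate-issuance check that flags a certificate whose subject alternative name (UPN) names a different account than the requester. The record layouts, account names, IP addresses, and thresholds are all assumptions chosen for the demo; a real deployment would feed the functions from your SIEM's extraction of Windows logon-failure events and AD CS issuance events.

```python
"""Added example, not part of the original post: defensive detections for the
password-spray and certificate-impersonation steps described above.
All records below are constructed sample data, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 10, 1, 9, 0, 0)  # constructed start time for the sample

# Constructed, simplified logon-failure records: the three fields a SIEM would
# typically extract from a Windows logon-failure event (timestamp, source
# address, target account). 10.0.0.50 walks through many accounts once each
# (spray pattern); 10.0.0.77 hammers one account (a different pattern).
LOGON_FAILURES = [
    {"ts": BASE + timedelta(seconds=s), "src": src, "user": user}
    for s, src, user in [
        (0, "10.0.0.50", "alice"),
        (15, "10.0.0.50", "bob"),
        (30, "10.0.0.50", "carol"),
        (45, "10.0.0.50", "dave"),
        (60, "10.0.0.50", "erin"),
        (75, "10.0.0.50", "frank"),
        (0, "10.0.0.77", "alice"),
        (300, "10.0.0.77", "alice"),
        (600, "10.0.0.77", "alice"),
    ]
]

# Constructed, simplified certificate-issuance records (assumed fields:
# request id, requesting account, SAN UPN the certificate names, template).
CERT_ISSUED = [
    {"request_id": 101, "requester": "CORP\\jsmith",
     "san_upn": "jsmith@corp.local", "template": "User"},
    {"request_id": 102, "requester": "CORP\\jsmith",
     "san_upn": "administrator@corp.local", "template": "User"},
    {"request_id": 103, "requester": "CORP\\WS01$",
     "san_upn": None, "template": "Machine"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: sorted account list} for every source that fails logons
    for at least `min_accounts` distinct accounts inside any `window`-long
    span. A single account failing repeatedly does not trigger this rule."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, items in by_src.items():
        items.sort()  # chronological order for the sliding window
        flagged = set()
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {user for _, user in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged |= accounts
        if flagged:
            hits[src] = sorted(flagged)
    return hits


def detect_san_mismatch(records):
    """Return request ids of issued certificates whose SAN UPN names an
    account other than the requester. Such a mismatch is the review trigger
    for a low-privilege account obtaining a certificate that lets it
    authenticate as a higher-privilege identity."""
    hits = []
    for r in records:
        if not r["san_upn"]:
            continue  # machine/device certificates without a UPN are skipped
        requester_sam = r["requester"].split("\\")[-1].lower()
        san_account = r["san_upn"].split("@")[0].lower()
        if requester_sam != san_account:
            hits.append(r["request_id"])
    return hits


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(LOGON_FAILURES))
    print("SAN/requester mismatches:", detect_san_mismatch(CERT_ISSUED))
```

The spray rule keys on breadth (many accounts, few attempts each) rather than volume, which is why the repeated failures from 10.0.0.77 are not reported; tune `window` and `min_accounts` to your environment's normal helpdesk and service-account noise. The SAN check is a review trigger, not proof of compromise: some legitimate enrollment agents do request certificates on behalf of other users, so exclude those accounts explicitly rather than loosening the rule.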

While these steps can enhance security, Matt pointed out that mitigations aren’t always simple. Disabling certain ADCS functions or removing enrollment endpoints may disrupt legitimate processes, especially in networks with legacy systems that rely on older protocols. “It’s a balancing act,” he noted. “But understanding these configurations and planning around them is essential for reducing the risk.”

The Value of Collaboration in Cybersecurity

The highlight of SAINTCON 2024 for our team wasn’t just the technical content but the opportunity to connect with others in the field. Smaller conferences like SAINTCON allow for more in-depth conversations and personal connections than the whirlwind of large industry events. “We had in-depth discussions with offensive security experts, students, and even IT generalists who were just getting into cybersecurity,” Matt shared. “It’s a great place to gain new perspectives on our work and see how others are tackling similar challenges.”

Through our booth and talks, LMG Security was able to build meaningful connections, discuss our work with other cybersecurity professionals, and exchange ideas on best practices. We came away with new insights and fresh ideas for our own methodologies, which will no doubt shape our approach moving forward.

Looking Forward: Future Plans

SAINTCON 2024 underscored a growing trend in cybersecurity: attackers are increasingly focused on exploiting identity and access misconfigurations (watch our 3-minute video on Cloud Configuration Attack Trends for more insights). At LMG Security, we see this every day in our work with clients across various industries. As ransomware groups continue to adapt and evolve, our mission remains to stay one step ahead, helping organizations protect their networks from these types of sophisticated attacks.

Whether you’re a CISO, risk manager, or IT professional, the lessons from SAINTCON 2024 are clear—vigilance, collaboration, and a proactive approach to misconfigurations are essential for a strong security posture. We’re already looking forward to what next year’s conference will bring.

Please contact us if you need help with penetration testing, advisory or compliance services, or training. Our expert team is ready to help!

About the Author

Sherri Davidoff

Sherri Davidoff is the CEO of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.
