Romern
RedTeam PentestingOur tool for KeyCredentialLinks and Shadow Credential attacks keycred now works with updated domain controllers again!
It turns out, Microsoft violated their own specs.
Try it out: https://github.com/RedTeamPentesting/keycred/
#infosec #security
Originally, Microsoft did not enforce their own specs for validated writes at all and only checked if a KeyCredentialLink is already present. Now they require a CustomKeyInformation field with the "MFA Not Required" flag to be present and the last logon timestamp to be absent.
This is kind of funny because CustomKeyInformation is actually forbidden for validated writes according to Microsoft's specs 🤡
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f70afbcc-780e-4d91-850c-cfadce5bb15c
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f70afbcc-780e-4d91-850c-cfadce5bb15c
CravateRouge@RedTeamPentesting Wow good job! How did you identify the change?
@CravateRouge A combination of reverse engineering (see https://gist.github.com/Romern/69a60b9a58d8f456a82ddf7afac418d3 ) and debugging with x64dbg.
@RedTeamPentesting So that's what the local_b==1 was doing!
I checked the decompiled and saw no assignment for local_b and didn't dig further, Claude is much better than me at analysing this
I checked the decompiled and saw no assignment for local_b and didn't dig further, Claude is much better than me at analysing this