CertifiedDCOM: The Privilege Escalation Journey to Domain Admin with DCOM
Learn how DCOM vulnerabilities in Active Directory Certificate Services can be exploited for domain admin privileges, and discover key mitigations to secure your environment.

Key takeaways
  • DCOM (Distributed COM) allows remote activation of COM objects and can be exploited for privilege escalation to Domain Admin
  • The CoGetInstanceFromIStorage API is vulnerable to DCOM activation abuse, allowing attackers to trigger high-privileged COM servers
  • Active Directory’s default configuration allows all domain users and computers to send certificate signing requests and validate certificates
  • ADCS (Active Directory Certificate Services) has special COM security configurations that make it vulnerable to attacks:
    • Authenticated users have remote activation privileges by default
    • ADCS machine accounts are used for network authentication
    • No authentication exists in the HTTP layer
  • Two main attack paths were demonstrated:
    • NTLM relay to ADCS HTTP endpoints
    • Kerberos reflection/relay attacks using ADCS machine accounts
  • Key mitigations include:
    • Updating ADCS and installing security patches
    • Enabling EPA (Extended Protection for Authentication)
    • Implementing LDAP signing and channel binding
    • Enabling DCOM authentication hardening
    • Updating COM security configurations
  • RPC supports multiple transport protocols (TCP, UDP, SMB, HTTP), which can be leveraged for attacks
  • DCOM communication uses RPC over TCP/IP between machines, with authentication occurring at the RPC layer
  • The vulnerability allows attackers to:
    • Relay authentication to other services
    • Execute commands via WMI on domain controllers
    • Obtain domain admin privileges
    • Perform resource-based delegation attacks
  • Windows default COM security is strict but can be bypassed through misconfigured services and custom configurations
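The following read-only audit script is an added example, not material from the talk: it checks whether the mitigations listed above (DCOM authentication hardening, LDAP signing and channel binding, EPA on the ADCS web enrollment endpoint) are in place. The registry value names come from Microsoft's published hardening guidance; the IIS path `Default Web Site\CertSrv` is an assumption about where web enrollment is installed.

```powershell
# Added audit script (not from the talk). Run elevated on the ADCS server for
# the DCOM and EPA checks, and on a domain controller for the LDAP checks.
# Assumption: the CertSrv web enrollment app lives under "Default Web Site".

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent -> the OS default applies
}

$findings = @()

# 1. DCOM authentication hardening (KB5004442): 1 = enforced.
$dcom = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' `
                     'RequireIntegrityActivationAuthenticationLevel'
$findings += [pscustomobject]@{ Check = 'DCOM hardening'; Value = $dcom; Ok = ($dcom -eq 1) }

# 2. LDAP signing (2 = require) and channel binding (2 = always), DC-side.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$sign = Get-RegDword $ntds 'LDAPServerIntegrity'
$cbt  = Get-RegDword $ntds 'LdapEnforceChannelBinding'
$findings += [pscustomobject]@{ Check = 'LDAP signing';         Value = $sign; Ok = ($sign -eq 2) }
$findings += [pscustomobject]@{ Check = 'LDAP channel binding'; Value = $cbt;  Ok = ($cbt -eq 2) }

# 3. EPA on the ADCS web enrollment endpoint: tokenChecking must be "Require".
Import-Module WebAdministration -ErrorAction SilentlyContinue
$epa = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertSrv' `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -Name 'tokenChecking' -ErrorAction SilentlyContinue
if ($epa -and $epa.PSObject.Properties['Value']) { $epa = $epa.Value }  # unwrap attribute object
$findings += [pscustomobject]@{ Check = 'EPA on /CertSrv'; Value = $epa; Ok = ($epa -eq 'Require') }

# Any row with Ok = False is a setting the talk lists as a mitigation that is not applied.
$findings | Format-Table -AutoSize
```

EPA only helps once the endpoint is served over HTTPS, so a `Require` result should be paired with a check that plain HTTP access to `/CertSrv` is disabled.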