Dirk-jan Mollema recently presented an attack that can be used to obtain a certificate for highly privileged accounts via Intune. Such a certificate can then be used to compromise the entire Active Directory environment.
The attack is similar in its basic features to what I have already described in the article "From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It" and in the article "Attack vector on Active Directory directory service via smartcard logon mechanism" (generally also known as ESC1).
What is new is the use of a Mobile Device Management (MDM) system, in this case Microsoft Intune, as the enrollment path for such a certificate.
What is not new is that the TameMyCerts Policy Module for Active Directory Certificate Services can drastically reduce this attack surface.
Continue reading "Attack on Active Directory via Microsoft Intune – and how it can be contained with TameMyCerts"