Fabian Mosch

Fabian Mosch is Head of Offensive Services at r-tec IT Security GmbH. At work he likes to break into company networks and escalate privileges to make those environments a safer place afterwards. Evading AV/EDR systems has always been of special interest to him. In recent years he has spent his spare time creating and sharing tools, techniques and knowledge with the community under the handle S3cur3Th1sSh1t. He is the founder of MSec Operations UG, a company that sells OST tools to pentesters and red teams.


Session

06-26
11:00
60min
Revisiting Cross Session Activation attacks
Fabian Mosch

COM Cross-Session Activation attacks have a years-long history, starting with local Privilege Escalation vulnerabilities. After these vulnerabilities were patched, NTLM and Kerberos relaying attacks were published, which can, under some preconditions, still be abused for Privilege Escalation and Lateral Movement to this day.

Starting in 2024, the attack surface of remote Cross-Session Activation received more attention with the publication of techniques and tools such as certifiedDCOM, ADCSPotato and Silverpotato. They all allow(ed) Privilege Escalation in Active Directory environments.

This talk will first highlight which of the previously published techniques are still exploitable today, including their prerequisites. The next section explains our approach to finding new attack vectors. Finally, new research on abusing remote Cross-Session Activation for Lateral Movement and Credential theft is presented.

Attack & Research
Track 2 (AD & Entra ID Sec)