CertifiedDCOM: The Privilege Escalation Journey to Domain Admin with DCOM

Over the past few years, DCOM has received a lot of attention in Windows security research. The "Potato" exploits (RottenPotato, JuicyPotato, RoguePotato, RemotePotato, and LocalPotato) and the Kerberos relay attack are both impressive pieces of research in this area.

However, all of this research has focused mainly on the local attack surface of DCOM and aimed at local privilege escalation. Given that DCOM was originally designed as a remote protocol and is widely used in Windows enterprise networks, what about its remote attack surface? Can it be abused for more powerful attacks?

In this talk, I will uncover a remote attack surface of DCOM and disclose a critical vulnerability related to it. Attackers can trigger and exploit this vulnerability remotely with only Domain User privileges, escalate to Domain Admin, and then achieve RCE on Domain Controllers. In short, attackers can take over your entire Active Directory with it. Because AD CS (Active Directory Certificate Services) also plays an important role in this exploit chain, I named this vulnerability "CertifiedDCOM".

I'll walk you through my entire journey of discovering CertifiedDCOM, covering some DCOM internals, how I converted the previously known local attack surface into a new remote attack surface, how I found a vulnerable DCOM service, and the way to exploit it to become Domain Admin.

By:
Tianze Ding | Senior Security Researcher, Tencent

Full Abstract & Presentation Materials:
https://www.blackhat.com/asia-24/brie...
