Fix for asktgt: /opsec flag is not respected when using PKINIT with /certificate #162

Open
MexHigh wants to merge 3 commits into GhostPack:master from MexHigh:dev-opsec-fix

MexHigh commented Jun 5, 2023

This MR implements the /opsec flag in all overloaded functions used for asktgt with PKINIT. Previously, the /opsec flag only had an effect when using password authentication.

This has the effect that the Defender for Identity alert "Suspicious certificate usage over Kerberos protocol (PKINIT)" will not be triggered (ref: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/microsoft-defender-for-identity-now-detects-suspicious/ba-p/3743335).

Closes #161

MexHigh added 3 commits June 2, 2023 13:06
- Applied opsec params to necessary overloads
- Removed unused opsec flag from InnerTGT function
- Added some justification comments to overloaded functions

TH3xACE commented Dec 6, 2024

I think that MDI solution has evolved... even with this modification which is great btw... it is now being flagged. The only way that I think that could help bypass it... is by also making some amendment on the section for the PA_DATA.

Successfully merging this pull request may close these issues.

asktgt: /opsec flag is not respected when using PKINIT with /certificate
