[MS-ADTS] 6.1.6.7.9 trustAttributes

  • Question

  • There was a July 2019 security update which modified the trustAttributes flag of forest trusts.

    It was a follow-up of this attack: http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/

    The MS documentation about that is located here:

    https://techcommunity.microsoft.com/t5/Premier-Field-Engineering/Changes-to-Ticket-Granting-Ticket-TGT-Delegation-Across-Trusts/ba-p/440283/tab/rich
    https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server

    I built a lab and thought the change referred to the value CROSS_ORGANIZATION_NO_TGT_DELEGATION.

    According to the feedback I received here: https://github.com/vletoux/pingcastle/issues/9, it seems that there is indeed a new flag which is undocumented for trustattributes.

    So question:

    is there a new flag 0x800 whose value is CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION and which is not documented?

    Thanks in advance for your feedback.

    best regards,

    Vincent

    Thursday, August 1, 2019 6:31 AM

All replies

  • Hello Vincent,

    Thank you for this question. One of our engineers will investigate this and follow-up soon.

    Regards,

    Edgar

    Thursday, August 1, 2019 3:38 PM
    Moderator
  • Hi Vincent:

    I'll help you with this issue and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi

    Monday, August 5, 2019 5:21 PM
    Owner
  • Hi Vincent:

    Yes there is a new flag added whose value is 0x800 for trustAttributes.

    This flag will be added in a future release of MS-ADTS. Please let us know if you have any specific questions about this flag.

    Please let me know if this does not answer your question.


    Regards, Obaid Farooqi

    Friday, August 9, 2019 5:17 PM
    Owner
  • I've been chatting with Vincent about this on Twitter per his original post on Tech Community. He is unable to use the reply button here from his iPad, but he wanted to say, "I Need it". 

    http://twitter.com/tristanwatkins http://tristanwatkins.com

    Friday, August 23, 2019 8:41 AM
  • Hi Tristan:

    Can you please elaborate a little more on "I Need it"?


    Regards, Obaid Farooqi

    Friday, August 23, 2019 7:43 PM
    Owner
  • First, let me report that the "reply" button does not work on iOS (iPhone & iPad) which is very annoying.

    Then, yes, I have a specific question about this flag because your answer didn't answer my initial question.

    I need a documented answer about the new flag's behavior, specifically when dealing with SID filtering and TGT delegation, and about what the change invalidates (such as the other flag dealing with TGT delegation).

    Indeed, I've implemented a tool which does check these security statuses, and none of these new behaviors have been documented.

    best regards,

    Vincent LE TOUX

    Sunday, August 25, 2019 3:59 PM
  • Hi Vincent:

    The new flag CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION is opposite in functionality to the existing CROSS_ORGANIZATION_NO_TGT_DELEGATION.

    Both of these flags exist currently. By default this flag is clear, meaning that unconstrained delegation is disabled across forests. CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION supersedes CROSS_ORGANIZATION_NO_TGT_DELEGATION, except when both of them are set. In that case, unconstrained delegation across the forest remains disabled.

    In a future release of MS-ADTS and MS-KILE this flag and its functionality will be documented.

    Please let me know if this does not answer your question.

    For iPad reply button issue, please use the "Feedback" button on this page to report it.



    Thursday, August 29, 2019 8:00 PM
    Owner
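The precedence rule given in the last reply, turned into a check an auditing tool could run over trust objects. This is an added example, not code from the thread or from PingCastle; the 0x200 and 0x8 constants are the documented MS-ADTS values, 0x800 is the value confirmed above, and the trust records are constructed sample data.

```python
"""Derive the effective cross-forest TGT delegation state from trustAttributes.

Rule from the thread: CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION (0x800)
supersedes CROSS_ORGANIZATION_NO_TGT_DELEGATION (0x200), except when both
are set; with neither set, unconstrained delegation across forests is disabled.
"""
from dataclasses import dataclass

# Documented in MS-ADTS 6.1.6.7.9.
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x200
# Not yet in MS-ADTS at the time of the thread; value 0x800 confirmed above.
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800


@dataclass
class TgtDelegationStatus:
    enabled: bool
    reason: str


def tgt_delegation_status(trust_attributes: int) -> TgtDelegationStatus:
    """Apply the precedence rule to one trustAttributes value."""
    no_set = bool(trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION)
    enable_set = bool(trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION)
    if enable_set and no_set:
        return TgtDelegationStatus(False, "ENABLE (0x800) and NO (0x200) both set; delegation stays disabled")
    if enable_set:
        return TgtDelegationStatus(True, "ENABLE (0x800) set; unconstrained delegation re-enabled across the trust")
    if no_set:
        return TgtDelegationStatus(False, "NO (0x200) set")
    return TgtDelegationStatus(False, "neither flag set; disabled by default")


# Constructed sample trust records (shape of an LDAP trustedDomain read), not real data.
SAMPLE_TRUSTS = [
    {"name": "partner-a.example", "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE},
    {"name": "partner-b.example", "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE | 0x800},
    {"name": "partner-c.example", "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE | 0x200 | 0x800},
    {"name": "partner-d.example", "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE | 0x200},
]


def trusts_with_tgt_delegation(trusts) -> list:
    """Names of trusts where unconstrained TGT delegation is effectively enabled."""
    return [t["name"] for t in trusts if tgt_delegation_status(t["trustAttributes"]).enabled]


if __name__ == "__main__":
    for t in SAMPLE_TRUSTS:
        s = tgt_delegation_status(t["trustAttributes"])
        print(f'{t["name"]}: 0x{t["trustAttributes"]:x} -> enabled={s.enabled} ({s.reason})')
```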