
Finding and Fixing AD CS Issues with Locksmith

This Anti-Cast was originally published on December 11, 2024.

In this video, Jake Hildreth discusses finding and fixing ADCS issues using the tool Locksmith. Jake provides a high-level overview of Public Key Infrastructure (PKI) and Active Directory Certificate Services (ADCS), sharing common misconfigurations and demonstrating live attacks using Locksmith. Throughout the presentation, Jake emphasizes the importance of securing ADCS environments and offers practical remediation tips to improve security.

  • The webinar discusses common misconfigurations in Active Directory Certificate Services (ADCS) and how they can be exploited.
  • Locksmith is a tool developed to help identify and remediate vulnerabilities in ADCS without the need for complex configurations or third-party modules.
  • The importance of regularly auditing ADCS configurations and applying the principle of least privilege to minimize security risks is emphasized.

Transcript

Jake Hildreth

All right. Hello everyone, I’m Jake. Welcome to Finding and Fixing ADCS Issues with Locksmith with me.

I’m Jake Hildreth. I am a senior security consultant with Trimarc. I am also, as I said in the pre-show banter, like I am not just a guy that does cyber security.

I’m primarily a husband and a dad and I don’t know, I like to call myself a recovering sysadmin because I’ve been working in technology for about 25 years now at this point and most of it was sysadmin type stuff.

I will tell you that my recovery is coming along nicely. I no longer want to put an Exchange server in my house. I do lead the ADSA for Trimarc, which is our Active Directory Security Assessment, and then open source enthusiast.

I like writing stuff in PowerShell and if you ever see me online you will see that I have the PowerShell logo as my, my logo.

Right. And I do host a webcast which is currently on hiatus for the winter.

We’ll be starting back up in January, the Trimarc Twitch Happy Hour which we do every Friday from 2 to 3pm, so that’s me.

This is what we’re going to talk about today. First up we are going to do a super high level view of what a PKI is.

Because you could spend weeks and we don’t have that kind of time, I don’t have that kind of brain power, you don’t want to hear it, etc. And then we’ll touch on how ADC, what is ADCS and how it is used or why what it is basically.

Then I will actually share the three most common misconfigurations that I see in assessments as part of working with Trimarc. And then maybe a little bit of discussion about why those are so prevalent.

And then we’ll talk about Locksmith, the tool that I wrote, and presented it. Actually Wild West Hackin’ Fest in 2022 is when I released it. And then I will actually demo some live attacks using Locksmith and a couple other tools.

And I see the chat up on the screen, from, from Discord. If you have questions, if somebody in the backstage, can, can bring up good questions.

I tend to be kind of bad about that. But yeah, that, that would be awesome. All right. What the heck is a PKI?

It is public key infrastructure is what PKI stands for and public key infrastructures can do a lot of different things.

But today what we are going to primarily be talking about is a method for confirming the identity of other folks that you are talking to or the authenticity of their messages, etc.

PKI is not actually required for encryption. Most people think oh, you have to have that going in order to do encryption.

You don’t think about anytime you visit a website and get a, a security certificate issue, your traffic to and from that website is still encrypted.

You just can’t really be sure who you’re talking to. So that’s what we’re going to be talking about today is authenticity. Right. And then it’s important to talk about the multiple parties involved in a public key infrastructure.

So we have the certificate authority which is kind of a root of trust. And then you have at least two other parties that want to talk to each other and want to be able or be sure that they are talking to the people that they are talking to.

Melon wants to talk to Benny. Benny wants to talk to Melon. I know we normally talk about Alice and Bob when it comes to public key infrastructure. Melon and Betty are my cats.

But yeah, three parties required. I guess you could have like a two party PKI if you wanted to. But if you need an outside party to confirm your identity, I’m sorry for your amnesia.

So what the heck is ADCS? It is Active Directory Certificate Services. Yay.

It is. ADCS is a PKI as designed by Microsoft. For better or worse, it’s a very Microsoft product.

It is tightly integrated with Active Directory. You can use certificates issued by ADCS to confirm the identity of the user, computer, service account, etc.

That you are communicating with. Right. And it is super easy to use in that you could stand up a new certificate authority in 5ish minutes I would say.

And I know this because prepping for this webcast, I had to deploy ADCS about six times. So including once last night when I blew everything up and had to redo everything fresh.

Additionally, it is easy to use because of the usage of templates. Anybody that’s ever had to like submit a certificate request to a third party certification authority.

Sometimes those can be a little finicky to create. Hi pup. My pup turned 15 a couple days ago so the fact that she can still jump on the bed just makes me happy.

But yeah, so super easy to use. So why is ADCS such a threat to the modern identity landscape?

Yes, this is the identical slide as before. It’s PKI by Microsoft. Right. So it’s everywhere.

In assessments with Trimarc, it is far and away like uncommon to not have a forest without a.

With ADCS. Like if ADCS is missing, you’re like huh, huh, that’s weird. Because it’s so tightly integrated with Active Directory, if you can compromise ADCS, you have compromised AD.

Like they, they are so tight that this diagram is not actually correct. It’s actually more like this. Right. And as I mentioned before, super easy.

Next, next, next. Finish a little bit of post configuration, you’re done. That method is, creates an inherently risky configuration called a single tier infrastructure.

We’re not going to get into why that’s risky. But yeah, it’s bad. You want to do two tiers or more. And until last month that out of the box installation was incredibly easy to compromise via abuse of what’s called schema v1 templates.

Thankfully Justin Bollinger from TrustedSec discovered this, reported it to Microsoft. It was patched last month. So patch your, patch your servers please. Please do.

Okay, so that’s really kind of enough that you need to get through the rest of this discussion. So ADCS in the real world, as I mentioned, I do, I run or lead the service, the Active Directory Certificate.

Active Directory Security Assessment. There we go. Service for Trimarc. So I see every single assessment that comes through and assist in review in every single assessment.

So since I started working there about three years ago, hundreds, hundreds of environments, and most of them are bad.

So the things that we are seeing regularly, first off, and it’s a thing that is, could be applied to so many different types of objects.

This is not an ADCS specific issue. Right. It’s poor access control. You mistakenly grant rights to the Everyone group to edit and modify templates.

That’s bad. Any of the rights, WRITE*, right? So we’ve got WriteProperty, WriteOwner, WriteDacl.

All of these allow basically full control over objects in ADCS and specifically templates.

Additionally there are property sets that exist. Thank you Jim Sykora for bringing property sets to my, my knowledge, which are groups of properties that can be configured with one access control entry.

And lastly ownership. If you own something you always have control of it even if you don’t have full control on that object. So I would say every single environment that we’ve ever assessed that had ADCS has had at least one ESC4 issue where a low privileged user in the environment would be able to at least take control of one template.

There are some other configurations that limit exact blast radius around that etc. But yeah, every single one of them. That is correct. Sub 2000.

All right, next up. And this is the granddaddy of them all, the ESC1. This is basically like saying I want to request a certificate for authentication.

Active Directory allows you to authenticate using certificates you don’t have to use a username and password. Right. I want to request a certificate in the name of the domain controller, the domain admin, my dog, etc.

Whoever you want to be sure. And then you authenticate just like, like you would with a password and you have those privileges granted to that user.

Yeah, that certificate is still valid even after a password reset. So you, you notice something weird going on with the with an account, what do you do?

Automatically reset the password. Right. Well now make sure you go and you’re, you’re resetting, sorry, revoking any certificates assigned to that user.

It’s a problem. And this is probably the third one. We’re not actually going to attack this one at all.

It’s a little more esoteric but ESC2 allows you to create your own certificate authority.

Yeah, yeah, you could just, you could just stand up your own certification authority that’s trusted by Active Directory. Thankfully it’s not valid for authentication. You do have to do some more attacks, but you can do things like hi buddy, cat wants to be on screen today.

Standing up a web server that you control and slapping a web server certificate on there so that way the traffic does look valid going to it and secure.

You want, you want to create your own PowerShell scripts and sign those? Sure, go for it. It’s going to be going to look like valid code coming from your Active Directory forest.

That’s why I say that any identified issues with this cat really wants to bother me today. I’m sorry.

Anytime this sort of certificate is being created you need to require approval and we’ll touch on approval in a little bit.

And then there are a bunch of other issues. We are now up to ESC15 with the release of that, that vulnerability that, that Justin Bollinger released a couple months ago.

In the top left here we’ve got ESC 3, 9, 10, 13, 14, 15. Those are all template related issues.

ESC 6 through 8 those are not template related. Those are actually problems with the certification authority itself.

So it could be, the computer object could be controllable by a regular user or it may have the, a couple of these flags that are dangerous enabled.

It may have an enrollment endpoint where typically you could go to a website, enter some information and get a certificate back, that may be open to NTLM relay.

So ESC5 is talking about ADCS objects. There are a ton of other objects that are included in ADCS. We’ve got OIDs and KRAs and AIAs and just a wide branch.

We’re not going to dig into those but those depending on combinations of, of issues there. Yes, a bunch more TLA’s Eric.

You could create even more issues. So as mentioned in the pre-show, you’re shooting yourself in the foot. There are so many different ways but the biggest one that, that blows my mind is that auditing, auditing is not enabled by default in ADCS.

You stand up Active Directory Certificate Services and it is not enabled. So step number one is enabling that.

So why did I create Locksmith? As you can tell, ton of issues there. Right. But first I want to touch on my tooling manifesto.

I created Locksmith because the tools that were available for ADCS stuff were not easy or were slow or were obviously red team focused. I’m not, I’m not an attacker.

I am a defender at heart. Right. So I wanted to create my own thing by easy, I mean no handle jiggling. What I mean by that is you go to somebody’s house and they’re like oh by the way when you flush the toilet you gotta, you gotta jiggle the handle a little bit to make it actually stop.

No, we don’t want that. Right. I don’t want third party modules. I only want to use the built in capabilities of Windows and I want it to be fast.

Like I want to get the information that I need immediately or as close to it as possible. And lastly I don’t want any of my tools to be have an easy button for exploitation.

Right. A lot of the tools that were out before are obviously designed as I said for, for red teaming and offensive security. And I, you can use Locksmith for offensive security.

I know plenty of pen testers that use it and love it. but that’s, I do not provide the easy button for exploitation.

So in that, in that realm Locksmith, it’s pure PowerShell and it uses the AD module. If you have the module version of Locksmith, it does require also the Server Manager module.

But any of these are available on AD admin workstations and that’s who this is written for. It’s fast and you’ll see that in a little bit.

And it’s going to highlight everything that it finds and provide code for almost everything that it can find. There are a couple things that just either are the tree branching logic that goes through there, it’s just too complex or it’s just easier to go through the GUI and we’ll see that in a little bit.

But again, code for everything almost. So you can find issues and then copy and paste some code and run it and boom, your issue is fixed.

There’s even an auto remediation mode built in. So that way if you don’t want to run it, it’ll show you what the code is and ask you if you want to run it as well as highlighting if there are going to be any operational impact going on.

So as I mentioned, auditing is not enabled. That was the first thing I wrote. It was super easy to find. But these are the other things that it does.

Object issues with ESC 5 and ESC 13 issues, template issues, full gamut of ESC 1 through 4 plus 13 and 15, and then certificate authority issues 6 and 8.

So there are still some gaps. 9 and 10 are not included. 11 should be. I don’t know why I don’t have that on there. And 14, sorry, 12 is one that has like, it’s a YubiKey issue and I’m not sure how, how I would ever work with that.

So now’s the time that we attempt the demo gods. Let’s go ahead and enable auditing on our CA.

All right, here is my certification authority, which also is my domain controller. Because my lab is very, very small.

And if people that are watching, if the text is too small, please say so in the discord. I will, I will make, make it bigger.

Yeah. Oh man. All right, so here we go.

One command to rule them all. Invoke-Locksmith. Boom. We’re running, gathering, identifying and we got a bunch of issues in this environment.

So let’s go ahead and scroll back through here and see what is wrong with this environment. As I mentioned, auditing is not fully enabled.

We knew this was going to happen. Right. We also have an ESC1 not shocking, a couple ESC4s and an ESC5 and a couple false, false, positives that I’m not sure if I actually want to get rid of.

Plus a reminder that we ran this in mode zero. Locksmith has four different modes. Zero, five different modes I can count off by one errors, will be the death of me until the day after I die in mode zero.

It’s basically a high level view. Right. But we can also run Locksmith in modes in mode one, which gives us a set of questions.

Right. If it comes across issues where there are multiple remediations, Locksmith asks you questions to try and get the proper remediation for your specific environment.

So in this one. Right. Do domain users need to enroll in this template? We’ll say yes.

Does this certificate get frequently used? Unsure. Cool. Oh, we got an ESC4 issue. Do authenticated users administer or maintain this template?

No. Okay, so now we have the same issues as run in Mode 0, but now we have included much more detail about what type of object is an issue.

The full distinguished name fix code as mentioned before. And in situations where it makes sense there’s also reversion code.

So let’s see. Oh no, that’s in a different mode. Sorry, forgot my own tools. All right, so we know we can take care of this auditing issue right now.

Copy it. Okay, there we are. Oh, that’s right. Administrator permissions are needed to use the selected object option.

So let’s go ahead and do this from an elevated prompt and so we get the code again.

We’ll say no this time and no that time. Okay. And you can actually run Locksmith as well with calling out the specific scans that you want to see.

So let’s do that because we want auditing. There we go.

Boom. Auditing not fully enabled. Here’s we paste it, we reset it, that issue is resolved.

Yes. Analog Kid. I am using a newer version. If you check the testing version, I recently pushed updates which include a lot of this stuff.

But there’s still a little bit a few little tiny bugs that I want to work out. And also I kind of really want to get risk scoring done before the end of the year.

So look forward to it soon. Okay. So yeah, now if we were to run Locksmith again and just look at auditing issues.

Right. No ADCS issues are found. Now we know that we have other issues, so, but yeah, resolved that one. Done. Wrong way.

Here we go. Move on to our next one. Are we gonna, are we gonna go there?

We are. All right. Okay. We’re gonna do an ESC1 attack. Imagine the scenario. You are a Goomba. You are a very junior IT mushroom and you recently learned about a tool called Locksmith that can help you secure ADCS.

And you’re just curious about what it looks like. So you run Locksmith not knowing what you’re seeing, not knowing what to expect.

And much like we just saw, right? Boom, boom, boom. Collect stuff, identify stuff. We get a big list and you find an ESC1 issue, do a little research and you realize that this is a, this is a critical issue, right?

If domain users can request, any domain user can request a certificate, in the name of anybody else. That’s a problem.

So you decide to test a little bit. And just, just so we’re, just so we’re all clear, you will do the traditional.

Who am I, Right? We are definitely Goomba. And let’s see. Did I forget to remove my, my file?

It’s fine. Beauty of live demos. All right, now we’re going to try to do a, hacking, right, Trying to view the C drive of our domain controller.

You can’t, you shouldn’t be able to see that. But those beautiful folks over at SpecterOps created a tool called Certify which allows you to very simply make requests to your certification authority to try and retrieve certificates.

And certificate has been issued. Boom. There’s a certificate. We take this information, we’ve got a key and a certificate itself, right?

And we take that and turn it into these files, a key file which is that private key, and a PEM file which is the certificate itself.

Combine those together into a PFX file which is all you need to authenticate and we go ahead and pass that off again to tools created by SpecterOps.

Thank you folks. Thank you, Lee. Thank you, Will, etc. Thank you, Jonas. We are going to ask for a ticket granting ticket in the name of J.

Jhda, which is my enterprise admin account. And then we are going to pass that ticket into the current session.

So there we go. We have a TGT. So what can we do? We can see first off, it is loaded into the current session.

Answer, your question marks to men. Yes, standalone CAs do not, do not suffer from this issue. All right, so let’s do some real hacking, right?

Let’s go ahead. We can see the C drive contents now, because we are able to authenticate as that JHD JHDA account, now viewing files.

We can do better than that. Why don’t we do our old friend Mimikatz, right, and let’s just go for gold, literally.

Golden ticket. Grab that krbtgt hash, you can authenticate and do stuff and just you are now the God of all gods in this forest.

The end. Game over. That’s that lion’s share.

Nice. So this morning I was chatting with a friend about about this situation and he told me he works for, for a big organization that has a lot of visibility into a lot of, a lot of companies and still seeing this specific attack every day, multiple times a day.

And as you can see, if I can do the hack, it is incredibly simple to do. So I am not an attacker. This is outside of my realm.

All right, now we’re going to talk about a little more complex issue called an ESC4 to ESC1 attack in which we log in as Mr.

M. Koopa Troopa. Why? I don’t know. It’s fun. Let’s kick Goomba out.

All right, we are logging in and let’s clear that.

So ESC4, as we mentioned before, is a, it’s a weakly controlled template that can be modified by most by, by low privileged users.

So again, who am I? Boom. Koopa Troopa. Right. So I’m not going to prove to you that, I can’t see the C drive because kind of already makes sense or same thing as before, but this time around we’re going to request a slightly different template.

Oh. Hm. Interesting error constructing. Right, but the reason for that is because it doesn’t allow you to, to submit this alternative name.

This, this template is configured to build a certificate based off of the information that is in Active directory itself and not by what you pass it.

And this is what that looks.

So Demo 3, here we are. Subject name, right? It is currently set to build from this Active Directory information. That ESC1 template that we saw before is set to supply in the request.

So who has rights over that? That ESC4 template that I created?

Not mode ESC4 scans ESC4 and in case you didn’t remember, it is authenticated users.

Koopa Troopa is an authenticated user. We are currently logged into an AD administrator machine that has ADSI Edit on it.

What you can do now is actually go in and find that certificate template Demo 3, right.

And change one attribute, certificate name flag, msPKI-Certificate-Name-Flag. Change that to a one, hit Apply, hit OK, etc.

And now boom.

Not only do we have any, we have Demo 3 as an ESC1 and an ESC4. So yeah, gonna run through the whole process again.

Use that, request a certificate in the name of the enterprise admin and then request a TGT of that user.

Use that TGT to do all sorts of damage. Right. I just realized I skipped over fixing stuff. Let’s do that. Right.

I’m gonna flip back to my my tier zero, system. So that way, yeah, it’s just easier because I’m lazy.

Okay. Apparently. There we are. All right, we’re going to invoke Locksmith in mode one to get those, those F.

Say we’ll say yes. M, we’ll say no. And this one, yes, it does need to request that.

No, that is not frequently requested. Okay. And ESC4 issue. No, it’s not a admin. Right.

Okay, so now we have some code in most issues or most of it here.

All right. For the ESC1, since these user, this authenticated users, or I’m sorry, domain users should not be able to enroll in the certificate, we’re just going to go ahead and remove their access.

Boom. Domain users, we don’t actually want them enrolling. I don’t know why I still do apply and okay, I know I don’t have to.

And then let’s do some code here because this one we can just go ahead and Enable Manager approval on this one.

Right? We took it, we paste the code, we do it and object name has bad syntax. Oh, because it’s split in the middle.

Let’s, let’s get that unsplit. Okay. Public Key Services.

Boom. All right, so we just changed that enrollment flag to 2. So that now requires manager approval. I said I would talk about that. Some of these issues can simply be remediated by just requiring a human to look at the request before it gets approved.

Analog Kid. No, it does not currently look for and call out potentially malicious certificates that have been created. It would be nice to have that, checking the history of what’s been issued using those templates.

TBD down the road. Okay, so now let’s look at those ESC1s. Are they all gone at this point? We’ll look at Mode 0 because we just want the.

Just the facts, ma’am. And we’re going to look at ESC1. No ADCS issues found. So what we have done there, in Demo 1, we, we removed the ability for either domain users or authenticated users to actually enroll in that template.

Cool. For the other one, we made it so a manager needs to approve every single request using that template.

In situations where, it’s a template that gets, certificates created from it frequently, that’s a bad, that’s a bad time. You’re going to break stuff. In those situations, it’s much better to tightly scope who can actually request that certificate.

So whether that be a service account, a single service account, or a small number of service accounts, that’s the way to approach that, Jim.

Yeah. Oh, geez. Okay, so we found it. We fixed that one. Right, Right.

All right, this one pretty esoteric. So just, just to review, let’s see, who do we want to log in as today?

Let’s do we skip too far ahead. We’ll say you are Bowser and you want to gain access to Mushroom, Kingdom.

and how do you do that? You do it by sending a phishing message to Mario and getting access to Mario’s, environment.

And then so let’s log in as Mario. Mario is a PKI admin and he’s logging in with a separate PKI account.

PKI admin account. I bet this machine is going to slow to a crawl as I have three people logged into it.

But we’ll, we’ll deal with that when it comes. Come on, Mario. Mario is angry right now. All right, so Bowser has taken over Mario’s, Mario’s account.

Right. And logs into as Mario and does what any, any good, dragon turtle thing would do and invokes locksmith.

And we’re just going to do again, no, no, no parameters. Just to do a high level view of what’s going on. Okay, so we have no more ESC1 issues, right? Oh, we still didn’t resolve that authenticated users issue. Let’s do that real quick because, that’s bad.

Couple different ways to do it, but this is the easiest. Right. Domain users should not have, I’m sorry, authenticated users should not have the ability to write to this.

So we just remove that, look at it again, and here we are, we are down to just one ESC4 and it’s an ownership issue.

We talked about ownership before. Ownership is interesting in that can appear that you have no rights over something, but in reality because you are the owner, you can grant yourself whatever rights you need.

Mario is a member of the PKI Admins Group, which also has owner rights over another castle. That’s right. It’s a certificate authority that is actually issuing certificates, so.

Oh yeah, Virus protection is turned off. Thanks. Thanks, Microsoft. All right, so by default again, Mario doesn’t have, the rights to view the C drive because he’s in a PKI admin.

You don’t, you don’t need to get on domain controllers. But. Excuse me, as we did before.

Invoke-Locksmith. Wait, we just looked at this. I’m sorry, we’re running it again. Screw it. But it runs fast. See, it runs fast. You can do this fast and just kind of keep going and we see that.

Huh? Huh? My. My user account has ownership over both a CA and a template. What can I do with that? Well, let’s try first.

Let’s just request that template, see what happens. Denied by policy, not supported.

Now, if you noticed, this is the list of published certificates on this certificate authority. Demo 5, which is the one that we are doing right now, is not actually, available.

It is not published or enabled. So Mario has the rights to edit the certification authority object.

Right, the issuing CA object. And this is how.

This is so silly. This is how it’s determined what can actually be viewed or, sorry, what is enabled and what is available for enrollment is a simple multi value attribute on the CA host.

The CA object itself. But as you noticed, I can’t actually modify this right now. But because I have ownership over this object.

Right? Right. I’m a member of PKI Admins. I’m sorry, I’m not Mario. Mario has ownership over PKI Admins. Let’s go ahead and just, let’s just grant full control over this object.

Right. And now we can modify what templates are available.

All right. And to confirm that it is now available for enrollment. Boom. We have Demo 5 available for enrollment.

Okay, cool. Let’s rock it. Let’s get this. All right, we’ll request again.

Hmm. What happened here? This. It doesn’t actually allow a subject alternative name.

Does not allow you to request, an additional name. Interesting. But again, because we have rights, we are a PKI admin. We have rights over this template and can go ahead and modify it in the same way that we modified the one before and.

Oh, forgot. Need to grant ourselves full control. Mario, PKI full control and find that, that dangerous attribute, msPKI-Certificate-Name-Flag.

Change it to a one, hit OK. I remembered not to hit Apply that time. Request it one more time.

We have a certificate that’s all you need. Game over. Forest owned by Bowser, your princess will not be found in another castle, etc.

I am, so we found and we fixed it. I know a lot of that seems really complex and I get it.

ADCS is complex. It’s a, it’s a minefield. It’s. There are so many different places where you change one number and suddenly you’ve opened up your entire environment.

But if you really just take some time to do basic, what do you call it?

Least privilege. It’s hard. It’s hard, right? But if you scope everything as narrowly as possible, you make sure that templates that are not being used are unavailable for, for enrollment or deleted completely.

You in those, those ones where you need to make these more dangerous templates, if you enable manager approval on those, you’re going to eliminate a lot of issues.

And I will say, since this has been released, I’ve had a couple pen testers come to me and be like, I hate you now because now I can’t just blow up ADCS left and right.

And so I appreciate that. Another thing would be protecting your PKI admins and your PKI itself. So that’s your certificate authorities.

Like I said, admins, they are tier zero. I, I know they may not be able to handle AD administration, but they can get there, protect them like tier zero.

So that’s a, put everything in a top level organizational unit that doesn’t inherit security or doesn’t inherit security from up above, separation of duties, the whole thing.

Right. Adding things to the Protected Users group. Oh, if only somebody created a tool that helps you do that. I have one on my GitHub. And lastly, Invoke-Locksmith.

Like, just run it regularly. You never know what, what might happen. Right. So I hope that all dispels a little bit of the fear from, from certificates.

When I stood up my first PKI almost four years ago, I didn’t think I’d be where I am now about things. Like, just three years ago when I was working at Trimarc, we’re like, oh, we need to talk about ADCS.

And I was like, I recently stood up PKI and now I’ve stood up so many of them and dug into so many things like it’s, it’s, it’s shocking.

I see you, Kathy. I’m gonna say thanks.

Kathy Chambers

No, no rush, no rush. I just didn’t want to be Late. Finish your screen. You’re fine. You’re fine.

Jake Hildreth

All right, good deal. I. I do want to shout out some thanks. The Locksmith team, Spencer Alesi, Sam Erde, Herman Cadain, HK on here.

Herman’s awesome. Nathan Kelly, Corey Buzzard, they all help with, really kind of guiding where this goes. Got a wide range of experience, and so they kind of do things that make it better.

And tons of contributors have helped out. I’ve seen a couple on here already. Yeah, it’s great having people reach out and offer their. Their.

Their opinions and stuff. So thank you so much. thanks to, obviously, the folks at Spectre Ops, Will and Lee with rele pre owned back in the summer of 2021.

Like, just kind of collecting all the information that was out there and put it, tying it up with a bow and then being like, have fun, Blue Team Compass.

Sylvain over at Compass really explained the. I think it was the ESC 11 really well. Jonas at Spectre Ops explained ES 13 really well. Justin at Trusted SEC with the ESE 15.

Like, Locksmith wouldn’t be where it is without it. And then obviously, the John Strand Cinematic Universe, as I love to call it, the whole thing. I was telling Kathy before we started, four years ago this month, I found out about BHIS just through a security audit we were doing at my old job, and, like, I thought those folks seemed cool, and now I get to be here.

So, yeah, thanks so much to John Strand and the people working under him. And lastly, obviously, Trimarc. I would not be where I am without Trimarc either. Sean and all of the co-workers that I have are, like, super awesome. So supportive, letting me have time to, like, do this kind of stuff. So, yeah, love very much, and here’s everything you need if you want to get in contact with me.

I am horse on the Antisyphon Training Discord, but you can also grab me there. I promise the QR code and both URLs all go to the same thing, and I’m not tracking you on the QR code.

So, yeah, come hang out, ask questions. I love just chatting with people about the specifics of this.

So, yeah, thanks all y’all. Thanks for coming out. This has been a lot of fun.

Kathy Chambers

This was fine. Jake, you did an awesome job for everyone. I was telling Jake that it was very brave for him to do live demos.

So I loved it. It worked out well, don’t you think?

Jake Hildreth

I thought so. I was happy with it.

Kathy Chambers

Yeah, that was great.

Jake Hildreth

I mean, there were a couple things where I was like, why wasn’t I reading my notes? My notes told me exactly what I’m supposed to say.

Kathy Chambers

Jake, I am going to tell you that last slide where you were thanking everybody. I was going to ask you if you’re winning an Oscar or an Emmy. I’d like to thank the Academy. I would like to thank my mom.

I’d like to thank God. I would like to thank.

Jake Hildreth

Well, that’s. You also said, like, we said, what’s your favorite part about cybersecurity. And it is the community. Like, I wouldn’t be where I am without all the help of everybody else and, like, bouncing ideas off of people and just.

Yeah.

Kathy Chambers

So, yeah, and that’s how I got in, was 100% the community, from just joining it. And then, very surprised that everybody just welcomes you with open arms. And there’s some stereotypes that surround people in IT and cyber.

Right. And a lot of it’s like being antisocial, not leaving the house. Like, that’s so not true. When you go to Wild West Hackin’ Fest, it’s like a different story. Right. Everybody gets together and welcomes each other.

And I hate to say it’s like family, but it is like family. I feel like when you’re there, definitely, definitely.

Jake Hildreth

I will say, yeah, I went to Wild West Hackin’ Fest in person for the first time two years ago, and, like, it’s gonna be on my must-go list. I didn’t go this year.

I did present, but I did it virtually just because I was overworked. And that happens. Right. But yeah, like, my wife, after I gave my presentation, she was like, you seem sad. I was like, yeah, I wish I would have been there. She’s like, next year you’re going. Just go. Like, okay.

So, yeah, Well, I hope to see.

Kathy Chambers

You there, and I hope to see people in Denver. That’s coming up soon. So if you guys haven’t registered to go to Denver, please join us. We were kind of joking that there’s more direct and easier flights to get to Denver.

But I will tell you that some of the trainers, and I think this is a really good point, for those who come to Deadwood, you really want to be there. Right? I mean, it takes a bit to get there.

Jake Hildreth

Right?

Kathy Chambers

You fly into Rapid. You have to drive. It’s hard to get into a hotel, but, like, the folks that are there really want to be there. And that makes a huge difference.

Jake Hildreth

It’s great.

Daniel Lowrie

I love how Jerry last year was saying, or this year, I guess it is, how it’s more like a retreat than it is a convention.

Kathy Chambers

Sure.

Daniel Lowrie

Where we all kind of get together and hang out and talk shop. Because how often in your day-to-day life, other than with the people that you work with, do you get to talk about these things and hear what they are doing, and see people that you don’t really get to see in person all the time, or ever at all, in such a cool place like Deadwood?

And it’s a great time of the year, because the weather’s cool and it’s a pretty little town. Everybody has such a great time. And then we have fun after hours.

Jake Hildreth

Right.

Daniel Lowrie

We’re doing the open mic night stuff and the bar crawls, and there is just so much fun stuff to do that if you have not made it to Wild West Hackin’ Fest in Deadwood, you have to try it at least one time in your life, and you’ll go, oh, this is what everyone was talking about.

Totally worth it for sure.

Jake Hildreth

Yeah.

Kathy Chambers

And I hate to get all marketing, but the tickets sold out so fast this past time. Like so fast.

So when it’s posted, like, you don’t have a lot of time to think. Like, as soon as they go on sale, you need to get them. And that’s like a true story. Not trying to be a.

Jake Hildreth

Ticket, but 800 tickets or something like that. I mean it is not very many tickets. So.

Kathy Chambers

Yeah, yeah, it’s a small venue, very intimate venue.

Jake Hildreth

Very intimate. I had heard before, like, I don’t know how they fit all these people in there. And I’m like, that can’t be possible. Right? And then I get there, and I’m like, oh, yeah, okay.

Yep.

Kathy Chambers

Yeah, yep. It’s the atmosphere. James, first of all, I want to thank the community in Discord. You guys have been awesome. There were a couple of questions. You guys have so many memes.

Jake, it’s your fault for picking such a fun theme, because the memes are like crazy town. HK helped you out and answered a couple questions. So thank you, HK, for always being so helpful.

Jake Hildreth

The best man.

Kathy Chambers

I want to make sure I didn’t miss a question that didn’t get answered.

Jake Hildreth

I was trying to look down occasionally, but yeah, I’m sure, it.

Kathy Chambers

There were, like, two Locksmith questions. They are very closely related, and I’m now scrolling through my 100th meme, so not sure.

Jake Hildreth

It’s okay. It’s okay.

Kathy Chambers

If it’s a pressing question, whoever asked it, if you want to drop it again. Oh, here it is. Does Locksmith look for and call out any potentially malicious certificates that have already been created?

Jake Hildreth

I actually did catch that one on screen.

Kathy Chambers

Did you? Okay.

Jake Hildreth

But yeah, it’s one of those things that would be nice. So, yeah, but it’s not there yet. Risk ratings are the next thing on the list.

So I finished building, if you noticed, in one of them I was marking the published or unpublished status of templates. That was the last bit that was missing, and I finished that last night.

So, yeah, wanted to get... I love doing demos where I can show features that other people can’t get to yet. So.

Kathy Chambers

That’s awesome. That’s awesome.

Jake Hildreth

Here’s another one, right? Yeah.

Kathy Chambers

How often should orgs run Locksmith to test their environment for ADCS issues? Once a month?

Jake Hildreth

I’ve heard of people doing it monthly. I mean, it’s so lightweight, really. I mean, it’s just doing gets, right? It’s just pulling data in. Daily would not hurt.

Another thing that you can do, in modes 2 and 3, it actually will spit out a CSV file of either just a high-level view or the view with all the additional information.

So you could, like, run it and then email that CSV to yourself and just have it running in the background. A lot of different things. We’re actually in discussion right now about Locksmith 2 and what we want to do with that, which will be GUI-based, run as a scheduled task, provide pretty reports.

Because even though, like, this is simple, right, you run one command, getting to the command line is still scary for some people. And so why not have a web page that you can look at, or at least a PDF report that says, here are your issues today, sir.

Daniel Lowrie

I love how tools always start off as some, like, simple little thing. We were like, this would be a good idea if I just script this out real quick, and then it grows and you add some features. The next thing, the GitHub repo is blowing up, and everybody’s starting to use it.

And then it’s like, all right, well, I guess I should actually build something, right?

Jake Hildreth

Sam on the Locksmith team is great in that I’ll do something quick and dirty, just get it done, and he’s like, how’s your comment-based help?

Did you name everything properly? Are there comments so that people can look through the code? Are you delivering it properly? Oh, I hate this.

But okay, you’re right, you’re right. Yep.

Kathy Chambers

I think that we should end on a fun question. So this is from Andy. He said, what is the story behind the horse name?

Jake Hildreth

So this is incredibly stupid, and I’ve never told it in public before.

Kathy Chambers

You’ve heard it here first, folks. Breaking news.

Jake Hildreth

Incredibly stupid. So back in 2017, when Trump was elected the first time, somebody... I was listening to a podcast that said something, something, something like, betting on a barfing horse.

And so I went and created a Twitter name that was the barfing horse. And then somebody questioned me about that.

I was like, yeah, that is kind of gross. And so, like, I just put, like, dot, dot, dot, horse, question mark as my header, not the actual name.

And then finally, it’s like, that’s a way better name: horse. And so that was my Twitter name for the longest, until, yeah, my account just died last month. So, yeah, and now horse is even shorter.

So there we are.

Daniel Lowrie

I was about to say, I’ve never seen a puking or barfing horse before. And then someone in Discord chat helped me out. And this is hysterical, as I thought.

Jake Hildreth

It was going to be. Oh, God, yeah. I’m glad I wasn’t looking down at that moment.

Kathy Chambers

Oh, well, Jake, we want to thank you for your time. You’ve been awesome. The presentation was great. We’d like to invite you back next year. So please keep in touch with me, and I can help make that happen.

And then for those of you listening, if you are on Zoom, you can join us in a breakout room. It should be there on the bottom of your screen for AMA, and Daniel Lowrie will answer your questions.

Daniel Lowrie

I’ll do my best.

Kathy Chambers

Yeah. So, Jake, have an awesome day. We’ll see you sometime next year. Happy Holidays. And for everybody else on Zoom who wants to join us in AMA, we’ll catch you backstage.

Jake Hildreth

Bye.