So I became a Domain Controller

Conference:  BlackHat USA 2018

2018-08-09

Summary

The presentation discusses the importance of detecting Mimikatz attacks in Active Directory environments and provides tips on how to do so.

  • Detecting Mimikatz attacks is crucial in Active Directory environments
  • Basic steps towards detection include understanding the methodology and identifying a matching domain
  • An anecdote is provided on how to impersonate a DC and steal its password hash
  • Another anecdote is given on exploiting a domain controller that was not properly renewed after being promoted from a server
  • Tools such as BloodHound can be used to detect Mimikatz attacks

The presenter provides an example of how to impersonate a DC and steal its password hash by waiting for it to reboot and then pushing whatever data is desired using DCShadow. This attack does not require a replicating injector and will not leave any trace on the AD. Another example is given on exploiting a domain controller that was not properly renewed after being promoted from a server.

Abstract

"They told me I could be anything I wanted, so I became a Domain Controller." While SAMBA has implemented the Active Directory replication protocol for years, it was not easy to abuse it, especially on the Windows OS. The lsadump::DCSync feature in mimikatz was a first breakout in this area. Red teamers could extract the secrets needed for Kerberos token abuse and even impersonate domain controllers. In short, read access to the AD database. Let's be granted write access! It's time to invoke the full power of a domain controller with the new lsadump::DCShadow attack implemented in mimikatz and introduced at BlueHat IL 2018 by the mimikatz and PingCastle authors. The immediate benefit of DCShadow is to bypass SIEMs that look at logs collected from all DCs except this specific one. But what if the replication data doesn't follow the specification? Can we do more? Let's be creative and push partial changes or changes forbidden by the specification: can we create some backdoors with Golden Ticket? Reaching unprotected trusts via NTLM? Targeting admins via monitoring reports? Is the object class immutable? Can we play god by creating and killing objects at will? More? That's not the end: by owning replication data and internal attributes, forensic analysts will now have a hard time doing their job. Is DCShadow a game changer like DCSync was at its time?
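The abstract's SIEM-bypass point is that the rogue host's own logs are never collected. What a defender can still rely on is that registering a rogue DC requires writes to the directory that a legitimate DC processes and logs: an nTDSDSA object appears under the server object in the Configuration partition (Directory Service Changes events 5137 on creation, 5141 on deletion) and a "GC/..." service principal name is added to the computer account (event 4742). The following detection sketch is an added example for this page, not code from the talk or from mimikatz; the event dictionaries, the host names, the domain corp.local and the inventory of legitimate DCs are all constructed.

```python
"""Flag DCShadow-style rogue DC registration in directory-change events.

Added illustration, not part of the original page. The event records below are a
simplified, constructed representation of Windows Security events 4742
(computer account changed), 5137 (directory object created) and 5141
(directory object deleted) as a SIEM might normalise them.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed inventory of legitimate domain controllers (hypothetical).
KNOWN_DCS = {"DC01", "DC02"}


@dataclass
class Finding:
    event_id: int
    host: str
    reason: str


def _server_from_ntds_dn(dn: str) -> str | None:
    """Return the server name from an nTDSDSA DN such as
    'CN=NTDS Settings,CN=WS42,CN=Servers,CN=Default-First-Site-Name,...'."""
    rdns = [part.strip() for part in dn.split(",")]
    if len(rdns) < 2 or rdns[0].upper() != "CN=NTDS SETTINGS":
        return None
    if not rdns[1].upper().startswith("CN="):
        return None
    return rdns[1][3:].upper()


def analyze(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that looks like a rogue DC being registered
    or cleaned up. Only hosts outside KNOWN_DCS are reported, so a normal
    promotion or demotion of an inventoried DC stays quiet."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4742:
            host = ev.get("TargetUserName", "").rstrip("$").upper()
            spns = ev.get("ServicePrincipalNames", [])
            if host not in KNOWN_DCS and any(s.upper().startswith("GC/") for s in spns):
                findings.append(Finding(4742, host, "GC/ SPN added to a non-DC computer account"))
        elif eid in (5137, 5141):
            if ev.get("ObjectClass", "").lower() != "ntdsdsa":
                continue
            host = _server_from_ntds_dn(ev.get("ObjectDN", ""))
            if host and host not in KNOWN_DCS:
                action = "created" if eid == 5137 else "deleted"
                findings.append(Finding(eid, host, f"nTDSDSA object {action} for a non-DC server"))
    return findings


# Constructed sample: one legitimate DC change, one rogue registration and its
# cleanup, and an unrelated object creation that must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "DC02$",
     "ServicePrincipalNames": ["GC/dc02.corp.local/corp.local"]},
    {"EventID": 4742, "TargetUserName": "WS42$",
     "ServicePrincipalNames": ["GC/ws42.corp.local/corp.local"]},
    {"EventID": 5137, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS42,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=corp,DC=local"},
    {"EventID": 5141, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS42,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=corp,DC=local"},
    {"EventID": 5137, "ObjectClass": "user",
     "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=local"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.event_id} {f.host}: {f.reason}")
```

The check depends on Directory Service Changes auditing being enabled on every legitimate DC and on an accurate DC inventory; a host that is absent from the inventory but legitimately promoted will show up once and can be reconciled, whereas a short-lived create/delete pair on the same unknown server is the pattern worth escalating.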
