DCShadow attack allows installation of backdoor. Hackers could set up their own fake domain controller in an existing corporate network to distribute malware and leave a backdoor.
Security researchers Benjamin Delpy and Vincent Le Toux demonstrated an attack on Microsoft Active Directory that enabled them to introduce their own domain controller into an existing corporate network. The attack, dubbed DCShadow, was presented last week at the Blue Hat conference in Israel.
DCShadow allows an attacker to create a fake domain controller in an Active Directory environment and use it to distribute malware.
In a tweet, Le Toux said that DCShadow used DrsReplicaAdd (DRSR 4.1.19) to trigger a replication. “It modifies the replTo attribute of a DC and triggers an immediate replication. ReplicaSync doesn't trigger a replication (cc:@gentilkiwi) because replTo is not set,” he said.
Luc Delsalle, a security researcher who specialises in Active Directory, went into more detail in a blog post about the attack. He said that the idea of creating a fake domain controller is not new and has already been mentioned in various publications. However, before this attack, hackers had to use invasive techniques (for example, configure a virtual machine running Windows Server) and log in to a conventional domain controller in order to turn the virtual machine into an attacker's domain controller.
Delsalle said this can be easily spotted. However, the attack explained by Delpy and Le Toux has to “modify the targeted AD infrastructure database to authorise the rogue server to be part of the replication process.”
“The main action made by the “DCShadow” attack is to create a new server and nTDSDSA objects in the Configuration partition of the schema. Doing so provides the ability to generate malicious replication data and inject them to other domain controllers,” he said.
He added that once we understand what the “DCShadow” attack does, we need to understand what kind of privileges are required to create nTDSDSA objects in the Configuration partition.
“One of the key findings of Benjamin Delpy and Vincent Le Toux was to isolate the minimum set of SPNs required for the replication process to go through. The results of their studies show that two SPNs are required to let another DC connect to the rogue server,” said Delsalle.
These are the DRS service class (which has the well-known GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) and the Global Catalog service class (which has the string “GC”).
Hackers could then register a rogue domain controller into the replication process and be authenticated by another DC. The remaining step is now to force the DC to initiate the replication process with malicious data, he added.
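Because the two SPNs above are what let a host take part in replication, a defender can inventory which accounts carry them. The following detection check is an added example, not code from the article or from the researchers; it assumes a hypothetical domain corp.example and computer objects already fetched from LDAP with their dn and servicePrincipalName attributes.

```python
# Service classes DCShadow needs on the rogue host (from the article):
# the DRS replication GUID and the Global Catalog service class.
DRS_SERVICE_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"
GC_SERVICE_CLASS = "GC"

def spn_service_class(spn):
    """Return the service class of an SPN ('class/host[:port][/name]')."""
    return spn.split("/", 1)[0].upper()

def is_domain_controller(dn):
    """Legitimate DCs live in the Domain Controllers OU."""
    return ",OU=DOMAIN CONTROLLERS," in dn.upper()

def find_rogue_dc_candidates(computers):
    """Flag computer accounts carrying DC-only SPNs outside the DC OU.

    `computers` is a list of dicts with 'dn' and 'servicePrincipalName'
    (a list), i.e. the attributes an LDAP query would return.
    """
    findings = []
    for comp in computers:
        classes = {spn_service_class(s) for s in comp.get("servicePrincipalName", [])}
        suspicious = classes & {DRS_SERVICE_CLASS, GC_SERVICE_CLASS}
        if suspicious and not is_domain_controller(comp["dn"]):
            findings.append((comp["dn"], sorted(suspicious)))
    return findings

# Constructed sample data for the hypothetical domain corp.example.
SAMPLE_COMPUTERS = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "servicePrincipalName": [
         "E3514235-4B06-11D1-AB04-00C04FC2DCD2/0f1c2d3e-4a5b-6c7d-8e9f-0a1b2c3d4e5f/corp.example",
         "GC/DC01.corp.example/corp.example",
         "HOST/DC01.corp.example"]},
    {"dn": "CN=WS-FIN-07,OU=Workstations,DC=corp,DC=example",   # a workstation with DC SPNs
     "servicePrincipalName": [
         "E3514235-4B06-11D1-AB04-00C04FC2DCD2/1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d/corp.example",
         "GC/WS-FIN-07.corp.example/corp.example",
         "HOST/WS-FIN-07.corp.example"]},
    {"dn": "CN=WS-HR-02,OU=Workstations,DC=corp,DC=example",
     "servicePrincipalName": ["HOST/WS-HR-02.corp.example"]},
]

if __name__ == "__main__":
    for dn, classes in find_rogue_dc_candidates(SAMPLE_COMPUTERS):
        print(f"possible rogue DC: {dn} carries {', '.join(classes)}")
```

Only the workstation that carries the DRS and GC service classes is reported; the real DC and the plain workstation are not.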
He said that forcing replication with the IDL_DRSReplicaAdd RPC is the last step taken during a “DCShadow” attack.
“It allows injecting arbitrary data into a targeted AD infrastructure. Doing so, it becomes trivial to add any backdoor in the domain (by adding a new member to an administrative group, or by setting SID history on a controlled user account, for example),” said Delsalle.
Delsalle added that DCShadow is not a vulnerability “but an innovative way to inject illegitimate data into an AD infrastructure”.
“No unprivileged attacker will ever be able to use it to escalate their privileges and gain administrative access to your AD using “DCShadow”. Bottom-line is: if your AD is properly configured and secured, you do not need to take any urgent actions.”
Dr. Guy Bunker, SVP Products, Clearswift, told SC Media UK that attacking Active Directory is one of the primary targets for cyber-attacks.
“The media focus is usually on ransomware, but actually when there is a long-lived malware (Advanced Persistent Threat), there will usually have been a compromise on the authentication or authorisation system e.g. Active Directory – which in effect allows the cyber-attackers to more easily hide themselves in the network / infrastructure and give themselves all the access they require – to then go about stealing critical information,” he said.
Bunker said that organisations should ensure that patching for AD servers is up to date. Additionally, companies should ensure there are sufficient alerts on behaviours such as adding and removing users, and raising and lowering of privileges.
“A key point here is also to ensure someone is watching for the alerts. For example, if a user is added at 2am and removed at 3am, or an existing person has their privileges raised at 2am and lowered at 3am. Is this correct – or does it point to the system being compromised?” he added.
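Bunker's "added at 2am, removed at 3am" pattern can be turned into a simple correlation rule over directory-change events. This is an added example, not from the article or any vendor product; the event tuples are constructed and the action names, window and working hours are assumptions.

```python
from datetime import datetime, timedelta

# Constructed directory-change events, shaped like what a SIEM would collect
# from a legitimate DC: (timestamp, action, subject). Hypothetical data.
SAMPLE_EVENTS = [
    ("2018-01-28T02:05:00", "user_created", "svc-backup2"),
    ("2018-01-28T02:07:00", "group_member_added", "svc-backup2->Domain Admins"),
    ("2018-01-28T02:58:00", "group_member_removed", "svc-backup2->Domain Admins"),
    ("2018-01-28T03:01:00", "user_deleted", "svc-backup2"),
    ("2018-01-28T09:30:00", "user_created", "j.smith"),
]

# Actions that undo each other; a quick add-then-remove is the pattern Bunker describes.
UNDO_PAIRS = {"user_created": "user_deleted",
              "group_member_added": "group_member_removed"}

def out_of_hours(ts, start=7, end=19):
    """True when the change happened outside assumed working hours (07:00-19:00)."""
    return not (start <= ts.hour < end)

def find_short_lived_changes(events, window=timedelta(hours=2)):
    """Return (subject, action, done_at, undone_at, after_hours) for every
    change that was reverted on the same subject within `window`."""
    parsed = sorted((datetime.fromisoformat(t), a, s) for t, a, s in events)
    findings = []
    for i, (t1, a1, s1) in enumerate(parsed):
        undo = UNDO_PAIRS.get(a1)
        if undo is None:
            continue
        for t2, a2, s2 in parsed[i + 1:]:
            if a2 == undo and s2 == s1 and t2 - t1 <= window:
                findings.append((s1, a1, t1.isoformat(), t2.isoformat(), out_of_hours(t1)))
                break
    return findings

if __name__ == "__main__":
    for subject, action, t1, t2, late in find_short_lived_changes(SAMPLE_EVENTS):
        print(f"{action} on {subject} at {t1} undone at {t2}{' (out of hours)' if late else ''}")
```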
Matt Walmsley, EMEA Director at Vectra, told SC Media UK that manipulation of AD controllers must be seen as just one part of an attack lifecycle. “Attackers establish a point of presence, perform reconnaissance, move laterally and escalate privileges, all before they move towards data manipulation, theft, or denial. This means that there are many opportunities to detect and respond to active attackers.
“Many organisations have their AD infrastructure send syslog events to a SIEM platform. However, logs are invariably noisy, of limited scope, and time-consuming to review in the hunt for attackers. Using the DCShadow technique, the rogue AD controller the attacker creates will not be sending logs to the SIEM, and will therefore not be picked up. Scenarios like this highlight the scale and performance limitations of data sources and manual analysis when threat hunting ‘in the weeds’,” he said.