Paul Kalinin, senior security consultant at Threat Intelligence Pty Ltd., demonstrates a botnet that turns victims' Active Directory Domain Controllers to C2 servers.

Researchers at Australian infosec company Threat Intelligence Pty Ltd. have developed a potentially devastating new botnet that abuses infected victims' Active Directory Domain Controllers, turning them into internally hosted command and control servers.

Even more frightening, the attack technique can use the AD as a central connection point for any infected node or endpoint on the system, allowing them to facilitate two-way communication with each other even if they are segmented into separate security zones. Such power would potentially give attackers tremendous freedom to laterally infiltrate organisations and exfiltrate data from myriad network sources.

Ty Miller, managing director of Threat Intelligence and Paul Kalinin, a senior security consultant at the same company, demonstrated their Active Directory Botnet attack on Wednesday at Black Hat 2017 in Las Vegas. Miller explained that the goal was to create a botnet that could potentially bypass internal firewalls, defeat network segmentation, and even leverage an infected organisation's cloud domain controllers to exfiltrate data.

Active Directory is the Microsoft directory service for Windows domain networks. It stores information on network components, automates the management of user data, and authenticates and authorises users while enforcing security policies. For this reason, a great many devices and servers within an organisation will connect to AD.

According to the researchers, if an organisation were to be infected by an AD botnet – say, via a phishing campaign – an attacker could then leverage one of over 50 writable and readable AD user attributes to take over the domain controllers as a central communications point. “Which means that we can utilise that connection to bypass all of your network access controls and all of your firewall rules, because [you've] got that gaping hole where everything can communicate in this one central place,” said Miller.

“It's not something that's going to be easily visible on any of your network detection mechanisms,” added Kalinin, noting that security logs are generally not going to raise any red flags either, because there typically are so many updates to AD objects that any malicious activity would likely get lost in the noise.

The Black Hat briefing synopsis explains the technique further: “The Active Directory Botnet Client injects unique data entries into their corresponding AD account attributes within the target Domain Controller, and begins polling to identify other compromised systems within the domain. At this point, any Active Directory Botnet Client within the domain can identify compromised machines and begin issuing commands to be executed on either individual systems or across all infected endpoints. The Active Directory Botnet Clients then execute the commands and begin tunnelling the command output back through their corresponding Active Directory account attribute fields, which are then collected by the Active Directory Botnet Client that issued the original command.”

To mitigate the threat, Miller and Kalinin suggested that network administrators and CISOs split their directory into separate domains based on security roles, so that users in one domain cannot escalate privileges by bypassing network filtering. They also recommended taking note of any odd values in standard user attributes, monitoring frequent changes to personal-information attributes, and restricting the permissions that allow standard users to update their own attributes.
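The two detection recommendations above turned into a check, as an added example that is not part of the article or of the researchers' tooling: it scans attribute-change records for encoded-looking values in self-writable personal attributes and for accounts that rewrite those attributes unusually often. The sample records are constructed (modelled on the fields a defender would pull from Windows Security event 5136, Directory Service Changes), and the attribute list, thresholds and field names are assumptions.

```python
import math
import re
from collections import defaultdict

# Personal-information attributes that standard users can typically write on their
# own account object; the talk describes these fields as the covert channel.
PERSONAL_ATTRS = {"telephoneNumber", "info", "description", "streetAddress", "wWWHomePage"}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")

# Constructed sample records (unix time, account, attribute, new value); real input
# would be parsed from Security event 5136 once Directory Service change auditing is on.
CHANGES = [
    {"ts": 1000, "account": "jsmith", "attr": "telephoneNumber", "value": "+61 2 9000 0001"},
    {"ts": 1900, "account": "jsmith", "attr": "description", "value": "Security Consultant"},
    {"ts": 1010, "account": "svc_backup", "attr": "info", "value": "Q29uc3RydWN0ZWQgc2FtcGxlIDE="},
    {"ts": 1040, "account": "svc_backup", "attr": "info", "value": "Q29uc3RydWN0ZWQgc2FtcGxlIDI="},
    {"ts": 1070, "account": "svc_backup", "attr": "info", "value": "Q29uc3RydWN0ZWQgc2FtcGxlIDM="},
    {"ts": 1100, "account": "svc_backup", "attr": "info", "value": "Q29uc3RydWN0ZWQgc2FtcGxlIDQ="},
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded blobs score well above phone numbers or job titles."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def odd_value(value: str, min_len: int = 20, min_entropy: float = 4.5) -> bool:
    """Flag a value that looks like an encoded payload rather than human-entered data."""
    if len(value) < min_len:
        return False
    return BASE64_RE.match(value) is not None or shannon_entropy(value) >= min_entropy

def high_churn(changes, window: int = 300, threshold: int = 3) -> set:
    """Accounts whose personal attributes changed >= threshold times within `window` seconds."""
    times_by_account = defaultdict(list)
    for c in changes:
        if c["attr"] in PERSONAL_ATTRS:
            times_by_account[c["account"]].append(c["ts"])
    noisy = set()
    for account, times in times_by_account.items():
        times.sort()  # sliding window: each change vs. the one threshold-1 places later
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            noisy.add(account)
    return noisy

def analyse(changes) -> dict:
    odd = [(c["account"], c["attr"], c["value"]) for c in changes
           if c["attr"] in PERSONAL_ATTRS and odd_value(c["value"])]
    return {"odd_values": odd, "high_churn": sorted(high_churn(changes))}
```

On the constructed input, `analyse(CHANGES)` flags the four encoded `info` writes and reports `svc_backup` as the only high-churn account; tune the window and thresholds against a baseline of your own directory's normal attribute activity before alerting on them.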