Active Directory attack could enable malicious domain controller set up
February 3, 2018
Seid Yassin

DCShadow attack allows installation of backdoor. Hackers could set up their own fake domain controller in an existing corporate network to distribute malware and leave a backdoor.

Security researchers Benjamin Delpy and Vincent Le Toux demonstrated an attack on Microsoft Active Directory that enabled them to insert their own domain controller into an existing corporate network. The attack, dubbed DCShadow, was presented last week at the Blue Hat conference in Israel.

DCShadow allows an attacker to create a fake domain controller in an Active Directory environment and use it to distribute malware.

In a tweet, Le Toux said that DCShadow used DrsReplicaAdd (DRSR 4.1.19.2) to trigger a replication. “It modifies the replTo attribute of a DC and triggers an immediate replication. ReplicaSync doesn’t trigger a replication (cc:@gentilkiwi) because replTo is not set,” he said.

Luc Delsalle, a security researcher who specialises in Active Directory, went into more detail in a blog post about the attack. He said that the idea of creating a fake domain controller is not new and has already been mentioned in various publications. However, before this attack, hackers had to use invasive techniques (for example, configure a virtual machine running Windows Server) and log in to a conventional domain controller in order to turn the virtual machine into an attacker’s domain controller.

Delsalle said this can be easily spotted. The attack explained by Delpy and Le Toux, however, only has to “modify the targeted AD infrastructure database to authorise the rogue server to be part of the replication process.”

“The main action made by the “DCShadow” attack is to create a new server and nTDSDSA objects in the Configuration partition of the schema. Doing so provides the ability to generate malicious replication data and inject them to other domain controllers,” he said.

He added that once we understand what the “DCShadow” attack does, we need to understand what kind of privileges are required to create nTDSDSA objects in the Configuration partition.
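Because the attack hinges on a new server and nTDSDSA object appearing under the Configuration partition, a defender can inventory those objects and compare them against the domain controllers the organisation actually operates. The following PowerShell script is an added illustration written for this page; it is not from the article, from Delsalle's blog post, or from the researchers' tooling. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Configuration naming context. The function name Get-NtdsdsaReport and the KnownDcHostNames parameter are this example's own; the default baseline is taken from Get-ADDomainController, which itself reads the directory, so an out-of-band list of legitimate DC host names should be passed in where one exists.

```powershell
# Added example (not part of the original article): list every nTDSDSA object
# under CN=Sites in the Configuration partition and flag server entries that do
# not match a known domain controller or whose computer account lacks the
# flags a real DC account carries.
Import-Module ActiveDirectory

function Get-NtdsdsaReport {
    param(
        # Baseline of legitimate DC FQDNs. The default comes from the directory
        # itself; prefer an inventory maintained outside AD where available.
        [string[]]$KnownDcHostNames = @(Get-ADDomainController -Filter * |
                                        ForEach-Object { $_.HostName.ToLower() })
    )

    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $sitesBase = "CN=Sites,$configNC"

    # Each nTDSDSA object ("CN=NTDS Settings,CN=<server>,...") is a replication partner.
    $ntdsObjects = Get-ADObject -SearchBase $sitesBase -SearchScope Subtree `
        -LDAPFilter '(objectClass=nTDSDSA)' -Properties whenCreated

    foreach ($ntds in $ntdsObjects) {
        # The parent server object carries dNSHostName and serverReference.
        $serverDn = ($ntds.DistinguishedName -split ',', 2)[1]
        $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName, serverReference

        $fqdn      = if ($server.dNSHostName) { $server.dNSHostName.ToLower() } else { '' }
        $isKnownDc = $KnownDcHostNames -contains $fqdn

        # A writable DC's computer account has SERVER_TRUST_ACCOUNT (0x2000);
        # an RODC's has PARTIAL_SECRETS_ACCOUNT (0x04000000). Anything else is odd.
        $hasDcFlag = $false
        if ($server.serverReference) {
            $acct = Get-ADObject -Identity $server.serverReference -Properties userAccountControl
            $uac  = [int64]$acct.userAccountControl
            $hasDcFlag = (($uac -band 0x2000) -ne 0) -or (($uac -band 0x04000000) -ne 0)
        }

        [PSCustomObject]@{
            Server         = $server.Name
            DnsHostName    = $fqdn
            KnownDC        = $isKnownDc
            DcTrustAccount = $hasDcFlag
            NtdsCreated    = $ntds.whenCreated
            Suspicious     = (-not $isKnownDc) -or (-not $hasDcFlag)
        }
    }
}

# Newest nTDSDSA objects first: a freshly created entry that is also flagged
# Suspicious is the one to investigate.
Get-NtdsdsaReport | Sort-Object NtdsCreated -Descending | Format-Table -AutoSize
```

Running this on a schedule gives a point-in-time view; for a change record, enable "Directory Service Changes" auditing so that object creation under CN=Sites is logged as event 5137 on the domain controller that processed the write.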

Source | scmagazineuk