Maybe you should've stuck with NetWare: Hijackers can bypass Active Directory controls

'DCShadow' attack lets attackers add their own controllers, do some wrecking

Updated Two infosec bods have demonstrated an attack on Microsoft's Active Directory software that lets them insert their own domain controller into an existing enterprise setup.

France-based duo Benjamin Delpy – the Mimikatz creator – and Vincent Le Toux presented their technique, dubbed DCShadow, to the Windows Giant's Blue Hat conference in Israel last week.

DCShadow allows an attacker to create a rogue domain controller in an Active Directory environment, and use it to push malicious objects. How? Le Toux tweeted a summary:

Their presentation [PDF] was unpicked in more detail by Luc Delsalle, a security researcher who specialises in Active Directory, here.

Delsalle explained: “The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain.”

That's easily spotted, so Delsalle wrote that the attack described by Delpy and Le Toux has to “modify the targeted AD infrastructure database to authorise the rogue server to be part of the replication process.”

He continued: “The main action made by the 'DCShadow' attack is to create a new server and nTDSDSA objects in the Configuration partition of the schema.” nTDSDSA objects are described by Microsoft as the replication agent responsible for processing the Directory Replication Service protocol.

That change happens in a privileged environment, though, so the attack needs a way around controls on creating servers and initiating replications. Delsalle explained that Delpy and Le Toux were able to “isolate the minimum set of SPNs required for the replication process to go through. The results of their studies show that two SPNs are required to let another DC to connect to the rogue server” – these being the DRS service class (which has the well-known GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2), and the Global Catalog service class (which has the string 'GC')."

From there, the attackers registered a domain controller into the replication environment, and had it authenticated by another domain controller.

The final step is to force a last replication step, with the IDL_DRSReplicaAdd RPC, allowing the attacker to add backdoors into the domain “by adding new member on an administrative group, or by setting SID history on a controlled user account for example).”

Crucially, how bad is this? Delsalle noted:

What is most important to take away from this analysis is that “DCShadow” is not a vulnerability but an innovative way to inject illegitimate data into an AD infrastructure.

No unprivileged attacker will ever be able to use it to escalate their privileges and gain administrative access to your AD using “DCShadow”. Bottom-line is: if your AD is properly configured and secured, you do not need to take any urgent actions.

Le Toux noted in a tweet a few technical points about Delsalle's writeup you should probably keep in mind, though... ®

Updated to add

A website describing the attack is now live here if you want more information.

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018