Infosec researchers discovered a recent attack on Microsoft’s Active Directory software that let them insert their own domain controller into an existing enterprise setup.
France-based duo Benjamin Delpy – the Mimikatz creator – and Vincent Le Toux presented their technique, dubbed DCShadow, to the Windows Giant’s Blue Hat conference in Israel last week.
DCShadow allows an attacker to create a rogue domain controller in an Active Directory environment, and use it to push malicious objects. How? Le Toux tweeted a summary:
For those who want the magic explained, #DCShadow is using DrsReplicaAdd (DRSR 4.1.19.2) to trigger a replication.
It modifies the replTo attribute of a DC and triggers an immediate replication.
ReplicaSync doesn't trigger a replication (cc: @gentilkiwi) because replTo is not set.
— Vincent Le Toux (@mysmartlogon), January 29, 2018
The presentation [PDF] was unpicked in more detail by Luc Delsalle, a security researcher who specializes in Active Directory, here.
Delsalle described: “The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain.”
“The main action made by the ‘DCShadow’ attack is to create a new server and nTDSDSA objects in the Configuration partition of the schema.” nTDSDSA objects are described by Microsoft as the replication agent responsible for processing the Directory Replication Service protocol.
They explain that this change has to happen from a privileged position, though, so the attack needs a way around the controls on creating server objects and initiating replication before an attacker can register a rogue domain controller in the replication environment and have it accepted by another, legitimate domain controller.
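As an added illustration of how a defender might hunt for the registration step described above (this is not code from the researchers or from the presentation), the following Python scans constructed Security-log records for two of the artefacts DCShadow leaves: an nTDSDSA object created under the Configuration partition, and a non-DC computer account gaining DC-only service principal names. The event IDs 5137 and 4742, the GC/ SPN prefix and the DRS RPC interface GUID are taken from general Windows knowledge rather than from this article, and the sample events and allow-list are made up.

```python
"""Flag Security-log events consistent with the DCShadow registration step."""

# SPN prefixes that only a genuine domain controller should carry. The GUID is
# the Directory Replication Service (DRS) RPC interface identifier.
DRS_SPN_PREFIX = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
GC_SPN_PREFIX = "GC/"

# Constructed sample events, loosely modelled on the fields of Security events
# 5137 (directory object created) and 4742 (computer account changed).
SAMPLE_EVENTS = [
    {"EventID": 5137, "ObjectClass": "nTDSDSA", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=NTDS Settings,CN=WS-ACCT01,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=corp,DC=example"},
    {"EventID": 5137, "ObjectClass": "user", "SubjectUserName": "hr-admin",
     "ObjectDN": "CN=New Hire,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4742, "TargetUserName": "WS-ACCT01$", "SubjectUserName": "jdoe",
     "ServicePrincipalNames": "HOST/ws-acct01.corp.example;GC/ws-acct01.corp.example/corp.example"},
    {"EventID": 4742, "TargetUserName": "DC01$", "SubjectUserName": "SYSTEM",
     "ServicePrincipalNames": "HOST/dc01.corp.example;GC/dc01.corp.example/corp.example"},
]

# Constructed allow-list: computer accounts of the legitimate domain controllers.
KNOWN_DC_ACCOUNTS = {"DC01$"}


def is_rogue_ntdsdsa_create(event):
    """5137 creating an nTDSDSA object inside the Configuration partition."""
    return (event.get("EventID") == 5137
            and event.get("ObjectClass", "").lower() == "ntdsdsa"
            and ",CN=Configuration," in event.get("ObjectDN", ""))


def gains_dc_spns(event, known_dcs):
    """4742 handing DC-only SPNs to an account that is not a known DC."""
    if event.get("EventID") != 4742 or event.get("TargetUserName") in known_dcs:
        return False
    spns = event.get("ServicePrincipalNames", "").split(";")
    return any(s.startswith((GC_SPN_PREFIX, DRS_SPN_PREFIX)) for s in spns)


def find_dcshadow_indicators(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return (reason, actor, target) tuples for events worth an analyst's eye."""
    findings = []
    for ev in events:
        if is_rogue_ntdsdsa_create(ev):
            findings.append(("ntdsdsa-created", ev["SubjectUserName"], ev["ObjectDN"]))
        elif gains_dc_spns(ev, known_dcs):
            findings.append(("dc-spn-added", ev["SubjectUserName"], ev["TargetUserName"]))
    return findings
```

Because DCShadow removes its objects once replication is done, the point is to alert on the creation and SPN-change events as they are logged rather than to rely on a later audit of the Configuration partition.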