Infosec researchers discovered a recent attack on Microsoft’s Active Directory software that let them insert their own domain controller into an existing enterprise setup.
DCShadow allows an attacker to create a rogue domain controller in an Active Directory environment, and use it to push malicious objects. How? Le Toux tweeted a summary:
For those who want the magic explained, #DCShadow is using DrsReplicaAdd (DRSR 4.1.19) to trigger a replication.
It modifies the replTo attribute of a DC and triggers an immediate replication.
ReplicaSync doesn’t trigger a replication (cc: @gentilkiwi) because replTo is not set.
— Vincent Le Toux (@mysmartlogon) January 29, 2018
Delsalle described: “The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain.”
“The main action made by the ‘DCShadow’ attack is to create a new server and nTDSDSA objects in the Configuration partition of the schema.” nTDSDSA objects are described by Microsoft as the replication agent responsible for processing the Directory Replication Service protocol.
They explain that this change happens in a privileged environment, though, so the attack needs a way around the controls on creating server objects and initiating replication. Once that is done, an attacker can register a domain controller in the replication environment and have it authenticated by another domain controller.
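Because the rogue DC announces itself by adding a server object with an nTDSDSA child to the Configuration partition, a defender can compare those replication-agent objects against the accounts that are actually domain controllers. The following check is an added example, not code from the original post or from the researchers' tooling; the directory snapshot, the site name and the allowlist of DC names are constructed, and in practice both would be pulled over LDAP.

```python
"""Flag nTDSDSA (replication agent) objects that do not belong to a known domain controller."""
import re

# Constructed snapshot of part of the Configuration partition: DN -> objectClass.
# A real check would read CN=Sites,CN=Configuration,<forest root> over LDAP.
SUFFIX = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
CONFIG_ENTRIES = {
    f"CN=DC01,{SUFFIX}": "server",
    f"CN=NTDS Settings,CN=DC01,{SUFFIX}": "nTDSDSA",
    f"CN=DC02,{SUFFIX}": "server",
    f"CN=NTDS Settings,CN=DC02,{SUFFIX}": "nTDSDSA",
    # Constructed rogue registration: a workstation name now owns a replication agent.
    f"CN=WS-FINANCE17,{SUFFIX}": "server",
    f"CN=NTDS Settings,CN=WS-FINANCE17,{SUFFIX}": "nTDSDSA",
}

# Constructed allowlist: computer accounts that really sit in the Domain Controllers OU.
KNOWN_DCS = {"DC01", "DC02"}


def dn_components(dn):
    """Split a DN on unescaped commas and return (attribute, value) pairs."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(part.split("=", 1)) for part in parts]


def find_rogue_replication_agents(entries, known_dcs):
    """Return the names of servers that own an nTDSDSA object but are not known DCs.

    An nTDSDSA object is expected directly beneath its server object:
    CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    Anything else (unknown server name or unexpected location) is reported.
    """
    allowed = {name.upper() for name in known_dcs}
    rogue = []
    for dn, object_class in entries.items():
        if object_class.lower() != "ntdsdsa":
            continue
        comps = dn_components(dn)
        if len(comps) < 3 or comps[2][1].lower() != "servers":
            rogue.append(dn)  # replication agent outside the Servers container
            continue
        server = comps[1][1]
        if server.upper() not in allowed:
            rogue.append(server)
    return sorted(rogue)


if __name__ == "__main__":
    for hit in find_rogue_replication_agents(CONFIG_ENTRIES, KNOWN_DCS):
        print("unexpected replication agent:", hit)
```

Running the same comparison on a schedule, and alerting on any nTDSDSA object whose server name is not a DC, catches the registration step regardless of which objects the rogue controller later pushes.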
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.