Active Directory: What can make your million dollar SIEM go blind?

Uploaded by hatram, posted 22-Jun-2018

TRANSCRIPT


Who are we

Vincent LE TOUX – Main Speaker @mysmartlogon
●Security researcher
●CEO of « My Smart Logon » (smart card & Windows authentication)

CONTRIBUTIONS
●Author of Ping Castle (https://www.pingcastle.com)
●(a few) contributions to Mimikatz
●Smart card (GIDS applet, OpenSC, ….)

I'm:
●Check a few boxes here →

Benjamin DELPY – Guest « Technical Guy » @gentilkiwi
●Security Kiwi researcher at night

AUTHOR OF MIMIKATZ
●This little program that he wrote to learn C
●And kekeo, for personal usage ;)

I'm not:
●Bachelor, CISSP, CISA, OSCP, CHFI, CEH, ISO*, MCSA, CHFI, PASSI, [...]

What will be presented

●Domains & risks discovery
○With a:
■‘Corporate-like’ infrastructure simulated
■A real demo inside ;)
●PingCastle
●mimikatz
●DCShadow
○A new domain post-exploitation / domination concept
○Included in the mimikatz lsadump module ;)
■YES! With a real demo inside too!

Story: a Merger

Fabrikam, Inc + Contoso Ltd → Fabritoso Corp

To facilitate the merger, both IT departments have been asked to allow the accounting teams to share data and to help in the creation of the « one accounting » team.

While this operation takes time, executives decided to subcontract some IT operations to the company Awesome Computers.

You have been tasked to exfiltrate data related to the merger.

Attack plan

1. Explore and take control of the target domain via trusts
2. Bypass controls by running our own « DC »!

(Diagram) Entry point → Target: change this attribute to own the domain, and then exfiltrate data.
No trust relationship: the merger data is isolated from third parties.
The defense team is not aware of the changes instructed by the management and led by the infrastructure team.

What do AD defenders assume?

●Monitoring based on logs or public data: AD logs are sent to a SIEM which correlates data in real time.
●Presence of batches doing some health checking.

1. Exploit Trusts: build a map & reach the target

Should you care about trusts?

●Real life example (1): a large company with 300 trusted domains, including
○2 other large companies
○10 smaller companies
●Remember NotPetya? A large company got infected through a former subsidiary, with a 250M€ impact.
●Most vulnerable: mergers, joint ventures, newly bought companies, …

(1) https://first.org/resources/papers/conf2017/Active-Directory-How-To-Change-a-Weak-Point-Into-a-Leverage-for-Security-Monitoring.pdf

Basic discovery techniques

●Trust information (partner, attributes, direction, ..)
●Forest information (all child domains, UPN routing)
●Trust information is accessible to ANY user (including users of trusted domains)
Note: also accessible via nltest.exe /domain_trusts

Aiming Fabritoso via Awesome Computers

(Diagram) tech.ac.com ↔ ac.com ↔ it.fabrikam.com
Discovered so far: *.ac.com, it.fabrikam.com + … (?)
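Building the map out of `nltest /domain_trusts` is simple enough to script. The parser below is an added example for this page, not a tool from the talk; its input is constructed to follow nltest's line shape (index, NetBIOS name, DNS name, `(NT 5)`, then flags in parentheses) with hypothetical domain names taken from the story, and it only relies on the `Direct Inbound` / `Direct Outbound` flags and the `quarantined` attribute. The point worth seeing in code: from the attacker's own domain, the domains you can authenticate to are the ones that trust you (`Direct Inbound` as seen from here), and a SID-filtered (quarantined) trust still lets you in but strips foreign SIDs from SIDHistory, which matters later.

```python
"""Map the trusts visible from the attacker's domain out of `nltest /domain_trusts`
output (added example; sample output is constructed, domain names hypothetical)."""
import re
from dataclasses import dataclass, field

# Constructed to follow nltest's line shape; not captured from a real domain.
SAMPLE_NLTEST = """\
List of domain trusts:
    0: TECH tech.ac.com (NT 5) (Forest: 1) (Primary Domain) (Native)
    1: AC ac.com (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: withintree )
    2: IT it.fabrikam.com (NT 5) (Direct Outbound) ( Attr: quarantined )
    3: CONTOSO contoso.com (NT 5) (Direct Inbound) ( Attr: foresttrans )
The command completed successfully
"""

LINE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\S+)\s+\(NT \d+\)(.*)$")
PAREN_RE = re.compile(r"\(\s*([^()]*?)\s*\)")


@dataclass
class Trust:
    index: int
    netbios: str
    dns: str
    flags: set = field(default_factory=set)   # e.g. "Direct Inbound", "Primary Domain"
    attrs: set = field(default_factory=set)   # e.g. "quarantined", "foresttrans"

    @property
    def primary(self):
        return "Primary Domain" in self.flags

    @property
    def sid_filtered(self):
        # "quarantined" = SID filtering: foreign SIDs carried in SIDHistory are dropped.
        return "quarantined" in self.attrs


def parse_domain_trusts(text):
    """Parse the numbered lines; every parenthesised token after "(NT x)" is a
    flag, except the "Attr:" group whose words are trust attributes."""
    trusts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = Trust(int(m.group(1)), m.group(2), m.group(3).lower())
        for token in PAREN_RE.findall(m.group(4)):
            if token.startswith("Attr:"):
                t.attrs.update(token[len("Attr:"):].split())
            else:
                t.flags.add(token)
        trusts.append(t)
    return trusts


def reachable_from_here(trusts):
    """Domains our principals can authenticate to, in nltest order.

    Seen from our domain, "Direct Inbound" means the listed domain trusts us,
    so our accounts are accepted there. "Direct Outbound" alone means the
    reverse (their accounts come to us), which is no use to an attacker here.
    Returns (dns name, "sid-filtered" | "open")."""
    out = []
    for t in trusts:
        if t.primary or "Direct Inbound" not in t.flags:
            continue
        out.append((t.dns, "sid-filtered" if t.sid_filtered else "open"))
    return out


if __name__ == "__main__":
    found = parse_domain_trusts(SAMPLE_NLTEST)
    for t in found:
        print(f"{t.index}: {t.dns:20} flags={sorted(t.flags)} attrs={sorted(t.attrs)}")
    print("reachable:", reachable_from_here(found))
```

Anything else in parentheses (forest index, native mode, tree root) is kept verbatim in `flags`, so the parser does not break on attribute words it has not seen; only `quarantined` is interpreted.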

Too basic: go deeper!

●Basic discovery: nltest /domain_trusts
●Explore trusted domains: CN=Configuration partition data
●Information used to evaluate permissions: SID History and ForeignSecurityPrincipals, SID lookup
●Abuse the DC locator service: how DCs are located (Domain Locator)

Technique#1: Partition data

https://technet.microsoft.com/en-us/library/cc961591.aspx

●Every domain controller contains the Configuration partition, which stores configuration objects for the entire forest (shared among all DCs of a forest).
●The Configuration partition includes the definition of the AD partitions (= domains) in cn=partitions,cn=configuration,dc=forestRootDomain
●Information gained: the list of domains of the forest

TRUST to a domain (not a forest) = read the forest Configuration = get the information of all domains of the forest

Aiming Fabritoso via Awesome Computers

(Diagram, after partition data) tech.ac.com ↔ ac.com ↔ it.fabrikam.com ↔ fabrikam.com
Discovered so far: *.ac.com, *.fabrikam.com + … (?)

Technique#2: SID lookup

Foreign users of a domain have a SID (S-1-5-…) related to their domain.

●CN=ForeignSecurityPrincipals container → list of foreign domain SIDs
●SIDHistory account attribute → migration / bastion domains
●SID translation (LsaLookupSid) → list of the most trusted domains

Aiming Fabritoso via Awesome Computers

(Diagram, after SID lookup) tech.ac.com ↔ ac.com ↔ it.fabrikam.com ↔ fabrikam.com, plus bastion.fabri and acc.contoso.com
Discovered so far: *.ac.com, *.fabrikam.com + … (?)
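What the SID lookup step yields can be reduced offline. The script below is an added example, not from the talk: given objectSid values read from CN=ForeignSecurityPrincipals and sidHistory values read from user objects (both constructed here, the domain SIDs are made up), it strips the RID to recover each foreign domain SID, counts how many principals point at it, and leaves aside the well-known SIDs such as S-1-5-4, S-1-5-9, S-1-5-11 and S-1-5-17 that every domain carries in that container by default. Translating a domain SID to a name is the LsaLookupSids step from the slide and needs a reachable DC, so it is not done here; the low-RID check is the practitioner's reflex, because a foreign SID with RID 512 or 500 in sidHistory is a migrated admin.

```python
"""Derive the foreign domains a domain deals with from the SIDs found in
CN=ForeignSecurityPrincipals and in sidHistory (added example, constructed data)."""
import re
from collections import Counter

# Constructed sample of objectSid values as they would be read from the FSP
# container, and sidHistory values read from a few user objects. Not real data.
FSP_SIDS = [
    "S-1-5-4",                       # Interactive (well-known, created by default)
    "S-1-5-9",                       # Enterprise Domain Controllers
    "S-1-5-11",                      # Authenticated Users
    "S-1-5-17",                      # IUSR
    "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "S-1-5-21-1111111111-2222222222-3333333333-1205",
    "S-1-5-21-4444444444-5555555555-6666666666-500",
]
SID_HISTORY = [
    "S-1-5-21-7777777777-8888888888-9999999999-1107",
    "S-1-5-21-7777777777-8888888888-9999999999-1108",
    "S-1-5-21-1111111111-2222222222-3333333333-512",
]

# Domain-scoped SIDs are S-1-5-21-<three sub-authorities>-<RID>.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_domain_sid(sid):
    """Return (domain SID, RID) for a domain-scoped SID, or None for well-known
    SIDs such as S-1-5-11, which carry no domain information."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def foreign_domains(fsp_sids, sid_history):
    """(domain SID, number of principals referencing it, sorted sources), most
    referenced first. A domain that shows up through sidHistory is a migration
    source: the accounts kept their old RIDs when they were moved."""
    seen = Counter()
    sources = {}
    for origin, sids in (("fsp", fsp_sids), ("sidHistory", sid_history)):
        for sid in sids:
            parsed = split_domain_sid(sid)
            if parsed is None:
                continue  # well-known SID, not a foreign domain
            seen[parsed[0]] += 1
            sources.setdefault(parsed[0], set()).add(origin)
    return [(dom, n, sorted(sources[dom])) for dom, n in seen.most_common()]


def privileged_rids(sids):
    """RIDs below 1000 are reserved (500 Administrator, 512 Domain Admins,
    519 Enterprise Admins, ...): a foreign one deserves a closer look."""
    return [sid for sid in sids
            if (p := split_domain_sid(sid)) is not None and p[1] < 1000]


if __name__ == "__main__":
    for dom, n, src in foreign_domains(FSP_SIDS, SID_HISTORY):
        print(f"{dom}: {n} principal(s) via {', '.join(src)}")
    print("privileged foreign RIDs:", privileged_rids(FSP_SIDS + SID_HISTORY))
```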

Technique#3: Domain Locator

A good old NT4 service ([MS-ADTS] 6.3.6): you ask a DC in a domain you can connect to, to locate a DC in a domain it trusts, and it returns that domain's forest information.

In practice: nltest /Server:trustedDC /DsGetDC:domainToQuery

Aiming Fabritoso via Awesome Computers

(Diagram, after the domain locator service) tech.ac.com ↔ ac.com ↔ it.fabrikam.com ↔ fabrikam.com ↔ contoso.com, plus bastion.fabri and acc.contoso.com

Demo time

●#1 Domain discovery: PingCastle with cartography mode
●#2 Compromise via trust: Mimikatz with
○DCSync
○Golden ticket

2. Avoid SIEM detection: run your own DC!

Install your own DC with DCShadow and enjoy your next-gen backdoor.

A typical AD monitoring architecture

(Diagram) DC1, DC2 and DC3 replicate with each other; log collection feeds a log management tier, which feeds the SIEM; correlation produces alerts for the SOC / CSIRT, which handles investigation and incident response.

We want to be granted admin rights to THIS server.

What does a SIEM monitor?

A « Security Information & Event Management » does:
●Keep a trace of all changes (permissions, attributes, account creation, membership, …)
●Raise alerts on sensitive group changes (Domain Admins, Enterprise Admins, accounting, …)
●Raise alerts on connections to critical assets (aka Domain Controllers) with unusual accounts
●Detect some attack patterns:
○Bruteforce
○Simultaneous use of an account
Good monitoring also tracks “basic” DCSync.

How to avoid a SIEM?

A « Security Information & Event Management » relies on logs to trigger alerts. Global idea: remove the logs causing alerts.

Idea#1: Alter the log policy. Problem: the SIEM also alerts on log volume.
Idea#2: Take control of a DC. Problem: !! DC login !! (a connection to a DC with an unusual account is exactly what gets alerted on)
Idea#3: Run your own DC and push changes to the other DCs.

Previous attempts to alter DC data

●Mimikatz MISC::AddSid: patch in LSASS (injection into LSASS, not public)
●DSInternals: offline operations + DC recovery process
●Install a VM and run a DC: requires hardware instructions not enabled by default
All of them require logging in to a DC.

Until now, there was no easy way to edit the DC database locally or remotely.

A layered view of a DC: a new attack, DCShadow

What is really a DC?
1. An RPC server implementing MS-DRSR
2. A record in the Configuration partition + known SPNs
3. A server in the Domain Controllers group
4. A server promoted to the AD DS role

Installation of a DC

●What is really needed to register a DC?
1. A change in the Configuration partition (domain admin only?)
2. A modification of the SPN of a computer account that the attacker owns
No need to be a member of the « Domain Controllers » group.

Special function [MS-DRSR] DrsAddEntry

Used to add special objects like DCs. Attributes are identified internally by an ATTRTYP derived from a prefix table (OID prefix → index in the upper 16 bits, last arc of the OID in the lower 16 bits):

User view (OID)               | Internal view (AttID)
2.5.4.0 (objectClass)         | 0
2.5.4.0 + 13 (2.5.4.13, description) | 0x0000 + 0xd

DrsAddEntry is not limited to DC registration!

Running a DC

●What is really needed to run a DC?
1. Impersonate the computer account to use its SPN
2. Run an RPC server listening for a minimal set of APIs (like DrsGetNCChanges, the DCSync call)
3. Trigger a replication
○Use DrsReplicaAdd on the computer (requires DS-Replication-Manage-Topology and DS-Replication-Synchronize – “Administrator”)
○OR wait for the KCC to run (every 15 minutes)
■But not in this demo ;)

No need to be a member of the « Domain Controllers » group or a real server!
●https://twitter.com/gentilkiwi/statuses/637402457740562432 (2015)
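The two registration steps (an object under the Configuration partition for the new server, and DC-style SPNs on a computer account the attacker controls) are the only part of the attack that reaches a legitimate DC through ordinary writes, so they are the part a defender can hope to see in audit logs. The check below is an added example for this page, not from the talk or from mimikatz. It runs over constructed event records shaped like Windows Security events 4742 (computer account changed, carrying the SPN list) and 5137 (directory service object created) and flags DC-only SPN classes (`GC/`, and the DRS replication SPN whose class is the MS-DRSR interface UUID `E3514235-4B06-11D1-AB04-00C04FC2DCD2`) on accounts outside a hypothetical DC inventory, plus an nTDSDSA object created for a server that is not in that inventory. Field names, the DC list and the domain are assumptions. The replicated changes themselves produce no such events, so this catches the registration, not the payload, and only if Account Management and Directory Service Changes auditing (with a SACL on the Configuration partition) are enabled.

```python
"""Spot the registration footprint of a rogue DC in directory audit events
(added example). Events are constructed dicts shaped like Security events 4742
(computer account changed) and 5137 (directory service object created); field
names, the DC inventory and the domain name are assumptions."""

# SPN classes only domain controllers carry: the global catalog SPN, and the
# DRS replication SPN whose class is the MS-DRSR RPC interface UUID.
GC_SPN_PREFIX = "GC/"
DRS_SPN_PREFIX = "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"

# Hypothetical inventory of legitimate DC computer accounts.
KNOWN_DCS = {"DC1$", "DC2$", "DC3$"}

SAMPLE_EVENTS = [
    # Routine: a real DC re-registering its GC SPN.
    {"EventID": 4742, "TargetUserName": "DC2$",
     "ServicePrincipalNames": ["GC/dc2.fabritoso.corp/fabritoso.corp"]},
    # Registration step 2: DC-only SPNs added to an ordinary workstation account.
    {"EventID": 4742, "TargetUserName": "WKS-ADMIN17$",
     "ServicePrincipalNames": [
         "HOST/wks-admin17.fabritoso.corp",
         "GC/wks-admin17.fabritoso.corp/fabritoso.corp",
         DRS_SPN_PREFIX + "11111111-2222-3333-4444-555555555555/fabritoso.corp"]},
    # Registration step 1: an nTDSDSA object created for that workstation.
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WKS-ADMIN17,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=fabritoso,DC=corp"},
    # Routine: a real DC promotion.
    {"EventID": 5137, "SubjectUserName": "DC1$", "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=fabritoso,DC=corp"},
]


def spn_looks_like_dc(spn):
    return spn.startswith(GC_SPN_PREFIX) or spn.upper().startswith(DRS_SPN_PREFIX)


def rdn_value(dn, index):
    """Value of the index-th RDN from the left of a DN without escaped commas."""
    return dn.split(",")[index].split("=", 1)[1]


def rogue_dc_indicators(events, known_dcs=KNOWN_DCS):
    """Return (indicator, account or subject, detail) tuples.

    4742: DC-only SPNs appearing on an account that is not a known DC.
    5137: an nTDSDSA object (the "NTDS Settings" record that makes a server a
    replication partner) created under CN=Servers for a server whose computer
    account is not a known DC."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4742:
            acct = ev["TargetUserName"]
            dc_spns = [s for s in ev.get("ServicePrincipalNames", []) if spn_looks_like_dc(s)]
            if dc_spns and acct not in known_dcs:
                findings.append(("dc-spn-on-non-dc", acct, dc_spns))
        elif ev["EventID"] == 5137 and ev.get("ObjectClass") == "nTDSDSA":
            server = rdn_value(ev["ObjectDN"], 1)   # CN=<server> just below NTDS Settings
            if server.upper() + "$" not in known_dcs:
                findings.append(("ntdsdsa-for-unknown-server",
                                 ev["SubjectUserName"], ev["ObjectDN"]))
    return findings


if __name__ == "__main__":
    for kind, who, detail in rogue_dc_indicators(SAMPLE_EVENTS):
        print(f"{kind}: {who} -> {detail}")
```

In a real deployment the inventory comes from the Domain Controllers OU or the existing nTDSDSA objects, and since the rogue registration is usually torn down right after the push, the matching 5141 (object deleted) a few seconds later is the second half of the same signal.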

Running a DC: Demo time

Wait: you break MS-ADTS rules!

●MS-ADTS (Active Directory Technical Specification) is the AD Bible. 625 pages!
●Completed by [MS-DRSR] (replication), [MS-LSAT] (Local Security Authority), [MS-NRPC] (Netlogon), [MS-SAMR] (Security Account Management), …

1/625:

MS-SAMR 3.1.1.8.7 unicodePwd: “The ntPwdHistory attribute MUST be updated with the new unicodePwd attribute value”

MS-SAMR 3.1.1.8.5 clearTextPassword: “If the RID of the objectSid attribute is DOMAIN_USER_RID_KRBTGT and the requesting protocol is a change-password protocol, the server MUST abort the request and return an error status.”

What can be done with your own DC?

Push any changes that …

●… a normal DC will push, WITHOUT LOGGING. Example: change the primary group to 519 (member of the Enterprise Admins group).
●… only a DC will prepare, WITHOUT LOGGING. Example: add the Enterprise Admins group SID in the SIDHistory attribute.
●… are partial changes, WITHOUT LOGGING. Example: push a HASH as the old password hash without changing the current HASH of the account nor the last password change date.

Breaking the rules …

●Setting « whenChanged » to Bastille day
●Setting any SIDHistory

Demo time, the last one ;)

A DC does not accept everything

●You cannot set a NULL DACL
●Nor the attribute « whenCreated »

3. Incident response: « We are being hacked! »

●A consultant in an incident response company has been tasked by Fabritoso to investigate some unusual activity
●The consultant suspects a possible Active Directory compromise
●He wants to validate or discard this hypothesis

Going Forensic

Getting replication metadata: repadmin /showobjmeta <DC> <Object>

Replication metadata:
• Public information
• Stored in LDAP (replication metadata attributes such as msDS-ReplAttributeMetaData, readable with Ldp.exe) and available over RPC

Decoding replication metadata

Each row of the metadata gives, per attribute:
●Attribute id (e.g. « description »)
●Version of the attribute value (e.g. « 2 »)
●Local USN = number of the change as seen locally
●DC which made the modification (originating DSA)
●USN of the DC which made the change (originating USN)
●Date when the change occurred on the remote DC (originating time)

Idea: recover the attacker's timeline by analysing the AD changes.
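Scripting that idea is straightforward once the repadmin output is parsed. The analysis below is an added example for this page, not a tool from the talk; its input is constructed to mirror the column layout of `repadmin /showobjmeta` (the dates follow the ISO shape shown here, real output is formatted per system locale) and it uses a hypothetical list of legitimate DC names. It rebuilds the timeline in local-USN order and flags two things a push from a rogue DC leaves behind: an originating DSA that is not one of the known DCs (once the rogue server object is gone its name no longer resolves, only an identifier remains), and an originating timestamp far older than changes the local DC had already applied before it, which is what a « whenChanged » set to Bastille day looks like from the receiving side. The local USN is assigned by the receiving DC, so the attacker does not control the order; the originating time and USN are supplied by the originating DSA, so they cannot be trusted. Lingering replication from a long-offline DC can produce the same pattern, hence the tolerance and the word "lead".

```python
"""Rebuild a change timeline from `repadmin /showobjmeta` output and flag rows
that do not fit (added example). The sample is constructed to mirror the column
layout; it is not a real capture, and real dates are locale-formatted."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical inventory of legitimate DCs (the "DC" part of Site\DC).
KNOWN_DCS = {"DC1", "DC2", "DC3"}

SAMPLE_SHOWOBJMETA = r"""
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
   8194                 Default-First-Site-Name\DC1      8194 2018-01-05 10:22:15    1 objectClass
   8194                 Default-First-Site-Name\DC1      8194 2018-01-05 10:22:15    1 cn
  41020                 Default-First-Site-Name\DC2     17733 2018-02-14 08:03:41    2 description
  41057                 Default-First-Site-Name\DC2     17810 2018-02-14 08:05:02    3 primaryGroupID
  41058       e6b2f0a1-3c4d-4e5f-8a9b-0c1d2e3f4a5b         1 1789-07-14 00:00:00    2 sIDHistory
"""

ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$")


@dataclass
class MetaRow:
    loc_usn: int          # assigned by the DC we query when it applied the change
    originating_dsa: str  # Site\DC, or an unresolved identifier
    org_usn: int          # USN on the originating DSA (its claim)
    org_time: datetime    # time on the originating DSA (its claim)
    version: int
    attribute: str


def parse_showobjmeta(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(MetaRow(int(m[1]), m[2], int(m[3]),
                                datetime.strptime(m[4], "%Y-%m-%d %H:%M:%S"),
                                int(m[5]), m[6]))
    # Local USN order is the order this DC really saw the changes.
    return sorted(rows, key=lambda r: r.loc_usn)


def dsa_short_name(dsa):
    return dsa.rsplit("\\", 1)[-1]


def timeline(rows):
    """Naive chronological view by claimed originating time:
    (time, dsa, attribute, version). A forged old timestamp lands at the head."""
    return sorted((r.org_time, dsa_short_name(r.originating_dsa), r.attribute, r.version)
                  for r in rows)


def suspicious_rows(rows, known_dcs=KNOWN_DCS, tolerance=timedelta(days=1)):
    """Leads, not proof. (1) Originating DSA not in the DC inventory. (2) A row
    applied locally after others but claiming an originating time much older
    than theirs: the local USN is not under the originator's control, the
    originating time is. Lingering replication from a long-offline DC looks the
    same, hence the tolerance."""
    findings = []
    latest_seen = None
    for r in rows:  # already in local USN order
        if dsa_short_name(r.originating_dsa) not in known_dcs:
            findings.append(("unknown-originating-dsa", r.attribute, r.originating_dsa))
        if latest_seen is not None and r.org_time < latest_seen - tolerance:
            findings.append(("org-time-before-earlier-local-change", r.attribute,
                             r.org_time.isoformat()))
        latest_seen = r.org_time if latest_seen is None else max(latest_seen, r.org_time)
    return findings


if __name__ == "__main__":
    parsed = parse_showobjmeta(SAMPLE_SHOWOBJMETA)
    for when, dsa, attr, ver in timeline(parsed):
        print(f"{when}  {dsa:40} {attr} v{ver}")
    for finding in suspicious_rows(parsed):
        print("LEAD:", finding)
```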

Tracking schema changes (MS-ADTS 3.1.1.2.1)

●Changing default permissions in the schema is a powerful backdoor
●It can be tracked easily by monitoring the attribute schemaInfo
●But wait … schemaInfo is updated by a DC?
Work in progress

Deleting / erasing objects?

Deletion =
●Move the object
●Remove properties
●Set isDeleted
●Wait for the deletion time (180 days!)
●But the deletion time is stored in the metadata
Idea: change the expiration time … Work in progress

Conclusion: Fabritoso hacked!

TRUSTS: The larger the company is, the easier it is to exploit trusts.
DCSHADOW: DCShadow is a new domination attack aiming at SIEM bypass.
METADATA: Forensic analysis trusts replication data. Well, not anymore.

Thanks! https://www.pingcastle.com

https://github.com/gentilkiwi/mimikatz (will be updated to release DCShadow)

Also thanks to Victor KERR for inspiring the name DCShadow