Active Directory: what can make your million dollar SIEM ...
TRANSCRIPT
Who are we

Vincent LE TOUX – Main Speaker @mysmartlogon
● Security researcher
● CEO of « My Smart Logon » (smart card & Windows authentication)
CONTRIBUTIONS
● Author of Ping Castle (https://www.pingcastle.com)
● (few) contributions in Mimikatz
● Smart card (GIDS applet, OpenSC, …)
I’m:
● Check a few boxes here →

Benjamin DELPY – Guest « Technical Guy » @gentilkiwi
● Security Kiwi researcher at night
AUTHOR OF MIMIKATZ
● This little program that he wrote to learn C
● And kekeo, for personal usage ;)
I’m not:
● Bachelor, CISSP, CISA, OSCP, CHFI, CEH, ISO*, MCSA, CHFI, PASSI, [...]
What will be presented
● Domains & risks discovery
○ With a ‘corporate like’ infrastructure simulated
○ A real demo inside ;)
● PingCastle
● mimikatz
● DCShadow
○ A new domain post-exploitation / domination concept
○ Included in the mimikatz lsadump module ;)
■ YES! With a real demo inside too!
Story: a Merger
Fabrikam, Inc + Contoso Ltd → Fabritoso Corp
To facilitate the merger, both IT departments have been asked to allow the accounting teams to share data and to help in the creation of the « one accounting » team.
While this operation takes time, executives decided to subcontract some IT operations to the company Awesome Computers.
You have been tasked to exfiltrate data related to the merger.
Attack plan
1. Explore and take control of the target domain via trusts
2. Bypass controls by running our own « DC »!
Diagram: entry point → target; "Change this attribute to own the domain", "And then exfiltrate data".
No trust relationship: the merger data is isolated from third parties.
The defense team is not aware of the changes instructed by the management and led by the infrastructure team.
What do AD defenders assume?
● Monitoring based on logs or public data: AD logs are sent to a SIEM which correlates data in real time.
● Presence of batches doing some health checking.
Should you care about trusts?
● Real life example (1): a large company with 300 trusted domains, including
○ 2 other large companies
○ 10 smaller companies
● Remember NotPetya? A large company got infected through a former subsidiary, with a 250M€ impact
Most vulnerable: mergers, joint ventures, newly bought companies, …
(1) https://first.org/resources/papers/conf2017/Active-Directory-How-To-Change-a-Weak-Point-Into-a-Leverage-for-Security-Monitoring.pdf
Basic discovery techniques
Screenshot: trust information (partner, attributes, direction, ..) and forest information (all child domains, UPN routing).
Note: also accessible via nltest.exe /domain_trusts
Trust information is accessible to ANY user (including users of trusted domains)
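Because any user can read the trust list, the defender should read it first. The following added example (not code from the talk, PingCastle or mimikatz) parses `nltest /domain_trusts` output and flags the trusts that deserve review: inbound external trusts, transitive forest trusts, and external inbound trusts without the SID-filtering (quarantine) flag. The sample output is constructed and its layout is an assumption modelled on the tool; the flag bits come from the trustAttributes definition in [MS-ADTS].

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample of `nltest /domain_trusts` output as run on a member of contoso.com.
# The layout is modelled on the tool's output; it is not a capture from the talk's lab.
SAMPLE_NLTEST = """\
List of domain trusts:
    0: CONTOSO contoso.com (NT 5) (Forest Tree Root) (Primary Domain) (Native)
    1: ACC acc.contoso.com (NT 5) (Forest: 0) (Direct Outbound) (Direct Inbound) ( Attr: withinforest )
    2: FABRIKAM fabrikam.com (NT 5) (Direct Outbound) (Direct Inbound) ( Attr: 0x8 )
    3: AC ac.com (NT 5) (Direct Inbound) ( Attr: 0x4 )
The command completed successfully
"""

# trustAttributes flag bits, [MS-ADTS] 6.1.6.7.9.
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x1
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering enforced on this trust
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20

LINE_RE = re.compile(r"^\s*\d+:\s+(\S+)\s+(\S+)\s*(.*)$")
TOKEN_RE = re.compile(r"\(\s*([^()]*?)\s*\)")


@dataclass
class Trust:
    netbios: str
    dns: str
    flags: list[str] = field(default_factory=list)
    attributes: int = 0

    @property
    def primary(self) -> bool:
        return "Primary Domain" in self.flags

    @property
    def within_forest(self) -> bool:
        return (bool(self.attributes & TRUST_ATTRIBUTE_WITHIN_FOREST)
                or "Forest Tree Root" in self.flags
                or any(f.startswith("Forest:") for f in self.flags))

    @property
    def inbound(self) -> bool:
        # accounts of the partner domain can authenticate in our domain
        return "Direct Inbound" in self.flags


def parse_nltest(text: str) -> list[Trust]:
    """Turn the nltest listing into Trust records, one per numbered line."""
    trusts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = Trust(m.group(1), m.group(2).lower())
        for tok in TOKEN_RE.findall(m.group(3)):
            if tok.startswith("Attr:"):
                value = tok.split(":", 1)[1].strip()
                t.attributes = (TRUST_ATTRIBUTE_WITHIN_FOREST if value == "withinforest"
                                else int(value, 16))
            else:
                t.flags.append(tok)
        trusts.append(t)
    return trusts


def review_trusts(trusts: list[Trust]) -> list[tuple[str, str]]:
    """Return (domain, reason) pairs for trusts that widen the attack surface."""
    findings = []
    for t in trusts:
        if t.primary or t.within_forest:
            continue  # intra-forest trusts are implicit and transitive anyway
        if t.inbound:
            findings.append((t.dns, "inbound external trust: accounts from this domain can authenticate here"))
        if t.attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
            findings.append((t.dns, "transitive forest trust: every domain of the partner forest is in scope"))
        elif t.inbound and not t.attributes & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
            findings.append((t.dns, "external trust without the SID filtering (quarantine) flag"))
    return findings


if __name__ == "__main__":
    for domain, reason in review_trusts(parse_nltest(SAMPLE_NLTEST)):
        print(f"{domain}: {reason}")
```

Run it against the real `nltest /domain_trusts` output of each domain you own; the talk's point is that the attacker gets exactly the same list, so every entry it prints is a path a partner's compromise can take into your forest.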
Aiming Fabritoso via Awesome Computers
Diagram (basic discovery techniques): from tech.ac.com and ac.com, the trusts reveal it.fabrikam.com. Known so far: it.fabrikam.com + … (?), *.ac.com
Too basic: go deeper!
● Basic discovery: nltest /domain_trusts – explore trusted domains
● Technique #1, Partition data: the CN=Configuration partition
● Technique #2, SID lookup: SID History and ForeignSecurityPrincipals – information used to evaluate permissions
● Technique #3, Domain Locator: abuse the DC locator service – how DCs are located
Technique#1: Partition data
https://technet.microsoft.com/en-us/library/cc961591.aspx
● Every domain controller contains the Configuration partition, which stores configuration objects for the entire forest.
● The Configuration partition includes the definition of the AD partitions (=domains) in cn=partitions,cn=configuration,dc=forestRootDomain
● Information gained: the list of the domains of the forest
TRUST to a domain (not a forest) = read the forest Configuration = get the information of all domains of the forest (the Configuration partition is shared among all DCs of a forest)
Aiming Fabritoso via Awesome Computers
Diagram (partition data): from tech.ac.com and ac.com, the Configuration partition reveals fabrikam.com next to it.fabrikam.com. Known so far: *.fabrikam.com + … (?), *.ac.com
Technique#2: SID lookup
Foreign users of a domain have a SID (S-1-5-…) related to their domain
● CN=ForeignSecurityPrincipals and the SIDHistory account attribute → list of foreign domain SIDs (migration, bastion)
● SID translation (LsaLookupSid) → list of the most trusted domains
Aiming Fabritoso via Awesome Computers
Diagram (SID lookup): from tech.ac.com and ac.com, the SID lookup reveals bastion.fabri and acc.contoso.com next to it.fabrikam.com and fabrikam.com. Known so far: *.fabrikam.com + … (?), *.ac.com
Technique#3: Domain Locator
You ask a DC in a domain you can connect to, to locate a DC in a domain it trusts, and it returns that domain's forest info.
A good old NT4 service ([MS-ADTS] 6.3.6). In practice: nltest /Server:trustedDC /DsGetDC:domainToQuery
Aiming Fabritoso via Awesome Computers
Diagram (domain locator service): from tech.ac.com and ac.com, the DC locator reveals contoso.com next to it.fabrikam.com, bastion.fabri, acc.contoso.com and fabrikam.com.
Demo time
● #1 Domain discovery: PingCastle with cartography mode
● #2 Compromise via trust: Mimikatz with:
○ DCSync
○ Golden ticket
2. Avoid SIEM detection: run your own DC!
Install your own DC with DCShadow and enjoy your next GEN backdoor
A typical AD monitoring architecture
Diagram: DC1, DC2, DC3 (replication between them) → log collection → log management / SIEM (correlation, alerts) → SOC / CSIRT (investigation, incident response).
We want to be granted admin rights to THIS server
What does a SIEM monitor?
A « Security Information & Event Management » does:
● Keep a trace of all changes (permissions, attributes, account creation, membership, …)
● Raise alerts on sensitive group changes (domain admins, enterprise admins, accounting, …)
● Raise alerts on connections to critical assets (aka Domain Controllers) with unusual accounts
● Detect some attack patterns:
○ Bruteforce
○ Simultaneous use of an account
Good monitoring also tracks “basic” DCSync
How to avoid a SIEM?
A « Security Information & Event Management » relies on logs to trigger alerts.
Global idea: remove the logs causing alerts
Idea#1: alter the log policy – Problem: SIEM alerts based on log volume
Idea#2: take control of a DC – Problem: !! DC login !!
Idea#3: run your own DC and push changes to the other DCs
Previous attempts to alter DC data
● Mimikatz MISC::AddSid – patch by injecting in LSASS (not public) – requires to log in to a DC
● DSInternals offline operations + DC recovery process – requires to log in to a DC
● Install a VM and run a DC – requires HW instructions not enabled by default
Until now, no easy way to edit the DC database locally or remotely
Diagram: a layered view of a DC, with arrows marking where each technique patches.
A new attack: DCShadow
What is really a DC?
1. A RPC server implementing MS-DRSR
2. A record in the Configuration partition + known SPN
3. A server in the Domain Controllers group
4. A server promoted to the AD DS role
Installation of a DC
● What is really needed to register a DC?
1. A change in the Configuration partition (domain admin only?)
2. A modification of the SPN of a computer account that the attacker owns
No need to be a member of the « Domain Controllers » group
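The two registration steps above are exactly what a defender can watch for, since a DC being registered on an account that is not in the DC inventory is never normal. The following added detection logic (not code from the talk or mimikatz) checks two kinds of constructed Security-log events: a computer account change (4742) that adds DC-style SPNs to a non-DC account, and the creation (5137) of an nTDSDSA object under CN=Servers in the Configuration partition for a server that is not a known DC. The event field names, the sample events and the choice of SPN prefixes to watch (the GC/ prefix and the DRS replication SPN prefixed with the DRSUAPI interface GUID) are assumptions of this example, not something the slides specify.

```python
from __future__ import annotations
import re

# Computer accounts of the legitimate domain controllers (inventory maintained by the defender).
KNOWN_DC_ACCOUNTS = {"DC1$", "DC2$", "DC3$"}

# SPN prefixes a real DC registers and a workstation should never carry.
# Assumption of this example: the GC/ SPN and the DRS replication SPN, whose prefix is the
# DRSUAPI interface GUID.
DC_SPN_PREFIXES = ("GC/", "E3514235-4B06-11D1-AB04-00C04FC2DCD2/")

# Constructed sample events modelled on Security log fields (4742 = computer account changed,
# 5137 = directory service object created). These are not captured logs.
SAMPLE_EVENTS = [
    {"EventID": 4742, "TargetUserName": "DC2$",
     "ServicePrincipalNames": "HOST/dc2.fabritoso.corp\nGC/dc2.fabritoso.corp/fabritoso.corp"},
    {"EventID": 4742, "TargetUserName": "WKS42$",
     "ServicePrincipalNames": "HOST/wks42.fabritoso.corp\n"
                              "GC/wks42.fabritoso.corp/fabritoso.corp\n"
                              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
                              "11111111-2222-3333-4444-555555555555/fabritoso.corp"},
    {"EventID": 5137, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WKS42,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=fabritoso,DC=corp"},
    {"EventID": 5137, "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,"
                 "CN=Sites,CN=Configuration,DC=fabritoso,DC=corp"},
    {"EventID": 5137, "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,CN=Users,DC=fabritoso,DC=corp"},
    {"EventID": 4742, "TargetUserName": "WKS07$",
     "ServicePrincipalNames": "HOST/wks07.fabritoso.corp"},
]

# Server name is the second RDN of an NTDS Settings object: CN=NTDS Settings,CN=<server>,CN=Servers,...
SERVER_RDN_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def dc_spns(spn_field: str) -> list[str]:
    """Return the SPNs in a 4742 SPN field that only a DC should register."""
    prefixes = tuple(p.upper() for p in DC_SPN_PREFIXES)
    return [s for s in spn_field.splitlines() if s.upper().startswith(prefixes)]


def check_event(event: dict, known_dcs: set[str] = KNOWN_DC_ACCOUNTS) -> str | None:
    """Return an alert string for a rogue-DC registration indicator, else None."""
    known_upper = {d.upper() for d in known_dcs}
    eid = event.get("EventID")
    if eid == 4742:
        account = event["TargetUserName"]
        spns = dc_spns(event.get("ServicePrincipalNames", ""))
        if spns and account.upper() not in known_upper:
            return f"{account} gained DC service principal names: {', '.join(spns)}"
    elif eid == 5137 and event.get("ObjectClass", "").lower() == "ntdsdsa":
        m = SERVER_RDN_RE.match(event["ObjectDN"])
        server = m.group(1) if m else "?"
        if server.upper() + "$" not in known_upper:
            return f"new nTDSDSA object registered for {server} in the Configuration partition"
    return None


def scan(events: list[dict], known_dcs: set[str] = KNOWN_DC_ACCOUNTS) -> list[str]:
    """Apply check_event to every event and keep the alerts."""
    return [a for a in (check_event(e, known_dcs) for e in events) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The rules depend on an accurate DC inventory: a legitimate promotion of a new DC fires both alerts until the inventory is updated, which is the behaviour you want, since the promotion should be a known change-managed event.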
Special function [MS-DRSR] DrsAddEntry
Used to add special objects like DCs
User View (OID) | Internal View (AttID)
2.5.4.0 | 0
2.5.4.0 + 13 | 0x0000 + 0xd
DrsAddEntry is not limited to DC registration!
Running a DC
● What is really needed to run a DC?
1. Impersonate the computer account to use its SPN
2. Run a RPC server listening for minimal APIs (like DrsGetNCChanges – DCSync)
3. Trigger a replication
○ Use DrsReplicaAdd on the computer (requires DS-Replication-Manage-Topology and DS-Replication-Synchronize – “Administrator”)
○ OR wait for the KCC event for 15 minutes
■ But not in this demo ;)
No need to be a member of the « Domain Controllers » group or a real server!
● https://twitter.com/gentilkiwi/statuses/637402457740562432 (2015)
Running a DC
● MS-ADTS (Active Directory Technical Specification) is the AD Bible. 625 pages!
● Completed by [MS-DRSR] (replication), [MS-LSAT] (Local Security Authority), [MS-NRPC] (netlogon), [MS-SAMR] (Security Account Management), …
Wait: you break MS-ADTS rules! 1/625
MS-SAMR 3.1.1.8.7 unicodePwd: “The ntPwdHistory attribute MUST be updated with the new unicodePwd attribute value”
MS-SAMR 3.1.1.8.5 clearTextPassword: If the RID of the objectSid attribute is DOMAIN_USER_RID_KRBTGT and the requesting protocol is a change-password protocol, the server MUST abort the request and return an error status.
What can be done with your own DC?
Push any changes that …
● … a normal DC will push, WITHOUT LOGGING. Example: change the primary group to 519 (member of the Enterprise Admins group)
● … only a DC will prepare, WITHOUT LOGGING. Example: add the Enterprise Admins group SID in the SIDHistory attribute
● … are partial changes, WITHOUT LOGGING. Example: pushing a HASH as the old password hash without changing the current HASH of the account nor the last password change date
Going Forensic
● A consultant in an incident response company has been tasked by Fabritoso to investigate some unusual activity
● The consultant suspects a possible Active Directory compromise
● He wants to validate or discard this hypothesis
Getting replication metadata
repadmin /showobjmeta <DC> <Object>
Replication metadata:
• Public information
• Stored in LDAP (replmetadata) and RPC
Also visible with Ldp.exe
Decrypting replication metadata
Each entry of the metadata contains:
● the attribute id (e.g. « description »)
● the version of the attribute value (e.g. « 2 »)
● the local USN = number of the change as seen locally
● the DC which made the modification
● the USN of the DC which made the change
● the date when the change occurred on the remote DC
Idea: recover the attacker timeline by analysing the AD changes
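The following added example (not code from the talk) works the timeline idea through on the six metadata fields listed above, and also covers the three DCShadow payloads of the "What can be done with your own DC?" slide. It takes the metadata of one user object as a list of records, orders it by the local USN (which is assigned by the DC you query, so the originator cannot choose it, whereas originating DSA, USN and time travel with the change and are under the pushing DC's control) and flags two things: attributes originated by a DSA that is not in the defender's list of DCs, and an ntPwdHistory update that is not accompanied by the unicodePwd and pwdLastSet updates that MS-SAMR requires. The records are constructed, and the DSA naming and known-DC list are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class MetaEntry:
    attribute: str         # attribute id (e.g. "description")
    version: int           # version of the attribute value
    local_usn: int         # USN of the change as seen by the DC we queried
    originating_dsa: str   # DC (DSA) which made the modification
    originating_usn: int   # USN on the DC which made the change
    originating_time: str  # date of the change on the remote DC (ISO 8601)


# DSAs of the legitimate DCs (defender's inventory), in the site\server form repadmin prints.
KNOWN_DSAS = {
    "Default-First-Site-Name\\DC1",
    "Default-First-Site-Name\\DC2",
    "Default-First-Site-Name\\DC3",
}

# Attributes the talk names as DCShadow targets: primary group, SIDHistory, password history.
SENSITIVE = {"primaryGroupID", "sIDHistory", "ntPwdHistory", "unicodePwd"}

# Constructed metadata for one user object, as repadmin /showobjmeta would list it (not a capture).
# The last three rows are what a rogue DC named WKS42 would leave behind.
SAMPLE_METADATA = [
    MetaEntry("objectClass", 1, 1001, "Default-First-Site-Name\\DC1", 1001, "2017-03-01T09:00:00Z"),
    MetaEntry("unicodePwd", 3, 4120, "Default-First-Site-Name\\DC1", 4120, "2017-12-05T08:15:00Z"),
    MetaEntry("pwdLastSet", 3, 4120, "Default-First-Site-Name\\DC1", 4120, "2017-12-05T08:15:00Z"),
    MetaEntry("description", 2, 5500, "Default-First-Site-Name\\DC2", 3300, "2018-01-02T10:00:00Z"),
    MetaEntry("ntPwdHistory", 4, 8802, "Default-First-Site-Name\\WKS42", 2, "2018-01-24T22:10:00Z"),
    MetaEntry("sIDHistory", 1, 8803, "Default-First-Site-Name\\WKS42", 3, "2018-01-24T22:10:01Z"),
    MetaEntry("primaryGroupID", 2, 8804, "Default-First-Site-Name\\WKS42", 4, "2018-01-24T22:10:02Z"),
]


def timeline(entries: list[MetaEntry]) -> list[MetaEntry]:
    """Order the changes by local USN, the one field the originator did not supply."""
    return sorted(entries, key=lambda e: e.local_usn)


def analyse(entries: list[MetaEntry], known_dsas: set[str] = KNOWN_DSAS) -> list[tuple[str, str]]:
    """Return (attribute, reason) pairs for changes that do not look like normal DC activity."""
    findings = []
    for e in timeline(entries):
        if e.originating_dsa not in known_dsas:
            tag = "sensitive " if e.attribute in SENSITIVE else ""
            findings.append((e.attribute,
                             f"{tag}attribute originated by unknown DSA {e.originating_dsa} "
                             f"(originating USN {e.originating_usn}, {e.originating_time})"))
    # A regular password change writes unicodePwd, pwdLastSet and ntPwdHistory in one update,
    # so they share a local USN. ntPwdHistory moving on its own is the partial change the talk describes.
    by_attr = {e.attribute: e for e in entries}
    hist = by_attr.get("ntPwdHistory")
    if hist is not None:
        for companion in ("unicodePwd", "pwdLastSet"):
            c = by_attr.get(companion)
            if c is None or c.local_usn < hist.local_usn:
                findings.append(("ntPwdHistory",
                                 f"partial password change: ntPwdHistory (local USN {hist.local_usn}) "
                                 f"updated without {companion}"))
                break
    return findings


if __name__ == "__main__":
    for e in timeline(SAMPLE_METADATA):
        print(f"{e.local_usn:>6} {e.originating_dsa:<32} {e.attribute}")
    for attribute, reason in analyse(SAMPLE_METADATA):
        print("FINDING:", attribute, "-", reason)
```

Run over the metadata of privileged accounts and of krbtgt, this gives the investigator a first list of objects to look at even when the SIEM saw nothing, because the metadata is public and is written by the receiving DC rather than by the logging pipeline. The originating time is still worth recording for the report, but the local USN is the field to trust for ordering.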
Tracking schema changes
● Changing default permissions in the schema is a powerful backdoor
● Can be tracked easily by monitoring the attribute schemaInfo (MS-ADTS 3.1.1.2.1)
● But wait … it is updated by a DC?
Work in progress
Deleting / erasing objects?
Deletion =
● Move the object
● Remove properties
● Set isDeleted
● Wait for the deletion time (180 days!)
● But the deletion time is stored in metadata
Idea: change the expiration time … Work in progress
Fabritoso hacked!
TRUSTS: the larger the company is, the easier it is to exploit trusts
DCSHADOW: DCShadow is a new domination attack aiming at SIEM bypass
METADATA: forensic analysis trusts replication data. Well, not anymore
Thanks! https://www.pingcastle.com
https://github.com/gentilkiwi/mimikatz (will be updated to release DCShadow)
Also thanks to Victor KERR for inspiring the name DCShadow