DCSync and DCShadow

I had recently a chat with Benjamin Delpy, the father of Mimikatz about his last findings (with Vincent Le Toux), DCSync and DCShadow – first presented at the Bluehat IL 2018 conference – now included in his tool.

Context | Domain controllers often talk with each other, and the protocol they use is MS-DRSR (apparently not very well documented)

DCSync | When a DC wants to update its data requesting another DC, it calls an API, using domain admin or DC$ creds. What if this API is called by something which is not a DC ?

Among all the available methods, one is very interesting : DRSGetNCChanges. It is used “To obtain all change of the targeted object (using its GUID)”. This allows for example, from an old XP, to pull password hashes from a DC without login to the DC, or retrieving the AD database file – ntds.dit.

DCShadows | With this attack you can use a computer account in the domain, to be seen as a target for domain replication... which will partially and shortly behave as if it was a DC. Then you can force a legit DC to come and synchronize, allowing you to change all the parameters you want, like for example : modify unmodifiable params, add new entries to admin groups, avoid generating event logs, etc. (as for DCSync, privileged accounts are needed)

Conclusion | These are not vulnerabilities, thus, nothing to patch. These are clever methods to break AD infrastructures. Seem easy, but there is a lot of work behind. Specific detection technics have to be defined. Probably MS Threat Analytics (ATA) and methods inspired by database security (like AD database monitoring to detect strange changes) will help.

 
 
 
 
 
 
Partager sur Twitter  |  Partager sur LinkedIn