There was a time when cyberattacks on identity and authentication infrastructures [like Active Directory (AD)] were immensely challenging to perform. A lot of forethought had to be put into devising a plan for the careful execution of attacks, and advanced technical knowledge of domains and networks was a requisite. Over time, with the advent of open-source pen testing tools, the knowledge gap and the complexities involved to carry out a full-scale cyberattack have narrowed drastically.
AD attacks: Understanding the intent
The objective of AD attacks, or attacks on any identity administration infrastructure, is pretty simple: to gain the highest access in the shortest time possible. Regardless of the source of the attack or the point of intrusion, attackers are always looking to escalate privileges. And the highest level of access in AD is access to a domain controller (DC), because then attackers gain instant administrative access to every critical resource in the network.
AD attack kill chain
AD attacks are performed in multiple phases; attackers typically infect an end-user workstation (since they have less stringent security controls), scan the domain for vulnerabilities or misconfigured permissions, and exploit them to move laterally and gain access to a server higher up in the network hierarchy, like a business-critical file server or a DC.
But what if we told you that an attacker could impersonate the role of a DC and stealthily extract sensitive domain information?
Replication between DCs in AD
An organization’s IT infrastructure often needs more than one DC for their AD. To keep information between the DCs consistent, the AD objects must be replicated through those DCs.
Most of the replication-related tasks are specified on the Microsoft Directory Replication Service Remote Protocol (MS-DRSR). The Microsoft API that implements the protocol is called DRSUAPI.
The client DC sends a DSGetNCChanges request when it wants to get AD object updates from the second DC. The response contains a set of updates from the second DC that the client DC has to apply to the NC replica (a structure that stores replication information).
Let’s see how attackers take advantage of the replication function in AD, which cannot be turned off or disabled.
Exploiting replication privileges to access sensitive domain data
Offensive open-source tools can utilize specific commands within MS-DRSR to simulate the behavior of a DC and fetch domain user password hashes.
Such attacks are known as post-exploitation attacks, because attackers need access to a user account that has replication privileges in AD. Administrators, Domain Admins, and Enterprise Admins generally have the rights required. But more specifically, the following rights are required:
Once the access is acquired, the steps to perform the attack are fairly straightforward.
The attacker discovers a DC to request replication.
A simple one-line command, such as NLTEST /dclist:[ Domainname], can help determine DC names, including details such as the Primary DC and the DCs’ site names.
Replication changes are requested using the GetNCChanges function.
The DC returns the replication data, including password hashes, to the requester.
Check out this short video to see how the attack is executed.
Mitigating replication attacks with ManageEngine Log360
With Log360, you can:
Detect in real time when replication permissions are assigned to unauthorized users.
Track memberships of privileged groups like Domain Admins and Enterprise Admins, which have domain replication privileges by default.
Monitor the network for any illicit DC IP addresses that are not allowed to perform replication.
Discover the execution of malicious open-source tools by monitoring Windows processes and scripts.
Further, with the ability to configure customized alerts and instantly mitigate damage by shutting down devices, terminating user sessions, or carrying out more actions based on the scripts configured, you can rest assured that every sensitive change is brought to notice and acted upon.
Download a trial version of Log360 now to stay safe from AD attacks.