Active Directory: What can make your million dollar SIEM go blind?

Transcription

1 Active Directory: What can make your million dollar SIEM go blind?

2 Whoarewe Vincent LE TOUX Main Security researcher CEO of «My Smart Logon» (smart card & windows authentication) CONTRIBUTIONS Author of Ping Castle ( (few) Contributions in Mimikatz Smart card (GIDS applet, OpenSC,.) I m : Check a few boxes here Benjamin DELPY Guest «Technical Security Kiwi researcher at night AUTHOR OF MIMIKATZ This little program that he wrotes to learn C And kekeo, for personal usage ;) I m not: Bachelor, CISSP, CISA, OSCP, CHFI, CEH, ISO*, MCSA, CHFI, PASSI, [...] 2

3 What will be presented Domains & risks discovery With a : Corporate like infrastucture simulated A Real demo inside ;) PingCastle mimikatz DCShadow A new domain post exploitation / domination concept Included in mimikatz lsadump module ;) YES! With A Real demo inside too! 3

4 Story: a Merger Fabrikam, Inc Contoso Ltd Fabritoso Corp To facilitate the merge, both IT department have been asked to allows accounting teams to share data and to help in the «one accounting» team creation. While this operation takes time, Executives decided to subcontract some IT operations with the company Awesome Computers. You have been tasked to exfiltrate data related to the merger. 4

5 Attack plan 1. Explore and take control of the target domain via trusts 2. Bypass controls by running our own «DC»! Entry point Target Change this attribute to own the domain And then exfiltrate data 5

6 What AD defenders assume? No trust relationship The merger data is isolated from third parties. The defense team is not aware of the changes instructed by the management and lead by the infrastructure team Monitoring based on Logs or public data AD logs are sent to a SIEM which correlates data in real time. Presence of batches to do some health checking. 6

7 1 Build a map & reach the target Exploit Trusts

8 Should you care about trusts? Real life example (1): Large company with 300 domains trusted including 2 other large companies 10 smaller companies Remember NotPetya? A large company got infected through a former subsidiary with a 250M impact Most vulnerable: merger, join venture, newly bought companies, (1)

9 Basic discovery techniques Note: also accessible via nltest.exe /domain_trusts Forest information (all child domains, UPN routing) Trust information (partner, attributes, direction,..) Trust information accessible for ANY users (including trusted ones) 9

10 Aiming Fabritoso via Awesome computers it.fabrikam.com + (?) *.ac.com it.fabrikam.com Basic discovery techniques tech.ac.com ac.com 10

11 Too basic: go deeper! Basic Partition data SID lookup Domain Locator Basic discovery Explore trusted domains Information used to evaluate permissions Abuse DC locator service nltest /domain_trusts CN=Configuration SID History and ForeignSecurity Principals How DC are located 11

12 Technique#1: Partition data Every domain controller contains the partition Configuration, which stores configuration objects for the entire forest, The Configuration partition includes the definition of the AD partitions (=domains) in cn=partitions,cn=configuration,dc=forestrootdoma in Information gained: Domains list of the forest Shared among all DC of a forest TRUST to a domain (not a forest) = Read the Forest Configuration = Get all domains information of the Forest 12

13 Aiming Fabritoso via Awesome computers *.fabrikam.com + (?) *.ac.com it.fabrikam.com Partition data tech.ac.com ac.com fabrikam.com 13

14 Technique#2: SID lookup Foreign users of a domain have a SID (S-1-5- ) related to their domain Bastion CN=ForeignSecurityPrincipal s SIDHistory account attribute Migration List of Foreign Domain SID SID Translation (LsaLookupSid) List of most trusted domains 14

15 Aiming Fabritoso via Awesome computers *.fabrikam.com + (?) *.ac.com acc.contoso.com it.fabrikam.com SID Lookup bastion.fabri fabrikam.com tech.ac.com ac.com 15

16 Technique#3: Domain Locator You Ask a DC in a domain you can connect To locate a DC in a domain it trusts And return its forest info A good old NT4 service ([MS-ADTS] ) In practive: nltest /Server:trustedDC /DsGetDC:domainToQuery 16

17 Aiming Fabritoso via Awesome computers Domain locator service contoso.com acc.contoso.com it.fabrikam.com bastion.fabri fabrikam.com tech.ac.com ac.com 17

18 Demo time #1 Domain discovery PingCastle with cartography mode #2 Compromise via trust Mimikatz with: DCSync Golden ticket 18

19 2 Avoid SIEM detection: run your own DC! Install your own DC with DCShadow and enjoy your next GEN backdoor

20 A typical AD monitoring architecture We want to be granted admin rights to THIS server Replication DC2 Investigation DC1 Log collection Log mgmt Correlation SIEM Alerts SOC / CSIRT DC3 Incident response 20

21 What does a SIEM monitor? A «Security Information & Event Management» does: Keep a trace of all changes (permissions, attribute, account creation, membership, ) Raise alerts on sensitive group change (domain admin, enterprise admin, accounting, ) Raise alerts on connection to critical assets with unusual accounts (aka Domain Controllers) Detect some attack patterns: Bruteforce Simultaneous use of an account Good monitoring also tracks basic dcsync 21

22 How to avoid a SIEM? A «Security Information & Event Management» relies on log to trigger alerts. Global idea: remove the logs causing alerts Idea#1: Alter the log policy Problem: SIEM alerts based on log volume Idea#2: take control of a DC Problem:!! DC login!! Idea#3: Run your own DC and push changes to other DC 22

23 Previous attempts to alter DC data Require HW instructions not enabled by default Install a VM and run a DC Patch here: Mimikatz MISC::AddSid Inject in LSASS (not public) Require to login to a DC A layered view of a DC DSInternals offline operations + DC recovery process Until now, no easy way to edit localy or remotely the DC database

24 A new attack: DCShadow What is really a DC? 1. A RPC server implementing MS-DRSR 2. A record in the Configuration partition + known SPN 3. A server in the domain controllers group 4. A server promotted to AD DS role 24

25 Installation of a DC No need to be a member of the «domain controller» group What is really needed to register a DC? 1. A change in the configuration partition (domain admin only?) 2. A modification of the SPN of a computer account that the attacker owns 25

26 Special function [MS-DSRS] DrsAddEntry User View Internal View x xd Used to add special objects like DC DrsAddEntry is not limited to DC registration! OID AttID 26

27 Running a DC What is really needed to run a DC? 1. Impersonate the computer account to use its SPN 2. Run a RPC server listening for minimal APIs (like DrsGetNCChanges dcsync) 3. Trigger a replication Use DrsReplicaAdd on the computer (require DS-Replication-Manage- Topology and DS-Replication-Synchronize Administrator ) OR wait for the KCC event for 15 minutes. But not in this demo ;) No need to be a member of the «domain controller» group or a real server! 27

28 Running a DC (2015) 28

29 Demo time 29

30 Wait: you break MS-ADTS rules! MS-ADTS (Active Directory Technical Specification) is the AD Bible. 625 pages! Completed by [MS-DRSR] (replication), [MS-LSAT] Local security authority, [MS-NRPC] (netlogon), [MS- SAMR] Security account management, MS-SAMR: unicodepwd The ntpwdhistory attribute MUST be updated with the new unicodepwd attribute value 1/625 MS-SAMR: cleartextpassword If the RID of the objectsid attribute is DOMAIN_USER_RID_KRBTGT and the requesting protocol is a change-password protocol, the server MUST abort the request and return an error status. 30

31 What can be done with your own DC? Push any changes that a normal DC will push WITHOUT LOGGING Example: Change the primary group as 519 (member of the Enterprise admin group) only a DC will prepare WITHOUT LOGGING Example: add the Enterprise admin group SID in the SIDHistory attribute are partial changes WITHOUT LOGGING Example: Pushing an HASH as the old password hash without changing the current HASH of the account nor the last password change date 31

32 Breaking the rules Setting any SIDHistory Setting «whenchanged» to Bastille day 32

33 Demo time the last one ;) 33

34 A DC does not accept everything You cannot set a NULL DACL Nor the attribute «WhenCreated» 34

35 3 «We are being hacked!» Incident response

36 Going Forensic A consultant in an incident response company has been tasked by Fabritoso to investigate some unsual activity The consultant suspects a possible Active Directory compromission He wants to validate or discard this hypothesis

37 Getting replication Metadata Replication metadata: Public information Stored in ldap (replmetadata) and RPC Ldp.exe repadmin /showobjmeta <DC> <Object> 37

38 Decrypting replication Metadata Attribute id («description») DC which mades the modification Version of the attribute value («2») Local USN = # of the change seen locally USN of the DC which made the change Date when the change occured on the remote DC Idea: recover the attacker timeline by analysing the AD changes 38

39 Tracking Schema changes MS-ADTS Changing default permission in schema is a powerfull backdoor Can be tracked easily by monitoring the attribute schemainfo But wait it is updated by a DC? Work in progress 39

40 Deleting Erasing objects? Deletion = Move the object Removed properties Set IsDeleted Wait for deletion time (180 days!) But deletiontime is stored in metadata Idea: change the expiration time Work in progress 40

41 Conclusion

42 Fabritoso hacked! TRUSTS The larger the company is the easier it is to exploit trusts DCSHADOW DCShadow is a new domination attack aiming at SIEM bypass METADATA Forensic analysis trust replication data. Well, not anymore 42

43 Thanks! (will be updated to release DCShadow) Also thanks to Victor KERR for inspiring the name DCShadow 43