As a persistent attacker moves laterally through your network harvesting more and more credentials as they go, the holy grail is obvious. When a bad guy gains Domain Admin authority in AD it’s “Game over, Dude!” – right? Well I’ll grant that is a very bad situation but the attacker shouldn’t feel safe.
Organizations that are alert will hopefully detect the misuse of the account. Or, if you are using privileged account management, the password will get changed. Or any other of a host of good things may happen that leads to discovery and disruption of the attack.
That’s why your above-average adversary wants to make minimal and short-term use of those stolen credentials – basically just use them to establish persistent privileged access. And they want to establish that access as quietly as possible.
So, a sophisticated attacker won’t start exfiltrating data with stolen domain admin credentials. Nor will they simply create a new user and add it to the Domain Admins group to use as a persistent back door account, because at a minimum I hope you are watching for Event IDs 4728, 4732 and 4756 (member added to a security-enabled global, domain-local or universal group) where the group is Domain Admins, Administrators, et al.
Instead, they will use something like DCSync or DCShadow. Both are features of Mimikatz, and both let an attacker who has already gained privileged access talk to AD through the replication protocol that domain controllers use with each other, so the activity never shows up in the Security Log the way a normal change does. DCSync asks a DC to replicate account secrets (password hashes, including krbtgt’s) to the attacker; DCShadow pushes attacker-chosen changes into AD from a rogue DC.
With DCShadow this means you can do things like create a new user account and make it a member of Domain Admins without a peep from Windows auditing. How do these tools fly under the radar like this? They take advantage of how replication between domain controllers works. As you know, AD uses a multi-master replication model where a change, such as a new user account, can originate on any writable DC (not on a read-only DC) and AD will make sure it replicates to the rest of them. But the change is only logged by the DC where it originates – nothing is said about the change in the Security Logs of the other DCs that receive it via replication. DCShadow exploits exactly that: it registers a rogue DC and replicates its changes to the legitimate DCs, so no real DC ever logs the change as originating there. DCSync uses the same replication interface in the other direction, asking a real DC for what a replication partner would receive, including password hashes, so the attacker never has to run a credential dumper on the DC itself. (The one place a DCSync does surface is Event ID 4662 on the DC that serves the request, and only if Directory Service Access auditing is enabled there.) Of course, both tools depend on the attacker’s already privileged access to AD, and that’s why bad guys use them for persistence – not for gaining privileged access in the first place.
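The two detections mentioned above, the watch for privileged-group additions (4728/4732/4756) and the 4662 replication-request check that catches a DCSync, as an added example that is not part of the original post or of Mimikatz. The events are constructed samples shaped like the EventData fields Windows writes for these IDs; the GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, and the "computer accounts end in $ so they are DCs" shortcut and the list of privileged groups are assumptions a production rule would tighten. DCShadow is deliberately absent: it pushes changes from a rogue DC rather than requesting replication, so this rule does not see it.

```python
import re

# Event IDs logged when a member is added to a security-enabled group:
# 4728 = global group, 4732 = domain-local group, 4756 = universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Groups whose membership changes always deserve a look
# (assumption: extend this for your own domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators",
                     "Enterprise Admins", "Schema Admins"}

# Extended-right GUIDs that appear in the Properties field of Event ID 4662
# when an account asks a DC for replication data (the call DCSync makes).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def is_dc_account(subject):
    """Computer accounts end in '$'; real DCs replicate to each other all day.
    Assumption: a production rule would use an explicit list of DC accounts
    and of other legitimate replicators (e.g. a directory sync service)."""
    return subject.endswith("$")


def check_event(ev):
    """Return an alert string for one event, or None if it looks benign."""
    eid = ev["EventID"]
    # Privileged group membership change: TargetUserName holds the group name.
    if eid in GROUP_ADD_EVENTS and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
        return (f"{eid}: {ev['SubjectUserName']} added {ev['MemberName']} "
                f"to {ev['TargetUserName']}")
    # Replication request from something that is not a domain controller.
    if eid == 4662:
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        if guids & REPLICATION_GUIDS and not is_dc_account(ev["SubjectUserName"]):
            return (f"4662: {ev['SubjectUserName']} requested directory replication "
                    f"from a non-DC account (DCSync pattern)")
    return None


def scan(events):
    """Run check_event over a batch of events and keep only the alerts."""
    return [alert for alert in map(check_event, events) if alert]


# Constructed sample events (not captured from a real domain). Field names
# follow the EventData names shown in the XML view of these events.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Marketing",
     "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run against the samples, this flags the Domain Admins addition and the replication request made by the user account, and stays quiet for the ordinary group change, the DC-to-DC replication and the logon. The 4662 branch only has something to read if "Audit Directory Service Access" is enabled on the DCs; without it, a DCSync leaves nothing for this rule to find.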
In this technical webinar, my guests Adam Driscoll and Lee Berg will show us how DCSync and DCShadow work. We’ll actually demonstrate them in the lab.
Here’s some of what we’ll cover:
- The AD kill chain
- “OK, now I have domain admin creds… it’s not over yet!”
- The Goals of Persistence
- Technical Discussion of Domain Replication Protocols
- How DCSync works and demo
- How DCShadow works and demo
- What a realistic attack looks like
- Post-Exploitation Tools
This is going to be an awesome, hands-on, technical, hacker-style Real Training for Free event. Please join us.