Active Directory (AD) enterprise attack vectors continue to get a lot of attention from security researchers. If history is our guide, it is only a matter of time before we see more active exploits in the wild. I sat in on Ty Miller and Paul Kalinin’s Black Hat presentation, “The Active Directory Botnet”, this year, where they unveiled a novel way to use, or more accurately abuse, Active Directory user attributes to create a communication channel between compromised domain machines anywhere in the organization.
Before we get into the mechanics of the botnet, we need to examine Active Directory user attributes to understand how they can be abused.
There are over 200 user attributes within Active Directory, and they are readable by every machine that is a member of the domain. Behind the scenes, each attribute is stored as either binary data or a string. Attribute sizes vary from a few bytes up to 1 MB in the case of some binary attributes. This storage is where the botnet injects data for later use.
Now let’s take a look at how the Active Directory botnet operates. Like any botnet setup, there is a botmaster and there are slaves. In this scenario, the compromised host injects data entries into their corresponding Active Directory account attributes and queries other machines in the domain to identify compromised systems.
This approach allows the botmaster (or other slaves) to identify compromised machines and begin issuing commands to be executed on either individual systems or across all infected endpoints. Once commands are executed, the responses are tunneled back through the corresponding Active Directory account attribute fields, where they are collected by the master or slave that issued the original command. The botnet also has a cloaking feature that enables confidential communications between hosts, along with the ability to use custom Active Directory properties to bypass detection attempts.
This technique provides a powerful communication channel that bypasses network access controls (NAC) and enables a centralized Active Directory Command & Control solution. Domain separation and network segmentation cannot stop the communication, because the botnet piggybacks on legitimate Active Directory traffic; disabling that traffic would break Active Directory itself.
Once communication is established, binary attributes are used to download files from remote locations with a binary-to-text Base64 encoding. Now the bots can communicate externally via reverse shells, which are also used for exfiltrating data outside of the organization.
The primary way of preventing this attack with native Microsoft solutions is to monitor changes to standard Active Directory user attributes that are not typically changed on a regular basis. The challenge is that user attributes are updated regularly, and with over 200 attributes, monitoring even small Active Directory environments is not feasible for most organizations. Splitting the environment into separate domains based on security roles will also help reduce the impact, but it does not remove the threat to each of those domains.
To effectively defend against Active Directory botnets, we need to first reduce the attack surface. In this scenario, I created a policy within StealthINTERCEPT to lock down attributes in my environment that I know will not be updated with any frequency.
This is especially useful for removing access to those large attributes that are used for downloading additional software. I then built on this by configuring a policy that only allows domain administrators to alter attributes that we do not need users updating themselves. Should the botnet attempt to write to any of these attributes, the action is blocked and logged, and we receive an alert about the attempt. With our attack surface reduced, we can now monitor the rest of the attributes for abnormal activity and alert when we see activity associated with attribute abuse.
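The monitoring half of that approach, as an added example that is not from the original post or from StealthINTERCEPT: a small detector over Windows Security event 5136 ("A directory service object was modified") records that flags the write patterns described above, namely changes to attributes that are rarely updated legitimately and unusually large or Base64-looking values. The event records are constructed and reduced to the few 5136 fields the logic needs, and the set of "rarely changed" attributes is an assumption that would be baselined per environment.

```python
import base64
import binascii
from typing import Dict, List

# Assumed baseline: attributes writable by ordinary domain members that are
# rarely changed legitimately. Baseline this per environment before alerting.
RARELY_CHANGED = {"info", "comment", "thumbnailPhoto", "jpegPhoto", "carLicense"}
MAX_VALUE_LEN = 512        # larger than any typical directory field value
VALUE_ADDED = "%%14674"    # 5136 OperationType resource id for "Value Added"
VALUE_DELETED = "%%14675"  # 5136 OperationType resource id for "Value Deleted"


def looks_like_base64(value: str) -> bool:
    """True if value is long enough to be payload-like and decodes as Base64."""
    if len(value) < 64 or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons one 5136 record is suspicious (empty list == benign)."""
    reasons: List[str] = []
    if event.get("OperationType") != VALUE_ADDED:   # deletions carry no payload
        return reasons
    attr, value = event["LDAPDisplayName"], event.get("AttributeValue", "")
    if attr in RARELY_CHANGED:
        reasons.append(f"write to rarely-changed attribute {attr}")
    if len(value) > MAX_VALUE_LEN:
        reasons.append(f"oversized value ({len(value)} chars) in {attr}")
    if looks_like_base64(value):
        reasons.append(f"Base64-looking value in {attr}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run assess() over a batch of records and keep only the flagged ones."""
    return [{"subject": e["SubjectUserName"], "object": e["ObjectDN"],
             "attribute": e["LDAPDisplayName"], "reasons": r}
            for e in events if (r := assess(e))]


# Constructed sample records (not real log data): a routine HR edit, a large
# Base64 blob written into the 'info' attribute, and a value deletion.
SAMPLE_EVENTS = [
    {"SubjectUserName": "hr-admin", "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "LDAPDisplayName": "telephoneNumber", "AttributeValue": "+1 555 0100",
     "OperationType": VALUE_ADDED},
    {"SubjectUserName": "jdoe", "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "LDAPDisplayName": "info", "AttributeValue": base64.b64encode(b"x" * 600).decode(),
     "OperationType": VALUE_ADDED},
    {"SubjectUserName": "jdoe", "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "LDAPDisplayName": "info", "AttributeValue": "old note",
     "OperationType": VALUE_DELETED},
]
```

In practice the records would come from the Security log (with "Audit Directory Service Changes" enabled) and the baseline set would be tuned against a few weeks of normal attribute activity.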
If you have been following Jeff Warren’s Active Directory Attack Series, you know there are many ways an attacker can gain Domain Admin rights in Active Directory, as is also evident from the number of AD-focused presentations at Black Hat this year. These new techniques use our own infrastructure against us for exfiltrating data, hiding in plain sight, and maintaining persistence—adding to the list of AD threats we must actively defend against.
In my next blog, I am going to explain how attackers exploit Discretionary Access Control List (DACL) misconfigurations in Active Directory as backdoors to create hidden persistence.
To register for the webinar on Active Directory Botnets & DACL Backdoors: How Attackers Exploit Native AD Capabilities to Achieve Domain Persistence, please click here.
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies responsible for end-to-end product vision and innovation. With a 16 year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.