How to Spot and Stop Advanced DCE/RPC Attacks in Active Directory?

In the previous blog, we described how to catch attackers targeting Active Directory (AD) in the reconnaissance stage, one of the earliest stages of an attack. We focused mainly on the LDAP protocol and on flagging suspicious queries.

In part two, we describe how to detect more advanced Active Directory attacks that are based on the DCE/RPC protocol.

Within an AD environment, attacks based on the DCE/RPC protocol pose a significant threat. They can compromise domain controllers, escalate privileges, or facilitate lateral movement within the network. Active Directory relies on the RPC mechanism for many of its operations, which makes it an attractive target for adversaries.

We will focus on detecting the following Active Directory attacks using Network Traffic Analysis (NTA):

  • DCSync
  • DCShadow
  • Extraction of domain DPAPI backup key from Domain Controllers

DCSync Attack

About DCSync

Mitre: T1003.006
Attack name: DCSync
Common attacking tools: Mimikatz, Impacket

An attacker who has compromised an AD user account can pretend to be a Domain Controller (DC) and ask for sensitive information, provided the compromised account holds the “Replicating Directory Changes” or “Replicating Directory Changes All” permission.

The attacker leverages the Directory Replication Service Remote Protocol, which domain controllers use to replicate with each other. In particular, they call the DsGetNCChanges function, which retrieves data updates from the DC.

While the attacker typically uses Mimikatz in these attacks, other tools can do the same. Regardless of the tool, it asks the DC for the user and computer NTLM hashes stored in the AD database file (NTDS.DIT). Once the attacker has the hashes, they can attempt to crack them offline and recover passwords. If they obtain the hash of the krbtgt service account, they can forge Kerberos tickets in a golden ticket attack.

Figure: Attacker using Mimikatz with DCSync to discover the NTLM hash of the Administrator account

How to detect DCSync Attack?

When using the DCE/RPC protocol, the client first specifies which RPC interface it wants to connect to (the bind). Once bound, it specifies which RPC procedure it wants to call. In a DCSync attack, the attacker sends a bind request for the DRSUAPI interface and, after the binding completes, sends a DsGetNCChanges request to the server, which is a request for AD object updates. Detecting these packets when they travel from a non-DC to a DC lets us catch the DCSync attack in real time.

To detect a DCSync attack, we will analyze traffic between non-DC hosts and a DC. We will capture the following packets for the detection:

1. DCE/RPC bind request for the DRSUAPI interface:

Figure: DCE/RPC bind request for the DRSUAPI interface

2. DRSUAPI packet with a DsGetNCChanges request:

Figure: DRSUAPI packet with a DsGetNCChanges request

DCShadow Attack

About DCShadow

Mitre: T1207
Attack name: DCShadow
Common Attacking tools: Mimikatz

In a DCShadow attack, the attacker registers a machine as a DC, which allows them to push changes into the AD environment through replication from the rogue DC to the legitimate DCs. The attacker needs to compromise a Domain Admin or Enterprise Admin account to perform the attack.

After registering the rogue DC, an attacker can change any AD object attributes in the domain.

The attack has a lot in common with DCSync. However, while DCSync gives the attacker the ability to read information from the DC, DCShadow allows the attacker to write to and update the DC.

Figure: DCShadow attack using Mimikatz

Detection Techniques for DCShadow

Like DCSync, DCShadow uses the DRSUAPI interface. The attack relies on the following RPC procedures:

  • DrsAddEntry: the attacker sets the SPN of the rogue DC to “GC/*” in the domain Configuration partition.
  • DrsReplicaAdd: the attacker pushes the malicious Active Directory objects they changed to the DC.

To detect DCShadow, we will monitor for a bind request to the DRSUAPI interface followed by RPC procedure requests for DrsAddEntry and DrsReplicaAdd, and alert on requests originating from non-DCs to a DC.

To detect a DCShadow attack, we will monitor traffic between non-domain controllers and DCs. We will capture the following packets for the detection:

1. DCE/RPC bind request for the DRSUAPI interface:

Figure: DCE/RPC bind request for the DRSUAPI interface

2. DRSUAPI packet with a DrsAddEntry request:

Figure: DRSUAPI packet with a DrsAddEntry request

3. DRSUAPI packet with a DrsReplicaAdd request:

Figure: DRSUAPI packet with a DrsReplicaAdd request

Reading the Domain DPAPI Backup Key from a Domain Controller

Mitre: T1555.003
Attack name: Domain DPAPI backup key extraction
Common Attacking tools: Mimikatz, SharpDPAPI, Impacket

Windows provides a mechanism for protecting asymmetric private keys, passwords, and other confidential data. The mechanism, the Data Protection API (DPAPI), performs symmetric encryption of data and lets developers encrypt data without implementing the underlying encryption algorithm themselves. Every Windows user has a DPAPI master key that is used to encrypt and decrypt their data.

Common uses of DPAPI encryption include:

  • Network passwords in Credential Manager
  • Google Chrome cookies and login data
  • User PINs and fingerprint data in Windows 8
  • Wi-Fi passwords
  • VPN passwords
  • Email account passwords

In an AD environment, the DPAPI master key is encrypted with the user's domain password. Decrypting a DPAPI master key allows an attacker to read all the data protected by it. The domain controllers provide a backup mechanism to recover domain users' master keys (for the case of lost passwords). For every domain, the domain controllers hold one public/private key pair associated with DPAPI. Clients in the domain use the domain DPAPI backup public key to encrypt their master key. If an attacker gains access to the domain DPAPI backup private key, they can decrypt any domain user's DPAPI master key and thereby reveal all the confidential data encrypted with it. The attacker requires admin privileges to extract the domain backup key from the domain controllers.

Detecting the DPAPI backup key attack

Attackers use the LsaRetrievePrivateData function of the LSARPC interface to request the domain backup key from the DC. To identify the attack, we will flag a DCE/RPC bind request for the LSARPC interface followed by an LsaRetrievePrivateData request sent to the DC.

To detect a domain DPAPI backup key extraction attack, we will analyze all the traffic going into the DC and look for attempts to retrieve the domain DPAPI backup key.

We will capture the following packets for the DPAPI detection:

1. DCE/RPC bind request for the LSARPC interface:

Figure: DCE/RPC bind request for the LSARPC interface

2. LSARPC packet with an LsaRetrievePrivateData request:

Figure: LSARPC packet with an LsaRetrievePrivateData request
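The three detections above (DCSync, DCShadow and domain DPAPI backup key extraction) all follow the same shape: remember which interface each presentation context was bound to, then match the opnum of later request PDUs and alert only when the source is not a known DC. The following Python is an added example written for this post; it is not Fidelis code and not part of the original article. It assumes the caller has already extracted the raw DCE/RPC PDUs from TCP or the SMB named pipe, handles only little-endian NDR PDUs, takes the list of domain controllers as input, and replays constructed sample PDUs with made-up IP addresses. The interface UUIDs and opnums come from the public MS-DRSR and MS-LSAD specifications.

```python
import struct
import uuid
from dataclasses import dataclass

# Interface UUIDs and opnums as published in MS-DRSR (drsuapi) and MS-LSAD (lsarpc).
DRSUAPI = uuid.UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")
LSARPC = uuid.UUID("12345778-1234-abcd-ef00-0123456789ab")
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # transfer syntax used in sample binds

# Procedures the post tells us to watch, keyed by interface UUID and opnum.
WATCHED = {
    DRSUAPI: {3: ("DsGetNCChanges", "DCSync"),
              5: ("DrsReplicaAdd", "DCShadow"),
              17: ("DrsAddEntry", "DCShadow")},
    LSARPC: {43: ("LsaRetrievePrivateData", "Domain DPAPI backup key extraction")},
}

PTYPE_REQUEST, PTYPE_BIND, PTYPE_ALTER_CONTEXT = 0, 11, 14
# Common 16-byte header: rpc_vers, minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id
HDR = struct.Struct("<BBBB4sHHI")


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    interface: str
    procedure: str
    technique: str


def parse_pdu(data: bytes):
    """Decode one PDU into ('bind', {ctx_id: iface}) or ('request', ctx_id, opnum); else None."""
    if len(data) < HDR.size:
        return None
    vers, _minor, ptype, _flags, drep, frag_len, _auth, _call_id = HDR.unpack_from(data)
    if vers != 5 or not drep[0] & 0x10:  # connection-oriented, little-endian PDUs only
        return None
    body = data[HDR.size:frag_len]
    if ptype in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        n_ctx, off, ctxs = body[8], 12, {}  # skip max_xmit, max_recv, assoc_group_id
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack_from("<HBx", body, off)
            ctxs[ctx_id] = uuid.UUID(bytes_le=body[off + 4:off + 20])  # abstract syntax UUID
            off += 4 + 20 + 20 * n_ts  # ctx header + abstract syntax + transfer syntaxes
        return ("bind", ctxs)
    if ptype == PTYPE_REQUEST:
        _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", body, 0)
        return ("request", ctx_id, opnum)
    return None


class RpcDetector:
    """Tracks binds per (src, dst) and flags watched calls from non-DC hosts to a DC."""

    def __init__(self, domain_controllers):
        self.dcs = set(domain_controllers)
        self.contexts = {}  # (src, dst) -> {ctx_id: interface UUID}

    def feed(self, src, dst, pdu):
        parsed = parse_pdu(pdu)
        if parsed is None:
            return None
        ctxs = self.contexts.setdefault((src, dst), {})
        if parsed[0] == "bind":
            ctxs.update(parsed[1])
            return None
        _, ctx_id, opnum = parsed
        iface = ctxs.get(ctx_id)
        hit = WATCHED.get(iface, {}).get(opnum)
        # DC-to-DC replication uses exactly these calls, so only a non-DC source is suspicious.
        if hit and dst in self.dcs and src not in self.dcs:
            return Alert(src, dst, str(iface), hit[0], hit[1])
        return None


def _header(ptype, body_len, call_id):
    return HDR.pack(5, 0, ptype, 0x03, b"\x10\x00\x00\x00", HDR.size + body_len, 0, call_id)


def build_bind(ctx_id, iface, if_version, call_id=1):
    """Constructed bind PDU: one presentation context, NDR32 transfer syntax."""
    ctx = (struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<I", if_version)
           + NDR32.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIB3x", 5840, 5840, 0, 1) + ctx
    return _header(PTYPE_BIND, len(body), call_id) + body


def build_request(ctx_id, opnum, stub=b"", call_id=2):
    """Constructed request PDU; the stub data does not matter for this detection."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _header(PTYPE_REQUEST, len(body), call_id) + body


def run_demo():
    """Replay constructed traffic (made-up IPs) and return the alerts raised, in order."""
    det = RpcDetector(domain_controllers={"10.0.0.10", "10.0.0.11"})
    traffic = [
        ("10.0.0.50", "10.0.0.10", build_bind(0, DRSUAPI, 4)),   # workstation -> DC: DCSync
        ("10.0.0.50", "10.0.0.10", build_request(0, 3)),
        ("10.0.0.11", "10.0.0.10", build_bind(0, DRSUAPI, 4)),   # DC -> DC: normal replication
        ("10.0.0.11", "10.0.0.10", build_request(0, 3)),
        ("10.0.0.77", "10.0.0.10", build_bind(1, DRSUAPI, 4)),   # rogue host: DCShadow
        ("10.0.0.77", "10.0.0.10", build_request(1, 17)),
        ("10.0.0.77", "10.0.0.10", build_request(1, 5)),
        ("10.0.0.50", "10.0.0.10", build_bind(2, LSARPC, 0)),    # workstation: DPAPI backup key
        ("10.0.0.50", "10.0.0.10", build_request(2, 43)),
        ("10.0.0.50", "10.0.0.10", build_request(2, 44)),        # LSARPC opnum not on watch list
    ]
    return [a for a in (det.feed(*pkt) for pkt in traffic) if a]


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.technique}: {a.src} -> {a.dst} {a.procedure} ({a.interface})")
```

The DC-to-DC pair in the demo is the important negative case: the same bind and DsGetNCChanges request are normal replication when both ends are domain controllers, so the allow-list of DCs is what keeps the rule from alerting on every replication cycle. In a real deployment the PDUs would come from a capture decoder (TCP for DRSUAPI via the endpoint mapper, the lsarpc named pipe over SMB for LSARPC), and binds that arrive in an `alter_context` PDU are handled the same way as a plain bind.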

Conclusion

Cyber threat actors continually develop new techniques to gain access to sensitive data. By exploiting Active Directory weaknesses, attackers can escalate privileges and move laterally within your network, potentially compromising your entire domain. Applying detection measures helps catch attackers early and prevent severe damage.

To ensure the safety of your organization, it’s essential to keep your systems up to date and install an automated detection system like Fidelis Elevate®. Known for its comprehensive protection, spanning network, endpoint, and Active Directory security, Fidelis Elevate® helps to proactively defend against cyber threats and active attacks. 


Arad Inbar

Arad Inbar is a security researcher at Fidelis Security, specializing in deception. He has been analyzing network traffic and malware for over 5 years.
