Botnets and C&C servers are taking over the internet and are a major threat to all of us ... but what happens when these botnets and C&C servers start existing and operating inside the walls of our organisations? What if these botnets and C&C servers could bypass all of our network controls? What if these botnets and C&C servers could communicate internally across our security zones and organisations? What if micro-segmentation suddenly became useless?
This brand new attack technique being released at Black Hat USA makes this nightmare a reality by turning your Active Directory Domain Controllers into C&C servers that can command a powerful internal botnet. This attack technique is a fundamental flaw within the way that nearly every organisation implements their Active Directory solution, which leaves a gaping hole within their security and their ability to contain security breaches. This is achieved by leveraging standard Active Directory attributes and features to force your Domain Controllers to act as a central communication point for all internally compromised systems.
Due to the architecture of nearly every Active Directory implementation on the planet, almost all servers, workstations, laptops, mobile devices, and wireless devices throughout our organisations can connect to a Domain Controller for authentication purposes. This provides the ability for our internal Active Directory Botnet to communicate through a network of strategically placed Active Directory C&C servers. This enables all of your network access controls to be bypassed through this central authentication mechanism that automatically synchronises our botnet traffic across all of your Domain Controllers throughout your organisation. This means that our Active Directory Botnet can not only communicate across WAN sites globally, but if your Active Directory is configured with a Forest Trust with a third party, then the Active Directory Botnet is empowered with an internal cross-organisation communication channel to extend its control.
So, how does the Active Directory Botnet work? Standard Active Directory accounts support over 50 user attributes that can be combined to create a communication channel between any compromised domain machine located throughout your organisation. The Active Directory Botnet Client injects unique data entries into their corresponding AD account attributes within the target Domain Controller, and begins polling to identify other compromised systems within the domain. At this point, any Active Directory Botnet Client within the domain can identify compromised machines and begin issuing commands to be executed on either individual systems or across all infected endpoints.
The Active Directory Botnet Clients then execute the commands and begin tunnelling the command output back through their corresponding Active Directory account attribute fields, which are then collected by the Active Directory Botnet Client that issued the original command. Active Directory Botnet Cloaking features enable confidential communications between AD Botnet Clients to avoid detection, and has the ability to use custom Active Directory properties to bypass detection attempts. This attack provides a powerful communication channel for attacks that bypass networks access controls and enable a centralised Active Directory Command & Control solution.
A series of live demonstrations of this attack will be performed during the presentation to show the attack in action. The primary way of preventing this attack is to monitor regular changes to Active Directory standard user attributes that are not typically changed on a regular basis, and by rearchitecting security zones to use different Active Directory Forests. This is a clear violation of the way that Active Directory is typically used; however, due to the overwhelming insecure architecture implementations of Active Directory, and the difficulty of changing Active Directory architectures, this new attack technique will be effective for many years to come.