So I became a Domain Controller

Black Hat USA 2018

Presented by: Benjamin Delpy, Vincent Le Toux
Date: Thursday August 09, 2018
Time: 12:10 - 13:00
Location: South Pacific F

"They told me I could be anything I wanted, so I became a Domain Controller."

Although Samba has implemented the Active Directory replication protocol for years, it was not easy to abuse, especially on the Windows OS. The lsadump::DCSync feature in mimikatz was the first breakthrough in this area: red teamers could extract the secrets needed for Kerberos token abuse and even impersonate domain controllers. In short, it gave read access to the AD database.

Let's be granted write access! It's time to invoke the full power of a domain controller with the new lsadump::DCShadow attack, implemented in mimikatz and introduced at BlueHat IL 2018 by the mimikatz and PingCastle authors.

The immediate benefit of DCShadow is to bypass SIEMs, which look at logs collected from every DC except this specific one. But what if the replication data doesn't follow the specification? Can we do more?

Let's be creative and push partial changes, or changes forbidden by the specification: can we create backdoors with a Golden Ticket? Reach an unprotected trust via NTLM? Target admins via monitoring reports? Is the object class immutable? Can we play god by creating and killing objects at will? More?

That's not the end: once we own replication data and internal attributes, forensic analysts will have a hard time doing their job. Is DCShadow a game changer like DCSync was in its time?

Benjamin Delpy

Benjamin Delpy is a Security Researcher known as `gentilkiwi`. A security enthusiast, he publishes tools and articles that discuss products' weaknesses and prove some of his ideas. Mimikatz was the first software he developed that reached an international audience; it is now recognized as a Windows security audit tool. He has previously spoken at PHDays, ASFWS, StHack, Black Hat, BlueHat and many more.

Vincent Le Toux

Vincent Le Toux is the head of the CERT team of the ENGIE Group, a French energy utility. He is the CEO of My Smart Logon, a company specializing in smart cards (<https://www.mysmartlogon.com>), and the author of Ping Castle, an Active Directory security tool (<https://www.pingcastle.com>). He has also made many open source contributions, such as to mimikatz, OpenPGP, OpenSC, the GIDS applet, etc. Finally, he has already given presentations at security events, mainly FIRST and BlueHat.
