The Active Directory Botnet

Presented at Black Hat USA 2017, July 26, 2017, 1:30 p.m. (50 minutes)

Botnets and C&C servers are taking over the internet and are a major threat to all of us ... but what happens when these botnets and C&C servers start existing and operating inside the walls of our organisations? What if these botnets and C&C servers could bypass all of our network controls? What if these botnets and C&C servers could communicate internally across our security zones and organisations? What if micro-segmentation suddenly became useless? This brand new attack technique being released at Black Hat USA makes this nightmare a reality by turning your Active Directory Domain Controllers into C&C servers that can command a powerful internal botnet. This attack technique is a fundamental flaw within the way that nearly every organisation implements their Active Directory solution, which leaves a gaping hole within their security and their ability to contain security breaches. This is achieved by leveraging standard Active Directory attributes and features to force your Domain Controllers to act as a central communication point for all internally compromised systems. Due to the architecture of nearly every Active Directory implementation on the planet, almost all servers, workstations, laptops, mobile devices, and wireless devices throughout our organisations can connect to a Domain Controller for authentication purposes. This provides the ability for our internal Active Directory Botnet to communicate through a network of strategically placed Active Directory C&C servers. This enables all of your network access controls to be bypassed through this central authentication mechanism that automatically synchronises our botnet traffic across all of your Domain Controllers throughout your organisation. This means that our Active Directory Botnet can not only communicate across WAN sites globally, but if your Active Directory is configured with a Forest Trust with a third party, then the Active Directory Botnet is empowered with an internal cross-organisation communication channel to extend its control. So, how does the Active Directory Botnet work? Standard Active Directory accounts support over 50 user attributes that can be combined to create a communication channel between any compromised domain machine located throughout your organisation. The Active Directory Botnet Client injects unique data entries into their corresponding AD account attributes within the target Domain Controller, and begins polling to identify other compromised systems within the domain. At this point, any Active Directory Botnet Client within the domain can identify compromised machines and begin issuing commands to be executed on either individual systems or across all infected endpoints. The Active Directory Botnet Clients then execute the commands and begin tunnelling the command output back through their corresponding Active Directory account attribute fields, which are then collected by the Active Directory Botnet Client that issued the original command. Active Directory Botnet Cloaking features enable confidential communications between AD Botnet Clients to avoid detection, and has the ability to use custom Active Directory properties to bypass detection attempts. This attack provides a powerful communication channel for attacks that bypass networks access controls and enable a centralised Active Directory Command & Control solution. A series of live demonstrations of this attack will be performed during the presentation to show the attack in action. The primary way of preventing this attack is to monitor regular changes to Active Directory standard user attributes that are not typically changed on a regular basis, and by rearchitecting security zones to use different Active Directory Forests. This is a clear violation of the way that Active Directory is typically used; however, due to the overwhelming insecure architecture implementations of Active Directory, and the difficulty of changing Active Directory architectures, this new attack technique will be effective for many years to come.

Presenters:

• Ty Miller - Managing Director, Threat Intelligence Pty Ltd
  Ty Miller is the Managing Director of Threat Intelligence (www.threatintelligence.com) who are specialists in the area of penetration testing, cyber threat intelligence, and specialist security consulting. Ty runs "The Shellcode Lab" each year at Black Hat USA, he presented at Black Hat on his development of "Reverse DNS Tunnelling Shellcode", and is the creator of the "Practical Threat Intelligence" course at Black Hat USA. Ty is also a member of the Black Hat Asia Review Board. He also presented at "Ruxcon" where he demonstrated his cutting edge attack technique to force your web browser to exploit internal servers from the Internet, and also developed the Core Impact Pro covert DNS Channel for Core Security. Ty Miller was also a co-author of "Hacking Exposed Linux 3rd Edition". Ty is on the CREST Australia and New Zealand Board of Directors, runs the CREST Australia and New Zealand Technical Team and is a CREST Certified Tester and Assessor. Ty's experience not only covers penetration testing and specialist security, it also expands into traditional and cloud security architecture designs, regulations like PCI, developing and running industry benchmark accreditations, performing forensic investigations, as well as creating and executing a range of specialist security training.
• Paul Kalinin - Senior Security Consultant, Threat Intelligence Pty Ltd
  Paul Kalinin is a Senior Security Consultant at Threat Intelligence Pty Ltd, and has been working in the IT industry for 20 years with the last 8 years being dedicated as a security specialist focusing on penetration testing. Paul has attended numerous specialised security courses over the years and has achieved industry certifications such as CISSP, PCI QSA, CEH and CREST. Paul's areas of expertise include web and mobile application penetration testing, internal and external infrastructure penetration testing, wireless infrastructure penetration testing, read teaming and open source intelligence specialist. Paul has been a key player in the development of penetration testing tools, exploits, methodologies and cyber threat intelligence gathering within the Threat Intelligence team.

Links:

• https://www.blackhat.com/us-17/briefings/schedule/#the-active-directory-botnet-7423
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/The Active Directory Botnet.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/The Active Directory Botnet.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=agGHu2hTmV0
• https://www.blackhat.com/docs/us-17/wednesday/us-17-Miller-The-Active-Directory-Botnet.pdf

Similar Presentations:

• TROOPERS17 (2017) / Active Directory Security Best Practices. Top 11 Security Mistakes in Active Directory and How to Avoid Them
• NolaCon 2018 / Active Directory Security: The Journey
• TROOPERS18 (2018) / Active Directory Security: The Journey