TY MILLER & PAUL KALININ

The Active Directory Botnet

Botnets and C&C servers are taking over the internet and are a major threat to all of us ... but what happens when these botnets and C&C servers start existing and operating inside the walls of our organisations? What if these botnets and C&C servers could bypass all of our network controls? What if these botnets and C&C servers could communicate internally across our security zones and organisations? What if micro-segmentation suddenly became useless?

This brand new attack technique makes this nightmare a reality by turning your Active Directory Domain Controllers into C&C servers that can command a powerful internal botnet. This attack technique is a fundamental flaw within the way that nearly every organisation implements their Active Directory solution, which leaves a gaping hole within their security and their ability to contain security breaches.

This is achieved by leveraging standard Active Directory attributes and features to force your Domain Controllers to act as a central communication point for all internally compromised systems.

Due to the architecture of nearly every Active Directory implementation on the planet, almost all servers, workstations, laptops, mobile devices, and wireless devices throughout our organisations can connect to a Domain Controller for authentication purposes.

This allows the Active Directory Botnet to communicate through a network of strategically placed Active Directory C&C servers. All of your firewalls and network access controls are bypassed through this central authentication mechanism, which automatically synchronises our botnet traffic across all of your Domain Controllers throughout your organisation.

This means that our Active Directory Botnet can not only communicate across WAN sites globally, but if your Active Directory is configured to sync to the cloud, then this introduces a whole other level.

So how does the Active Directory Botnet work? Standard Active Directory accounts support over 50 user attributes that can be combined to create a communication channel between any compromised domain machines located throughout your organisation.

The Active Directory Botnet Client injects unique data entries into their corresponding AD account attributes within the target Domain Controller, and begins polling to identify other compromised systems within the domain. At this point, any Active Directory Botnet Client within the domain can identify compromised machines and begin issuing commands to be executed on either individual systems or across all infected endpoints.

The Active Directory Botnet Clients then execute the commands and begin tunnelling the command output back through their corresponding Active Directory account attribute fields, which are then collected by the Active Directory Botnet Client that issued the original command.

Not only does the Active Directory Botnet enable remote command execution for any domain system, it also has the capability to provide a transparent TCP data channel that ultimately turns your entire security architecture into a flat network.

A series of live demonstrations of this attack will be performed during the presentation to show the attack in action, including remote command execution, backdoor uploads, and multiple transparent data transfer techniques.

The primary ways of preventing this attack are to lock down access to change standard user attributes in AD, to monitor changes to standard user attributes that are not typically modified on a regular basis, and to rearchitect security zones to use separate Active Directory Forests. This attack is a clear violation of the way that Active Directory is typically used; however, due to the overwhelmingly insecure architecture of most Active Directory implementations, and the difficulty of changing Active Directory architectures, this new attack technique will be effective for many years to come.
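As an added defensive example (not code from the talk or its authors), the following Python flags the write pattern described above: repeated rewrites of a rarely-changed user attribute, or values that look like encoded blobs, over records modelled on the fields of Windows Security event 5136 (directory service object modified). The attribute baseline, the thresholds and the sample events are assumptions constructed for the example.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: attributes that admins rarely edit on user or service accounts.
# A real deployment would derive this baseline from its own change history.
RARELY_CHANGED = {"info", "description", "wWWHomePage", "streetAddress", "comment"}
# Base64-looking or hex-looking values of 32+ chars: the shape of tunnelled data.
ENCODED = re.compile(r"^(?:[A-Za-z0-9+/]{32,}={0,2}|[0-9A-Fa-f]{32,})$")

def looks_encoded(value):
    """True when an attribute value looks like an encoded blob rather than prose."""
    return bool(ENCODED.match(value))

def find_suspicious(events, window=timedelta(minutes=10), threshold=3):
    """events: dicts with keys time (ISO 8601), dn, attr, value; one record per
    write (real 5136 events log a delete and an add). Returns sorted (dn, attr, reason)."""
    by_key = defaultdict(list)
    for e in events:
        if e["attr"] in RARELY_CHANGED:
            by_key[(e["dn"], e["attr"])].append(e)
    findings = []
    for (dn, attr), evs in by_key.items():
        times = sorted(datetime.fromisoformat(e["time"]) for e in evs)
        # Sliding window: `threshold` writes to one rarely-changed attribute
        # inside `window` is a polling/beaconing pattern, not an admin edit.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            findings.append((dn, attr, "rapid repeated writes"))
        if any(looks_encoded(e["value"]) for e in evs):
            findings.append((dn, attr, "encoded-looking value"))
    return sorted(findings)

# Constructed sample log (not real data): a service account being used as a
# channel, plus one legitimate HR edit that must not be flagged.
BLOB = base64.b64encode(b"constructed sample payload bytes, not real output").decode()
SVC_DN = "CN=svc-print,OU=Service,DC=corp,DC=example"
USER_DN = "CN=jsmith,OU=Staff,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"time": "2020-01-01T10:00:00", "dn": SVC_DN, "attr": "info", "value": BLOB},
    {"time": "2020-01-01T10:02:00", "dn": SVC_DN, "attr": "info", "value": BLOB.swapcase()},
    {"time": "2020-01-01T10:04:00", "dn": SVC_DN, "attr": "info", "value": BLOB},
    {"time": "2020-01-01T10:06:00", "dn": SVC_DN, "attr": "info", "value": BLOB.swapcase()},
    {"time": "2020-01-01T11:00:00", "dn": USER_DN, "attr": "description", "value": "Moved to Finance"},
]

if __name__ == "__main__":
    for dn, attr, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {dn} {attr}: {reason}")
```

In production the records would come from Domain Controller security logs with auditing of directory service changes enabled, and the baseline set would be tuned per forest.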

TY MILLER & PAUL KALININ BIO

Ty Miller is the Managing Director of Threat Intelligence Pty Ltd (www.threatintelligence.com), a specialist security company based in Australia. Ty holds a position on the Black Hat Asia Review Board and the CREST ANZ Board of Directors, and leads the CREST Technical Team.

He is a long-term trainer for Black Hat, running “The Shellcode Lab” and “Practical Threat Intelligence”, and is a presenter at security conferences including Ruxcon, Black Hat USA, Black Hat DC, and Hack In The Box, amongst many others. This includes presenting on “Reverse DNS Tunneling Shellcode” at Black Hat USA, “BeEF Bind Shellcode” at Ruxcon, and others including “Machine Learning and Modern Malware Mitigations”, “Securing Your Startup to Secure Big Brands”, “Modern Threat Detection and Prevention” and “Can your application be breached?”.

Ty has developed attack techniques for global security firms including the “DNS Channel Payload” for Core Impact and is a co-author of “Hacking Exposed Linux 3rd Edition”.

Paul Kalinin is a Senior Security Consultant at Threat Intelligence Pty Ltd. Paul has presented his security research at Black Hat and has run the Practical Threat Intelligence training at Black Hat USA.

Paul has been working in the IT industry for 20 years, the last 8 of them as a security specialist focusing on penetration testing. Paul has achieved a range of industry certifications such as CISSP, PCI QSA, CEH and CREST.

Paul's areas of expertise include web and mobile application penetration testing, internal and external infrastructure penetration testing, wireless infrastructure penetration testing, red teaming and open source intelligence.

Paul has been a key player in the development of penetration testing tools, exploits, methodologies and cyber threat intelligence gathering within the Threat Intelligence team.