
04 AD Attacks

Brute force on LDAP
DCShadow
DCSync
MITRE ATT&CK technique T1207 (Rogue Domain Controller)
DCShadow is implemented in mimikatz's lsadump module. After compromising privileged credentials, the attacker registers a rogue domain controller; because the legitimate DCs then accept it as a replication partner, the adversary can push arbitrary (schema-valid) changes into the directory without touching the DCs' own logging of object modifications.
1) The attacker obtains Domain Admin (or equivalent) permissions.
2) The attacker registers a compromised workstation as a domain controller, so that the legitimate DCs trust it as a source of replicated changes.
3) The attacker submits changes for replication, such as a password hash, account attributes, or security group membership.
4) Once replication is triggered, the changes are committed on the legitimate DCs and the attacker can use them to extract data or persist in the domain.
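The following PowerShell is an added example and is not part of the original notes or of mimikatz: it hunts for the two traces DCShadow leaves in the Security log on a legitimate DC, event 4742 (computer account changed) in which a non-DC host acquires DC-only SPNs (a "GC/" SPN and the DRS RPC interface GUID used as an SPN class), and event 4928 (replica source naming context established) naming a replication source that is not a known DC. The DC list, hostnames and event records below are constructed; the event field names used by the helper (TargetUserName, ServicePrincipalNames, SourceDRA) are those of the Windows event XML.

```powershell
# Added example, not from the original notes: hunt for DCShadow indicators.
# SPN class registered for the MS-DRSR (replication) RPC interface; only real DCs carry it.
$DrsInterfaceGuid = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

function Find-DcShadowIndicator {
    param(
        # Objects with Id plus, for 4742: TargetAccount, ServicePrincipalNames;
        # for 4928: SourceDRA (the NTDS Settings DN of the replication source).
        [Parameter(Mandatory)] [object[]] $Events,
        # Legitimate DC hostnames without the trailing '$'.
        [Parameter(Mandatory)] [string[]] $KnownDCs
    )
    foreach ($e in $Events) {
        if ($e.Id -eq 4742) {
            $hostName = "$($e.TargetAccount)".TrimEnd('$')
            # The 4742 field lists every SPN on the account, whitespace separated.
            $spns   = @("$($e.ServicePrincipalNames)" -split '\s+' | Where-Object { $_ })
            $dcOnly = @($spns | Where-Object { $_ -like 'GC/*' -or $_ -like "$DrsInterfaceGuid/*" })
            if ($dcOnly.Count -gt 0 -and $KnownDCs -notcontains $hostName) {
                [pscustomobject]@{ EventId = 4742; Host = $hostName
                                   Reason = 'DC-only SPN on a non-DC computer account'
                                   Detail = ($dcOnly -join ' ') }
            }
        }
        elseif ($e.Id -eq 4928 -and "$($e.SourceDRA)" -match '^CN=NTDS Settings,CN=([^,]+),') {
            $src = $Matches[1]
            if ($KnownDCs -notcontains $src) {
                [pscustomobject]@{ EventId = 4928; Host = $src
                                   Reason = 'replication source is not a known DC'
                                   Detail = $e.SourceDRA }
            }
        }
    }
}

function ConvertFrom-SecurityEvent {
    # Map real Get-WinEvent records onto the shape Find-DcShadowIndicator expects.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Id = $Record.Id; TargetAccount = $d['TargetUserName']
                           ServicePrincipalNames = $d['ServicePrincipalNames']; SourceDRA = $d['SourceDRA'] }
    }
}

# Constructed sample: one benign DC, one workstation that just became a "DC", one
# benign and one suspicious replication partner. WS-FIN07 is the assumed rogue host.
$knownDCs = 'DC01', 'DC02'
$sample = @(
    [pscustomobject]@{ Id = 4742; TargetAccount = 'DC02$'
                       ServicePrincipalNames = "GC/dc02.corp.local/corp.local`nldap/dc02.corp.local" }
    [pscustomobject]@{ Id = 4742; TargetAccount = 'WS-FIN07$'
                       ServicePrincipalNames = "GC/ws-fin07.corp.local/corp.local`n$DrsInterfaceGuid/4f1c2a8e-0000-4000-8000-000000000001/corp.local`nHOST/ws-fin07.corp.local" }
    [pscustomobject]@{ Id = 4928; SourceDRA = 'CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local' }
    [pscustomobject]@{ Id = 4928; SourceDRA = 'CN=NTDS Settings,CN=WS-FIN07,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local' }
)
Find-DcShadowIndicator -Events $sample -KnownDCs $knownDCs | Format-Table -AutoSize

# Against a real DC (run as an account that can read the Security log):
# Find-DcShadowIndicator -KnownDCs $knownDCs -Events (
#     Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742, 4928 } | ConvertFrom-SecurityEvent)
```

Only the WS-FIN07 records should be reported from the sample. Both events require auditing to be on (Computer Account Management for 4742, Detailed Directory Service Replication for 4928), and the rogue object is usually removed quickly after the push, so the query is most useful against centrally forwarded logs rather than a DC's live log.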
MITRE ATT&CK sub-technique T1003.006 (OS Credential Dumping: DCSync)
DCSync is a credential dumping technique: the adversary simulates the replication behaviour of a domain controller and asks a real DC to replicate directory data, including password hashes, over MS-DRSR (the Directory Replication Service Remote Protocol). It cannot be disabled, because MS-DRSR is what the DCs themselves use to replicate and AD does not work without it.
What the attack actually requires is the replication extended rights on the domain naming context, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (DS-Replication-Get-Changes-In-Filtered-Set for attributes in the filtered set), not Domain Admin membership as such. Members of Administrators, Domain Admins, Enterprise Admins and Domain Controllers hold these rights by default, and any other principal that has been granted them (a backup or sync service account, for example) can run DCSync too.
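The following PowerShell is an added example, not part of the original notes or of mimikatz, covering both sides of the DCSync paragraph above: Get-DcSyncPrincipal lists which principals hold the replication extended rights on the domain object (the audit a defender should run), and Find-DcSyncEvent flags Security event 4662 where an account that is not a DC exercised one of those rights (the usual DCSync detection). The domain DN, DC names, principals, ACL entries and event records below are constructed; the GUIDs are the real controlAccessRight GUIDs from the AD schema.

```powershell
# Added example, not from the original notes: audit and detect the rights DCSync needs.
# controlAccessRight GUIDs from the AD schema.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$ExtendedRight = 256   # [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-DcSyncPrincipal {
    # $Rules: the .Access entries of the domain object's ACL, on a real domain
    #   (Get-Acl -Path "AD:\DC=corp,DC=local").Access   # needs the ActiveDirectory module
    param([Parameter(Mandatory)] [object[]] $Rules)
    $found = foreach ($r in $Rules) {
        if ("$($r.AccessControlType)" -ne 'Allow') { continue }
        if (-not ([int]$r.ActiveDirectoryRights -band $ExtendedRight)) { continue }
        $type = "$($r.ObjectType)".ToLower()
        if ($ReplRights.ContainsKey($type)) {
            [pscustomobject]@{ Identity = "$($r.IdentityReference)"; Right = $ReplRights[$type] }
        }
        elseif ($type -eq [guid]::Empty.ToString()) {
            # Empty ObjectType with ExtendedRight set = every extended right (e.g. a GenericAll
            # grant), which includes the replication rights, so report it as well.
            [pscustomobject]@{ Identity = "$($r.IdentityReference)"; Right = 'ALL extended rights (implies DCSync)' }
        }
    }
    $found | Group-Object Identity | ForEach-Object {
        [pscustomobject]@{ Identity = $_.Name; Rights = (($_.Group.Right | Sort-Object -Unique) -join ', ') }
    }
}

function Find-DcSyncEvent {
    # $Events: objects with Id, SubjectUserName, AccessMask and Properties (the 4662 field
    # listing the GUIDs of the rights/attributes accessed). Real records can be mapped from
    # Get-WinEvent XML the same way as in the DCShadow example above.
    param([Parameter(Mandatory)] [object[]] $Events, [Parameter(Mandatory)] [string[]] $KnownDCs)
    foreach ($e in $Events) {
        if ($e.Id -ne 4662) { continue }
        $used    = @($ReplRights.Keys | Where-Object { "$($e.Properties)" -match $_ })
        $mask    = [int]$e.AccessMask                     # '0x100' = Control Access, as string or int
        $subject = "$($e.SubjectUserName)".TrimEnd('$')
        # DCs legitimately replicate; an Azure AD Connect sync account (MSOL_*) would also
        # need to be allow-listed in a real deployment.
        if ($used.Count -gt 0 -and ($mask -band 0x100) -and $KnownDCs -notcontains $subject) {
            [pscustomobject]@{ Subject = $e.SubjectUserName
                               Rights  = (($used | ForEach-Object { $ReplRights[$_] }) -join ', ') }
        }
    }
}

# Constructed ACL entries in the shape of ActiveDirectoryAccessRule (svc-backup and
# helpdesk are the assumed over-privileged principals).
$sampleAcl = @(
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Controllers'; ActiveDirectoryRights = 256; AccessControlType = 'Allow'; ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Controllers'; ActiveDirectoryRights = 256; AccessControlType = 'Allow'; ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\svc-backup'; ActiveDirectoryRights = 256; AccessControlType = 'Allow'; ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\svc-backup'; ActiveDirectoryRights = 256; AccessControlType = 'Allow'; ObjectType = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' }
    [pscustomobject]@{ IdentityReference = 'CORP\helpdesk'; ActiveDirectoryRights = 256; AccessControlType = 'Allow'; ObjectType = '00000000-0000-0000-0000-000000000000' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; ActiveDirectoryRights = 131220; AccessControlType = 'Allow'; ObjectType = '00000000-0000-0000-0000-000000000000' }  # GenericRead
)
Get-DcSyncPrincipal -Rules $sampleAcl | Format-Table -AutoSize

# Constructed 4662 records: a DC replicating, a user account replicating, and an unrelated read.
$sampleEvents = @(
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'DC01$'; AccessMask = '0x100'; Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'jdoe';  AccessMask = '0x100'; Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; SubjectUserName = 'jdoe';  AccessMask = '0x10';  Properties = '{00000000-0000-4000-8000-0000000000aa}' }  # constructed, unrelated attribute
)
Find-DcSyncEvent -Events $sampleEvents -KnownDCs 'DC01', 'DC02' | Format-Table -AutoSize
```

From the sample ACL, Domain Controllers is expected, svc-backup is the entry to investigate, and helpdesk shows up because an unscoped extended-rights grant covers the replication rights; Authenticated Users is dropped because its mask has no ExtendedRight bit. From the sample events, only jdoe should be reported. For 4662 to exist at all, "Audit Directory Service Access" must be enabled and the domain object's SACL must audit Control Access for Everyone.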