DNS zone transfer is a legitimate feature for replicating a DNS zone from a primary DNS server to a secondary one, using the AXFR query type. Attackers, however, often abuse this mechanism during the reconnaissance phase to retrieve every record of a zone in one request, which gives them valuable information for attacking the environment. In particular, a successful zone transfer tells an attacker which computers are listed in the zone, how to reach them and, from their names and record types, what their likely roles are. Note that failed zone transfers (e.g. the requester does not have the necessary rights, or zone transfers are not configured on the server) are also detected, because the attempt itself is a reconnaissance signal.
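The following is an added example of the detection logic described above; it is not code from the original page or from the product it describes. It scans a constructed, hypothetical DNS query-log format (one line per query: timestamp, client, name, type, result) and flags every AXFR/IXFR request that did not come from an authorized secondary, reporting refused attempts as well as successful transfers. The log lines, the `AUTHORIZED_SECONDARIES` allow list and the `corp.example` zone are all constructed for the example.

```python
"""Flag DNS zone-transfer requests (AXFR/IXFR), including refused ones, per client."""
import re
from collections import defaultdict

# Constructed log lines in a hypothetical format; a real server's log will differ.
# Fields: timestamp client_ip query_name query_type result
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 corp.example AXFR SUCCESS
2024-05-01T10:00:02Z 10.0.0.5 www.corp.example A SUCCESS
2024-05-01T10:00:05Z 10.0.0.77 corp.example AXFR REFUSED
2024-05-01T10:00:06Z 10.0.0.77 corp.example IXFR REFUSED
2024-05-01T10:00:09Z 10.0.0.9 corp.example AXFR SUCCESS
2024-05-01T10:00:10Z 10.0.0.9 mail.corp.example MX SUCCESS
"""

# Constructed allow list: the only host expected to replicate the zone.
AUTHORIZED_SECONDARIES = {"10.0.0.5"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, qname, qtype, result = m.groups()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "result": result}


def detect_zone_transfers(log_text, authorized=AUTHORIZED_SECONDARIES):
    """Return {client_ip: [(zone, qtype, result), ...]} for every zone-transfer
    request worth alerting on.

    Successful transfers from an authorized secondary are normal replication and
    are skipped; everything else (any transfer from an unknown client, and even a
    refused transfer from an authorized one) is kept, because a refused AXFR is
    still evidence that someone tried."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["qtype"] not in ("AXFR", "IXFR"):
            continue
        if ev["client"] in authorized and ev["result"] == "SUCCESS":
            continue
        hits[ev["client"]].append((ev["qname"], ev["qtype"], ev["result"]))
    return dict(hits)


def classify(hits):
    """Label each flagged client: 'disclosed' if at least one transfer succeeded
    (the zone content is now in the attacker's hands), else 'attempted'."""
    return {
        client: ("disclosed" if any(r == "SUCCESS" for _, _, r in evs) else "attempted")
        for client, evs in hits.items()
    }


if __name__ == "__main__":
    found = detect_zone_transfers(SAMPLE_LOG)
    for client, label in classify(found).items():
        print(client, label, found[client])
```

Severity differs between the two labels: a `disclosed` client already holds the full host list, while an `attempted` one only tells you that reconnaissance is under way and that the server's transfer restrictions held.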
|Suspicious DC Password Change|
The critical CVE-2020-1472, known as Zerologon, abuses a cryptographic flaw in the Netlogon protocol that allows an attacker to establish a Netlogon secure channel with a domain controller as any computer account. From there, several post-exploitation techniques can be used to achieve privilege escalation, such as changing the domain controller's machine account password, coerced authentication, DCSync attacks and others. The Zerologon exploit itself is often confused with the post-exploitation activities that follow the spoofed Netlogon authentication (the bypass itself is addressed by the IOA 'Zerologon Exploitation'). This indicator focuses on one of the post-exploitation activities that can be used in conjunction with the Netlogon vulnerability: the modification of the domain controller's machine account password.
Zerologon is the branded name of a critical vulnerability (CVE-2020-1472) in Windows Server that Microsoft rated with a CVSS score of 10.0. It is an elevation of privilege that occurs when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). Exploiting it allows an attacker to compromise the domain and acquire domain administrator privileges.
Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking: the attacker requests service tickets (TGS) for accounts that have a Service Principal Name and then cracks the encrypted part of those tickets offline to recover the service account's password. The classic Kerberoasting method is covered by the
DNSAdmins exploitation is an attack that allows members of the DNSAdmins group to take control of a domain controller running the Microsoft DNS Server service. A member of the DNSAdmins group has the right to perform administrative tasks on the Active Directory DNS service, including changing the DNS server's configuration. Attackers can abuse these rights to have the DNS service load and execute malicious code in a highly privileged context, since the service runs as SYSTEM on the domain controller.
|DPAPI Domain Backup Key Extraction|
DPAPI domain backup keys are an essential part of the recovery of DPAPI secrets: any domain user's DPAPI master key can be decrypted with them. Various attack tools focus on extracting these keys from domain controllers using LSA RPC calls. Microsoft recognizes that there is no supported method to rotate or change these keys. Therefore, if the DPAPI backup keys for the domain are compromised, Microsoft recommends creating an entirely new domain from scratch, which is a costly and lengthy operation.
The critical CVE-2021-42287 can lead to an elevation of privileges on the domain from a standard account. The flaw arises from the way the domain controller handles Kerberos requests that reference a sAMAccountName that does not exist: it automatically retries the lookup with a trailing dollar sign ($) appended to the value. Combined with the ability to give a machine account a sAMAccountName without the trailing dollar sign (CVE-2021-42278), this lets an attacker obtain tickets that the KDC resolves to a targeted computer account, such as a domain controller, and impersonate it.
NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database. This file stores Active Directory secrets such as password hashes and Kerberos keys. Once the attacker has a copy of the file (together with the SYSTEM registry hive that holds the boot key needed to decrypt it), the attacker parses it offline, which provides an alternative to DCSync attacks for retrieving the Active Directory's sensitive content.
Kerberoasting is a type of attack that targets Active Directory service account credentials for offline password cracking. This attack seeks to gain access to service accounts by requesting service tickets and then cracking the service account's credentials offline. The Kerberoasting Indicator of Attack requires the activation of Tenable Identity Exposure's Honey Account feature; it sends an alert when there is a login attempt on the Honey Account or when a ticket is requested for this account.
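The following is an added example illustrating the sAMAccountName fallback described above; it is not code from the original page or from the product it describes. It models the pre-patch KDC lookup (exact match first, then the name with `$` appended) against two constructed directory snapshots, one taken while an attacker-controlled machine account is named `DC01` and one after it has been renamed back, and adds the audit a practitioner would run to catch the precondition: computer objects whose sAMAccountName lacks the trailing `$`, and names that collide with an existing `name$` account. The object names (`DC01$`, `WS042$`, `jdoe`, `EVILPC$`) and the snapshot format are constructed assumptions.

```python
"""Model of the CVE-2021-42287 '$' fallback plus an audit for the sAMAccountName precondition."""

# Constructed directory snapshot while the attacker's machine account is renamed to "DC01".
OBJECTS_DURING_ATTACK = [
    {"sAMAccountName": "DC01$", "objectClass": "computer"},
    {"sAMAccountName": "WS042$", "objectClass": "computer"},
    {"sAMAccountName": "jdoe", "objectClass": "user"},
    {"sAMAccountName": "DC01", "objectClass": "computer"},  # attacker-renamed machine account
]

# Same directory after the attacker renames the account back (constructed).
OBJECTS_AFTER_RENAME = [
    {"sAMAccountName": "DC01$", "objectClass": "computer"},
    {"sAMAccountName": "WS042$", "objectClass": "computer"},
    {"sAMAccountName": "jdoe", "objectClass": "user"},
    {"sAMAccountName": "EVILPC$", "objectClass": "computer"},
]


def names_of(objects):
    """Set of sAMAccountName values present in a snapshot."""
    return {o["sAMAccountName"] for o in objects}


def kdc_resolve(names, requested):
    """Model of the vulnerable KDC behaviour: look the name up as given and, if it
    does not exist, retry with a trailing '$'. Returns the account the KDC would
    treat as the principal, or None if neither form exists."""
    if requested in names:
        return requested
    if requested + "$" in names:
        return requested + "$"
    return None


def audit_samaccountnames(objects):
    """Find the attack precondition in a snapshot.

    computer_without_dollar: computer objects whose sAMAccountName has no trailing '$'
    collides_with_existing:  any name N (without '$') for which N + '$' also exists,
                             i.e. a name the KDC fallback would map onto another account."""
    names = names_of(objects)
    no_dollar = sorted(
        o["sAMAccountName"]
        for o in objects
        if o["objectClass"] == "computer" and not o["sAMAccountName"].endswith("$")
    )
    collisions = sorted(
        (n, n + "$") for n in names if not n.endswith("$") and n + "$" in names
    )
    return {"computer_without_dollar": no_dollar, "collides_with_existing": collisions}


if __name__ == "__main__":
    # TGT time: "DC01" exists, so the KDC issues a TGT to the attacker's account.
    print(kdc_resolve(names_of(OBJECTS_DURING_ATTACK), "DC01"))
    # Later request with that TGT: "DC01" is gone, the fallback resolves to the real DC.
    print(kdc_resolve(names_of(OBJECTS_AFTER_RENAME), "DC01"))
    print(audit_samaccountnames(OBJECTS_DURING_ATTACK))
```

The two `kdc_resolve` calls are the whole problem in miniature: the same requested name resolves to two different accounts depending on when the lookup happens, and the audit only catches the precondition while the renamed account exists, which is why continuous monitoring of sAMAccountName changes matters more than a one-off check.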
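The following is an added example covering both Kerberoasting passages on this page; it is not code from the original page or from the product it describes. It runs two checks over constructed Windows Security event 4769 (Kerberos service ticket request) records: an immediate alert on any ticket request naming the honey account, and a burst detector that counts how many distinct non-computer service accounts one requester asked RC4-encrypted tickets for within a short window, which is the signature of classic Kerberoasting. The event values, the `svc_honeypot` honey account name and the thresholds are constructed assumptions; the field names (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `IpAddress`) and the `0x17` RC4-HMAC encryption type are those of the real event.

```python
"""Detect Kerberoasting from constructed event 4769 records: honey-account hits and RC4 TGS bursts."""
from collections import defaultdict
from datetime import datetime, timedelta

HONEY_ACCOUNT = "svc_honeypot"  # constructed honey account name
RC4_HMAC = "0x17"               # TicketEncryptionType value for RC4-HMAC in event 4769


def _tgs(ts, requester, service, etype, ip):
    """Build one constructed 4769 record (only the fields the detector uses)."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample: one requester pulls RC4 tickets for several SPN accounts in seconds,
# touches the honey account, and two other users generate normal AES traffic.
EVENTS = [
    _tgs("2024-05-01T14:00:00", "jdoe@CORP", "svc_sql", "0x17", "10.0.0.31"),
    _tgs("2024-05-01T14:00:01", "jdoe@CORP", "svc_web", "0x17", "10.0.0.31"),
    _tgs("2024-05-01T14:00:01", "jdoe@CORP", "svc_backup", "0x17", "10.0.0.31"),
    _tgs("2024-05-01T14:00:02", "jdoe@CORP", "svc_sharepoint", "0x17", "10.0.0.31"),
    _tgs("2024-05-01T14:00:02", "jdoe@CORP", "WS042$", "0x17", "10.0.0.31"),   # computer SPN, ignored
    _tgs("2024-05-01T14:00:03", "jdoe@CORP", "svc_honeypot", "0x17", "10.0.0.31"),
    _tgs("2024-05-01T14:30:00", "asmith@CORP", "svc_sql", "0x12", "10.0.0.45"),  # normal AES request
    _tgs("2024-05-01T15:00:00", "bwhite@CORP", "krbtgt", "0x12", "10.0.0.46"),   # not a service account
]


def detect_kerberoasting(events, honey=HONEY_ACCOUNT, min_services=4,
                         window=timedelta(minutes=5)):
    """Return a list of alerts.

    ('honey_account_ticket_request', requester, ip): any 4769 for the honey account.
    ('rc4_tgs_burst', requester, [services]): at least `min_services` distinct
        user service accounts requested with RC4 by one requester inside `window`."""
    alerts = []

    # Honey account: a single ticket request is enough, no threshold.
    for e in events:
        if e["EventID"] == 4769 and e["ServiceName"].lower() == honey.lower():
            alerts.append(("honey_account_ticket_request", e["TargetUserName"], e["IpAddress"]))

    # Classic Kerberoasting: RC4 service tickets for many SPN accounts in a short time.
    per_requester = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Computer accounts have random 120-character passwords and krbtgt is not
        # crackable in practice, so neither is a Kerberoasting target.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), svc))

    for requester, reqs in per_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts.append(("rc4_tgs_burst", requester, sorted(services)))
                break  # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print(alert)
```

Keying the burst check on RC4 is deliberate: tools request RC4 tickets because they are far cheaper to crack than AES, so a user whose normal traffic is AES suddenly asking for RC4 tickets to several SPN accounts stands out even in a noisy domain. Tune `min_services` and `window` to your environment; the honey-account rule needs no tuning at all.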
|Massive Computers Reconnaissance|
A massive number of authentication requests against multiple computers, using the NTLM or Kerberos protocols and coming from the same source, can indicate an attack, typically an attacker enumerating the network or moving laterally across it.
|Enumeration of Local Administrators|
The local Administrators group of one or more computers was enumerated through the SAMR RPC interface, most likely with BloodHound/SharpHound. This enumeration is what lets an attacker map which accounts hold local administrator rights on which hosts, and therefore which lateral movement paths are available.
PetitPotam is a tool that coerces a target machine into authenticating to a remote system chosen by the attacker (through the MS-EFSRPC interface), generally to perform NTLM relay attacks. If PetitPotam targets a domain controller, the attacker can relay the domain controller's machine account authentication to another network service and act there as the domain controller.
Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords, so that each account sees only one or two failed attempts and no lockout is triggered. It is also known as the low-and-slow method.
A brute-force password guessing attack consists of submitting and checking every possible password or passphrase against an account until the correct one is found.
DCShadow is a late-stage kill-chain attack that allows an attacker who already holds privileged credentials to register a rogue domain controller in order to push changes to the domain through legitimate domain replication, so that the changes do not appear as directory modifications in the real domain controllers' event logs.
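The following is an added example that serves three of the passages above (massive computer reconnaissance, password spraying and brute-force password guessing); it is not code from the original page or from the product it describes. It aggregates constructed, normalized authentication events by source and classifies each source against the three patterns: many accounts with few failures each (spray), one account with many failures (brute force), and successful logons to many distinct computers (reconnaissance). The event format, the IP addresses and user names, and the thresholds in `THRESHOLDS` are constructed assumptions.

```python
"""Classify authentication sources as password spray, brute force or massive computer recon."""
from collections import defaultdict


def _ev(ts, src, user, target, ok):
    """One constructed, normalized authentication event (as a SIEM would derive
    from 4624/4625/4771 records): source address, account tried, target computer, outcome."""
    return {"ts": ts, "src": src, "user": user, "target": target, "ok": ok}


# Constructed sample covering the three patterns plus benign noise.
EVENTS = (
    # password spray: one source, eight users, a single failed attempt each
    [_ev(f"2024-05-01T09:00:{i:02d}", "10.0.0.50", f"user{i}", "DC01", False) for i in range(8)]
    # brute force: one source, one account, twelve failures
    + [_ev(f"2024-05-01T09:05:{i:02d}", "10.0.0.60", "svc_backup", "DC01", False) for i in range(12)]
    # reconnaissance: one source, successful logons to fifteen different computers
    + [_ev(f"2024-05-01T09:10:{i:02d}", "10.0.0.70", "jdoe", f"WS{i:03d}", True) for i in range(15)]
    # benign: one user, one typo then success on one file server
    + [_ev("2024-05-01T09:12:00", "10.0.0.80", "asmith", "FS01", False),
       _ev("2024-05-01T09:12:30", "10.0.0.80", "asmith", "FS01", True)]
)

# Constructed thresholds; tune to the environment's normal failure and logon rates.
THRESHOLDS = {
    "spray_users": 5,         # distinct accounts with failures from one source
    "spray_max_per_user": 3,  # spraying keeps per-account failures below lockout
    "brute_attempts": 10,     # failures against a single account
    "recon_hosts": 10,        # distinct target computers touched by one source
}


def classify_sources(events, th=THRESHOLDS):
    """Return {source_ip: [tags]} for every source that matches at least one pattern.
    A source can carry several tags (e.g. a spray that also hits many hosts)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        failures_per_user = defaultdict(int)
        for e in evs:
            if not e["ok"]:
                failures_per_user[e["user"]] += 1
        targets = {e["target"] for e in evs}

        tags = []
        if failures_per_user and max(failures_per_user.values()) >= th["brute_attempts"]:
            tags.append("brute_force")
        if (len(failures_per_user) >= th["spray_users"]
                and max(failures_per_user.values()) <= th["spray_max_per_user"]):
            tags.append("password_spray")
        if len(targets) >= th["recon_hosts"]:
            tags.append("massive_computer_recon")
        if tags:
            verdicts[src] = tags
    return verdicts


if __name__ == "__main__":
    for src, tags in classify_sources(EVENTS).items():
        print(src, tags)
```

The spray rule deliberately looks at the maximum failures per account rather than the total: the whole point of low-and-slow spraying is that no single account ever reaches the lockout threshold, so a per-account counter alone never fires. Counting distinct targets (successful or not) for the reconnaissance rule is what separates a user opening a few shares from a tool walking every host in the domain.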
|OS Credential Dumping: LSASS Memory|
After a user logs on, the Local Security Authority Subsystem Service (LSASS) keeps credential material (NTLM hashes, Kerberos tickets and keys) in its process memory, and attackers can attempt to read it from there.
A Golden Ticket attack uses the credentials of the Key Distribution Center service account (krbtgt), normally obtained after a domain controller has been fully compromised, to forge valid Kerberos Ticket Granting Tickets (TGTs) for any account. The forged tickets remain usable until the krbtgt password has been changed twice.
The DCSync command in Mimikatz allows an attacker holding directory replication rights to impersonate a domain controller and retrieve password hashes and encryption keys from other domain controllers through the directory replication protocol (MS-DRSR), without executing any code on the target.
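The following is an added example of how the DCSync behaviour described above can be spotted; it is not code from the original page or from the product it describes. It runs over constructed Windows Security event 4662 (operation performed on an object) records and raises an alert whenever a security principal that is not a domain controller machine account exercises one of the directory replication control-access rights on the domain naming context. The three right GUIDs are the real schema values; the `Properties` string layout, the account names and the `MSOL_` allow-list prefix (used here to stand for a directory synchronisation service account that legitimately replicates) are constructed assumptions.

```python
"""Detect DCSync-style replication requests from constructed event 4662 records."""
import re

# Extended rights that grant directory replication (real schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for extended (control access) rights
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def _ev(subject, properties, access_mask=CONTROL_ACCESS, obj="DC=corp,DC=example"):
    """One constructed 4662 record; Properties holds the GUIDs in a simplified single-line form."""
    return {"EventID": 4662, "SubjectUserName": subject, "ObjectName": obj,
            "AccessMask": access_mask, "Properties": properties}


# Constructed sample: normal DC-to-DC replication, a sync service account, a user
# running DCSync, a harmless write by the same user, and an account with only partial rights.
EVENTS = [
    _ev("DC02$", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ev("MSOL_5f3a2c1d", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ev("jdoe", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    _ev("jdoe", "{a7d9f2c4-1b3e-4e5f-9a8b-0c1d2e3f4a5b}", access_mask=0x20),  # constructed non-replication property
    _ev("svc_backup", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
]


def replication_rights_in(properties):
    """Names of the replication rights referenced by a 4662 Properties field, sorted."""
    guids = {g.lower() for g in GUID_RE.findall(properties)}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(events, allowed_prefixes=("MSOL_",)):
    """Return [(subject, [rights])] for every control-access 4662 that exercises a
    replication right from a principal that is neither a machine account nor on
    the allow list. Machine accounts are skipped for brevity here; in production,
    check them against the actual list of domain controllers instead."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662 or not (e["AccessMask"] & CONTROL_ACCESS):
            continue
        rights = replication_rights_in(e["Properties"])
        if not rights:
            continue
        subject = e["SubjectUserName"]
        if subject.endswith("$") or subject.startswith(allowed_prefixes):
            continue
        alerts.append((subject, rights))
    return alerts


if __name__ == "__main__":
    for subject, rights in detect_dcsync(EVENTS):
        print(subject, rights)
```

Only a principal holding DS-Replication-Get-Changes-All can pull secrets, so an alert that lists both rights is a credential-theft event, while one that lists only DS-Replication-Get-Changes is still worth a look because that right alone is unusual for a non-DC account. Auditing "Replicating Directory Changes" on the domain object must be enabled for 4662 to be logged at all; without it this detector sees nothing.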