Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash.

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence.

Baseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects. Leverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies. Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 49).
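The two detection ideas above (a baseline of nTDSDSA objects in the Configuration partition, and DirSync with a stored replication cookie so each run only sees what changed) can be combined in one scheduled script. The following is an added example written for this page, not code from the original page or from MITRE; it assumes the RSAT ActiveDirectory module, an account holding the "Replicating Directory Changes" right on the Configuration naming context (DirSync requires it), and a state directory whose path (`$StatePath`) is an arbitrary choice. The check on `serverReference` and `primaryGroupID` is an extra triage heuristic of the example, not something the page states.

```powershell
# Added example: alert on nTDSDSA objects that appear in the Configuration partition
# after a baseline was taken, using a DirSync replication cookie between runs.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$StatePath    = 'C:\ProgramData\ntdsdsa-monitor'          # assumed location
$CookieFile   = Join-Path $StatePath 'dirsync.cookie'
$BaselineFile = Join-Path $StatePath 'ntdsdsa-baseline.json'
New-Item -ItemType Directory -Path $StatePath -Force | Out-Null
$firstRun = -not (Test-Path $BaselineFile)

# DirSync requires the search base to be the head of a naming context,
# so search the whole Configuration NC and filter on objectClass.
$configNC = (Get-ADRootDSE).configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$configNC"
$searcher.SearchScope = 'Subtree'
$searcher.Filter      = '(objectClass=nTDSDSA)'
[void]$searcher.PropertiesToLoad.AddRange(@('objectGUID', 'whenCreated', 'isDeleted'))

# A stored cookie makes the server return only objects changed since the last run.
if (Test-Path $CookieFile) {
    $cookie = [System.IO.File]::ReadAllBytes($CookieFile)
    $searcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization($cookie)
} else {
    $searcher.DirectorySynchronization = New-Object System.DirectoryServices.DirectorySynchronization
}

# Baseline: objectGUID -> distinguishedName of every known nTDSDSA object.
$baseline = @{}
if (-not $firstRun) {
    (Get-Content $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
}

$alerts = @()
foreach ($r in $searcher.FindAll()) {
    if ($r.Properties['isdeleted'].Count -gt 0 -and $r.Properties['isdeleted'][0]) { continue }
    $dn   = $r.Path -replace '^LDAP://([^/]+/)?', ''
    $guid = [guid]::new([byte[]]$r.Properties['objectguid'][0]).Guid
    if ($firstRun -or $baseline.ContainsKey($guid)) { $baseline[$guid] = $dn; continue }

    # New nTDSDSA object: its parent is the server object, whose serverReference
    # names the computer account. A genuine DC's computer account normally has
    # primaryGroupID 516 (Domain Controllers); anything else deserves a look.
    $serverDN  = $dn -replace '^[^,]+,', ''        # assumes no escaped commas in the RDN
    $serverRef = (Get-ADObject -Identity $serverDN -Properties serverReference).serverReference
    $pgid      = $null
    if ($serverRef) { $pgid = (Get-ADObject -Identity $serverRef -Properties primaryGroupID).primaryGroupID }
    $alerts += [pscustomobject]@{
        NTDSDSA         = $dn
        WhenCreated     = $r.Properties['whencreated'][0]
        ServerReference = $serverRef
        PrimaryGroupID  = $pgid
        Suspicious      = ($pgid -ne 516)
    }
    $baseline[$guid] = $dn
}

# Persist the cookie and the updated baseline for the next run.
[System.IO.File]::WriteAllBytes($CookieFile, $searcher.DirectorySynchronization.GetDirectorySynchronizationCookie())
$baseline | ConvertTo-Json | Set-Content -Path $BaselineFile -Encoding UTF8

if ($firstRun) { Write-Output "Baseline recorded: $($baseline.Count) nTDSDSA objects." }
elseif ($alerts.Count -eq 0) { Write-Output 'No new nTDSDSA objects since last run.' }
else { $alerts | Format-Table -AutoSize }   # hand these rows to the SIEM or ticketing system
```

Run it once to establish the baseline, then on a schedule. Because the cookie is issued by the DC the script talked to, keep the state directory on the monitoring host that always queries the same DC; a result row whose `ServerReference` points at a computer account outside the Domain Controllers group, or that appears without any corresponding DC promotion, is exactly the event this technique's detection guidance asks you to alert on.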