Botnet Turns Active Directory Domain Controllers to C2 Servers

Researchers at the Australian security company, Threat Intelligence Pty Ltd., have created a possibly devastating botnet that exploits infected victims Active Directory Domain Controllers, resulting in internally hosted command and control servers.

Active Directory is a Microsoft directory service for Windows that domain networks & stores information on network components, automates network management of user data, and authenticates and authorizes users while enforcing security policies.

The attack method can use the AD as a central connecting point for any infected node or endpoint in the system, allowing the attacker to enable two-way communication with each other even when segmented into separate security zones.

Hypothetically, if an organization were to get infected by an AD botnet through a phishing attack, the attacker could utilize one of over 50 writable and readable AD user attributes to take over the domain controllers as a central communications point. Ty Miller, Managing Director of Threat Intelligence, further explained, “This means that we can utilize that connection to bypass all of your network access controls and all of your firewall rules because you’ve got that gaping hole where everything can communicate in one central place.”

The AD botnet was demonstrated yesterday at Black Hat 2017 in Las Vegas, where the goal was to create a botnet that could potentially bypass internal firewalls, defeat network segmentation, and leverage an infected organization’s cloud domain controllers to exfiltrate data.

Threat Intelligence suggests a few tips to help mitigate the threat. First, separate your domains into different domains based on security roles. This will help prevent users in one domain from escalating privileges by bypassing network filtering. The company also suggests taking note of any odd values in standard user attributes, monitoring regular changes of personal information attributes, and restricting permissions for standard users to update their attributes.

 

NNT also suggests:

  • Regularly run File Integrity Monitoring checks to detect new or changed system files
  • Ensure ex-employees rights are removed promptly to prevent ex-employees retaining access rights
  • Regularly review Domain Admin accounts for any change of privilege or new account creation- using Event Log Management solutions like NNT Log Tracker

 

Read this article on SCMagazine

 

 

Cloud and Container Security
The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

Netwrix
6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)


[email protected]
 

United Kingdom

Netwrix
5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023


 [email protected]
Information
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.