1. Home
  2. Techniques
  3. Enterprise
  4. 伪造域控制器

伪造域控制器

伪造域控制器是攻击者通过注册或重用非授权域控制器,操纵Active Directory数据的高级攻击技术。该技术利用Active Directory的多主机复制机制,通过模拟合法域控制器行为注入恶意数据变更,可绕过常规安全监控实现权限提升、凭证窃取等目的。防御措施包括监控异常复制流量(如非DC主机的DRS接口调用)、审计AD架构配置分区变更(如nTDSDSA对象创建)、分析Kerberos SPN异常绑定等,同时需建立AD对象变更基线以识别异常元数据操作。

为规避传统检测手段,攻击者发展出基于协议逆向、元数据欺骗和时序伪装的隐蔽技术体系。通过深度渗透AD信任机制、精确模拟合法操作模式,将恶意活动嵌入目录服务正常业务流程,实现攻击行为的"合法化"伪装。

现有伪造域控制器匿迹技术的核心在于对AD协议栈的深度利用与信任链重构。攻击者通过三个层面实现隐匿:在身份层面,劫持合法SPN构建虚假认证凭证,突破基于计算机对象位置的访问控制;在数据层面,篡改复制元数据混淆操作溯源,使恶意变更获得与合法同步相同的版本标识;在行为层面,精确控制攻击节奏匹配正常同步周期,规避基于时序异常的检测。三类技术的共性在于突破传统边界防御思维,通过协议级仿冒、元数据污染和运维模式克隆,将攻击流量转化为AD基础设施的"白名单"行为,使得基于规则匹配或单维度特征分析的防御体系失效。

匿迹技术的演进导致传统依赖日志审计和流量监控的检测机制面临严峻挑战,防御方需构建AD元数据完整性校验、SPN生命周期监控、复制流量行为建模等深度防御能力,并引入机器学习技术识别隐蔽的协议级异常,实现对高级域控制器伪造攻击的精准捕获。

ID: T1207
Sub-techniques:  No sub-techniques
Tactic: 防御规避
Platforms: Windows
Permissions Required: Administrator
Defense Bypassed: Log analysis
Contributors: Vincent Le Toux
Version: 2.1
Created: 18 April 2018
Last Modified: 08 March 2022

Procedure Examples

ID Name Description
S0002 Mimikatz

Mimikatz’s LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC.[1][2]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Object Creation

Baseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects.[3]
Active Directory Object Modification

Leverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies.[4] [5] Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). [3]
DS0029 Network Traffic Network Traffic Content

Monitor and analyze network traffic associated with data replication (such as calls to DrsAddEntry, DrsReplicaAdd, and especially GetNCChanges) between DCs as well as to/from non DC hosts. [6][3] DC replication will naturally take place every 15 minutes but can be triggered by an adversary or by legitimate urgent changes (ex: passwords).
DS0002 User Account User Account Authentication

Investigate usage of Kerberos Service Principal Names (SPNs), especially those associated with services (beginning with "GC/") by computers not present in the DC organizational unit (OU). The SPN associated with the Directory Replication Service (DRS) Remote Protocol interface (GUID E3514235–4B06–11D1-AB04–00C04FC2DCD2) can be set without logging.[5] A rogue DC must authenticate as a service using these two SPNs for the replication process to successfully complete.

References

  1. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  2. Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
  3. Delpy, B. & LE TOUX, V. (n.d.). DCShadow. Retrieved March 20, 2018.
  1. Microsoft. (n.d.). Polling for Changes Using the DirSync Control. Retrieved March 30, 2018.
  2. Lucand,G. (2018, February 18). Detect DCShadow, impossible?. Retrieved March 30, 2018.
  3. Spencer S. (2018, February 22). DCSYNCMonitor. Retrieved March 30, 2018.