Thousand Ways To Backdoor A Windows Domain (Forest)

When the Kerberos elevation of privilege (CVE-2014-6324 / MS14-068) vulnerability has been made public, the remediation paragraph of the following blog post made some waves:
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain."

Personally, I agree with this, but .... But whether this is the real solution, I'm not sure. And the same applies to compromised computers. When it has been identified that malware was able to run on the computer (e.g. scheduled scan found the malware), there is no easy way to determine with 100% certainty that there is no rootkit on the computer. Thus rebuilding the computer might be a good thing to consider. For paranoids, use new hardware ;)

But rebuilding a single workstation and rebuilding a whole domain is not on the same complexity level. Rebuilding a domain can take weeks or months (or years, which will never happen, as the business will close before that).

There are countless documented methods to backdoor a computer, but I have never seen a post where someone collects all the methods to backdoor a domain. In the following, I will refer to domain admin, but in reality, I mean Domain Admins, Enterprise Admins, and Schema Admins.

Ways to backdoor a domain

So here you go, an incomplete list to backdoor a domain:

• Create a new domain admin user. Easy to do, easy to detect, easy to remediate
• Dump password hashes. The attacker can either crack those or just pass-the-hash. Since KB2871997, pass-the-hash might be trickier (https://technet.microsoft.com/library/security/2871997), but not impossible. Easy to do, hard to detect, hard to remediate - just think about service user passwords. And during remediation, consider all passwords compromised, even strong ones.
• Logon scripts - modify the logon scripts and add something malicious in it. Almost anything detailed in this post can be added :D
• Use an already available account, and add domain admin privileges to that. Reset its password. Mess with current group memberships - e.g. http://www.exploit-db.com/papers/17167/
• Backdoor any workstation where domain admins login. While remediating workstations, don't forget to clean the roaming profile. The type of backdoor can use different forms: malware, local admin, password (hidden admin with 500 RID), sticky keys, etc.
• Backdoor any domain controller server. For advanced attacks, see Skeleton keys 
• Backdoor files on network shares which are commonly used by domain admins by adding malware to commonly used executables - Backdoor factory
• Change ownership/permissions on AD partitions - if you have particular details on how to do this specifically, please comment
• Create a new domain user. Hide admin privileges with SID history. Easy to do, hard to detect, easy to remediate - check Mimikatz experimental for addsid
• Golden tickets - easy to do, hard to detect, medium remediation
• Silver tickets - easy to do, hard to detect, medium/hard remediation
• Backdoor workstations/servers via group policy
• HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunOnce,
• scheduled tasks (run task 2 years later),
• sticky-keys with debug
• Backdoor patch management tool, see slides here

[Update 2017.01.10]

• Assign SeEnableDelegationPrivilege to a user 
• Directory Service Restore Mode (DSRM)
• Malicious Security Support Provider (SSP)
• DSRMv2
• AdminSDHolder
• Edit GPO 

Other tricks

The following list does not fit in the previous "instant admin" tips, but still, it can make the attackers life easier if their primary foothold has been disabled:

• Backdoor recent backups - and when the backdoor is needed, destroy the files, so the files will be restored from the backdoored backup
• Backdoor the Exchange server - get a copy of emails
• Backdoor workstation/server golden image
• Change permission of logon scripts to allow modification later
• Place malicious symlinks to file shares, collect hashes via SMB auth tries on specified IP address, grab password hashes later
• Backdoor remote admin management e.g. HP iLO - e.g. create new user or steal current password
• Backdoor files e.g. on shares to use in SMB relay
• Backdoor source code of in-house-developed software
• Use any type of sniffed or reused passwords in new attacks, e.g. network admin, firewall admin, VPN admin, AV admin, etc.
• Change the content of the proxy pac file (change browser configuration if necessary), including special exception(s) for a chosen domain(s)  to use proxy on malicious IP. Redirect the traffic, enforce authentication, grab password hashes, ???, profit.
• Create high privileged users in applications running with high privileges, e.g. MSSQL, Tomcat, and own the machine, impersonate users, grab their credentials, etc. The typical pentest path made easy.
• Remove patches from servers, change patch policy not to install those patches.
• Steal Windows root/intermediate CA keys
• Weaken AD security by changing group policy (e.g. re-enabling LM-hashes)

Update [2015-09-27]: I found this great presentation from Jakob Heidelberg. It mentions (at least) the following techniques, it is worth to check these:

• Microsoft Local Administrator Password Solution
• Enroll virtual smart card certificates for domain admins

Forensics

If you have been chosen to remediate a network where attackers gained domain admin privileges, well, you have a lot of things to look for :)

I can recommend two tools which can help you during your investigation:

• AD explorer tool to diff AD
• NTDS forensics
• BTA (thx to Sn0rkY)

Lessons learned

But guess what, not all of these problems are solved by rebuilding the AD. One has to rebuild all the computers from scratch as well. Which seems quite impossible. When someone is creating a new AD, it is impossible not to migrate some configuration/data/files from the old domain. And whenever this happens, there is a risk that the new AD will be backdoored as well.

Ok, we are doomed, but what can we do? I recommend proper log analysis, analyze trends, and detect strange patterns in your network. Better spend money on these, than on the domain rebuild. And when you find something, do a proper incident response. And good luck!

Ps: Thanks to Andrew, EQ, and Tileo for adding new ideas to this post.

Check out the host backdooring post as well! :)

Continue reading

1. Pentest Box Tools Download
2. Best Hacking Tools 2020
3. Hacker Tools Hardware
4. Hacker Tools
5. Pentest Tools Bluekeep
6. Bluetooth Hacking Tools Kali
7. Hack Website Online Tool
8. Pentest Tools Website Vulnerability
9. Hacks And Tools
10. Hack Tool Apk
11. Top Pentest Tools
12. Hack App
13. Hack Tools Pc
14. Free Pentest Tools For Windows
15. World No 1 Hacker Software
16. Pentest Tools Github
17. Pentest Tools Alternative
18. Hak5 Tools
19. Top Pentest Tools
20. Termux Hacking Tools 2019
21. Hacking Tools For Pc
22. Hacking Tools Free Download
23. Hacker Tools List
24. Pentest Tools Android
25. Game Hacking
26. Pentest Tools Bluekeep
27. Tools 4 Hack
28. Hacking App
29. Pentest Tools For Windows
30. Hacker Tools 2020
31. Github Hacking Tools
32. Hack Tool Apk No Root
33. Hacking Tools Software
34. Hacker Tools Linux
35. Physical Pentest Tools
36. Hack Tools
37. How To Install Pentest Tools In Ubuntu
38. Hacker Security Tools
39. Hacker Tools
40. Ethical Hacker Tools
41. Hack Apps
42. Pentest Tools Alternative
43. Hacking Tools Mac
44. Growth Hacker Tools
45. Hack Tools Github
46. Black Hat Hacker Tools
47. Hacking Tools Kit
48. Hak5 Tools
49. Hacking Tools For Mac
50. Hacker Tools Software
51. Hacker Tools Linux
52. Hack Tools For Games
53. Termux Hacking Tools 2019
54. Pentest Box Tools Download
55. Hacking Tools Windows 10
56. Hack Tools For Mac
57. Pentest Tools Windows
58. Hacker Search Tools
59. Hack Website Online Tool
60. Pentest Tools Alternative
61. Pentest Tools List
62. Hacker Tools Apk
63. Computer Hacker
64. Hacker Tools Free
65. Kik Hack Tools
66. Hacking Tools
67. Pentest Recon Tools
68. Pentest Tools For Ubuntu
69. Hacking Tools Free Download
70. Hacking Tools For Kali Linux
71. Pentest Tools
72. Hacker
73. Hack Tool Apk No Root
74. New Hacker Tools
75. How To Hack
76. Tools 4 Hack
77. Hacker Tools Hardware
78. Pentest Tools Bluekeep
79. Hack Rom Tools
80. Hack Rom Tools
81. Wifi Hacker Tools For Windows
82. Pentest Tools Android
83. Pentest Tools Url Fuzzer
84. New Hacker Tools
85. Pentest Tools Website
86. Hacking Tools For Kali Linux
87. Hack Tools Github
88. Hacking Tools Pc
89. Hack And Tools
90. Hacker Tools For Ios
91. Tools 4 Hack
92. Pentest Tools For Mac
93. Hacker Tools For Pc
94. Pentest Tools Website
95. Hack Tools Github
96. Hacks And Tools
97. Hack Apps
98. Hack Tools For Pc
99. Pentest Tools For Windows
100. Install Pentest Tools Ubuntu
101. Hack And Tools
102. Easy Hack Tools
103. Hacking Tools 2020
104. Hacking Tools Github
105. Hacker Tools Apk Download
106. New Hacker Tools
107. Hackers Toolbox
108. Pentest Tools Linux
109. Hack Apps
110. Pentest Tools Open Source
111. Blackhat Hacker Tools
112. Hacker Tools Github
113. Hak5 Tools
114. Pentest Tools Bluekeep
115. Pentest Tools Nmap
116. Bluetooth Hacking Tools Kali
117. Tools Used For Hacking
118. Pentest Tools Subdomain
119. How To Make Hacking Tools
120. Best Hacking Tools 2020
121. Hacker Security Tools
122. Pentest Tools Online
123. Hacking Tools
124. Hacking Tools Kit
125. New Hack Tools
126. Physical Pentest Tools
127. Hacker Tool Kit
128. Hacking Tools
129. Pentest Tools Alternative
130. Hacker Tools Software
131. Ethical Hacker Tools
132. Hacking Tools Github
133. Hacking Tools Online
134. Best Hacking Tools 2020
135. Usb Pentest Tools
136. Hacker Tools Free Download
137. Pentest Tools Windows
138. Pentest Recon Tools
139. Pentest Tools For Mac
140. Pentest Tools Download
141. Easy Hack Tools
142. Pentest Tools Windows
143. Hackers Toolbox
144. Pentest Tools Subdomain
145. Hacker Tools 2020
146. Black Hat Hacker Tools
147. Hack Website Online Tool
148. Hacker Tools For Mac
149. Pentest Tools For Windows
150. Hacker Tools List
151. Hacking Tools Usb
152. Pentest Tools For Android
153. Hacking Tools For Beginners
154. Hacker Tool Kit
155. Game Hacking
156. Hacking Tools Kit
157. Hacker Tools Free Download
158. Hack App
159. Pentest Tools Download
160. Hacker Tools Windows
161. Pentest Tools Review
162. Pentest Tools Online
163. Growth Hacker Tools
164. Hacking Tools For Kali Linux
165. Pentest Tools Linux
166. Hacker Security Tools
167. Hackrf Tools
168. Best Pentesting Tools 2018
169. Pentest Tools Online
170. Wifi Hacker Tools For Windows
171. Hacking Tools Name