Rogue Domain Controller (T1207)
Rogue Domain Controller [T1207]
Last updated
Rogue Domain Controller [T1207]
Last updated
Name: Rogue Domain Controller
ID: T1207
Tactics:
The Rogue Domain Controller technique (MITRE ATT&CK ID: T1207) involves adversaries introducing unauthorized domain controllers into an Active Directory (AD) environment. Attackers leverage this rogue controller to intercept authentication requests, harvest credentials, manipulate group policies, and execute man-in-the-middle (MITM) attacks. This technique allows attackers to gain persistent, privileged access and control over the targeted network infrastructure, often remaining undetected for extended periods.
Deploying a rogue domain controller typically involves several technical steps, mechanisms, and procedures:
Domain Controller Promotion:
Attackers first gain administrative privileges within the target domain, allowing them to create and register new domain controllers.
Using tools like Microsoft's built-in DCPromo utility or PowerShell cmdlets (Install-ADDSDomainController), attackers promote compromised hosts or virtual machines to domain controllers.
DNS Manipulation:
Attackers may modify DNS records or DHCP configurations to redirect authentication requests to the rogue domain controller.
DNS poisoning or DHCP spoofing techniques can ensure client systems authenticate through the rogue controller instead of legitimate ones.
Credential Harvesting and MITM Attacks:
Once operational, the rogue controller intercepts and logs authentication requests, allowing attackers to capture credentials, hashes, or Kerberos tickets.
Attackers can leverage tools such as Mimikatz, Impacket, or Responder to extract credentials from intercepted traffic.
Group Policy Manipulation:
Attackers can deploy malicious group policy objects (GPOs) from the rogue controller to execute arbitrary code, deploy malware, or maintain persistence across the domain.
Malicious GPOs may disable security mechanisms, deploy backdoors, or create new privileged user accounts.
Persistence and Concealment:
Attackers often attempt to blend the rogue domain controller into the existing AD structure, naming it similarly to legitimate controllers or placing it in trusted organizational units (OUs).
Attackers may manipulate replication settings to prevent or limit synchronization with legitimate controllers, reducing visibility and detection.
Attackers typically deploy rogue domain controllers during specific stages and scenarios of advanced persistent threats (APTs):
Lateral Movement and Privilege Escalation:
After initial compromise and gaining administrative privileges, attackers deploy rogue controllers to escalate privileges further and facilitate lateral movement within the AD environment.
Credential Harvesting and Persistence:
Attackers use rogue domain controllers to continuously harvest credentials, maintain persistent access, and re-establish control even if initial compromised hosts are remediated.
Man-in-the-Middle and Interception Attacks:
Attackers deploy rogue controllers to intercept authentication traffic, enabling MITM attacks for credential theft, session hijacking, or injecting malicious payloads.
Long-Term Espionage and Data Exfiltration Campaigns:
Sophisticated threat actors deploy rogue domain controllers in prolonged espionage campaigns to maintain persistent, undetected access to sensitive corporate data and intellectual property.
Effective detection of rogue domain controllers involves multiple approaches, tools, and indicators of compromise (IoCs):
Monitoring Domain Controller Promotions:
Continuously monitor event logs (e.g., Windows Event ID 29223) for unauthorized domain controller promotions.
Utilize Security Information and Event Management (SIEM) solutions (Splunk, QRadar, Elastic Security) to correlate events and generate alerts.
DNS and DHCP Anomaly Detection:
Monitor DNS records for unexpected additions or modifications, especially new SRV records pointing to unknown domain controllers.
Detect DHCP anomalies or unauthorized DHCP servers appearing on the network.
Active Directory Replication Monitoring:
Regularly audit AD replication topology for unauthorized or unexpected replication partners.
Leverage tools such as Microsoft Defender for Identity (formerly Azure ATP), BloodHound, or PingCastle to identify irregularities in AD replication and domain controller configurations.
Network Traffic Analysis:
Analyze network traffic for unusual authentication flows or Kerberos exchanges toward unknown IP addresses or hosts.
Use network monitoring tools (Wireshark, Zeek, Suricata) to detect anomalies in authentication traffic patterns.
Indicators of Compromise (IoCs):
Unexpected domain controllers appearing in AD Sites and Services.
Unauthorized changes to DNS SRV records (_ldap._tcp.dc._msdcs.<domain>).
Suspicious GPO modifications or new GPOs created unexpectedly.
Presence of credential-dumping tools (Mimikatz, Impacket) or evidence of their use in logs.
Rogue domain controllers identified by unusual hostnames, IP addresses, or locations within AD.
Detecting rogue domain controllers early is crucial due to the severe impacts and risks they pose to organizational security:
Credential Theft and Privilege Escalation:
Rogue controllers enable attackers to intercept and harvest credentials, leading to widespread privilege escalation and lateral movement within the network.
Long-Term Persistence and Access:
Attackers can maintain persistent, hidden access to the organization's infrastructure, enabling prolonged espionage, data theft, and sabotage.
Compromise of Entire Active Directory Environment:
Once attackers control a rogue domain controller, they can manipulate AD configurations, group policies, and replication, compromising the entire domain and all connected resources.
Operational Disruption and Downtime:
Remediation of rogue domain controllers can be complex, costly, and disruptive, potentially requiring extensive downtime, forensic investigations, and rebuilding of AD infrastructure.
Compliance and Regulatory Risks:
Failure to detect and remediate rogue controllers may result in severe compliance violations, regulatory penalties, and reputational damage.
Real-world examples illustrating the use of rogue domain controllers include:
APT29 (Cozy Bear) Campaign:
Attackers leveraged rogue domain controllers to intercept authentication requests, harvest credentials, and maintain persistent access to targeted government and private sector networks.
Tools used: Mimikatz, custom PowerShell scripts, and native Windows utilities (DCPromo).
Impacts: Persistent espionage, credential theft, sensitive data exfiltration, and prolonged undetected access.
Operation Skeleton Key:
Attackers deployed rogue domain controllers and modified AD authentication mechanisms to accept a universal "skeleton key" password, granting persistent administrative access across the domain.
Tools used: Mimikatz, custom malware payloads, and AD manipulation scripts.
Impacts: Persistent compromise of AD infrastructure, privileged access, and credential theft across multiple organizations.
FIN6 Cybercrime Group:
In targeted attacks against financial institutions, FIN6 deployed rogue domain controllers to intercept credentials, manipulate group policies, and deploy ransomware payloads.
Tools used: PowerShell scripts, Impacket toolkit, Mimikatz, and ransomware payloads.
Impacts: Credential harvesting, widespread ransomware infections, operational disruption, and significant financial losses.
NotPetya Attack (2017):
Although primarily a destructive malware attack, NotPetya leveraged compromised domain controllers and AD infrastructure to propagate rapidly across networks.
Attackers manipulated AD configurations and credentials harvested from compromised controllers to spread malicious payloads.
Tools used: Mimikatz, EternalBlue exploit, AD manipulation scripts.
Impacts: Massive operational disruption, billions of dollars in financial losses, and extensive infrastructure damage across multiple industries globally.