Author Topic: Active Directory Botnet sets up C&C infrastructure inside infected networks  (Read 1780 times)


  • Administrator
Active Directory Botnet sets up C&C infrastructure inside infected networks, while bypassing defenses

Researchers at Australian infosec company Threat Intelligence Pty Ltd. have developed a potentially devastating new botnet that abuses infected victims' Active Directory Domain Controllers, turning them into internally hosted command and control servers.

Even more frightening, the attack technique can use the AD as a central connection point for any infected node or endpoint on the system, allowing them to facilitate two-way communication with each other even if they are segmented into separate security zones. Such power would potentially give attackers tremendous freedom to laterally infiltrate organizations and exfiltrate data from myriad network sources.

< Edited >

Active Directory is a Microsoft directory service for Windows domain networks that stores information on network components, automates network management of user data, and authenticates and authorizes users while enforcing security policies. For this reason, a great many devices and servers within an organization will connect to AD.

According to the researchers, if an organization were to be infected by an AD botnet – say via a phishing campaign, for example – an attacker could then leverage one of over 50 writable and readable AD user attributes to take over the domain controllers as a central communications point. “Which means that we can utilize that connection to bypass all of your network access controls and all of your firewall rules, because [you've] got that gaping hole where everything can communicate in this one central place,” said Miller.

< Edited >

The Black Hat briefing synopsis explains the technique further: “The Active Directory Botnet Client injects unique data entries into their corresponding AD account attributes within the target Domain Controller, and begins polling to identify other compromised systems within the domain. At this point, any Active Directory Botnet Client within the domain can identify compromised machines and begin issuing commands to be executed on either individual systems or across all infected endpoints. The Active Directory Botnet Clients then execute the commands and begin tunnelling the command output back through their corresponding Active Directory account attribute fields, which are then collected by the Active Directory Botnet Client that issued the original command.”

< Edited >
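The technique quoted above relies on user accounts repeatedly writing encoded data into seldom-used AD attributes and polling them back. From the defender's side, that pattern is visible in directory-change auditing. The following is an added example, not code from the article or from the researchers' tool: a small detector that takes audit records modelled loosely on Windows Security Event ID 5136 ("A directory service object was modified", which logs the attribute name, the new value and the account that made the change when object-modification auditing is enabled) and flags accounts that write bursts of high-entropy values into low-traffic attributes. The attribute list, the account names (alice, helpdesk, user7) and every record in the sample set are constructed assumptions for the demo.

```python
"""Toy detector for the attribute-as-covert-channel pattern described above.

Assumptions (not taken from the article): input records are shaped like
Windows Security Event ID 5136 entries reduced to five fields, and the
attribute watch list below is illustrative, not a complete list of the
50+ writable attributes the researchers refer to. All sample records are
constructed.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Attributes that ordinary workflows rarely change in bulk (assumed set).
LOW_TRAFFIC_ATTRIBUTES = {
    "info", "comment", "homePostalAddress", "streetAddress",
    "postalCode", "otherHomePhone",
}


@dataclass(frozen=True)
class AttributeWrite:
    when: datetime      # event time
    subject: str        # account that performed the write (SubjectUserName)
    object_dn: str      # DN of the modified object
    attribute: str      # LDAP display name of the modified attribute
    value: str          # new value written


@dataclass(frozen=True)
class Alert:
    subject: str
    attribute: str
    writes: int
    mean_entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character: plain text scores low, encoded blobs score high."""
    if not s:
        return 0.0
    freq: dict[str, int] = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def detect_covert_channel(writes, window=timedelta(minutes=10),
                          min_writes=3, min_entropy=4.0):
    """Return one Alert per (subject, attribute) pair that shows at least
    min_writes writes inside `window` whose mean entropy is >= min_entropy.
    Both conditions must hold: a helpdesk bulk-updating addresses produces
    bursts of low-entropy text, a single out-of-office note is one write."""
    groups: dict[tuple, list] = defaultdict(list)
    for w in writes:
        if w.attribute in LOW_TRAFFIC_ATTRIBUTES:
            groups[(w.subject, w.attribute)].append(w)
    alerts = []
    for (subject, attribute), items in groups.items():
        items.sort(key=lambda w: w.when)
        best = None
        j = 0
        for i in range(len(items)):
            # advance j to the first write that falls outside the window at i
            while j < len(items) and items[j].when - items[i].when <= window:
                j += 1
            burst = items[i:j]
            if len(burst) >= min_writes:
                ent = sum(shannon_entropy(w.value) for w in burst) / len(burst)
                if ent >= min_entropy and (best is None or len(burst) > best.writes):
                    best = Alert(subject, attribute, len(burst), round(ent, 2))
        if best is not None:
            alerts.append(best)
    return alerts


def sample_writes():
    """Constructed audit records: one normal self-service edit, one helpdesk
    bulk update, and one account pushing four encoded blobs into 'info'."""
    t0 = datetime(2017, 8, 1, 9, 0)
    dn = "CN={0},OU=Users,DC=example,DC=local"
    blob1 = "xK7tR2mQ9pW4vZ1nL8cF3jH6bY5dG0sT+aE/uMiO"
    blob2 = "Qm9vdFN0YXJ0OjE5OjQyOjA3fGhvc3Q9d3MtMDE="
    blob3 = "pW4vZ1nL8cF3jH6bY5dG0sT+aE/uMiOxK7tR2mQ9"
    blob4 = "jH6bY5dG0sT+aE/uMiOxK7tR2mQ9pW4vZ1nL8cF3"
    return [
        AttributeWrite(t0, "alice", dn.format("alice"), "streetAddress", "12 Example Road"),
        AttributeWrite(t0 + timedelta(minutes=1), "helpdesk", dn.format("bob"), "streetAddress", "45 Sample Street"),
        AttributeWrite(t0 + timedelta(minutes=3), "helpdesk", dn.format("carol"), "streetAddress", "7 Test Lane"),
        AttributeWrite(t0 + timedelta(minutes=5), "helpdesk", dn.format("dave"), "streetAddress", "9 Demo Close"),
        AttributeWrite(t0 + timedelta(minutes=7), "bob", dn.format("bob"), "info", "Out of office until Monday"),
        AttributeWrite(t0, "user7", dn.format("user7"), "info", blob1),
        AttributeWrite(t0 + timedelta(minutes=2), "user7", dn.format("user7"), "info", blob2),
        AttributeWrite(t0 + timedelta(minutes=4), "user7", dn.format("user7"), "info", blob3),
        AttributeWrite(t0 + timedelta(minutes=6), "user7", dn.format("user7"), "info", blob4),
    ]


if __name__ == "__main__":
    for alert in detect_covert_channel(sample_writes()):
        print(alert)
```

Only the user7/info pair is reported; the helpdesk burst is suppressed by the entropy check and bob's single note by the write count. In a real deployment the thresholds, the attribute list and the window need tuning against the organization's baseline, and enabling object-modification auditing on the user container is a prerequisite for the source events to exist at all.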