Active Directory combines DNS functionalty (with an LDAP database, Kerberos authentication, and some other stuff) to create a unified directory service platform. As such, the fates of AD and DNS will be forever linked. In fact, you might say they are now married. In this talk you will learn how to keep that marriage happy and healthy!
Since the mid-80s, the Domain Name System (DNS) has been instrumental in improving the useablility of computer networks and the Internet. In 2000, Microsoft released Active Directory (AD) which combined DNS with a Lightweight Directory Access Protocol (LDAP) database and Kerberos authentication to create a unified directory service platform. Since AD's release, the fates of AD and DNA have been linked. In fact, you might say they are married. In this talk, we will discuss existing DNA attacks that can be used to compromise AD and the ways to mitigate the AD-specific DNA vulnerabilities.
Initially, we will talk about something OLD: Kevin Robertson's research into attacking DNA and the tool he created for this purpose: PowerMAD. We will delve into the specific default configurations and misconfigurations which give rise to these attacks. Additionally, we will touch on the issues that arise when non-AD admins are given permission to modify DNS.
Next, we will move onto something BORROWED: Dirk-jan Mollema and Elad Shamir have done extensive research into Resource Based Constrain Delegation. We will borrow some of this research to see how it can be applied to creating and modifying DNS records. Specifically, we will be targeting the ms-DS-Additional-Dns-Host-Name attribute and how it can be used maliciously.
After discussion the existing research and our extension, we move on to something NEW: a tool! We plan to release a tool later this year that will scan a network's AD-integrated (ADI) DNS servers, identify the most common DNS vulnerabilities, and provide guidance on resolving the issues.
Lastly, we will discuss something BLUE: We will walk through the process of integrating DNS logs into a Security Information and Event Management (SIEM) system - likely Azure Sentinel. After logs are being shipped to the SIEM properly, we will review the workbooks and alerts built in to Azure Sentinel. Finally, we will provide custom Kusto Query Language to check for evidence of less-common attacks and persistence methods.
Jim Sykora is a Security Consultant at Trimarc focused on identity security. Jim started his sysadmin path in 3rd grade & did a bunch of gigs before starting to blend operational experience & rampant curiosity with security knowledge.
Jake Hildreth is the Service Lead for the Active Directory Security Assessment (ADSA) at Trimarc & maintainer of the Locksmith AD CS remediation tool. His work at Trimarc focuses on assessing AD for F500 companies. He holds the CISSP and Security+ certs.