DCSync (DRSUAPI):
Channel: Security.
Event: 4662 (Property "1131f6aa-9c07-11d1-f79f-00c04fc2dcd" or "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2").

NTDS export using ntdsutil:
Channel: ESENT (Application.evtx).
Events: 206, 325, 326, 327

Overview

Secrets stored in the Active Directory database (ntds.dit) can be retrieved a number of ways:

  • By leveraging the DRSUAPI replication functions, normally used by Domain Controllers to replicate objects (replicated) properties. This attack can be conducted over the network (with out executing code on a Domain Controller) and is known as DCSync.

  • By executing code / commands on a Domain Controller and exfiltrating the ntds.dit database directly. While the ntds.dit database can be accessed and copied using various tools and techniques, the ntdsutil built-in administration utility is often leverage by threat actors to do so.

DCSync (DRSUAPI)

The DCSync attack consists in leveraging the Active Directory DRSUAPI replication functions (part of the Directory Replication Service (DRS) protocol) to remotely retrieve the specified Active Directory objects’ sensible information. The DRSUAPI functions are normally used by the Domain Controllers to replicate the modifications made to AD objects and keep the AD objects consistent across all the Domain Controllers of the forest. The DRSUAPI replication functions are exposed on the network by the Microsoft Remote Procedure Call (MSRPC) DRSUAPI interface on each Domain Controller. Thus, contrary to the others methods explicated so far, no local code execution on a Domain Controller is required to retrieve information from the ntds.dit database.

While multiples DRSUAPI intermediate functions are used in the replication process, the DSGetNCChanges function implements the replication request.

The following privileges on the domain root object are necessary to make replication requests through the DRSUAPI:

  • Replicating Directory Changes (Ds-Replication-Get-Changes, ACE GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)
  • Replicating Directory Changes All (Ds-Replication-Get-Changes-All, ACE GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)

Those privileges are, in a default Active Directory configuration, granted to the Domain Controllers, ENTERPRISE DOMAIN CONTROLLERS, Domain Admins, Enterprise Admins and Administrators domain groups.

Channel Conditions Events
Security Default configuration.

Events will be generated only if the operation was not conducted under a Domain Controller identity.		 Upon replication operations, such as the retrieval of Active Directory secrets (DCSync attack), the following event will be generated:

- Event 4662: An operation was performed on an object with the Property attribute equal to the GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2``.

ntdsutil usage

If code execution is achieved on a Domain Controller, multiples Windows utilities can be used to export the ntds.dit database, file: %SystemDrive%\Windows\NTDS\ntds.dit (given sufficient privileges).

On a standard Domain Controller installation, the NT AUTHORITY\SYSTEM built-in Windows account and the Administrators domain group have full control access on the file. Additionally, yet again in a standard configuration, members of the Backup Operators (SID: S-1-5-32-551) domain group have the necessary privileges to open an interactive (and remote) session on the Domain Controllers (SeInteractiveLogonRight) and can make use of the SeBackupPrivilege privilege to open files with the FILE_FLAG_BACKUP_SEMANTICS flag in order to bypass the file access controls.

As the ntds.dit file is being continuously accessed, the file cannot be directly copied (“The action can’t be completed because the file is open in another program”). The copy must be done through the Windows shadow copy mechanism, which leverage a temporary freezing of the I/O requests on the file. The freezing is requested by the Volume Shadow Copy Service (VSS) Windows built-in service, which orchestrate the creation of the shadow copy.

The sensitive information in the ntds.dit file are encrypted using the system Boot Key (also known as the System Key, or SysKey). This key is located in the HKEY_LOCAL_MACHINE\SYSTEM registry hive (%SystemDrive%\Windows\system32\config\SYSTEM file) and is unique to each Domain Controller. The SYSTEM registry hive (or the Boot Key directly) must thus be exported from the Domain Controller the ntds.dit was copied from.

the ntdsutil built-in administration utility is often leverage by threat actors to export the ntds.dit database and the SECURITY and SYSTEM registry hives.

Channel Conditions Events
Channel:
ESENT

EVTX file:
Application.evtx		 Default configuration. Upon execution of the ntdsutil command to dump the Active Directory ntds.dit database, the following events (containing the ntds keyword) will be generated:

- Event 325: The database engine created a new database [...]

- Event 326: The database engine attached a database [...]

- Event 327: The database engine detached a database [...]

- Event 206: A database location change was detected [...]

References

Tags: windows_etw windows_misc

View on GitHub